Release notes
Salesforce REST connector
A new Salesforce connector has been introduced, using the REST API provided by Salesforce. This new connector supports the following data formats: User, UserRole, Contact, and Profile.
SAP SuccessFactors connector
SAP SuccessFactors is a Human Capital Management software. Fischer Identity has developed a new connector for this system, which supports the following operations: employee export, import, and lookups.
RAVE Connector
RAVE is an emergency alert system. Fischer Identity's RAVE connector supports import and export operations for the following data formats: User, Group, and UserList.
Oracle HCM
National ID
Changes have been made to our Oracle HCM connector to disable Oracle HCM National Id support by default. Enabling the feature is now controlled by an environment variable and a connected system parameter.
Effective Date Configuration
Changes to support AsOfEffectiveDate configuration settings for HR Combined data format.
Changes to cache the effective date configuration so that the same value is used across pages.
Corrected usage of ResponseDataControllerParameter in lookup calls.
Canvas LMS
Course section
Our Canvas LMS connector has been enhanced to support course section management via the course data format.
Canvas LMS Export and Lookup
MaxResults and ResultsPerPage are now configurable for Canvas LMS connected system lookup. The lookup default value for MaxResults has been changed to 1000 and the default for ResultsPerPage to 50. We have added a size limit validation for sub records during export and lookup: if any of the Canvas sub records exceeds the limit of 25000, the operation will be marked as failed. Changes were made to use the configured ResultsPerPage while fetching sub records with paged calls.
System Remediation Changes
For system remediation, a Remediation Workflow can be configured at the system level and this workflow will be used for remediating all accounts and entitlements of that system (both assigned and unassigned) for the system certification. If the system doesn't have a remediation workflow configured, then administrators will be notified through email regarding the remediation actions.
This enhancement changed remediation of system certification for the resource owner certifier list as well. Previously, the workflows specified at the resource level were used for remediating system certification using resource owner certifiers. This has been changed to use the remediation workflow configured at the system level. If the system doesn't have a remediation workflow configured, then administrators will be notified through email regarding the remediation actions.
System Remediation Events are listed under Self Service events as Request Type “System Remediation”.
Organization management
The org id is now displayed on the page when switching org.
Multi Valued Attributes in JDBC Schema
Changes to handle multi-valued attributes for JDBC connectors so that there are no parsing issues.
Introduced a plug-in configuration named MultiValuedAttributeHandling for JDBC connectors to control the behavior when there are multiple values. PickFirstValue, PickLastValue, MergeValuesCommaSeparated and MergeValuesPipeSeparated are the possible values, and the default behavior is to pick the first value.
Workflow & Connectivity Studio Project Files
Prior to 7.6, Workflow & Connectivity Studio was using a proprietary file format (PSSD) when saving projects. Due to this proprietary file format, customization of the projects outside Workflow & Connectivity Studio was not possible. In 7.6, we have modified the way projects are saved to use a simple XML format. Now, an XML editor or utility program can be used to make simple project customizations.
The projects shipped with the product are converted to the new format. Upon upgrade to 7.6, the connector library workflows will use the new XML format. Other projects in the Studio will not be modified during upgrade. Projects in the old format will still be valid and will continue to work after upgrade. Those projects can be loaded and reviewed without changing the format. When a save action happens, however, the old project will be converted to the new format.
Two utility tools are added in Studio as part of this enhancement. One of them helps with performing a project migration, while the other helps with performing a migration test.
Migration Tool
This tool can be used to convert projects from the old format to the new format. The project migration tool can be launched using the menu option File-->Project Migration.
Migration Test Tool
This tool can be used to perform a migration test to make sure that the project has retained all configurations after migration. The migration test tool can be launched using the menu option File-->Project Migration Test.
High Availability Failover Handling
Overview: Fischer IdM Suite uses the Infinispan and JGroups libraries for high availability. In a clustered high availability environment, only one of the nodes acts as the coordinator. When the current coordinator node is down, another node is elected as the coordinator. This coordinator election and node change handling are entirely controlled at the library level. The library detects node changes (node joined, node down, etc.) and fires node change events. Fischer listens for and processes these node change events.
Singleton Pattern in Clustered Environments: The Singleton pattern ensures that there can be only a single instance of a given class per JVM. Our product extended this pattern to the clustered environment – there can be only a single instance of a given class in the entire cluster. The application of this concept is to ensure that only one of the servers in the cluster is executing a given task - examples are workflow queue distributor, background threads such as access expiry, password expiry, etc...
The Clustered Singleton concept is implemented based on the coordinator state of HA. Since there can only be one coordinator server in a cluster, we will start the clustered singleton operations on the coordinator node. If the node change event indicates that the current coordinator node is down, we will switch those operations to the new coordinator.
Failure Detection: The Infinispan/JGroups library has different configurations to control failure detection. FD_SOCK and FD_ALL are being used. FD_SOCK elects a node as a suspect only if the TCP connection breaks. This may be impacted by a longer TCP timeout when there are crashed routers/switches. FD_ALL elects a node as a suspect when the heartbeat is missing. Based on our current configuration values, a node is determined as down within 10-12 seconds after missing the heartbeats.
Issues: Our current approach to failover handling blindly assumes that a node down event is triggered only when the node is actually down. But, based on our configured values for failure detection, it can also be triggered by missed heartbeats (the server may still be running; the heartbeats might be missed for different reasons, such as a network issue or a busy server). So it is fundamentally wrong to start all clustered singleton operations on the new coordinator upon getting a node down event for the old coordinator: the same tasks may still be running on the old coordinator if the event was a false positive (the node was actually running, but the down event was triggered by missed heartbeats). The failed node later rejoins the cluster as a worker, so the coordinator state at the cluster level eventually becomes consistent (there is only one cluster coordinator), but the way we handle the failure detection event causes clustered singleton operations to be executed both by the old coordinator (if it was not actually down) and by the new coordinator.
Fixes and Enhancements: We have made the following fixes to properly handle cluster change events and accommodate the false positives.
1. A new process has been introduced in the failover handling to detect false positive node down events. This process attempts to contact the failed server over HTTP to verify that it is actually down. If the server is reachable, we check the startup time to determine whether it restarted, and adjust the coordinator state if required. The new coordinator's state is marked as 'suspect' and a state monitor thread is launched to periodically check the coordinator state from the cluster. This thread executes until the coordinator status is confirmed or corrected. Both instances may therefore act as coordinator at the cluster level for a short period, but at the product level one of them is a 'suspected' coordinator, so clustered singleton operations are not processed on that node when a false positive node down event has occurred.
2. Recheck for coordinator state on each execution of the clustered singleton operation (like on running the password expiry process for example). As a result, even if the singleton task thread is created on multiple servers after a false positive node change event, only the current cache coordinator (in the cluster) will execute the task, and the other node will just log the fact that it is not a coordinator and not running this particular task.
3. Removed shutdown of singleton process threads when a node becomes a worker. We can't restart a Java thread which was already started, so shutdown during the view change is not helpful, and it causes issues when the server was never actually down and the tree cache notification changes the node state in a coordinator->worker->coordinator pattern. The recheck (#2 above) during thread execution covers for the shutdown removal on the view change.
4. A new menu option 'Server Events' has been introduced under the server tab in the Admin UI. This interface shows all server restarts and node change events. This helps with troubleshooting without digging through the logs from multiple servers. The events with old/new members are actual view change events triggered by the tree cache, and the events with '-' for the old/new members are internal events added on processing false positive down events. The coordinator in those cases will be 'SUSPECT', and the subsequent events will indicate how the state got corrected. As indicated in #5 below, the HA status has also been extended to provide more details of false positive events, as well as the length of coordinator-ship, etc.
Please see screen-shots below for the server startup and cluster change events.
5. The HA status page will have more details of the node changes. Please see screen-shots below.
The Status and Background Threads columns have been extended to have more values. A new status Re-Attached is introduced to show that the instance ran as the coordinator for a short period due to a false positive node down event, and that the status got corrected to become a worker. A new value Suspect is introduced for Background Threads to show that the instance has become the coordinator due to a false positive node down event, and that the server is waiting to get it corrected. The Background Threads column value is fetched from the instance itself to get the actual value when instances are detached. The Status column provides a link to show information as shown below.
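The behaviour described in fixes 1 to 3 above can be modelled as follows. This is an added example, not Fischer Identity's code: the class, field and method names are hypothetical, the HTTP reachability and startup-time check is passed in as plain arguments, and the rule that a suspect state is resolved once the old coordinator has rejoined the cluster view is an assumption.

```java
public class ClusteredSingletonDemo {
    enum Role { WORKER, SUSPECT, COORDINATOR }

    static class Node {
        final String name;
        volatile Role role;
        volatile String coordinatorView; // who this node's cluster view names as coordinator
        int executed, skipped;

        Node(String name, Role role, String coordinatorView) {
            this.name = name;
            this.role = role;
            this.coordinatorView = coordinatorView;
        }

        // Fix 1: verify a node-down event for the old coordinator before trusting it.
        // The arguments stand in for the result of the HTTP check (assumption).
        void onOldCoordinatorDown(boolean reachable, long knownStartup, long reportedStartup) {
            boolean reallyWentDown = !reachable || reportedStartup != knownStartup;
            role = reallyWentDown ? Role.COORDINATOR : Role.SUSPECT;
        }

        // State monitor step, repeated until SUSPECT is confirmed or corrected.
        // mergedCoordinator is null while the old node has not rejoined (assumption).
        void monitorTick(String mergedCoordinator) {
            if (role != Role.SUSPECT || mergedCoordinator == null) return;
            role = name.equals(mergedCoordinator) ? Role.COORDINATOR : Role.WORKER;
        }

        // Fixes 2 and 3: the task thread is never shut down; every run rechecks
        // the coordinator state and only logs when this node must not run the task.
        boolean runSingletonTask(String task) {
            boolean run = role == Role.COORDINATOR && name.equals(coordinatorView);
            if (run) executed++;
            else { skipped++; System.out.println(name + ": not coordinator, skipping " + task); }
            return run;
        }
    }

    public static void main(String[] args) {
        Node a = new Node("A", Role.COORDINATOR, "A");
        Node b = new Node("B", Role.WORKER, "A");

        // Constructed scenario: A's heartbeats are missed, B is told A is down.
        b.coordinatorView = "B";
        b.onOldCoordinatorDown(true, 1000L, 1000L); // A answers, same startup time
        a.runSingletonTask("password-expiry");      // A is still alive and runs it
        b.runSingletonTask("password-expiry");      // B is SUSPECT, so no double run

        // A rejoins as a worker and the merged view names B as coordinator.
        a.role = Role.WORKER;
        a.coordinatorView = "B";
        b.monitorTick("B");
        a.runSingletonTask("password-expiry");
        b.runSingletonTask("password-expiry");
        System.out.println("A executed=" + a.executed + " skipped=" + a.skipped
                + "; B executed=" + b.executed + " skipped=" + b.skipped + " role=" + b.role);
    }
}
```

In both phases of the constructed scenario exactly one node executes the task, which is the property the pre-7.6 handling lost on a false positive node down event.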
Self-Service search
We have added search support for multiple date fields on a single screen. Previously, only single date fields could be made searchable in listing screens.
Approval delegation UI usability
We improved the usability of our approval delegation feature by making the "TURN OFF DELEGATION" button disappear upon delegation expiration.
Mapper Debug Info
The mapper debug info is enhanced to have more details and avoid irrelevant information.
1. Included index of start entry, end entry and output entry.
2. Included information about generated record/rule for output entry.
3. Included more details for debug info from Mapper functions.
4. Logs order is changed to match the flow.
5. Avoid FIELD NAME: prefix for attributes and variables.
A sample debug info data after the changes is included below.
Fixed defects
List of defects reported by customers or implementation; defects raised internally are not included.
- Fixed value with extended LDAP not being formatted when the value is fetched using the DN of the associated account.
- Fixed issue with old version of workflows having workflow chainer object configured with provisioning schema.
- Fixed removal approval which was launched for policies even though the add approval was cancelled.
- Fixed notification handling of failure when missing details.
- Fixed logger issue which would result in logging threads being locked when the buffer is full.
- Fixed additional line break in login alerts.
- Fixed issue with User Load feature not handling attribute entitlements correctly, which would possibly result in data missing from FUE.
- Fixed issue in Office 365 connector resulting in entitlement workflow producing an error but still marking itself as complete while not completing entitlement attribution.
- Fixed issue in user match which would result in users being matched due to a different formatter being used in Birthdate field.
- Fixed issue resulting in password hash being retained in the list of past passwords if failing password policy verification.
- Fixed "Review match data" button remaining in a disabled state following upgrade to 7.5.1. This would happen for old user match events having the manager attribute in the review match data section.
- Fixed issue with key rotation occurring on disabled organizations. Rotation will now only occur on enabled organizations.
- Fixed issue with calls not going through active GIG if other GIG is disabled. This could potentially result in calls failing upon a GIG going down.
- Fixed issue where create new user id form could not be submitted due to manager field value not being populated and field not being editable.
- Fixed issue which would result in a privileged user being logged out of Self-Service when selecting a user he is the primary manager of.
- Fixed issue with privileged users not being able to see end-users they are a secondary manager for in Self-Service.
- Fixed issue which would prevent the download of old versions of PeopleSoft Triggers.
- Fixed PeopleSoft Trigger change notifications which were failing when going through GIG. This issue was due to the web service not getting deployed. Corrected the annotations to get it deployed.
- Fixed issues when managing user licenses using Office365 connector which would result in licensing failing during workflow execution.
- Fixed issue that would occur when updating a policy with an entitlement resource and doing a reevaluation. This issue would result in the REL record for that policy not being added. The issue would occur when the user already had the policy membership and the same entitlement resource was allocated through another policy.
- Fixed issue with approval overrides rules. This issue could result in approval override rules being ignored.
- Fixed purge failures occurring when only user data is selected to be purged.
- Fixed apps icon not showing properly in AppsPortal following 7.5 upgrade.
- Fixed an issue where the user info panel on the Identity Claim page does not collapse after successfully locating the user if there is an acceptable use policy configured.
- Fixed the exclusion list for access expiry notifications, which was causing notifications to not be sent for requested policies.
- Fixed NPE when performing a Linux HA upgrade on the second instance and the monitor database is different from the product database.
- Fixed issue with 'modified date' being updated on the Workflow page in the Admin UI when a workflow is activated or suspended.
- Fixed paging issue in Apps Portal which would cause page to not load for users who have Apps marked as favorite.
- Fixed qualification issue in Apps Portal which would lead certain users to not see the Apps they would normally qualify for.
- Fixed issue in Apps Portal which would lead to Apps that are marked as favorite to fail the upgrade if not properly parsed.
- Fixed issue with second level manager approval.
- Fixed issue with Apps icon not being properly displayed in Apps Portal and Admin UI after upgrade.
- Fixed issue with 'Modified User' column not being updated properly when a user suspends or activates workflows.
- Fixed job-manager attributes not being passed to pre-process workflows.
- Fixed memory accumulation due to bulk of future dated/grace period provisioning processes.
- Fixed issue occurring when a user who has a future dated event runs back through the system. In such case, the grace period end-date would be pushed to be the date calculated from the new run.
- Fixed issue occurring in Kiosk when no systems are selected to be visible in the PEC. Identity System will not be always visible during password reset, irrespective of visibility in PEC.
- Modified the way notifications details and associated send dates are displayed in both Self-Service and Admin UI to provide clearer status on notifications.
- Fixed issue occurring when a pre-process workflow changes the pbwuserid value of the new user request. This issue would lead to job managers not receiving requests for approval in some cases.
- Fixed issue where a new user match is created if the user has already been matched and hadn't been already matched or created as new, and if a change on the user was processed by the policy engine. The issue would cause a new user match event to be created instead of updating the existing one with the latest data.
- Fixed wrong Identity-Status value being set when clicking on workflow initiated button.
- Fixed delay when searching for de-provisioned users in Self-Service.
- Fixed error occurring during execution of the current workflow instance, which leads to cancelation of the next scheduled instance and thus stopping the scheduled workflow.
- Fixed issue that would prevent authenticating in Studio when Duo authentication is configured as second factor.
- Fixed issue with Get Identity Info in Studio when using 'include end dated accounts' configuration. When checked, the end-dated accounts would be excluded, and when not checked, the end-dated accounts would be pulled.
- Fixed Google reCaptcha issue preventing reCaptcha from loading.
Compatibility
Java
OpenJDK 8
Database
Database | Minimal Version |
---|---|
Microsoft SQL Server | Microsoft SQL Server 2012 Service Pack 4 |
Oracle | 11.2 |
PostgreSQL | 9.5 |
Operating System
Operating System | Minimal Version |
---|---|
Windows Server | Windows Server 2008 Service Pack 2 |
Linux | No restriction |
Browser
Browser | Minimal Version |
---|---|
Internet Explorer | 11 |
Edge | Latest |
Chrome | Latest |
Firefox | Latest |