Release notes
SSL Support for MySQL Connector
The MySQL connector now supports SSL connections. The Connected System details page now has a 'Use Secure Connection' checkbox, which can be checked to enable SSL connections to the MySQL database.
The MySQL database is configured for SSL connections by default. However, to enable SSL connections from the application (identity/provisioning/gig) to the database server, the MySQL CA certificate (ca.pem) has to be imported into Java's trust store. Please follow the steps below to import the CA certificate.
- Locate the ca.pem file of MySQL. For a Windows based installation, the sample location is C:\ProgramData\MySQL\MySQL Server 8.0\Data\ca.pem
- Copy ca.pem to Java's trust store path, typically %JAVA_HOME%\lib\security
- cd to %JAVA_HOME%\lib\security
- Rename ca.pem to mysql-ca.pem
- Open a command prompt in admin mode and run: keytool -import -alias mysqlServerCACert -file mysql-ca.pem -keystore cacerts
Windows Authentication for SQL Server Connector
SQL server connector now supports Windows Authentication. In order to use Windows Authentication for this connector, check the ‘Use Windows Authentication’ check box in the connected system detail page.
DLL Requirements
To use Windows Authentication, mssql-jdbc_auth-<version>.x64.dll or mssql-jdbc_auth-<version>.x86.dll (depending on whether Java is 64-bit or 32-bit) needs to be in the java.library.path. The installer copies the appropriate .dll file, based on the Java version, to the agentdll folder (under IDENTITY_HOME, DATAFORUM_HOME or GIG_HOME, depending on the installation).
The current sql server jdbc driver version is 8.4.1, so the name of the .dll file will be either mssql-jdbc_auth-8.4.1.x64.dll or mssql-jdbc_auth-8.4.1.x86.dll.
You can either copy this .dll file to one of the directories already on java.library.path or update java.library.path to point to the agentdll location in Tomcat.
Example setting in catalina.bat:
set CATALINA_OPTS=%CATALINA_OPTS% -Djava.library.path="%PATH%";"C:\Fischer\IdM\identity\agentdll"
JDBC driver’s .jar location when using multiple contexts in the same tomcat
The mssql-jdbc_auth-xxx.dll file is loaded by the MSSQL JDBC driver to perform Windows authentication. By default, the .jar file for the MSSQL JDBC driver (mssql-jdbc-8.4.1.jre8.jar for version 8.4.1) is available in the context's WEB-INF\libs folder. However, if there are multiple contexts (such as identity and dataforum in the same Tomcat), only one of the contexts will be able to load this .dll. In such scenarios (identity and dataforum in the same Tomcat, or for GIGs), this MSSQL JDBC driver .jar file should be manually moved to Tomcat's libs folder, so that it is shared by all contexts and the .dll file needs to be loaded only once.
Use Windows Authentication to connect to the product DB: the product can connect to the SQL Server database using Windows authentication. If the system property com.fisc.mssql.useWindowsAuthentication is set to true, the product will use Windows authentication to connect to the product DB. The product installer still uses password authentication.
Removed SSO option for Self-Service Client Admin
Removed the SSO tab from Self-Service client admin tab, as configuring IdP / SP configurations from the Self-Service Portal is no longer supported.
Oracle EBS Connector
- The Oracle EBS connector has been enhanced so that when the password is updated, Oracle EBS system's password_date field will get updated with the new timestamp, in addition to the last_update field.
- The Oracle EBS connector has been enhanced to support both Service Name or SID to connect. Prior to this enhancement, only SID was supported to connect.
Auto Request Account Resource
The Self-Service engine has been enhanced to auto request account resources on processing the entitlement only resource, if the user does not already have the account resource assigned.
Account resource can be configured as auto requested using the 'This resource can be auto requested on processing entitlement only resources.' option under 'Self-Service Properties' section of the resource detail page.
This same configuration parameter can also be managed through the Configuration Hub by setting the Resource.AutoRequest attribute.
During runtime, on provisioning the entitlement resource(s), the self-service engine will check whether the account is already provisioned or account resource is part of the current request. If not, one of the auto requestable account resources (to the same system as that of the entitlement resource) will be added to the request (auto requested). The entitlement resource processing will be marked as dependent to this newly added account resource, so that entitlement can be provisioned without error.
Request Access Enhancements
Introduced two new options for OBO users to select resources in request access. The first option clones the accesses of a user and assigns them to another user. The second option selects accesses from a CSV file. These options can be turned on from the admin UI Self-Service configuration page.
Once these options are turned on, there will be an extra step for OBO users to pick the access selection option. When clone option is selected, there will be an option to select the user from whom the accesses to be cloned.
When CSV file option is selected, there will be an option to pick the file which contains resource data.
Following is a sample CSV file with access information. The first column should be the name of Policy or Resource. Second column must specify the type of the access. For Policy it should be Policy and for Resource it should be Resource.
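The two-column layout described above can be checked before a file is handed to the request: the name column must be non-empty and the type column must be exactly Policy or Resource. The following Python parser is an added example, not part of the release notes or the product; the sample CSV text, the function name parse_access_csv and the blank-line handling are assumptions made for the illustration.

```python
import csv
import io

# Constructed sample CSV in the two-column layout: column 1 is the Policy or
# Resource name, column 2 is the access type (Policy or Resource).
SAMPLE_CSV = """Finance Approver,Policy
COR US + iExpenses + IE USER,Resource

HR Analyst,Policy
Bad Row,Group
"""

VALID_TYPES = {"Policy", "Resource"}


def parse_access_csv(text):
    """Parse request-access rows; return (items, errors).

    items  -> list of {"name": ..., "type": ...} for the rows that are valid
    errors -> list of "line N: reason" strings for rows that would be rejected
    Blank lines are skipped (assumption: the product's own handling is not stated).
    """
    items, errors = [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(cell.strip() == "" for cell in row):
            continue  # skip blank lines
        if len(row) < 2:
            errors.append(f"line {lineno}: expected 2 columns, got {len(row)}")
            continue
        name, access_type = row[0].strip(), row[1].strip()
        if not name:
            errors.append(f"line {lineno}: empty name")
            continue
        if access_type not in VALID_TYPES:
            # only the literal values Policy and Resource are accepted
            errors.append(f"line {lineno}: unknown access type {access_type!r}")
            continue
        items.append({"name": name, "type": access_type})
    return items, errors


if __name__ == "__main__":
    parsed, problems = parse_access_csv(SAMPLE_CSV)
    print(parsed)
    print(problems)
```

Rows with an unknown type are reported with their line number instead of silently dropped, so a user preparing the file for an OBO request can fix it before submitting.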
Remediation
When there is only a single node in the Chain of Trust, the product will now start the remediation process for users as they get certified, as opposed to waiting for all users to be certified.
Security
The process by which the keystore password is stored has been enhanced. The keystore password is stored by generating a random key using a proprietary algorithm that will be stored in a separate file in an obfuscated form. This key will then be used at the initialization vector key when decrypting the DB connection properties stored in the property file. A new IV key will be created each time the value is encrypted. The encrypted database username, host and port properties stored in the properties file will each be encrypted with its own IV key.
Connected System Management and Usage
Connected systems that are created from the Master Org now have the ability to be configured to be shared/used within other Client Orgs.
Support of database properties in UpdatePassword
Enhanced the UpdateDBUserPassword Dev tool to support updating other encrypted DB properties stored in the prio properties file.
ServiceNow Connector Enhancements
The ServiceNow connector is enhanced to have the new data formats Task, CatalogTask, Request and Approval.
The ServiceNow trigger is enhanced to have the new data formats User, Task, CatalogTask, Request, RequestItem, RequestItemVariable and Approval.
Note: As a result of the task integration we modified the attribute names to match current ServiceNow recommendations as it relates to the incident data format specifically. The following attributes (if used) are required to be modified to the new name:
Old Name         | Replace with
CalendarDuration | Duration
Comments         | AdditionalComments
Rfc              | ChangeRequest
SystemClassName  | TaskType
WorkEnd          | ActualEnd
WorkStart        | ActualStart
Exact match handling of user match
User match policy configuration is updated to have an option to combine multiple exact matches. When this option is turned on, all exact match rules will be evaluated in the order of priority and the match results are combined. The matched attribute shown in the UI (as bold) will be of the first matched rule (even if the same record matches in the other rules, the matched attributes will be only from the first matched rule - in other words, matched attributes are not combined). When there are multiple matches after combining matches from all rules, it will force an administrative review.
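The combination semantics above (rules evaluated in priority order, results combined, matched attributes taken only from the first rule that matched a record, administrative review forced on more than one match) can be modelled in a few lines. The Python below is an added illustration, not the product's user match engine; the function name evaluate_exact_match_rules, the in-memory REPOSITORY, the rule list and case-sensitive comparison are all assumptions made for the example. The combine flag set to False reproduces the earlier single-rule behaviour for comparison.

```python
def evaluate_exact_match_rules(candidate, records, rules, combine=True):
    """Run exact-match rules in priority order against the repository.

    candidate -> {attribute: value} for the incoming record
    records   -> {record_id: {attribute: value}} (constructed stand-in for the repository)
    rules     -> attribute-name lists in priority order; a rule matches a record when every
                 listed attribute is present, non-empty and equal (case-sensitive: assumption)
    combine   -> True models the 'combine multiple exact matches' option; False stops at
                 the first rule that produces any match

    Returns (matches, force_admin_review): matches maps record id to the attributes of the
    first rule that matched it, never a union across rules; the review flag is raised when
    the combined result contains more than one record.
    """
    matches = {}
    for attrs in rules:
        for rec_id, rec in records.items():
            if rec_id in matches:
                continue  # keep the matched attributes of the higher-priority rule
            if all(candidate.get(a) not in (None, "") and candidate.get(a) == rec.get(a)
                   for a in attrs):
                matches[rec_id] = list(attrs)
        if matches and not combine:
            break
    return matches, len(matches) > 1


# Constructed sample repository and rules (priority order: employeeNumber, email, lastName)
REPOSITORY = {
    "u1001": {"employeeNumber": "789456", "email": "frank.jones@example.com", "lastName": "Jones"},
    "u1002": {"employeeNumber": "889476", "email": "john.smith@example.com", "lastName": "Smith"},
    "u1003": {"employeeNumber": "000001", "email": "j.smith@example.com", "lastName": "Smith"},
}
RULES = [["employeeNumber"], ["email"], ["lastName"]]

# Candidate whose employee number points at one record and whose email at another
AMBIGUOUS = {"employeeNumber": "889476", "email": "j.smith@example.com", "lastName": "Smith"}
# Candidate that matches a single record under two rules
UNIQUE = {"employeeNumber": "789456", "email": "frank.jones@example.com"}

if __name__ == "__main__":
    print(evaluate_exact_match_rules(AMBIGUOUS, REPOSITORY, RULES))
    print(evaluate_exact_match_rules(AMBIGUOUS, REPOSITORY, RULES, combine=False))
    print(evaluate_exact_match_rules(UNIQUE, REPOSITORY, RULES))
```

Note that u1002 also satisfies the lastName rule for the ambiguous candidate, but its matched attributes stay ["employeeNumber"], exactly as the notes describe for the UI highlighting.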
SPML Enhancements
SPML RA can now be configured just to launch the workflows without updating the Fischer repository tables. This gives the flexibility to run user match or any other pre-process tasks before the SPML data gets saved into the Fischer tables.
Gallagher Security Connector
Gallagher Security is a flexible, integrated access control solution to meet any security requirements. Fischer Identity has developed a new connector for this system, which supports the following operations: Cardholder export, import, and lookups; AccessGroup export and lookup. This connector also supports entitlement association, dissociation and discovery for access group.
Ascentis Connector Effective Date Support
Ascentis connector Employee data format export and lookup are enhanced to support fetching employee job data as of on an effective date. Effective date can be configured in export and lookup using the plug-in parameter AsOfEffectiveDate. This parameter can be configured as a particular date in the format yyyy-MM-dd or as the number of days ahead (+) or before(-) the current date.
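Because AsOfEffectiveDate accepts two very different spellings (an absolute yyyy-MM-dd date or a signed day offset), it is worth seeing how both forms resolve to one date and how a malformed value is rejected. The resolver below is an added example and is not the Ascentis connector's code; the function name resolve_as_of_effective_date, the fixed reference date used for the demonstration, and the decision to reject anything that is neither form are assumptions.

```python
import re
from datetime import date, timedelta

# Two accepted spellings of the plug-in parameter (assumed exact forms)
ABSOLUTE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")   # yyyy-MM-dd
RELATIVE_RE = re.compile(r"^([+-])(\d+)$")          # +N days ahead / -N days before


def resolve_as_of_effective_date(param, today=None):
    """Turn the AsOfEffectiveDate value into a concrete date.

    '2024-12-31' -> that date; '+30' -> today plus 30 days; '-7' -> today minus 7 days.
    Anything else raises ValueError so a misconfigured export fails early instead of
    silently fetching job data as of the wrong day.
    """
    today = today or date.today()
    value = param.strip()
    relative = RELATIVE_RE.match(value)
    if relative:
        sign, days = relative.groups()
        delta = timedelta(days=int(days))
        return today + delta if sign == "+" else today - delta
    if ABSOLUTE_RE.match(value):
        try:
            return date.fromisoformat(value)
        except ValueError:
            pass  # well-formed but impossible date, e.g. 2024-02-30
    raise ValueError(
        f"AsOfEffectiveDate must be yyyy-MM-dd or a +N/-N day offset, got {param!r}")


if __name__ == "__main__":
    # Constructed reference date so the output is reproducible
    reference = date(2024, 3, 15)
    for value in ("2024-12-31", "+30", "-7"):
        print(value, "->", resolve_as_of_effective_date(value, reference))
```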
Progressive Password Policy Validation
Password policy validation is enhanced to do the evaluation as the user types in the password. The UI will show the passed and failed password rules and the reset button won't be enabled without passing all the password policy rules.
The following features/UIs are updated to show the progressive password policy validation.
- Self-service page-> My Accounts->Reset Passwords.
- Self-service page-> Users-> Profiles
- Kiosk page
- Forgot Password
- Self Registration
- New User Creation
- Standalone password reset
- IdentityClaim
- SMSReset
- Password Expiry
- Admin UI
Sample UI - Self-service page-> My Accounts->Reset Passwords
In the UI below, with the accounts selected, you can see that the accounts belong to different PECs and the rules violated with respect to each PEC are listed. Once the user starts to key in the password characters, the password policies are evaluated on the fly and reflected in the rules list. Once all the rules are met across both policies, the Reset Password button is enabled and all rules are shown in green. The option to view the password policy rules is shown as another radio button, provided the view password policy property is enabled, which on selection shows the rules without any violation information.
In admin page after selecting the account or PEC, once admin starts entering the password, the password policy violation rules will be displayed.
Kiosk Authentication Enhancement
Kiosk authentication is enhanced to support TOTP and PIN authentication as primary authentication options. PIN authentication option supports SMS and Email based on the configuration setting Configuration --> Configuration --> PIN Authentication and Password Reset --> Notification Method within the Admin UI. The Mobile option, which was retained in the screen as deprecated, is now removed from kiosk primary authentication option. The admin UI kiosk primary authentication configuration page after the changes looks like:
When all options are enabled from the Admin UI, the Kiosk Identity verification panel looks like:
Identity Info Mapper Rule Performance Enhancement
The Get Identity Info mapper rule is enhanced with an option that allows processing in multiple steps. When the info rule details are fetched by executing a query against complex views, performance is much better when the condition is on the primary key column. When this option is turned on, the mapper first fetches the primary key based on the configured conditions, then uses the primary key when fetching the info rule details.
Oracle HCM Worker Name Attributes
Oracle HCM Worker data format is enhanced to support all name attributes. The newly added attributes are
name->LocalMilitaryRank, name->LocalPreviousLastName, name->LocalTitle, name->MilitaryRank, name->NameLanguage, name->PreviousLastName,
name->NameInformation1 to name->NameInformation30,
name->LocalNameInformation1 to name->LocalNameInformation30
Configuration Hub - Global Variables
The Configuration Hub, which is used to build configuration related workflows from the Workflow & Connectivity Studio, has been enhanced with a new data format to manage global variables. Prior to the enhancement, global variables could be manually managed from the Admin UI or Workflow & Connectivity Studio UI, but not in automated fashion. The new data format supports export, create, modify and delete of global variables.
The screenshot below is a sample workflow that exports from a flat file, which contains a list of global variables and ultimately ends with the Configuration Hub, which will manage the global variables in the system
The screenshot below shows the available configurations that can be adjusted when using the GlobalVariable data format.
The screenshot below shows the available attributes that can be used with the new global variable data format.
Oracle HCM Connector - Additional Worker Managers
Oracle HCM Connector has been enhanced to support manager attributes for worker export and lookup. Prior to the enhancement, multiple exports/lookups were necessary, with additional workflow logic, to loop through the data to determine the appropriate manager for each assignment a user had.
Organization Export/Import Enhancement
The Organization Export/Import features have been updated with the following enhancements:
Ability to Download Org Export Zip
It is possible to download the org export zip file from the org export instance page using the 'Download' button.
Ability to Upload Org Export Zip
The org export zip file used for import can be uploaded from the import UI. The import UI continues to support the old way of specifying the identity share's relative path of the org export zip file. The upload option can be used to upload any org export zip file to the org's upload folder relative to the identity share path.
Ability to do export/import on enabled orgs
The org export/import process can be initiated on the enabled orgs. It is recommended to disable the org on doing a full export/import of the org. If the export/import is done on an enabled org, there may be a chance of stale data, especially when there are processes running which may change the data (for example, workflow executions).
Ability to pick the features to be exported
Organization export feature has been enhanced to pick the features to be exported.
The below UI will be displayed on clicking the 'Export Selected' check box. Only the features which are checked below will be included in the export.
Ability to filter individual features
The 'View' button in the 'Filter' column can be used to set a filter on individual features. If a filter is set, it will be applied when getting export data for that feature. The export filter can be made on the pre-defined set of columns of each feature. To add/remove the 'filterable' columns, the feature's org config XML must be changed.
The 'Preview Data' button can be used to see the data when the filter is applied.
Ability to preview the export data
The 'Preview' option can be used to view the export count of the selected features. If there are configured filters, then it will be applied.
Clicking on the count displays the data in a new UI (the columns differ for each feature).
Ability to pick features to be imported
The import feature has been enhanced to pick individual features to be imported. The Import Selected option in the UI below can be used to pick the configuration objects.
All features checked from the UI below are included in the import.
Ability to set feature level action on existing configuration objects
The action on existing objects controls how existing objects are handled during an import operation. The options are Skip, Overwrite or Make Unique. Previously this selection was global and applied to all of the features. This has been enhanced so it can be configured at the feature level for the features selected from the UI above.
Ability to schedule policy re-evaluations
Import UI has an option to schedule policy re-evaluation. When this option is checked, a policy re-evaluation is scheduled when there are re-evaluation required configuration objects (policy, rule, condition, index) imported.
Microsoft Office 365 and Power Shell Connector Authentication
Microsoft Office 365 and PowerShell Connectors are enhanced to support Modern authentication methods. Modern Authentication is a method of identity management that offers more secure user authentication and authorization.
Previously, the Microsoft Office 365 and PowerShell connectors used the basic authentication mechanism to establish the connection. Microsoft is encouraging users to replace basic authentication with modern authentication, as basic authentication is now deprecated and will be removed or disabled shortly. The modern authentication mechanism has been added to the Microsoft Office 365 and PowerShell connectors.
Microsoft Office 365 and PowerShell connector now supports the following three authentication modes.
- Basic authentication with credentials (existing)
- Modern authentication with credentials
- Modern authentication using certificate
- To connect with basic or modern authentication using credentials, we will need the office 365 service account name and password.
- To connect with modern authentication using certificate, the extra connected system parameters needed are: private key (corresponding to the certificate), key file password and the registered application id.
For modern authentication to work, an exchange online management module needs to be installed in the identity and provisioning server as a prerequisite. The certificate should be uploaded in the registered application in Microsoft 365 azure portal. You will need its private key and password to configure the connected system using modern auth.
PowerShell Commands to create certificates
- To create a self-signed certificate:
  $cert = New-SelfSignedCertificate -DnsName "fischerdemo.onmicrosoft.com" -CertStoreLocation "cert:\LocalMachine\My" -NotAfter (Get-Date).AddYears(1) -KeySpec KeyExchange
- To export the PFX private key file 'cert.pfx' with a password. This private key file is used in the connected system configuration:
  $cert | Export-PfxCertificate -FilePath cert.pfx -Password $(ConvertTo-SecureString -String "Password" -AsPlainText -Force)
- To export the certificate file 'cert.cer'. This certificate should be uploaded to the Azure application:
  $cert | Export-Certificate -FilePath cert.cer
Install ExchangeOnlineManagement module as pre-requisites
- Install-Module -Name ExchangeOnlineManagement
Microsoft Office 365 Connected System Info
PowerShell System Info with credentials - Designer
Box Connector - Invite External User to Enterprise
User Data format Changes
- Added ‘accountDN’ and ‘InviteToEnterpriseIfExternalUserExists’ as import plug-in configuration.
- Added ‘EnterpriseId’ and 'inviteId' as import attribute.
- When the user-add operation fails with the error 'user login already used' and the value of 'InviteToEnterpriseIfExternalUserExists' is True, an automated Box invitation will be sent to the external Box user to join the enterprise. The 'inviteId' will be included in the import status record. The default value of 'InviteToEnterpriseIfExternalUserExists' is False.
ExternalUserInvite Data format
A new data format (ExternalUserInvite) has been added to the connector, to invite external Box user in provisioning Box connector.
Supported Operations
- Import: Invite external Box user to join enterprise.
- Export/Lookup: Get Box invite status and details with invite id.
Runtime
During a successful import task with data format ‘ExternalUserInvite’, an automated invitation email would be sent to the external box-user. The box server generates ‘inviteId’ which is included in the import status record. Export and lookup operations fetch box-invite status & details with the given ‘Invite Id’. Status values are pending/accepted/rejected.
The invitation mail contains an ‘Accept Invitation’ button. When the external user clicks the ‘Accept Invitation’ button, it will re-direct the user to Box login page in browser. When logged-in to box account with credentials, a pop-up window with accept and reject button will be displayed. The external box user could join the enterprise using the accept button click; otherwise, can reject the invitation.
Lookup Screen
UNIX SSH Connector - Security Enhancements
UNIX SSH connector is enhanced to support certificate based authentication and enhanced encryption options. The third-party library used by the connector is updated to the latest available version 4.4.15. Introduced a new connected system parameter to configure certificate/private-key required for certificate based authentication. Since password is optional for certificate based authentication, password parameter is made optional.
All these connector changes are backward compatible. So no configuration changes are required after upgrade.
New Admin UI connected system details page looks like
Studio - Manage Product Attributes
Introduced option to manage product attributes from Studio. This option allows management of product attribute and attribute mapping from Studio. UI management display values are not supported from Studio. The attribute manage UI and process flow are similar to the one in admin UI. The menu option Tools --> Manage Product Attributes will display product attribute display page.
The attribute details page looks like:
Studio - Product Attribute Display
Introduced option to configure how the product attributes should be displayed while configuring workflows. This can be configured at Tools --> Configure
Once this is configured, the product attribute display in Studio will be based on this.
Studio - Manage Workflow Schedule
Introduced option to manage workflow schedules from Studio. Also introduced options to start/stop schedules, activate/suspend workflows and monitor workflow instances. All the relevant operations are supported for deploy, re-deploy and edit. The workflow deploy UI has been reorganized into a tab-based layout.
Workflow schedule management UI has a layout and flow similar to the one in admin UI. Schedules and schedule excludes can be managed based on schedule type.
Activate, Suspend and Auto-Suspend configurations can be managed from Activate/Suspend Configuration tab.
Workflow Instance tab allows monitoring of workflow instance. No instance level actions are supported from this tab.
PSA Policy for Studio Only Access
Introduced a new PSA Policy iPaaS Administration for studio only access. Users qualifying for the 'iPaaS Administrators' user group will be qualified for this policy and will get all studio access and the following limited options in admin UI.
Systems tab
- Connected Systems
Server tab
- Workflows
- Triggers
- WF Instances
- Notification Events
Configuration tab
- Attributes
- Notifications
- Global Variables
GIG Auto Upgrade
Introduced option to auto upgrade GIG. Auto upgrade works based on the new gigmanager context introduced for GIG in 7.7, so GIG must be 7.7 or higher to support auto upgrade. The configurations below are also important for GIG auto upgrade to work properly.
Tomcat Configuration
The version recommended for GIG 7.7 is to use tomcat 9.
All context related operations, like starting and stopping contexts, are done using the Tomcat manager API. Authentication is mandatory for the manager APIs, so authentication has to be enabled by adding the line below to the tomcat-users.xml file. The username and password can be adjusted to complex values.
<user username="tomcat" password="password" roles="manager-script"/>
During upgrade, the GIG context files are updated while Tomcat is running. If the auto deploy option is turned on, Tomcat will try to reload the context while the update is happening, which can cause issues with the GIG upgrade. So the auto deploy option must be off for the GIG Tomcat. The auto deploy configuration is in the file config/server.xml.
GIG Configuration
Introduced option to provide tomcat authentication credentials in GIG details page. The credentials configured for tomcat should be provided for that.
Build Repository Configuration
The build repository supported for GIG auto upgrade is Artifactory. The default configuration is pointed to Fischer production Artifactory. Build repository can be configured at GIG -> GIG -> GIG Build Manager ->Configure Repository. There will be separate authentication credentials created for each customer and that can be obtained by contacting Fischer infrastructure team.
The default configuration is to fetch just the GIG build of version matching with Identity server version. By adjusting the Root Path, Lowest Version and Highest Version parameters, additional versions of GIG .
Build Management
All GIG build management actions can be done at GIG -> GIG -> GIG Build Manager.
Once the repository is configured, build can be fetched using the Fetch Builds button in the GIG Build Manager page.
Once the builds are fetched, desired builds can be downloaded using the Download Build button. Download is an asynchronous process consisting of download, checksum validation, new zip creation and checksum calculation. The Refresh button can be used to monitor the progress. Once download is completed, the build status will be set to Enabled.
Manage GIG Server
All GIG server management can be done at GIG -> GIG -> Manage GIG Server.
GIG Management Instances
For each GIG management action, there is an instance listing page to view the instances.
There is option in the instance listing page to see the instance details.
REST end point for SoD Evaluation
A new REST end point is introduced for evaluating SoDs. This end point accepts the resources (add/remove) and reports the SoD evaluation result by performing the policy SoD evaluation.
Request payload
{
  "startDate": 1728000000,
  "requestorIdentifiers": [
    { "name": "firstName", "value": "frankjones" },
    { "name": "email", "value": "frankjones@fisc.com" },
    { "name": "employeeNumber", "value": "789456" }
  ],
  "beneficiaryIdentifiers": [
    { "name": "firstName", "value": "John" },
    { "name": "email", "value": "john.smith@fisc.com" },
    { "name": "employeeNumber", "value": "889476" }
  ],
  "beneficiaryType": "Existing",
  "items": [
    { "externalName": "COR US + iExpenses + IE USER", "systemName": "Oracle R12", "itemType": "Resource", "changeType": "Add" },
    { "externalName": "COR US + iExpenses + IE REPORTING & ANALYSIS", "itemType": "Policy", "changeType": "Add" },
    { "externalName": "COR US + iExpenses + IE AUDITOR", "systemName": "Oracle R12", "itemType": "Resource", "changeType": "Remove" }
  ]
}
startDate – Request's start date. This is optional; when specified it should be in epoch format (milliseconds). It is used to exclude any accesses which will be terminated by that date from the SoD evaluation, and is used only if the beneficiary type is 'Existing'.
requestorIdentifiers and beneficiaryIdentifiers are name value map to identify the requestor and beneficiary.
beneficiaryType - New/Existing to identify whether request is for new user or existing user.
items – List of resources (supports Resource and Policy). externalName is the English displayName. systemName is the English displayName of the system, systemName is required only if the externalName is not unique. It is not required when the item type is Policy. changeType can be either Add or Remove.
Response
{
  "startDate": 1728000000,
  "requestorId": "-1234535454466546533",
  "beneficiaryId": "-334352434654534542",
  "statusCode": 206,
  "items": [
    { "id": 20049, "externalName": "COR US + iExpenses + IE USER", "systemName": "Oracle R12", "itemType": "Resource", "changeType": "Add", "statusCode": 200 },
    { "id": 10485, "externalName": "COR US + iExpenses + IE REPORTING & ANALYSIS", "itemType": "Policy", "changeType": "Add", "statusCode": 403, "message": "SoD for COR Access" },
    { "id": 0, "externalName": "COR US + iExpenses + IE AUDITOR", "systemName": "Oracle R12", "itemType": "Resource", "changeType": "Remove", "statusCode": 404 }
  ]
}
Values of statusCode
200 - OK
206 - Partial success. Some items have 200 status, some have 403.
400 - Bad request
403 - Forbidden. SoD violated; message will have the violated SoD's name.
404 - Not found
Making REST request
Obtain Access Token
URL:
Method: POST
Headers:
  client_id: <org_code>
  client_secret: <secret from REST configuration>
  scope: <user's primary login attribute's value>
  Content-Type: application/x-www-form-urlencoded
Response:
{
  "access_token": "8caa3f18913aa55f1d6e0b1d067ec7b",
  "UserId": "3213791920800026438188061046100427035",
  "scope": "manageOtherProfiles managePasswords manageSecretQuestions profile requestAccess",
  "expires_in": "1628694470797"
}
Request SoD Evaluation
URL:
Method: POST
Headers:
  Authorization: OAuth 8caa3f18913aa55f1d6e0b1d067ec7b
  Content-Type: application/json
Body: SoD Evaluation request in the format mentioned in
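The request payload, the per-item status codes and the two-step token-then-evaluate flow above fit naturally into a small client. The Python below is an added example written for these notes, not the product's own client or SDK: build_sod_request assembles and validates the payload, summarize_sod_response sorts the per-item results into granted, SoD-violating and not-found buckets, and the two HTTP helpers send the requests with the headers listed above. The endpoint URLs are not given in the notes, so token_url and sod_url are placeholders the caller supplies; the behaviour of returning a JSON body on an HTTP 4xx reply is an assumption. SAMPLE_RESPONSE is constructed from the response example above.

```python
import json
import urllib.error
import urllib.request

VALID_ITEM_TYPES = {"Resource", "Policy"}
VALID_CHANGE_TYPES = {"Add", "Remove"}
VALID_BENEFICIARY_TYPES = {"New", "Existing"}


def build_sod_request(requestor, beneficiary, items, beneficiary_type="Existing", start_date_ms=None):
    """Assemble the SoD evaluation payload from plain dicts.

    requestor / beneficiary -> {attributeName: value}, turned into name/value identifier lists
    items -> dicts with externalName, itemType, changeType and (for resources) systemName
    Enumerated fields are validated client-side so a typo fails here rather than as a 400.
    """
    if beneficiary_type not in VALID_BENEFICIARY_TYPES:
        raise ValueError(f"beneficiaryType must be New or Existing, got {beneficiary_type!r}")
    body = {
        "requestorIdentifiers": [{"name": k, "value": v} for k, v in requestor.items()],
        "beneficiaryIdentifiers": [{"name": k, "value": v} for k, v in beneficiary.items()],
        "beneficiaryType": beneficiary_type,
        "items": [],
    }
    if start_date_ms is not None:  # optional; epoch milliseconds per the notes
        body["startDate"] = int(start_date_ms)
    for item in items:
        if item["itemType"] not in VALID_ITEM_TYPES:
            raise ValueError(f"itemType must be Resource or Policy, got {item['itemType']!r}")
        if item["changeType"] not in VALID_CHANGE_TYPES:
            raise ValueError(f"changeType must be Add or Remove, got {item['changeType']!r}")
        entry = {"externalName": item["externalName"], "itemType": item["itemType"],
                 "changeType": item["changeType"]}
        # systemName only disambiguates a Resource whose display name is not unique
        if item["itemType"] == "Resource" and item.get("systemName"):
            entry["systemName"] = item["systemName"]
        body["items"].append(entry)
    return body


def summarize_sod_response(response):
    """Bucket the per-item results so a caller can act on violations explicitly."""
    summary = {"statusCode": response.get("statusCode"), "ok": [], "violations": [],
               "not_found": [], "other": []}
    for item in response.get("items", []):
        code, name = item.get("statusCode"), item.get("externalName")
        if code == 200:
            summary["ok"].append(name)
        elif code == 403:  # SoD violated; message carries the violated SoD's name
            summary["violations"].append((name, item.get("message", "")))
        elif code == 404:
            summary["not_found"].append(name)
        else:
            summary["other"].append((name, code))
    return summary


def _post_json(url, headers, data):
    """POST and decode a JSON body; assumes a 4xx reply may still carry the result."""
    req = urllib.request.Request(url, data=data, method="POST", headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)


def obtain_access_token(token_url, org_code, client_secret, login_value):
    """Token request with the headers listed in the notes; token_url is a placeholder."""
    headers = {"client_id": org_code, "client_secret": client_secret, "scope": login_value,
               "Content-Type": "application/x-www-form-urlencoded"}
    return _post_json(token_url, headers, b"")["access_token"]


def request_sod_evaluation(sod_url, access_token, payload):
    """Submit the payload with the OAuth header; sod_url is likewise a placeholder."""
    headers = {"Authorization": f"OAuth {access_token}", "Content-Type": "application/json"}
    return _post_json(sod_url, headers, json.dumps(payload).encode("utf-8"))


# Constructed sample response, mirroring the example in the notes.
SAMPLE_RESPONSE = {
    "startDate": 1728000000, "requestorId": "-1234535454466546533",
    "beneficiaryId": "-334352434654534542", "statusCode": 206,
    "items": [
        {"id": 20049, "externalName": "COR US + iExpenses + IE USER", "systemName": "Oracle R12",
         "itemType": "Resource", "changeType": "Add", "statusCode": 200},
        {"id": 10485, "externalName": "COR US + iExpenses + IE REPORTING & ANALYSIS",
         "itemType": "Policy", "changeType": "Add", "statusCode": 403, "message": "SoD for COR Access"},
        {"id": 0, "externalName": "COR US + iExpenses + IE AUDITOR", "systemName": "Oracle R12",
         "itemType": "Resource", "changeType": "Remove", "statusCode": 404},
    ],
}

if __name__ == "__main__":
    print(summarize_sod_response(SAMPLE_RESPONSE))
```

A 206 on the whole request means nothing is decided until the items are inspected, which is why the summary separates violations (with the SoD name from message) from items that simply were not found.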
Profile REST end point filter options
The profile REST end point has been enhanced to support the following filter options using wild card character ( * ).
givenName=* matches any value (excludes null and empty values)
givenName=*null* matches only null values.
givenName=John* matches all values starting with John.
givenName=*John matches all values ending with John.
givenName=*John* matches all values contains John.
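The five wildcard forms above are easy to get wrong at the boundaries (an empty string is not matched by "*", and "*null*" is a special token rather than a substring search for the word null), so the following Python matcher spells each rule out and applies an "attribute=pattern" expression to a list of profiles. It is an added example, not the product's REST implementation; the function names wildcard_match and filter_profiles, the constructed PROFILES list, case-sensitive comparison and treating a missing attribute as null are assumptions.

```python
def wildcard_match(pattern, value):
    """Apply the profile filter wildcard rules to one attribute value.

    '*'      -> any value except null and empty string
    '*null*' -> only null
    'X*'     -> starts with X;  '*X' -> ends with X;  '*X*' -> contains X
    no '*'   -> exact match (assumption; comparison is case-sensitive)
    """
    if pattern == "*":
        return value is not None and value != ""
    if pattern == "*null*":
        return value is None
    if value is None:
        return False  # null never matches a textual pattern
    if len(pattern) >= 2 and pattern.startswith("*") and pattern.endswith("*"):
        return pattern[1:-1] in value
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return value == pattern


def filter_profiles(profiles, filter_expr):
    """filter_expr is 'attribute=pattern' as used on the query string, e.g. 'givenName=John*'."""
    attribute, sep, pattern = filter_expr.partition("=")
    if not sep or not attribute:
        raise ValueError(f"filter must be attribute=pattern, got {filter_expr!r}")
    # a profile without the attribute is treated as null (assumption)
    return [p for p in profiles if wildcard_match(pattern, p.get(attribute))]


def matching_ids(profiles, filter_expr):
    return [p["id"] for p in filter_profiles(profiles, filter_expr)]


# Constructed sample profiles covering the edge cases (empty, null, attribute absent)
PROFILES = [
    {"id": 1, "givenName": "John"},
    {"id": 2, "givenName": "Johnathan"},
    {"id": 3, "givenName": "Elton John"},
    {"id": 4, "givenName": ""},
    {"id": 5, "givenName": None},
    {"id": 6},
]

if __name__ == "__main__":
    for expr in ("givenName=*", "givenName=*null*", "givenName=John*",
                 "givenName=*John", "givenName=*John*", "givenName=John"):
        print(expr, "->", matching_ids(PROFILES, expr))
```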
Fixed defects
List of defects reported by customers or implementation; it does not contain defects raised internally.
- Fixed password minimum age test failing for new AD accounts when the Active Directory (AD) password filter is being used. The AD password filter notification processing set the password as modified by the user to cause this issue. The fix is to consider any password filter notifications within 3 minutes of FUA start_date as a 'System' reset so that password minimum age test won't fail. The audit message for the event will reflect that the password filter notification for the new account is processed as by the 'System'.
- Fixed not to show the UI dialog box to download and install DUO mobile app when adding mobile phones of 'other' type. The other mobile phone can be added just like a land line, the QR code will be generated, which can be used later to enable push notifications if the device is a smart phone.
- Fixed duo bypass code not being generated if the user doesn't have any registered device. The fix allows a user to generate a bypass code without any registered device, but since duo requires to have an authentication device to use the bypass codes, user will be prompted to register a device during the authentication phase.
- The "Get Identity Info" mapper rule has been enhanced to retrieve alias information.