Release notes

SSL Support for MySQL Connector

MySQL connector now supports SSL connection. Connected System details page now has a 'Use Secure Connection' checkbox, which can be checked to enable SSL connections to MySQL Database.

MySQL database is configured for SSL connection by default. However, to enable SSL connection from the application (identity/provisioning/gig) to the database server, the MySQL client certificate has to be imported into the java's keystore. Please follow the steps below to import the CA certificate.

1. Locate ca.pem file of MySQL. For a windows based installation, the sample location is C:\ProgramData\MySQL\MySQL Server 8.0\Data\ca.pem
2. Copy ca.pem to java's trust store path - typically %JAVA_HOME%\lib\security
3. cd to %JAVA_HOME%\lib\security
4. Rename ca.pem to mysql-ca.pem
5. Open command prompt in admin mode and issue > keytool -import -alias mysqlServerCACert -file mysql-ca.pem -keystore cacerts

Windows Authentication for SQL Server Connector

SQL server connector now supports Windows Authentication. In order to use Windows Authentication for this connector, check the ‘Use Windows Authentication’ check box in the connected system detail page.

DLL Requirements

To use Windows Authentication, mssql-jdbc_auth-<version>.x64.dll or mssql-jdbc_auth-<version>.x86.dll (depending on 64 bit or 32 bit java) needs to be in the java.library.path. Installer will copy the appropriate .dll file based on the java version to the agentdll folder (under IDENTITY_HOME, DATAFORUM_HOME or GIG_HOME based on the installation).

The current sql server jdbc driver version is 8.4.1, so the name of the .dll file will be either mssql-jdbc_auth-8.4.1.x64.dll or mssql-jdbc_auth-8.4.1.x86.dll.

You can either copy this .dll file to one of the current java.library.path or update the java.library.path to point to the agentll location in tomcat

Example setting in catalina.bat:

set CATALINA_OPTS=%CATALINA_OPTS% -Djava.library.path="%PATH%";"C:\Fischer\IdM\identity\agentdll"

JDBC driver’s .jar location when using multiple contexts in the same tomcat

The mssql-jdbc_auth-xxx.dll file is loaded by the mssql jdbc driver for doing windows auth. By default, the .jar file for the mssql jdbc driver (mssql-jdbc-8.4.1.jre8.jar based on the 8.4.1 version) will be available in the context’s WEB-INF\libs folder. However, if there are multiple contexts (like identity and dataforum in the same tomcat), then,  only one of the context will be able to load this .dll. In such scenarios (having identity and dataforum in the same tomcat or for gigs), this mssql jdbc driver .jar file should be manually moved to the tomcat’s libs folder, so that it will be shared by all contexts and the .dll file is required to be loaded only once.

Use Windows Authentication to connect to product DB:  The product can connect to the SQL server database using windows authentication. If the system property com.fisc.mssql.useWindowsAuthentication is set to true, then the product will use windows authentication to connect to the product DB. The product Installer still uses password authentication.

Removed SSO option for Self-Service Client Admin

Removed the SSO tab from Self-Service client admin tab, as configuring IdP / SP configurations from the Self-Service Portal is no longer supported.

Oracle EBS Connector

• The Oracle EBS connector has been enhanced so that when the password is updated, Oracle EBS system's password_date field will get updated with the new timestamp, in addition to the last_update field.
• The Oracle EBS connector has been enhanced to support both Service Name or SID to connect. Prior to this enhancement, only SID was supported to connect.

Auto Request Account Resource

The Self-Service engine has been enhanced to auto request account resources on processing the entitlement only resource, if the user does not already have the account resource assigned.

Account resource can be configured as auto requested using the 'This resource can be auto requested on processing entitlement only resources.' option under 'Self-Service Properties' section of the resource detail page.

This same configuration parameter, 'This resource can be auto requested on processing entitlement only resources', mentioned above, is able to be managed by the Configuration Hub, by setting the Resource.AutoRequest attribute.

During runtime, on provisioning the entitlement resource(s), the self-service engine will check whether the account is already provisioned or account resource is part of the current request.  If not, one of the auto requestable account resources (to the same system as that of the entitlement resource) will be added to the request (auto requested). The entitlement resource processing will be marked as dependent to this newly added account resource, so that entitlement can be provisioned without error.

Request Access Enhancements

Introduced two new options for OBO users to select resources in request access. First option is to clone the accesses of a user and assign that to another user. Second option is select accesses from a CSV file. These options can be turned on from admin UI Self-Service configuration page.

Once these options are turned on, there will be an extra step for OBO users to pick the access selection option. When clone option is selected, there will be an option to select the user from whom the accesses to be cloned.

When CSV file option is selected, there will be an option to pick the file which contains resource data.

Following is a sample CSV file with access information. The first column should be the name of Policy or Resource. Second column must specify the type of the access. For Policy it should be Policy and for Resource it should be Resource.

Remediation

When there is only a single node in the Chain of Trust, the product will now start the remediation process for users as they get certified, as opposed to waiting for all users to be certified.

Security

The process by which the keystore password is stored has been enhanced. The keystore password is stored by generating a random key using a proprietary algorithm that will be stored in a separate file in an obfuscated form. This key will then be used at the initialization vector key when decrypting the DB connection properties stored in the property file. A new IV key will be created each time the value is encrypted. The encrypted database username, host and port properties stored in the properties file will each be encrypted with its own IV key.

Connected System Management and Usage

Connected systems that are created from the Master Org now have the ability to be configured to be shared/used within other Client Orgs.

Support of database properties in UpdatePassword

Enhanced the UpdateDBUserPassword Dev tool to support updating other encrypted DB properties stored in the prio properties file.

ServiceNow Connector Enhancements

ServiceNow connector is enhanced have the new data formats - Task, CatalogTask, Request and Approval.

ServiceNow trigger is enhanced have the new data formats - User, Task, CatalogTask, Request, RequestItem, RequestItemVariable and Approval.

Note: As a result of the task integration we modified the attribute names to match current ServiceNow recommendations as it relates to the incident data format specifically. The following attributes (if used) are required to be modified to the new name:

Exact match handling of user match

User match policy configuration is updated to have an option to combine multiple exact matches. When this option is turned on, all exact match rules will be evaluated in the order of priority and the match results are combined. The matched attribute shown in the UI (as bold) will be of the first matched rule (even if the same record matches in the other rules, the matched attributes will be only from the first matched rule - in other words, matched attributes are not combined). When there are multiple matches after combining matches from all rules, it will force an administrative review.

SPML Enhancements

SPML RA can now be configured just to launch the workflows without updating the Fischer repository tables. This gives the flexibility to run user match or any other pre-process tasks before the SPML data gets saved into the Fischer tables.

Gallagher Security Connector

Gallagher Security is a flexible, integrated access control solution to meet any security requirements. Fischer Identity has developed a new connector for this system, which supports the following operations: Cardholder export, import, and lookups; AccessGroup export and lookup. This connector also supports entitlement association, dissociation and discovery for access group.

Ascentis Connector Effective Date Support

Ascentis connector Employee data format export and lookup are enhanced to support fetching employee job data as of on an effective date. Effective date can be configured in export and lookup using the plug-in parameter AsOfEffectiveDate. This parameter can be configured as a particular date in the format yyyy-MM-dd or as the number of days ahead (+) or before(-) the current date.

Progressive Password Policy Validation

Password policy validation is enhanced to do the evaluation as the user types in the password. The UI will show the passed and failed password rules and the reset button won't be enabled without passing all the password policy rules.

The following features/UIs are updated to show the progressive password policy validation.

• Self-service page-> My Accounts->Reset Passwords.  
• Self-service page-> Users-> Profiles 
• Kiosk page 
• Forgot Password 
• Self Registration 
• New User Creation
• Standalone password reset 
• IdentityClaim 
• SMSReset 
• Password Expiry
• Admin UI

Sample UI - Self-service page-> My Accounts->Reset Passwords

In the below UI, with the accounts selected, you can see that accounts belong to different PEC's and the rules violated with respect to PEC's are listed. Once the user starts to key in the password characters, the password policies are evaluated on the fly and are reflected in the rules list. Once all the rules are met across both policies, the Reset Password button will be enabled and all rules will be in green. The option to view the password policy rules will be shown as another radio button, provided the view password policy property is enabled, which on selection will show the rules with out any violation information.

In admin page after selecting the account or PEC, once admin starts entering the password, the password policy violation rules will be displayed.

Kiosk Authentication Enhancement

Kiosk authentication is enhanced to support TOTP and PIN authentication as primary authentication options. PIN authentication option supports SMS and Email based on the configuration setting Configuration --> Configuration --> PIN Authentication and Password Reset --> Notification Method within the Admin UI. The Mobile option, which was retained in the screen as deprecated, is now removed from kiosk primary authentication option. The admin UI kiosk primary authentication configuration page after the changes looks like:

When all options are enabled from the Admin UI, the Kiosk Identity verification panel looks like:

Identity Info Mapper Rule Performance Enhancement

Get Identity Info mapper rule is enhanced to support an option which allow the processing in multiple steps. When the info rule details are to be fetched executing query against complex views, the performance is much better when the condition is on primary key column. When this option is turned on, the mapper first fetches the primary key based on the conditions configured. Then the mapper uses the primary key when fetching the info rule details.

Oracle HCM Worker Name Attributes

Oracle HCM Worker data format is enhanced to support all name attributes. The newly added attributes are

name->LocalMilitaryRank, name->LocalPreviousLastName, name->LocalTitle,MilitaryRank, name->NameLanguage, name->PreviousLastName 

name->NameInformation1 to name->NameInformation30, 

name->LocalNameInformation1 to name->LocalNameInformation30

Configuration Hub - Global Variables

The Configuration Hub, which is used to build configuration related workflows from the Workflow & Connectivity Studio, has been enhanced with a new data format to manage global variables. Prior to the enhancement, global variables could be manually managed from the Admin UI or Workflow & Connectivity Studio UI, but not in automated fashion. The new data format supports export, create, modify and delete of global variables.

The screenshot below is a sample workflow that exports from a flat file, which contains a list of global variables and ultimately ends with the Configuration Hub, which will manage the global variables in the system

The screenshot below show the available configurations that can be adjusted when using the GlobalVariable data format.

The screenshot below shows the available attributes that can be used with the new global variable data format.

Oracle HCM Connector - Additional Worker Managers

Oracle HCM Connector has been enhanced to support manager attributes for worker export and lookup. Prior to the enhancement, multiple exports/lookups were necessary, with additional workflow logic, to loop through the data to determine the appropriate manager for each assignment a user had.

Organization Export/Import Enhancement

The Organization Export/Import features have been updated with the following enhancements:

Ability to Download Org Export Zip

It is possible to download the org export zip file from the org export instance page using the 'Download' button.

Ability to Upload Org Export Zip

The org export zip file used for import can be uploaded from the import UI. The import UI continue to support the old way of specifying the identity share's relative path of the org export zip file. The upload option can be used to upload any org export zip file to the org's upload folder relative to the identity share path.

Ability to do export/import on enabled orgs

The org export/import process can be initiated on the enabled orgs. It is recommended to disable the org on doing a full export/import of the org. If the export/import is done on an enabled org, there may be a chance of stale data, especially when there are processes running which may change the data (for example, workflow executions).

Ability to pick the features to be exported

Organization export feature has been enhanced to pick the features to be exported.

The below UI will be displayed on clicking the 'Export Selected' check box. Only the features which are checked below will be included in the export.

Ability to filter individual features

The 'View' button in the 'Filter' column can be used to set a filter on individual features. If there is a filter set, then that filter will be applied on getting export data for that feature. The export filter can be made on the pre-defined set of columns of each feature. To add/remove the 'filterable' columns, changing the features org config xml will need to be done. 

The 'Preview Data' button can be used to see the data when the filter is applied.

Ability to preview the export data

The 'Preview' option can be used to view the export count of the selected features. If there are configured filters, then it will be applied.

Clicking on the count, will display the data in a new UI (the columns will differ for each feature)

Ability to pick features to be imported

The import feature has been enhanced to pick individual features to be imported. The Import Selected option in the UI below can be used to pick the configuration objects.

All features checked from the UI below are included in the import.

Ability to set feature level action on existing configuration objects

The action on existing objects controls how to handle existing objects during an import operation. The options are Skip, Overwrite or Make Unique. This selection of this option was global and applied to all of the features. This has been enhanced to be configured at the feature level for the features selected from the UI above.

Ability to schedule policy re-evaluations

Import UI has an option to schedule policy re-evaluation. When this option is checked, a policy re-evaluation is scheduled when there are re-evaluation required configuration objects (policy, rule, condition, index) imported.

Microsoft Office 365 and Power Shell Connector Authentication

Microsoft Office 365 and PowerShell Connectors are enhanced to support Modern authentication methods. Modern Authentication is a method of identity management that offers more secure user authentication and authorization.

In the Microsoft Office 365 and PowerShell connector, the connector uses the basic authentication mechanism to get connection. Microsoft is encouraging users to replace basic authentication with modern authentication, as basic authentication is now deprecated and will be removed or disabled shortly. The modern authentication mechanism is added in Microsoft Office 365 and PowerShell connectors.

Microsoft Office 365 and PowerShell connector now supports the following three authentication modes.

1. Basic authentication with credentials (existing)
2. Modern authentication with credentials
3. Modern authentication using certificate

- To connect with basic or modern authentication using credentials, we will need the office 365 service account name and password.
- To connect with modern authentication using certificate, the extra connected system parameters needed are: private key (corresponding to the certificate), key file password and the registered application id.

For modern authentication to work, an exchange online management module needs to be installed in the identity and provisioning server as a prerequisite. The certificate should be uploaded in the registered application in Microsoft 365 azure portal. You will need its private key and password to configure the connected system using modern auth.

Power Shell Commands to create certificates

• To create self-signed certificate
  $cert = New-SelfSignedCertificate -DnsName "fischerdemo.onmicrosoft.com" -CertStoreLocation "cert:\LocalMachine\My" -NotAfter (Get-Date).AddYears(1) -KeySpec KeyExchange
• To Export Pfx private certificate file ‘cert.pfx’ with password. This private key file is used in connected system configuration.
  $cert | Export-PfxCertificate -FilePath cert.pfx -Password $(ConvertTo-SecureString -String "Password" -AsPlainText -Force)
• To export the certificate file ‘cert.cer’. This certificate should be uploaded in the azure application.
  $cert | Export-Certificate -FilePath cert.cer

Install ExchangeOnlineManagement module as pre-requisites

• Install-Module -Name ExchangeOnlineManagement

Microsoft Office 365 Connected System Info

PowerShell System Info with credentials - Designer

References:

Box Connector - Invite External User to Enterprise

User Data format Changes

• Added ‘accountDN’ and ‘InviteToEnterpriseIfExternalUserExists’ as import plug-in configuration.
• Added ‘EnterpriseId’ and 'inviteId' as import attribute.
• When user-add operation fails with error ‘user login already used’ and if the value of ‘InviteToEnterpriseIfExternalUserExists’ is True, an automated box invitation will be sent to the external box user to join the enterprise. The ‘inviteId’ will be included in import status record. The default value of ‘InviteToEnterpriseIfExternalUserExists’’ is False.

ExternalUserInvite Data format

A new data format (ExternalUserInvite) has been added to the connector, to invite external Box user in provisioning Box connector.

Supported Operations

• Import: Invite external Box user to join enterprise.
• Export/Lookup: Get Box invite status and details with invite id.

During a successful import task with data format ‘ExternalUserInvite’, an automated invitation email would be sent to the external box-user. The box server generates ‘inviteId’ which is included in the import status record. Export and lookup operations fetch box-invite status & details with the given ‘Invite Id’. Status values are pending/accepted/rejected.

The invitation mail contains an ‘Accept Invitation’ button. When the external user clicks the ‘Accept Invitation’ button, it will re-direct the user to Box login page in browser. When logged-in to box account with credentials, a pop-up window with accept and reject button will be displayed. The external box user could join the enterprise using the accept button click; otherwise, can reject the invitation.

Lookup Screen

UNIX SSH Connector - Security Enhancements

UNIX SSH connector is enhanced to support certificate based authentication and enhanced encryption options. The third-party library used by the connector is updated to the latest available version 4.4.15. Introduced a new connected system parameter to configure certificate/private-key required for certificate based authentication. Since password is optional for certificate based authentication, password parameter is made optional.

All these connector changes are backward compatible. So no configuration changes are required after upgrade. 

New Admin UI connected system details page looks like

Studio - Manage Product Attributes

Introduced option to manage product attributes from Studio. This option allows management of product attribute and attribute mapping from Studio. UI management display values are not supported from Studio. The attribute manage UI and process flow are similar to the one in admin UI. The menu option Tools --> Manage Product Attributes will display product attribute display page.

The attribute details page looks like:

Studio - Product Attribute Display

Introduced option to configure how the product attributes should be displayed while configuring workflows. This can be configured at Tools --> Configure

Once this is configured, the product attribute display in Studio will be based on this.

Studio - Manage Workflow Schedule

Introduced option to manage workflow schedules from Studio. Also introduced option to start/stop schedule, activate/suspend workflow and monitor workflow instances. All the relevant operations are supported for deploy, re-deploy and edit. The workflow deploy UI is made tab based page to an organized layout.

Workflow schedule management UI has a layout and flow similar to the one in admin UI. Schedules and schedule excludes can be managed based on schedule type.

Activate, Suspend and Auto-Suspend configurations can be managed from Activate/Suspend Configuration tab.

Workflow Instance tab allows monitoring of workflow instance. No instance level actions are supported from this tab.

PSA Policy for Studio Only Access

Introduced a new PSA Policy iPaaS Administration for studio only access. Users qualifying for the 'iPaaS Administrators' user group will be qualified for this policy and will get all studio access and the following limited options in admin UI.

Systems tab

• Connected Systems

Server tab

•   Workflows
•   Triggers
•   WF Instances 
•   Notification Events

Configuration tab

• Attributes
• Notifications
• Global Variables

GIG Auto Upgrade

Introduced option to auto upgrade GIG. Auto upgrade work based on the new context gigmanager introduced for GIG in 7.7. So GIG must be 7.7 or higher to support auto upgrade. Also the below configurations are import for the GIG auto upgrade to work properly.

Tomcat Configuration

The version recommended for GIG 7.7 is to use tomcat 9.

All context related operations like start and stops contexts are done by using tomcat manager API. Authentication is mandatory for manager APIs. So have to enable authentication by adding the below line to tomcat-users.xml file. Can adjust username and password to complex values.

<user username="tomcat" password="password" roles="manager-script"/>

During upgrade, the gig context files are updated when tomcat is running. If auto deploy option is turned on, tomcat will try to reload the context as update is happening. That can result issues to GIG upgrade. So auto deploy option must be off for the GIG tomcat. Auto deploy configuration is in the file config/server.xml.

GIG Configuration

Introduced option to provide tomcat authentication credentials in GIG details page. The credentials configured for tomcat should be provided for that.

Build Repository Configuration

The build repository supported for GIG auto upgrade is Artifactory. The default configuration is pointed to Fischer production Artifactory. Build repository can be configured  at GIG -> GIG -> GIG Build Manager ->Configure Repository. There will be separate authentication credentials created for each customer and that can be obtained by contacting Fischer infrastructure team.

The default configuration is to fetch just the GIG build of version matching with Identity server version. By adjusting the Root Path, Lowest Version and Highest Version parameters, additional versions of GIG .

Build Management

All GIG build management actions can be done at GIG -> GIG -> GIG Build Manager.

Once the repository is configured, build can be fetched using the Fetch Builds button in the GIG Build Manager page.

Once the build are fetched, desired builds can be downloaded using Download Build button . Download is an asynchronous process with download, check-sum validation, new zip creation and check-sum calculation. Refresh button can be used to monitor the progress. Once download is completed, the build status will be set to Enabled.

Manage GIG Server

All GIG server management can be done at GIG -> GIG -> Manage GIG Server. 

GIG Management Instances

For each GIG management action, there is an instance listing page to view the instances.

There is option in the instance listing page to see the instance details.

REST end point for SoD Evaluation

New REST end point introduced for evaluating SoDs. This end point accepts the resources (add/remove) and report SoD evaluation result by performing the policy SoD evaluation.

Request payload

startDate – Request’s start date. This is optional, when specified should be in the epoch date format (milli seconds). This is used to exclude any accesses which are going to be terminated by that date from the SoD evaluation - used only if the beneficiary type is ‘Existing’.

requestorIdentifiers and beneficiaryIdentifiers are name value map to identify the requestor and beneficiary.

beneficiaryType - New/Existing to identify whether request is for new user or existing user.

items – List of resources (supports Resource and Policy). externalName is the English displayName. systemName is the English displayName of the system, systemName is required only if the externalName is not unique. It is not required when the item type is Policy. changeType can be either Add or Remove.

Response

Values of statusCode

200 - Ok

206 - Partial Success. Some items have 200 status some have 403

400 - Bad request

403 - Forbidden. SoD violated, message will have the violated SoD's name.

404- Not found

Making REST request

Obtain Access Token

Request SoD Evaluation

Profile REST end point filter options

The profile REST end point has been enhanced to support the following filter options using wild card character ( * ).

givenName=* matches any value (excludes null and empty values)
givenName=*null* matches only null values.
givenName=John* matches all values starting with John.
givenName=*John matches all values ending with John.
givenName=*John* matches all values contains John.

Fixed defects

List of defects reported by customers or implementation, does not contain defects raised internally.

• Fixed password minimum age test failing for new AD accounts when the Active Directory (AD) password filter is being used. The AD password filter notification processing set the password as modified by the user to cause this issue. The fix is to consider any password filter notifications within 3 minutes of FUA start_date as a 'System' reset so that password minimum age test won't fail. The audit message for the event will reflect that the password filter notification for the new account is processed as by the 'System'.
• Fixed not to show the UI dialog box to download and install DUO mobile app when adding mobile phones of 'other' type. The other mobile phone can be added just like a land line, the QR code will be generated, which can be used later to enable push notifications if the device is a smart phone.
• Fixed duo bypass code not being generated if the user doesn't have any registered device. The fix allows a user to generate a bypass code without any registered device, but since duo requires to have an authentication device to use the bypass codes, user will be prompted to register a device during the authentication phase.
• The "Get Identity Info" mapper rule has been enhanced to retrieve alias information.

Sanity Testing

Latest Identity 7.7.20 Release Notes