Release notes

Option for On Behalf Of (OBO) to Verify the User

The profile management feature has been enhanced with user verification. This will allow the OBO to verify the user either through SMS PIN or through TOTP. The user verification can be turned on/off per user management action level from the admin UI user management configuration UI, as shown below.

From the self-service UI, if the selected action requires user verification, the UI will  show the' Verify the User' panel and requires either PIN or TOTP to proceed. The user has to read back the PIN/TOTP to the OBO user.

Google Connector Contact API Upgrade

Google connector was using the contact g-data API to manage contacts. The contact g-data API is retired now. Due to this, the connector has been modified to use the new People API for contact management. The attribute structure in new API is different from the old API. Contact attributes are modified to use new attribute structure without considering backward compatibility. Also, there are few changes in contact management behavior as detailed below.

Note: The scope needed to use this API is the same as it was for the Contact API that is now retired.

Plug-in Configuration ContactKeyAttribute

None of the attribute is mandatory for a contact, so it is not possible to use a predefined key attribute to uniquely identify contacts. To handle this, a new plug-in property is added to configure this.

Contact->changeType

Old contact modify process was depending on the entry level modify type to decide the contact operations during a user modify. It is difficult to identify the contact action based on modify type since the key attribute may not be unique in some cases. A contact level attribute is introduced to configure this. If this is not configured, it will try an add/modify based on contact existence for the configured key. Following is the behavior based each supported value.

Delete: For deleting a contact, resourceName is required. If the resourceName attribute is available in data, contact delete is processed with that. If resourceName is missing, modify processor will identify the contact with matching key attribute value and use it’s resourceName to delete the contact. If there is no matching contact for the key, the contact entry is skipped.

Modify: For updating a contact, resourceName and etag are required. If both attributes are available in data, contact modify is processed with those values. If any or both are missing, modify processor will identify the contact with matching key attribute value and use it’s resourceName and etag to update the contact. If the change type is modify and no matching contact exists for that key, the contact operation is marked as failure.

Add: When the change type is add, the contact is added without any key validation. So using a change type add can create duplicate contacts based on the key. To avoid this, we can keep the change type empty.

Mapping Between New and Old Contact Attributes

Google Connector Support Group Rename

Google Apps connector has been enhanced to support rename of existing groups. To achieve this, the connector has modified to include a new attribute "Original_GroupEmail" to provide the current name. When a group is renamed, old name will be added as an alias by Google. So the group can be fetched using the the old name even after rename.

Microsoft Office 365 Support Get-MailboxStatistics

Microsoft Office 365 connector has been enhanced to support the Get-MailboxStatistics command for MailBox objects. LastLogonTime is the only attribute included from this command to date. This is a read only attribute and is available in export and lookup functions.

Connectors Support Custom Attribute Files

Attribute schema creation for connectors are enhanced to support custom attributes file that can be at Studio level or ORG level. ORG level file should be in the name custom_<OrgId>_<ConnectorDefinitionName>attrcfg.xml and Studio level file should be in the name custom_<ConnectorDefinitionName>attrcfg.xml. These files should under the folder where the default attribute files are kept - Fischer\Provisioning\dataforum\config. Including a sample xml below.

<prio:root xmlns:prio="http://www.fisc.com/prio/">
    <prio:attributes type="Employee">
        <prio:attribute>
            <prio:Abbr>CustomAddress</prio:Abbr>
            <prio:Name>CustomAddress</prio:Name>
            <prio:subAttributes>
                <prio:attribute>
                    <prio:Abbr>XPersonAddress</prio:Abbr>
                    <prio:Name>XPersonAddress</prio:Name>
                    <prio:subAttributes>
                        <prio:attribute>
                            <prio:Abbr>xperaAttr1</prio:Abbr>
                            <prio:Name>xperaAttr1</prio:Name>
                        </prio:attribute>
                        <prio:attribute>
                            <prio:Abbr>xperaAttr1Date</prio:Abbr>
                            <prio:Name>xperaAttr1Date</prio:Name>
                        </prio:attribute>
                        <prio:attribute>
                            <prio:Abbr>xperaAttr2</prio:Abbr>
                            <prio:Name>xperaAttr2</prio:Name>
                        </prio:attribute>
                    </prio:subAttributes>
                </prio:attribute>
                <prio:attribute>
                    <prio:Abbr>XStudentId</prio:Abbr>
                    <prio:Name>XStudentId</prio:Name>
                    <prio:subAttributes>
                        <prio:attribute>
                            <prio:Abbr>xStudentId</prio:Abbr>
                            <prio:Name>xStudentId</prio:Name>
                        </prio:attribute>
                        <prio:attribute>
                            <prio:Abbr>xStudentIdType</prio:Abbr>
                            <prio:Name>xStudentIdType</prio:Name>
                        </prio:attribute>
                    </prio:subAttributes>
                </prio:attribute>
            </prio:subAttributes>
        </prio:attribute>
    </prio:attributes>
</prio:root>

Active Directory Powershell Connector PDC Discovery

The PDC discovery for Active Directory powershell connector is modified to include -ForceDiscover switch to avoid any caching issue when PDC is got changed. Before the fix, an Identity/Provisioning/GIG tomcat restart was required. Also made changes to log the failure instead of throwing an exception when the PDC discovery is failed.  This will make sure that all connector operations which doesn't require PDC will be suceeded.

Fixed defects

List of defects reported by customers or implementation, does not contain defects raised internally.

• Fixed issue with the Oracle HCM Employee-Atomfeeds data format export failing when InitialTransactionStartDate is given in DateTime format.
• Fixed issue with Workday Transaction Log data format export when the client machine time is slightly ahead. Adjusted transaction through date by a second to avoid the issue. When there is major difference is time, client machine time should be adjusted.
• Fixed issue in "Date Difference" mapper rule not considering leap year when date difference is calculated as Years.
• Fixed issues in Google connector resulted by case sensitive comparison while managing aliases with a modify type of replace.
• Fixed issue with Workflow Chainer configurations when product attribute display names are enabled.
• Fixed issue where the interactive password policy feature was displaying multiple times on the screen.     
• Fix for logout issue in password reset pages due to bug in the interactive password policy feature.     
• Fixed issue with update for Google Recaptcha Challenge not being displayed fully on the screen. 
• Fixed issue where the password validation feature would exit the user from the user interface incorrectly if the password policy had "starts with" rule configured.
• Fixed issue where all the alias management configurations were not imported during an org import.    
• Fixed issue with post import processing when a GIG associated import task in bulk mode is completed in non connectivity mode. For example, if all of the records were set with Transaction-ProcessEntry = 2 would cause this issue.
• Fixed issues with Gallagher Security filter management and API filter creation when there is left or right parentheses in the value field.
• Fixed issues where the mandatory field message was display by default on the Identity Claim - Profile Update screen.    
• Fixed SQL error on resource listing when searching resources by system. This issue created an error on the screen that the org_id column was ambiguous.
• Fixed issue of Data Mapper Replace Value rule losing target value after )
• Fixed issue of not populating PSA groups for resource node when a new resource is added to an existing group node using configuration hub. 

Latest Identity 7.7.20 Release Notes