Upgrade docker to a version >= 20.10.10 before you upgrade Digital Access to this or higher versions, since docker <= 20.10.9 has compatibility issues with the OpenJDK version used.
Info
title
Important!
SHA1 is no longer supported from DA 6.4.0 and later for SAML.
Digital Access has now removed the support for SHA1 algorithm for signing SAML messages. All applications must use other safe and available algorithms.
Added capability for scanning QR code during self provisioning and authentication using the Smart ID Mobile App. The configuration to use QR code or username can be done in Digital Access Admin GUI under Personal mobile authentication method.
DA-1117
After upgrading to Digital Access version 6.4.0 or higher, you set the Reporting database connection from Digital Access Admin. The existing configuration from customize.conf will be read and saved in RemoteConfiguration.xml after the upgrade. However, the admin service should be restarted after upgrade once. For a fresh setup, it is mandatory to set the Reporting database configuration in Digital Access Admin only.
It is now possible to send additional custom attributes in the SAML assertion and OIDC token which can be transformed by the basic attributes added in the assertion. Note that this will only work for single valued attributes for now. Also, it needs the basic attributes to be added first for the transformed attributes consuming these to work.
Example 1: If the basic attributes include FirstName and LastName, a transformed attribute, for example GivenName, can be created which can be a concatenation of the above attributes = ${FirstName} ${LastName}
Example 2: A custom transformed attribute can also be created by concatenating the basic attribute with a static string = ${FirstName} .test.com
In case the transform attribute name and basic attribute name is same, the transformed attribute value will take precedence and will be sent in the SAML assertion even if the basic attribute has 'Include in SAML assertion' enabled.
DA-1255
Added Filter for SAML and OIDC attributes. This can be used to limit the number of attributes sent in the SAML assertion for multi-valued attributes. For example, 'memberOf' can be filtered to send the relevant groups the user is a member of and not exposing all the groups that the user belongs to.
DA-227
The Java Bouncy Castle cryptography API library has been updated to the latest version (bcprov-jdk18on v1.76). This resolves the vulnerabilities found in the the older library. It is now possible to upload RSA private keys to Digital Access without having to encode them to PKCS#8.
As part of this, support for the RADIUS protocol PEAP has been removed. However, it is still possible to use the Authentication Service as an external RADIUS server using protocols: PAP, CHAP, MSCHAP and EAP.
Minor improvements
Jira ticket no
Description
DA-1252
Upgraded Java JDK to version 17.
DA-1377
Implemented subject types 'Persistent' and 'Transient' in Open ID Connect.
DA-1414
Added a flag for the basic SAML and OIDC attributes - "Include in SAML assertion" and "Include in token" respectively. When enabled, the attributes will be included. This is useful when there are transformed attributes added and you do not want to send the basic attributes in the response.
DA-652
Added support for persistent cookie to enable app-to-app SSO (RFC-8252). If you intend to use this feature, contract Nexus support.
Corrected bugs
Jira ticket no
Description
DA-1299
There was an issue where saving Global user account settings with OATH enabled gave an error. This has been fixed.
DA-1348
There was an issue with storing the configuration while saving a OATH database. This has been fixed.
DA-1437
Edit Personal desktop and User Certificate authentication methods in Digital Access Admin hides the "Certificate Authority" field if the Personal mobile authentication method has "Enable Certificate Authority" disabled.
DA-1305
The 'Define Source' value was missing when copying attributes for SAML-federation. This has been fixed.