Release note Digital Access component 6.4.0
Version: 6.4.0
Release Date: 2023-10-23
Upgrade docker
Upgrade Docker to version 20.10.10 or later before you upgrade Digital Access to this or a higher version, because Docker 20.10.9 and earlier has compatibility issues with the OpenJDK version used.
Important!
SHA1 is no longer accepted by Digital Access for SAML signing
From DA version 6.4.0 onwards, Digital Access acting as IDP no longer accepts SAML messages signed using the SHA1 algorithm. All applications must use other safe and available algorithms.
If there are clarifications or concerns regarding the above, contact Nexus support for more information.
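A pre-upgrade check for the SHA1 change above, as an added example that is not part of the release note or of Digital Access: it inspects captured SAML messages from an application and reports any SHA-1 algorithm URI in the XML signature or in the HTTP-Redirect SigAlg parameter. The sample messages and function names are constructed for illustration, and flagging SHA-1 digests as well as SHA-1 signature methods is an assumption made here for completeness.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# XML-DSig algorithm URIs built on SHA-1 (signature methods and the digest).
SHA1_URIS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
}

def sha1_in_xml(xml_text):
    """List (element, URI) pairs where a signed SAML message uses SHA-1."""
    if "<!DOCTYPE" in xml_text:  # SAML never needs a DTD; refuse entity tricks
        raise ValueError("DOCTYPE not allowed in SAML input")
    root = ET.fromstring(xml_text)
    hits = []
    for tag in ("SignatureMethod", "DigestMethod"):
        for el in root.iter(DS + tag):
            if el.get("Algorithm") in SHA1_URIS:
                hits.append((tag, el.get("Algorithm")))
    return hits

def sha1_in_post(saml_b64):
    """HTTP-POST binding: the form field is the base64-encoded XML message."""
    return sha1_in_xml(base64.b64decode(saml_b64).decode("utf-8"))

def sha1_in_redirect(url):
    """HTTP-Redirect binding: the algorithm travels in the SigAlg parameter."""
    algs = parse_qs(urlparse(url).query).get("SigAlg", [])
    return [("SigAlg", a) for a in algs if a in SHA1_URIS]

def _sample(sig_alg, digest_alg):
    # Constructed, abbreviated AuthnRequest: only the elements inspected here.
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed1">'
        "<ds:Signature><ds:SignedInfo>"
        f'<ds:SignatureMethod Algorithm="{sig_alg}"/><ds:Reference URI="#_constructed1">'
        f'<ds:DigestMethod Algorithm="{digest_alg}"/></ds:Reference>'
        "</ds:SignedInfo></ds:Signature></samlp:AuthnRequest>"
    )

XMLDSIG = "http://www.w3.org/2000/09/xmldsig#"
LEGACY = _sample(XMLDSIG + "rsa-sha1", XMLDSIG + "sha1")
MODERN = _sample("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                 "http://www.w3.org/2001/04/xmlenc#sha256")

if __name__ == "__main__":
    print(sha1_in_xml(LEGACY), sha1_in_xml(MODERN))
```

An empty result for every binding an application uses means that application already signs with a non-SHA1 algorithm.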
Features
Jira ticket no | Description |
---|---|
DA-1116 | It is now possible to run Digital Access without databases that are not required. See Configure databases in Digital Access for more information. |
DA-1324 | Added capability for scanning QR code during self provisioning and authentication using the Smart ID Mobile App. The configuration to use QR code or username can be done in Digital Access Admin GUI under Personal mobile authentication method. There is a known issue where the QR scan will not work if there is a user ID named ‘tmp’ in the DA system. ‘tmp’ is a reserved name and should not be used in the user database to avoid this issue. |
DA-1117 | After upgrading to Digital Access version 6.4.0 or higher, you set the Reporting database connection from Digital Access Admin. The existing configuration from customize.conf will be read and saved in RemoteConfiguration.xml after the upgrade. However, the admin service should be restarted once after the upgrade. For a fresh setup, it is mandatory to set the Reporting database configuration in Digital Access Admin only. See Configure databases in Digital Access for more information. Before upgrading, make sure that the customize.conf file is present in the administration configuration files folder and that the Reporting database is configured. |
DA-986 | It is now possible to send additional custom attributes in the SAML assertion and OIDC token, which can be transformed from the basic attributes added in the assertion. Note that this only works for single-valued attributes for now. Also, the basic attributes must be added first for the transformed attributes that consume them to work. Example 1: If the basic attributes include FirstName and LastName, a transformed attribute, for example GivenName, can be created as a concatenation of these attributes with the value ${FirstName} ${LastName}; Example 2: A custom transformed attribute can also be created by concatenating the basic attribute with a static string, using the value ${FirstName} .test.com; If the transformed attribute name and the basic attribute name are the same, the transformed attribute value takes precedence and is sent in the SAML assertion even if the basic attribute has 'Include in SAML assertion' enabled. |
DA-1255 | Added a filter for SAML and OIDC attributes. This can be used to limit the number of attributes sent in the SAML assertion for multi-valued attributes. For example, 'memberOf' can be filtered to send only the relevant groups the user is a member of, without exposing all the groups that the user belongs to. |
DA-227 | The Java Bouncy Castle cryptography API library has been updated to the latest version (bcprov-jdk18on v1.76). This resolves the vulnerabilities found in the older library. It is now possible to upload RSA private keys to Digital Access without having to encode them to PKCS#8. As part of this, support for the RADIUS protocol PEAP has been removed. However, it is still possible to use the Authentication Service as an external RADIUS server using the protocols PAP, CHAP, MSCHAP and EAP. |
Minor improvements
Jira ticket no | Description |
---|---|
DA-1252 | Upgraded Java JDK to version 17. |
DA-1377 | Implemented subject types 'Persistent' and 'Transient' in OpenID Connect. |
DA-1414 | Added a flag for the basic SAML and OIDC attributes - "Include in SAML assertion" and "Include in token" respectively. When enabled, the attributes will be included. This is useful when there are transformed attributes added and you do not want to send the basic attributes in the response. |
DA-652 | Added support for persistent cookie to enable app-to-app SSO (RFC-8252). If you intend to use this feature, contact Nexus support. |
Corrected bugs
Jira ticket no | Description |
---|---|
DA-1299 | There was an issue where saving Global user account settings with OATH enabled gave an error. This has been fixed. |
DA-1348 | There was an issue with storing the configuration while saving an OATH database. This has been fixed. |
DA-1437 | Edit Personal desktop and User Certificate authentication methods in Digital Access Admin hides the "Certificate Authority" field if the Personal mobile authentication method has "Enable Certificate Authority" disabled. |
DA-1305 | The 'Define Source' value was missing when copying attributes for SAML-federation. This has been fixed. |
Contact information
For information regarding support, training, and other services in your area, visit www.nexusgroup.com/.