Table of Contents
Note: This document is also available in other formats. A PDF version of this document, along with all current and older documentation in PDF format, can be found at https://my.clavister.com. It is also available in a framed HTML version.
This release notes document covers both EasyAccess 4.3 and the earlier 4.2 upgrade changes and consists of the following major sections:
In addition, the following is included for upgrades from versions prior to 4.1:
Important installation changes for 4.1 and later, including Hazelcast changes:
Chapter 4, Installation Changes for 4.1
How to customize the Password Self-Service (PSS) user interface from 4.1 onwards:
Chapter 5, Customizing PSS for 4.1 or Later
Boot and store changes from 4.1 onwards:
Chapter 6, Boot & Store Changes for 4.1
See the separate EasyAccess 4.1 Release Notes for all changes related to the 4.1 release.
Upgrading from Pre-4.n Versions
Note that upgrading a version earlier than 4.0 is discussed in the earlier version 4.0.2 release notes.
Dependency updates
Underlying dependencies have been updated extensively. Local customizations may be affected.
Trace ID for all authenticators
Every authenticator now logs using the trace ID, if configured.
Internal authenticator - Siths e-id
New authenticator for internal use. See separate documentation.
Signing service updates
Refactoring of component placement and language updates to conform with the PhenixID signing workflow application. UI updates to conform better with the Web Content Accessibility Guidelines (WCAG). Visual signatures can now contain a custom font. Visual signatures can now truncate the signer name. Localisation of the PDF preview.
New GUIDE for creating API endpoints
A new guide has been created to aid in setting up and maintaining API endpoints.
Bundled FIDO icon
A default FIDO icon is bundled with the installation for use in FIDO authentication scenarios.
Add support for overlay in FIDO activation
FIDO activation now supports the "overlay" pattern.
FIDO token deactivation
MFA admin now supports the deactivation of FIDO tokens.
Support for "proceed on error" in RADIUS valves
The RADIUS valves now support the proceed-on-error pattern.
Guide clarification
In the FIDO enrollment setup GUIDE, the IDP selection has been clarified.
CertificateExtractorValve updates
Supports extraction of names in string format (rfc822Name, dNSName, uniformResourceIdentifier, iPAddress) and ASN.1-encoded otherName.
Support for additional SAML profile
The SAML Holder-of-Key Web Browser SSO Profile is now supported.
Improved event logging Siths e-id
The entry now includes the identified user.
Updated event logging, SAMLNias & NiasAuth
The entry event id has been changed to EVT_004811 on success and EVT_004810 on failure.
Improved event logging when using phenix-api-bankid
New event ids have been added. They carry information about the requested action, the calling tenant and the source IP address (if possible) and, when applicable, include the BankID order ref.
Updated behavior when using BankID on the same device
When using BankID on the same device, the user is required to manually trigger the switch to the BankID application.
JWKS response SHA-1 thumbprint update
In the previous version the value of x5t was faulty.
Freja e-ID valve updates
Support for using the valves "on behalf of/relying party". The valves updated are:
FrejaEIDAuthRequestValve
FrejaEIDAuthStatusValve
FrejaEIDSignRequestValve
FrejaEIDSignStatusValve
Updated behaviour in ACS selection
The new behaviour filters out unsupported bindings and selects based on index. The SP can override this by sending in a custom ACS URL and binding; a signed request is required.
Conforming to new BankID backend
All communication with the BankID backend now uses version 5.1.
SAMLNias authenticator update
Configuration update that breaks the previous configuration. Be sure to verify the configuration in the current release.
NiasAuth authenticator update
Configuration update that breaks the previous configuration. Be sure to verify the configuration in the current release.
NIAS valves updated configuration
Breaking configuration change in the NIAS valves:
NiasCollectAuthenticationStatusValve
NIASSignValve
NiasAuthenticateValve
NIASCollectSignatureValve
Dependency updates
Underlying dependencies have been updated extensively. Local customizations may be affected.
OIDC improvements / updates
Correct behavior in regards to "prompt=none"
When prompt=none is sent by the RP and the session is not authenticated, the request is sent back in accordance with https://openid.net/specs/openid-connect-core-1_0.html#AuthError
Guide update
When setting up an OIDC OP the scenario now produces a jwks_uri based on the defined authorization endpoint URL domain + tenantID. (Same pattern as token_endpoint).
Guide update
The kid param of the valve is now automatically set based on the selected keystore for the jwt signing.
Guide update
Token endpoint is now constructed using tenant in URI. Previously the tenant was put as a parameter in the query string.
Guide update
"userInfo" end point is now created at guide completion.
Guide update
Scenario configurations creates a jwt with a proper "amr" configuration. Data type now is array.
JWKS response update
Removed "alg" from the JWKS response. The parameter is optional. Signing algorithms should be configured in the "well-known/openid-configuration" response. Currently defaults to RS256, which is the only alg supported.
OIDC discovery regularly updated
By default, discovery URLs are re-discovered every 60 minutes.
New error handling for prompt_none - return with POST
When an error response is sent back because a prompt=none request was violated, the response must be sent back using HTTP POST.
Changed behavior of OIDC scenarios
Most of the OIDC scenarios have been disabled for new creation. Already added scenarios remain and can be edited.
It is now recommended to use the OIDC->SAML Identity Provider scenario. Using this scenario provides accessibility to all authentication methods included in the platform. Using this scenario also makes it feasible to use already added SAML Identity Providers, both internal and external.
Added friendly name displaying SAML idp
When selecting an idp from a drop-down, the display name has been added for clarity.
FrejaEIDSAML relying party id added
FrejaEIDSAML now supports the property relyingPartyId, facilitating MSP scenarios.
Compression added to some HTTP resources
Added support for Gzip compression when serving static files, if the user agent supports it.
FidoAuthenticatorSAML added missing event
Events are now written on success and failure.
Disable logging for org.opensaml.xml in log4j2.xml
New default behaviour for OpenSAML XML handling logging. The default is now OFF.
Bug fixes
Fido authenticators events
The events written have been updated to better fit the use case.
"Unlock" account in PSS
Faulty behavior when unlocking an account in AD has been fixed.
Language mix in PSS
Fixed mix of languages shown in PSS.
PSS customization updates
The procedure for customizing the UI in PSS is described in Chapter 5, Customizing PSS for 4.1 or Later.
This chapter describes the changes required when installing EasyAccess version 4.1.
One Touch Changes
After version 2.6 there was a change to the template file used by OneTouch. The server will now look for this file in the folder /resources, and the name of the default template file has changed from onetouch_template_json.template to ot_auth_template.json. If there are One Touch scenarios configured in earlier versions, please go into the Configuration Manager, locate your scenario(s) for One Touch and click on the tab "Advanced". Edit the name of the template file according to your environment. If OneTouch tokens have been enrolled in version 2.7 or earlier, you may see an error on startup.
Hazelcast Changes
From version 4.1 onwards, a new version of Hazelcast is used which requires system changes when upgrading from a pre-4.1 version. The following warning can be seen in the server.log file on startup to indicate that changes are needed:
    [CPSubsystem] WARN: [192.168.86.38]:5701 [dev] [4.1.1] CP Subsystem is not enabled. CP data structures will operate in UNSAFE mode! Please note that UNSAFE mode will not provide strong consistency guarantees.
This message is explained further in the Hazelcast documentation at:
Note that the changes described should be applied to all nodes in the cluster separately before they rejoin the cluster.
Location of module session-manager
The location of the module session-manager has moved from the section "default_modules" to "deploy" in the file /config/boot.json. When doing an upgrade, please make sure to move this module before starting the service. It should be placed like this:
    "deploy": [
        {
            "name": "com.phenixidentity~phenix-event",
            "enabled": "true"
        },
        {
            "name": "com.phenixidentity~phenix-store-json",
            "synchronous": "true",
            "address": "com.phenixidentity.configuration",
            "config": {
                "store.file": "./config/phenix-store.json",
                "persistsessions": "false",
                "encryption.key": "secret",
                "enabled": "true"
            }
        },
        {
            "module": "com.phenixidentity~phenix-schedule",
            "enabled": "true",
            "config": {}
        },
        {
            "name": "com.phenixidentity~phenix-session-manager",
            "scope": "global",
            "singleton": "true",
            "config": {}
        },
        {
            "name": "com.phenixidentity~phenix-store-mpl",
            "config": {
After the first startup, the module should be removed from the Modules section in the config GUI. In the "Advanced" tab, expand "Modules" and find:
    com.phenixidentity~phenix-session-manager
Make a note of the id and then press the minus sign. Press "Confirm deletion" and then "Commit changes".
Now go to "NODE_GROUPS", find the id and remove it from module_refs. When done, press "Stage changes" and "Commit changes".
Bankid Changes
If using Swedish BankID, the template has been updated.
Authentication API
The API calls of module com.phenixidentity~phenix-api-authenticate have been updated. In order to access any One Touch API endpoint, the URI must now end with a "/". For example:
    /api/authentication/onetouch/assign/
In addition, the ending part of the URI must be listed as an allowed operation:
    "allowedOperation":["assign"]
ADFS MFA Adapter
The ADFS MFA Adapter for OneTouch has been updated to work against an EasyAccess 3.2 backend. The new binaries can be downloaded from this link:
https://files.phenixid.se/s/6P2Anz9z5q6tKF7/download
Replace the file PhenixIDMFAAuthenticationProviderOneTouch.dll then unregister and reregister the OneTouch MFA Adapter.
Updates Required for boot.json and phenix-store.json
These are described in Chapter 6, Boot & Store Changes for 4.1.
Updated Authenticators
Authenticators have updates that may result in new behavior. The update consists of a change in how a user is bound to the session. For the authenticators PostUidPasswordAndOTPSAML, OIDCPostUidPasswordAndOTP and PostUidPasswordAndOTP the session is rebound for each authentication. This means that in scenarios where the above authenticators are used along with others in an already authenticated session, the primary user identity may change when re-authenticating using one of the above authenticators.
This chapter describes how to customize Password Self Service in EasyAccess Server 4.1 and later. The requirements are:
Note: Changes will be made to files that are located in modules for the current version of EasyAccess Server. This means that the customizations need to be manually transferred to the new module version when upgrading (except for the file phenix-store.json).
Overview
The instructions in this document will help you customize Password Self Service in EasyAccess Server. Changes can be made to the parts described below. Most things in the examples below will work with PSS 4.2, but a few of them will only be available from version 4.3.
Depending on the configuration and desired customizations, we will make changes to some, or all of the files mentioned. Make sure that you have a recent copy/backup of these files. Changes to the configuration file phenix-store.json should be made using the configuration portal.
Customizations
The image below indicates with 3 letter labels the various parts of the UI that can be customized.
The details for all customizations are discussed next.
Logo (AAA)
By default, this image is called "default_blue.png" and is located in:
    <!--link rel="icon" href="./favicon.ico"/-->
    <link rel="shortcut icon" href="./images/mylogo.ico">
CSS Stylesheet Customization
For CSS customization, add the following just before the </body> in:
    <link href="./static/css/custom.css" rel="stylesheet">
The following CSS file is an example of a customized PSS. Please use this as a template for your 4.2.0 version or later.
The file should be called custom.css and placed in:
    mods\com.phenixidentity~phenix-prism-pwdreset~<VERSION>\web\static\css
    /* This is a template css file for PSS created for version 4.3 2021-09-21.
       The default styling will be used for everything except for what is configured in this file.
       As a quick start, just search and replace the default colors:
       Primary background color (active): #80b7ab
       Secondary background color (inactive): #e0e0e0
       Primary font color (active): #ffffff
       Secondary font color (inactive): #747474 */

    /* Top bar wrapper (BBB) */
    header > .wrapper {
        border-bottom: 1px solid #80b7ab;
        border-top: 1px solid #80b7ab;
    }
    .Border-Color {
        border-color: #80b7ab !important;
        border-top: 1px solid #80b7ab !important;
    }

    /* (CCC) */
    #phenix-header-avatar {
        background: #80b7ab;
    }

    /* Color for language menu (CCC) */
    ul#list > li[active="true"] {
        background-color: #80b7ab !important;
    }

    /* (HHH) */
    #card-holder {
        border: 1px solid #80b7ab;
        border-color: #80b7ab !important;
    }
    #new-password {
        -webkit-box-shadow: inset 2px 0px 0px 0px #80b7ab;
    }
    .MuiInputLabel-root.Mui-focused, .MainColor {
        color: #000 !important;
    }

    /* Password rule, inactive (FFF) */
    .label-button-first:not(.active), .label-button-second:not(.active) {
        color: #747474 !important;
        border-color: #747474 !important;
        background-color: #e0e0e0 !important;
    }

    /* Password rule, active (EEE) */
    .label-button-first.active, .label-button-second.active {
        color: #ffffff !important;
        border-color: #ffffff !important;
        background-color: #80b7ab !important;
    }

    /* submit password button (GGG) */
    #submit_password:not(:disabled) {
        background: #80b7ab;
    }

    /* Password rule, font size (EEE/FFF) */
    /* .label-button-first, .label-button-second {
        font-size: 10px !important;
    } */

    /* submit password button, font size (GGG) */
    /* #submit_password {
        font-size: 10px !important;
    } */

    /* background (DDD) */
    /* body, header, section {
        background: #fbfaf8 !important;
    } */
    /* section {
        border: 0px !important;
        height: calc(-96px + 100vh) !important;
    } */
Color of buttons and menu (4.1 specific - CCC / EEE / FFF / GGG)
To change the color of the border background and the buttons, the following CSS has to be applied in the custom.css file:
    /* Version 4.1.0 (including 4.0.3 and 4.0.4, but not 4.0.5) */
    .jss69.active {
        background-color: #80b7ab !important; /* background color */
        color: black !important; /* Text colour */
        border-color: blue !important; /* border */
    }
    /* Password rules button background color */
    .MuiButton-containedPrimary-92 {
        background-color: #80b7ab;
    }
    /* Change password button */
    .MuiButton-containedPrimary-92:hover {
        background-color: #80b7ab;
    }
    /* Menu color */
    .MuiFab-root-39 {
        background-color: #80b7ab;
    }
    .MuiTypography-colorPrimary-27 {
        color: #80b7ab;
    }
    .MuiListItem-root-146.Mui-selected {
        background-color: #80b7ab;
    }
Remove Change Language from menu (4.1 specific - CCC)
To remove the possibility to choose language on the reset password page, the following CSS has to be applied in the custom-body.css file.
    /* Hide change language */
    .jss35 {
        display: none;
    }
Text and Translations - Pwd-reset module
To change text, add subtitles on the password page or result page, and add/remove/change settings for language, edit the file translation.json (for the respective language). This is located in:
To add a new language copy one of the language folders located in:
<installdirectory>/mods/com.phenixidentity~phenix-prism-pwdreset~<VERSION>/web/locales/
Rename the folder to the new language code, for example to "nl" for the Netherlands.
Edit the translation.json file in the new folder and translate all text variables to the new language.
Add the new language to the lang section of all the translation.json files in every language folder. In the example below, "nl": "Dutch" has been added:
    "lang": {
        "en": "English",
        "sv": "Swedish",
        "de": "German",
        "fr": "French",
        "nl": "Dutch"
    }
Text and Translations - Prism module
Some translations are inherited from the default webapp. Edit the file translation.json (for the respective language), located in:
To add a new language copy one of the language folders located in:
<installdirectory>/mods/com.phenixidentity~phenix-prism~<VERSION>/locales/
Rename the folder to the new language code, for example to "nl" for The Netherlands.
Edit the translation.json file in the new folder and translate all text variables to the new language.
Adding control against global breach list
Even though a password meets the local policies, there is still the possibility that the password has been part of a password leak. It is possible to enable an online check for breach validation. If the password has been found in a prior data breach, the user will be notified and can choose another password.
An external password check is enabled using the parameter:
    "pwdreset_hint": "true"
on the module:
    "name": "com.phenixidentity~phenix-prism-pwdreset"
Example of different password policies
Default policy rules can be changed in the scenario for PSS, under "Password Policy". In case other password policies are needed, they can be added through the Advanced tab, Modules and "com.phenixidentity~phenix-prism-pwdreset". Add the desired regex to "pwdreset_rules", like the examples below.
At least 3 lower case characters:
    {\"name\":\"3-lower\",\"regex\":\"^(?:.*[a-z]){3}.*$\",\"enabled\":true}
At least 3 uppercase characters:
    {\"name\":\"3-upper\",\"regex\":\"^(?:.*[A-Z]){3}.*$\",\"enabled\":true}
Comply with 3 out of 4:
    {\"name\":\"complex\",\"regex\":\"^(?:(?=.*?[a-z])(?=.*?[A-Z])(?=.*?[0-9])(?=.*?[^a-zA-Z0-9]).*)|(?:(?=.*?[a-z])(?=.*?[A-Z])(?=.*?[0-9]).*)|(?:(?=.*?[a-z])(?=.*?[A-Z])(?=.*?[^a-zA-Z0-9]).*)|(?:(?=.*?[a-z])(?=.*?[0-9])(?=.*?[^a-zA-Z0-9]).*)|(?:(?=.*?[A-Z])(?=.*?[0-9])(?=.*?[^a-zA-Z0-9]).*)$\",\"enabled\":true}
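As an added example, not part of the release notes or the product's own code, the rules above are evaluated in Python: each rule string is decoded from its backslash-escaped form (assumed to sit in a list under "pwdreset_rules"), candidate passwords are checked against the enabled rules, and the counting form "(?:.*[a-z]){3}" is contrasted with the consecutive form "[a-z]{3}", which only accepts three lowercase letters in a row. Python's re is used; the product's own regex engine is not shown on the page.

```python
import json
import re

# Constructed fragment of the pwdreset module entry. Each rule is kept as the
# backslash-escaped JSON string shown above; holding them in a list under
# "pwdreset_rules" is an assumption about the store layout.
MODULE_CONFIG = json.loads(r'''{
  "name": "com.phenixidentity~phenix-prism-pwdreset",
  "config": {"pwdreset_rules": [
    "{\"name\":\"3-lower\",\"regex\":\"^(?:.*[a-z]){3}.*$\",\"enabled\":true}",
    "{\"name\":\"3-upper\",\"regex\":\"^(?:.*[A-Z]){3}.*$\",\"enabled\":true}",
    "{\"name\":\"complex\",\"regex\":\"^(?:(?=.*?[a-z])(?=.*?[A-Z])(?=.*?[0-9])(?=.*?[^a-zA-Z0-9]).*)|(?:(?=.*?[a-z])(?=.*?[A-Z])(?=.*?[0-9]).*)|(?:(?=.*?[a-z])(?=.*?[A-Z])(?=.*?[^a-zA-Z0-9]).*)|(?:(?=.*?[a-z])(?=.*?[0-9])(?=.*?[^a-zA-Z0-9]).*)|(?:(?=.*?[A-Z])(?=.*?[0-9])(?=.*?[^a-zA-Z0-9]).*)$\",\"enabled\":true}",
    "{\"name\":\"min-64\",\"regex\":\"^.{64,}$\",\"enabled\":false}"
  ]}
}''')


def load_rules(module_config):
    """Decode each rule string (a second JSON layer) and keep the enabled ones."""
    rules = []
    for raw in module_config["config"]["pwdreset_rules"]:
        rule = json.loads(raw)
        if rule.get("enabled") is True:
            rules.append((rule["name"], re.compile(rule["regex"])))
    return rules


def check_password(password, rules):
    """Names of the enabled rules the candidate fails (empty list = accepted)."""
    return [name for name, rx in rules if rx.search(password) is None]


def consecutive_vs_total(password):
    """Contrast '[a-z]{3}' (three lowercase letters in a row) with
    '(?:.*[a-z]){3}' (three lowercase letters anywhere in the password)."""
    consecutive = re.search(r"^.*[a-z]{3}.*$", password) is not None
    total = re.search(r"^(?:.*[a-z]){3}.*$", password) is not None
    return consecutive, total


RULES = load_rules(MODULE_CONFIG)
```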
Remove Change Language from menu 4.2.x and later (CCC)
To remove the possibility to choose language on the reset password page, add the line below on the module for EasyAccess PSS:
    "enable_language": "false",
This is done in the Configuration portal, Advanced tab, Modules. Add the parameter to the configuration, as in this example:
    {
        "name": "com.phenixidentity~phenix-prism",
        "enabled": "true",
        "config": {
            "base_url": "/pss",
            "enable_language": "false",
            "auth_redirect_url": "/pss/authenticate/77ad39d3-5f5f-425d-b50e-fdad2e073da5",
            "http_configuration_ref": "95c7aa57-7a0b-414a-85e1-c5468277bb33",
            "enable_roles": "true",
            "standalone": "true",
            "module_refs": "0b5f8151-9f82-4877-a2a7-0b9a393ecc6c"
        }
    }
After an upgrade to version 4.1 manual editing is required for the following files:
boot.json
phenix-store.json
boot.json Changes
Locate the section "default_modules" and insert the section below:
    {
        "name": "com.phenixidentity~phenix-httpclient-mod",
        "scope": "global",
        "singleton": "true",
        "config": {
            "_proxy": "",
            "ssl_tls_version": "TLSv1.2",
            "ssl_trust_all": "false",
            "_ssl_keystore_ref": "",
            "_ssl_truststore_ref": "",
            "request_timeout": "2000",
            "connect_timeout": "-1",
            "socket_timeout": "-1",
            "allow_redirect": "false",
            "allow_relative_redirect": "false",
            "max_redirects": "0",
            "request_body_max_size": "2097152",
            "response_body_max_size": "2097152"
        }
    }
Refer to the reference file at this link for details:
https://media.screensteps.com/attachment_assets/assets/003/945/546/original/boot.json
phenix-store.json Changes
In the "ADVANCED" tab, locate the section "MODULES" and insert the following section:
    {
        "name" : "com.phenixidentity~phenix-httpclient-mod",
        "scope" : "global",
        "singleton" : "true",
        "config" : {
            "_proxy" : "",
            "ssl_tls_version" : "TLSv1.2",
            "ssl_trust_all" : "false",
            "_ssl_keystore_ref" : "",
            "_ssl_truststore_ref" : "",
            "request_timeout" : "2000",
            "connect_timeout" : "-1",
            "socket_timeout" : "-1",
            "allow_redirect" : "false",
            "allow_relative_redirect" : "false",
            "max_redirects" : "0",
            "request_body_max_size" : "2097152",
            "response_body_max_size" : "2097152"
        },
        "enabled" : "true",
        "created" : "2020-11-24 11:17:56.988",
        "id" : "84d7028c-9174-459d-8eeb-c6fed70d77ab"
    }
Locate the section "NODE_GROUPS", then the "node group" with the name "default" ( "name" : "default"). In the "module_refs" parameter, add the ID of the newly added module, 84d7028c-9174-459d-8eeb-c6fed70d77ab.
For example:
    {
        "name" : "default",
        "description" : "Default node group (created automatically) - all nodes belong to this group",
        "config" : {
            "module_refs" : "84d7028c-9174-459d-8eeb-c6fed70d77ab"
        },
        "created" : "2020-11-24 11:17:57.007",
        "id" : "7dda2447-2f86-4743-88ba-3ce65bd984fa",
        "modified" : "2020-11-24 11:17:57.017"
    }
Note that the above does not represent a working production configuration.
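As an added check, not part of the release notes or the product, a Python audit of a constructed phenix-store.json fragment: it resolves the module_refs of the "default" node group against the MODULES ids and reports any httpclient-mod setting that deviates from the values given above (ssl_trust_all "false", TLSv1.2, redirects off). Treating MODULES and NODE_GROUPS as JSON lists, and module_refs as possibly comma-separated, are assumptions.

```python
import copy
import json

# Constructed phenix-store.json fragment modelled on the MODULES and NODE_GROUPS
# entries above; treating both sections as JSON lists is an assumption.
STORE = json.loads('''{
  "MODULES": [{
    "name": "com.phenixidentity~phenix-httpclient-mod",
    "scope": "global", "singleton": "true", "enabled": "true",
    "config": {"ssl_tls_version": "TLSv1.2", "ssl_trust_all": "false",
               "allow_redirect": "false", "allow_relative_redirect": "false",
               "max_redirects": "0"},
    "id": "84d7028c-9174-459d-8eeb-c6fed70d77ab"
  }],
  "NODE_GROUPS": [{
    "name": "default",
    "config": {"module_refs": "84d7028c-9174-459d-8eeb-c6fed70d77ab"},
    "id": "7dda2447-2f86-4743-88ba-3ce65bd984fa"
  }]
}''')

HTTPCLIENT = "com.phenixidentity~phenix-httpclient-mod"
# Values the release notes give for the module; any deviation is reported.
EXPECTED = {"ssl_tls_version": "TLSv1.2", "ssl_trust_all": "false",
            "allow_redirect": "false", "allow_relative_redirect": "false",
            "max_redirects": "0"}


def module_refs(node_group):
    """module_refs is a single id on the page; a comma-separated string or a
    list is also accepted here (assumption)."""
    refs = node_group.get("config", {}).get("module_refs", [])
    if isinstance(refs, str):
        refs = [r.strip() for r in refs.split(",") if r.strip()]
    return list(refs)


def audit(store):
    """Return findings: dangling module_refs in the 'default' node group and an
    httpclient module that is missing, disabled, unreferenced or weakened."""
    modules = {m["id"]: m for m in store["MODULES"]}
    default = next(g for g in store["NODE_GROUPS"] if g["name"] == "default")
    refs = module_refs(default)
    findings = [f"dangling module_ref {r}" for r in refs if r not in modules]
    http = next((m for m in modules.values() if m["name"] == HTTPCLIENT), None)
    if http is None:
        return findings + ["httpclient-mod missing from MODULES"]
    if http.get("enabled") != "true":
        findings.append("httpclient-mod not enabled")
    if http["id"] not in refs:
        findings.append("httpclient-mod not referenced by default node group")
    for key, want in EXPECTED.items():
        got = http.get("config", {}).get(key)
        if got != want:
            findings.append(f"{key}={got!r}, expected {want!r}")
    return findings


# Weakened copy (constructed): trust-all TLS switched on and the module
# reference replaced by an id that exists nowhere in MODULES.
WEAK_STORE = copy.deepcopy(STORE)
WEAK_STORE["MODULES"][0]["config"]["ssl_trust_all"] = "true"
WEAK_STORE["NODE_GROUPS"][0]["config"]["module_refs"] = "00000000-0000-0000-0000-000000000000"
```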