UnboundID Identity Broker Release Notes

UnboundID Logo
  Return to Documentation Index

Identity Broker

Following are notes for version of the UnboundID Identity Broker. Notes for the following versions of the Identity Broker are also available in this document:

New Features

These are new features for this release of the Identity Broker:

  • The 4.5 Identity Broker, functioning as a Resource Server, can be configured to retrieve data from the UnboundID Identity Data Store and/or multiple back-end data stores in response to SCIM API requests. This means that the Broker's policy and consent enforcement can be applied to client requests, so that the returned data contains only those entries and attributes that pass the authorization rules.

  • When configured for multiple data stores, the Identity Broker can combine attributes into a single response, making the separate data stores look like a single one from the point of view of the client application. For each attribute, a specific data store can be marked as "authoritative" for read operations. Attribute-level control over write operations is provided also.

  • The Broker now supports the OpenID Connect protocol for incoming AuthN requests. These are checked against the credentials stored in the UnboundID Identity Data Store.

  • A new config-diff command line utility can compare two server configurations and produce the difference as a dsconfig batch file. The file can then be used to bring the source configuration in line with the target. Comparisons can be done between live servers or configuration files, and between current or legacy configurations. Run 'config-diff --help' to get more information including example use cases.

Known Issues and Workarounds

The following are known issues in the current version of the Identity Broker:

  • Migration from 4.1 Identity Broker to 4.5 Identity Broker is NOT supported.

  • Java 1.7 has a synchronization bottleneck in HashMap that severely impacts performance. Use update 1.7u40, if possible, to avoid this issue. Issue:DS-9477

Resolved Issues

The following issues have been resolved with this release of the Identity Broker:

  • Update SCIM and the Identity Access API to return a 400 status code when the id attribute is included in a PATCH request, as the id attribute is read-only. Issue:DS-9195

  • Update the OAuth authorization endpoint to require that the presented redirect URI exactly match one of the registered values for the client application. The previous behavior was to require that the presented redirect URI start with one of the registered values, and this behavior can still be obtained by issuing the following command followed by a server restart.

    dsconfig set-oauth-service-prop --set "redirect-resolver:Prefix Match Redirect Resolver" Issue:DS-8412

  • Add a --batch-file option to the broker-admin and consent-admin tools to allow multiple commands to be run with a single invocation of the tool. Issue:DS-8422

  • Fix a bug in the JDBC Access Logger that could cause incompatibility with some database versions and display a "Cannot commit when autoCommit is enabled" error message. Issue:DS-8750

  • Update the server startup process so that if no messages have been logged for at least five minutes, the server will generate and log a message about the current phase of startup processing. This can help reassure administrators that the server is still starting and provide information about what phase of startup may be taking so long. Issue:DS-7450

  • Update java.properties generation so that comments related to alternative JVM tunings are no longer present in the file. In most cases, rather than updating java.properties by hand you should use the dsjavaproperties tool to generate JVM options. Issue:DS-8339

  • Add an allow-insecure-local-jmx-access option to the global config that will expose JMX data via insecure local JVM connection Issue:DS-4300

  • Add a new alert handler that can use the Twilio service to deliver administrative alerts via SMS. Long alerts may be either truncated or split into multiple SMS messages. Issue:DS-5587

  • Update the configuration schema to make the ds-cfg-inherit-default-root-privileges attribute mandatory for object class ds-cfg-root-dn-user which is used to define Root User DNs. When this attribute is not present on Root DN User entries, the effect is for the root user to inherit default privileges. It has been made mandatory to make this behavior more explicit. During an update of the server, root DN user entries that do not explicitly declare a value for this attribute will be updated with a value of 'true'. Issue:DS-8450

  • Fix an issue that required create-initial-broker-config to be run independently of setup when using an external trust store. Issue:DS-8623

  • Add a WebLogic specific descriptor file for the web console to help with deployment compatibility. Issue:DS-8925 SF#:1915

  • The trust store password options have been deprecated for most tools that do not require read-write access to a trust store. Issue:DS-8789

  • Make a number of criteria-related improvements:

    - Add Server SDK support for creating custom connection, request, result, search entry, and search reference criteria implementations.

    - Update the simple request criteria type to make it possible to consider the search scope in determining whether a search operation matches the criteria.

    - Update the simple result criteria type to make it possible to consider the indexed/unindexed status in determining whether a search operation matches the criteria.

    - Add a new type of request criteria that may be used to more easily identify operations that target the server root DSE.

    - Add a new type of result criteria that may be used to classify operations based on replication assurance requirements and/or whether those requirements were satisfied.

    - Add a new allowed-insecure-request-criteria global configuration property that may be used to identify requests that the server should allow even if they are received over an insecure connection and the server is configured to reject insecure requests.

    - Add a new allowed-unauthenticated-request-criteria global configuration property that may be used to identify requests that the server should allow even if they are received over an unauthenticated connection and the server is configured to reject unauthenticated requests. Issues:DS-5079,DS-8168,DS-8770

  • Update the Broker's default approval page to add a section for optional scopes (scopes that have the 'required' property set to 'false'). Optional scopes appear in the approval form in a separate section from required scopes, accompanied by inline help that mentions that they can be unchecked to withhold approval. Issue:DS-8307

  • Configuration of many of the common beans used in spring-security-config.xml are now done via the configuration framework. The spring-security-config.xml file should only be modified for advanced use cases. Issue:DS-9027

  • Update error messages returned by the Identity Broker to distinguish between different types of authentication failures: - An authentication failure due to an incorrect client ID or client secret results in the following error message: Authentication client session failure: Bad credentials - An authentication failure due to an incorrect resource owner ID or password results in the following error message: Access token denied: Bad credentials Note that authentication failure error messages do not allow the client to distinguish between a failure due to an incorrect ID/username and a failure due to an incorrect secret/password. Issues:DS-8405,DS-8622

  • Add a new sign-log configuration property to file-based loggers that may be used to cause the server to digitally sign messages written by that logger. A new validate-file-signature tool may be used to verify signature information in signed log files, as well as LDIF files generated by signed LDIF exports. Issue:DS-8662

  • Conform to the OpenID Connect standard method for obtaining refresh tokens by using the "offline_access" scope. The access_type authorization parameter is no longer supported. Issue:DS-8792

  • The broker-admin tool now accepts and displays durations in the form "32w 12h" for application validity settings. The properties accessTokenValiditySeconds, refreshTokenValiditySeconds and consentValiditySeconds have been renamed accordingly to accessTokenValidityDuration, refreshTokenValidityDuration and consentValidityDuration. Issue:DS-9090

  • Remove the --offlineAccess option from the oauth2-request tool. To request a refresh token, include offline_access as one of the requested scopes. Issue:DS-9098

  • Add support for two new extended operations. A list configurations extended operation may be used to obtain information about the configurations that are available within to the server, including the currently-active configuration, the baseline configuration (i.e., the base configuration for an out-of-the-box installation of the current version), and all archived configurations that reflect configuration changes over time. A get configuration extended operation may be used to retrieve a specific configuration from the server. Issue:DS-9149

  • Update setup to fix a bug in which file path options specified as relative to the current directory may cause the server to be configured incorrectly or cause setup failure. Issue:DS-8389

  • Update the HTTP Connection handler to support configuration for tracking sessions either through HTTP cookies or by URL rewriting. Issues:DS-8639,DS-9128

  • Expose the Plugin type in the Server SDK, which is primarily useful for this server to have custom code run at server startup or shutdown using the 'startup' and 'shutdown' plugin types. Issue:DS-9165

  • Update the server to provide a degree of sandboxing around Server SDK extensions so that an unexpected exception thrown by an extension will be caught and result in an administrative alert rather than being caught further up in the stack and potentially causing other problems. Issue:DS-9247

  • In the rare cases where it is necessary to forcefully terminate the JVM from within the server itself, ensure that any files marked for deletion when the JVM shuts down are manually deleted before the JVM is terminated. This can help avoid problems like server shutdown not being detected properly because the server PID file hasn't been removed. Issue:DS-9267

  • Provide improved schema validation to detect additional cases in which certain misspelled tokens in the definition for a schema token could be silently interpreted as an extra property for that schema element. The server will now log a warning message about these unexpected tokens so that administrators can either correct them or prefix them with "X-" to indicate that they are an extra property provided for informational purposes. Issue:DS-9236

  • Reduce the time it takes the server to shut down in certain situations. Background threads sometimes missed a signal to wake up and had to wait for their next polling interval to see that a shut down had been requested. Issue:DS-9334

  • Update the default behavior of all file-based loggers to have include-thread-id=true. This will include a compact thread ID in all log messages. This can make it easier to correlate log messages generated by the same thread within a single log file or across different types of log files. Issue:DS-9352

  • Remove -XX:+UseMembar from the default set of generated JVM properties except on early JVM versions where this setting was required to work around a threading bug in the JVM.

  • Update the server JVM arguments generated by setup and dsjavaproperties to explicitly define -XX:MaxNewSize and -XX:NewSize for JVM's 1GB in size and larger. Also, add a comment to the generated java.properties file directing the administrator to use dsjavaproperties for making memory-related changes to this file rather than editing it directly. Issue:DS-9227

  • Add password file arguments to the scripts used to prepare external servers. Issue:DS-9406

  • Provide an example consumer-centric starter schema. This includes an LDAP schema, a make-ldif template for generating sample data, and a broker-admin batch file for mapping between the LDAP schema and a Data View. See resource/example-starter-schema/README.txt for more information. Issues:DS-8659,DS-9017

  • Update the setup and dsjavaproperties tools to permit maximum heap size values for memory that is not currently available on the host, though the value must still be less than the total amount of memory present on the host. Issue:DS-9111

  • Update the setup and dsjavapropeties tools to permit JVM heap size values to be as large as the amount of memory present on the system would permit. Issue:DS-9494

  • Update the Server SDK to provide the ability to run command line utilities within the server process. A ToolExecutor can be retrieved from the ServerContext. Currently, only the config-diff command is supported, but additional commands might be supported in the future. Issue:DS-9537 SF#:00001858

  • Enhance dsconfig to write to the config audit log when in offline mode. Issue:DS-1495

  • On Linux, issue a warning on startup and after a JVM pause if the kernel setting vm.swappiness is not 0 as this can cause the server to become unresponsive for several seconds when memory is paged back from disk during a garbage collection. Issue:DS-9070

  • Automatically record server monitor data at shutdown, as it may be useful for debugging purposes in cases where a problem was experienced within the server that was resolved by a restart. Issue:DS-9777

  • Improve the performance of certain monitor entry searches that target specific monitor entries by object class. In particular, this includes searches with AND or OR filters, as well as filters that target object classes not defined in the server schema. Issue:DS-9772

Identity Broker

New Features

These features were added for version of the Identity Broker:

  • The UnboundID Identity Broker is the first of a new class of components for consumer and subscriber identity management architectures.

    As a stand-alone server, it provides authorization decisions for client applications, provisioning systems, API gateways, and analytical tools in any architecture involving personal, account, or sensitive identity data.

    Working together with the UnboundID Identity Data Store and Identity Proxy, the Identity Broker is designed to make high-volume and high-speed authorization decisions based on ever-changing consumer profile and consent data. Functionally, the Identity Broker is both the Policy Decision Point and the OAuth2 provider for externalized authorization. Performance-wise, the Identity Broker can support the request volumes driven by the complex, real-time interactions necessary to support today's consumer-facing mobile, social, and cloud ecosystems.

Known Issues and Workarounds

These were known issues at the time of the release of version of the Identity Broker:

Resolved Issues

These issues were resolved with version of the Identity Broker:

  • Fix a bug where under certain error conditions the start server scripts could prompt user to overwrite existing file. Issue:DS-7268

  • Update the JMX connection handler to infer an appropriate Java type (e.g. Boolean, Long, Float, Date, or String) for JMX attributes from the underlying LDAP attribute type and value. The legacy behavior to return all JMX attributes as String values can be set if desired through the advanced global configuration property 'jmx-value-behavior'. Issue:DS-7635

  • Add the --noPropertiesFile option to the status command so that it does not fail when the option is provided to collect-support-data. Issue:DS-8390

  • Update setup to add a masters/peers trust-all argument so that the deployer must explicitly indicate that they trust the master/peer as well as any other masters/peers that are accessed during setup. In addition, if this argument is not specified a prompting trust store manager will be used instead of the previous behavior of using a trust-all manager all the time. If setup is in non-interactive mode and neither the trust-all argument nor the JKS trust store has been specified, and setup is accessing the master/peer over SSL or StartTLS setup will fail. Issue:DS-8381