7.2.1

• Home

Table of Contents

• System Admin Guide
  • Alarms
    • Overview
      • Terminology
      • The Alarm Object
      • Sliding Window Alarms
      • Managing Alarms
      • Notifications
      • Clusters
    • Alarm Types
      • Expiry
      • Failed Authentication
      • Failed Communication
      • Failed Connection
      • Slow Connection
    • Alarm Handlers
      • Email Notifier
      • Webhook Notifier
      • Slack Notifier
      • PagerDuty Notifier
    • Testing Alarms
      • Testing Alarms using the Web UI
      • Testing Alarms using the CLI
      • Verifying the alarm
  • Attribute Transformers
    • Regex Transformer
      • Regex transformation examples
    • Data Source Transformer
      • Data Source Transformation example
    • Script Transformer
  • Audit
    • Configuration
      • Logger
      • File Appender
      • Database Appender
    • Audit Data
      • Mandatory
      • Optional
    • Audit Events
      • profile-added
      • token-introspected
      • refresh-token-issued
      • refresh-token-revoked
      • access-token-issued
      • access-token-revoked
      • id-token-issued
      • initial-dcr-access-token-issued
      • initial-dcr-access-token-consumed
      • initial-dcr-access-token-revoked
      • dcr-client-registered
      • user-info
      • authorization-code-issued
      • authorization-code-consumed
      • delegation-issued
      • delegation-revoked
      • account-created
      • accounts-linked
      • account-activated
      • scim-account-updated
      • scim-account-created
      • scim-account-deleted
      • access-token-authentication
      • client-authentication-success
      • client-authentication-failure
      • cat-verification-failed
      • logout
      • user-authentication-success
      • user-sso-authentication-success
      • sso-session-created
      • bc-authentication-start
      • bc-authentication-success
      • bc-authentication-failure
  • Authorization Managers
    • Groups Authorization Manager
      • Group Rules
    • Scope Authorization Manager
      • Policies, Actions and Rules
      • Configuration
      • Use with OpenID Connect User Info
  • Credential Managers
  • Cryptography
    • Configuring certificates
    • Configuring private keystores
      • Using an action to add a keystore
      • Preparing the keystore for embedding in an XML configuration document
    • Converting KeyStores (keystore-entry) into correct PKCS12 format
      • Usage of the convertks script
    • Working with PKCS1 private keys
    • Hardware Security Module
      • Entering a PIN
      • Configuring the HSM
      • Debugging the PKCS#11 Provider
    • EdDSA support
  • Data Sources
    • Overview
      • Configuration Strategy
      • Data Source Usage
    • JDBC
      • Table management
      • Database maintenance
      • Quoted identifiers
      • Configuration
      • Clustering
      • MySQL and MariaDB
      • Microsoft SQL Server
      • PostgreSQL and CockroachDB
      • Oracle
      • HsqlDB
    • LDAP
      • LDAP for Account and Credential Data Access
      • LDAP for Attribute Data Access
      • Use-case for configuring an LDAP backend for HTML Forms authenticator
      • Connection Pool
    • SCIM
      • SCIM 1.1
      • SCIM 2.0
    • JSON / REST Data Source
      • Configuration
    • DynamoDB
      • Table management
      • Database maintenance
      • User Management Service
      • Configuration
    • Multi-zone
      • Configuration
  • Deployment
    • Cluster
      • Two Node Setup
      • Standalone Admin Setup
      • Asymmetric Setup
    • Scalability
    • Creating a Cluster
      • Preparing Configuration
      • Setup Nodes
      • Service Role
      • Viewing Connected Nodes
      • Cluster Lifecycle
    • Deploying with Docker
      • Building a Docker Container
      • Running with docker-compose
    • Multi-region Deployments
      • Authorization flows - Front-channel
      • Authorization flows - Back-channel
      • Data sources
  • Email Providers
    • SMTP Email Provider
      • DomainKeys Identified Mail
    • Configure Email Provider for a Service
  • Http Clients
    • Introduction
    • HTTP Client Configuration
      • Scheme
      • Connection Pool
      • Caching
      • Authentication
      • TLS (encryption)
      • Proxies
  • Logging
    • Log Levels
    • Configuration Overview
    • Appenders
      • Standard Out
      • Cluster Log
      • Request Log
      • Audit Log
      • Metrics
    • Loggers
    • Masking
    • Shipping Logs
    • Log4j Scripting Languages
    • Files Not Configurable by Log4j
      • Configuration Service Logs
  • Monitoring
    • JMX
    • Zulu Flight Recorder
      • Starting a Recording Manually
      • Starting a Recording from the Command Line
      • Starting a Recording on Startup
    • Status Endpoint
      • Command line tool
    • Prometheus-compliant Metrics
      • Common Alerts
      • Configuration
  • Scripting
    • Introduction to scripts
      • Procedures during authentication
      • Procedures during token issuance and processing
    • Configuring Scripts
      • Script Types
      • Preparations
      • Configuring using etc/init
      • Writing Scripts
  • Server Events
    • Event Listener Types
      • Script EventListeners
      • EventListener Plugins
    • Types of Events
  • SMS Providers
    • Twilio Sms Provider
    • REST Sms Provider
  • Transport Layer Security
    • Server Name Indication
  • Upgrading
    • Upgrading from 4.0.X to 4.1.0
      • Changes Related to Claims Request Parameter Processing
      • Upgrading the XML Configuration
      • New Templates
      • New Message Files
      • Upgrading Assisted Token JavaScript
      • SDK Changes
    • Upgrading from 4.1.X to 4.2.0
      • SDK
      • Upgrading the XML Configuration
    • Upgrading from 4.2.X to 4.3.0
      • Upgrading the XML Configuration
      • Front-End Templates
      • New Messages
      • Changes Related to Invalid Mutual TLS Usage
    • Upgrading from 4.3.X to 4.4.0
      • Updating templates
    • Upgrading from 4.4.X to 4.5.0
      • Net iD Access authenticator
      • Axiomatics Authorization Manager
    • Upgrading from 4.5.X to 5.0.0
      • Upgrading the XML Configuration
      • SDK
      • Updating Databases
      • Other
    • Upgrading from 5.0.X to 5.1.0
      • SDK
      • SSO cookie Changes
    • Upgrading from 5.1.X to 5.2.0
      • SDK
    • Upgrading from 5.2.X to 5.3.0
      • HTML-Form Authenticator
      • Transaction Metadata API
      • SDK
    • Upgrading from 5.3.X to 5.4.0
      • Upgrading the XML Configuration
      • OpenID Connect Response Types and ID Tokens
      • Reset Password Links and Email Templates
      • Deprecated SDK methods
      • Robots.txt file in Webroot Directory
      • Client ID in Prometheus metrics
      • Debug Attribute Action Included
      • Changes to HAAPI representantions
      • Alarms
    • Upgrading from 5.4.X to 6.0.0
      • Upgrading the XML Configuration
      • Updating Templates
      • Umask Explicitly Set
      • Changes to HAAPI client configuration
      • Changes to the HAAPI attestation policies
      • Changes to the HAAPI SDK
      • Changes to the HAAPI Android SDK
      • Transaction Metadata API
      • REST API Removal
    • Upgrading from 6.0.X to 6.1.0
      • Apache Velocity Engine
    • Upgrading from 6.1.X to 6.2.0
      • Upgrading the XML Configuration
      • Logging of BankID messages
    • Upgrading from 6.2.X to 6.3.0
      • Upgrading the XML Configuration
      • Updating Templates
      • RESTCONF Conformance Updates
      • TLS 1.0 and 1.1 Disabled
      • SDK
    • Upgrading from 6.3.X to 6.4.0
      • Default Java Options Changed
      • Java Upgraded to Version 11
      • SDK
      • Changes to the HAAPI Web SDK
      • DPoP Proof Token Clock Skew
      • DN Certificate Validation
    • Upgrading from 6.4.X to 6.5.0
      • BankID Authenticator and Signing Consentor Messages
      • Logging Changes
    • Upgrading from 6.5.X to 6.6.0
      • Relaxation of DN Certificate Validation
      • Changed Default for Maximum Number of Request Threads
    • Upgrading from 6.6.X to 6.7.0
      • Updating Databases
      • Removal of OpenSSL dependency
      • Redirect URI validation
      • Template Updates
    • Upgrading from 6.7.X to 6.8.0
      • SDK Changes
      • Serialization
      • TLS
      • RESTCONF
      • Template Updates
      • Deprecation of the Net iD Authenticator
      • BankID authenticator
      • BankID Consentor
    • Upgrading from 6.8.X to 7.0.0
      • Upgrading the XML Configuration
      • SDK Changes
      • Java Upgraded to Version 17
      • Procedures API Changes
      • Log4j2 Changes
      • Database Changes
      • Prometheus Metrics
      • Validation for Endpoint URIs Changed
      • NetiD Access Authenticator
      • BankID Authenticator and Signing Consentor
    • Upgrading from 7.0.X to 7.1.0
      • HAAPI DPoP improved processing
      • Template and message updates
    • Upgrading from 7.1.X to 7.2.0
      • SDK Changes
      • Logging Changes
    • General Upgrade Procedure
      • Preparing the upgrade
      • Performing the upgrade
      • After the Upgrade
  • Common Usecases
    • SITHS Authentication with attributes from Active Directory
      • 1. Windows Connector
      • 2. SITHS Authenticator
      • 3. Test App
      • 4. Test configuration
      • 5. Active Directory Data Source
      • 6. Attribute Transformer
      • 7. Add transformer to the authenticator
      • 8. Test the configuration
  • DevOps Dashboard
    • Enabling the DevOps Dashboard
    • Requirements of an OAuth Client
    • Group Access
    • Availability
  • System Requirements
    • Operating Systems
    • Minimum Hardware Requirements
    • Recommended Hardware Setup
    • Hypermedia Authentication API
    • Browsers
    • Database
    • User Repositories
    • Networking
    • Hardware Security Module
    • File Encoding
    • HTTP
    • TLS
  • JVM Configuration
    • Changing JVM Settings in the Admin UI
    • Changing the JVM Settings with the CLI
  • Go-live Checklist
    • General System
    • Related Systems
    • All Profile Types
    • Authentication
    • Token Service
    • User Management
    • Configuration
    • Clustering
  • CORS
  • Cross Site Requests
• Authentication Service Admin Guide
  • Overview
    • Authenticators
    • Actions
    • Single Sign-On (SSO)
    • Logout
    • Account Domains
    • Validation Procedures
    • Authenticator Filters
    • Service Providers
    • Protocol Plugins
    • Automatic login
  • Defining an Authentication Service Profile
    • Preparing the Authentication Service Profile
      • Pre-requisite configuration
    • Base Configuration of an Authentication Service Profile
      • Example Create request
  • Authenticators
    • Overview of Authenticators
      • Authenticator purpose
      • Authenticator Base Configuration
      • Multi-factor configuration for Authentication
      • Back-channel Authenticators
    • BankID
      • Integrating with BankID
      • Kinds of BankIDs
      • Trusted BankID Provider
      • Authentication flows
      • Configuration settings
      • Testing the Integration and Configuration
      • Persisting the BankID Responses
    • Duo
      • Configuration Settings
      • Creating a New Authenticator
      • Logging In
    • Email
      • Base Configuration
      • Using as standalone factor (single factor)
      • Using as second or N-th factor
      • Hyperlink
      • Inactive Accounts
      • Configuration
    • Encap
      • Basic Configuration
      • Registration During Login
      • Additional Information Before Registration
      • Automatic Login
    • Entrust IDaaS
      • Creating an App in Entrust
      • Creating a new Authenticator
    • Facebook Authenticator
      • Configuring Facebook
      • The Redirect URI
      • Configuration in the Authentication Service
    • Google Authenticator
      • Configuring Google
      • The Redirect URI
      • Configuration in the Authentication Service
    • HTML Forms authenticator
      • Paths
      • Validation Scripts
      • Email Provider
      • Automatic Login
      • Password Only
      • Remember Me
      • Configuration
    • OpenID Connect Authenticator
      • The Redirect URI
      • Configuration
    • PingFederate IdP Adapter Authenticator
      • Authentication Flow
      • Configuration
    • PingFederate
    • SAML
      • Paths
      • Validation Scripts
      • Configuration
      • Known limitations
    • Sign in with Apple
      • Configuring a Sign in with Apple Service
      • Setting up the authenticator
    • SITHS
      • Configuring an Authenticator
    • SMS OTP
      • Base Configuration
      • Using as standalone factor (Single factor)
      • Using as second or N-th factor
      • SMS OTP in OTP mode
      • SMS OTP in Hyperlink mode
      • Registration
      • Automatic Login
      • Configuration
    • TOTP - Time base One Time Password
      • Configuring an Authenticator
      • Configuring for pre-shared keys
      • Configuring for generated keys
      • Automatic Login
    • Twitter
      • Creating an App in Twitter
      • Configuring the Twitter Authenticator
    • Username
      • Configuration
      • Source Code
    • WebAuthn
      • Device Types
      • Configuring a WebAuthn authenticator
      • Registering devices
      • User Interaction for platform devices
    • Windows
      • Installing the Windows Connector
      • Configuring an Authenticator
      • Configuring the Windows Connector
      • Troubleshooting
  • Authentication Actions
    • Overview
      • Login Actions
      • SSO Actions
      • Actions and Action Completions
    • Attribute Prompt Action
      • Configuration
      • Localization
    • Auto Create Account
      • Creating accounts
      • Configuration
      • Default Values in the account
      • Errors
    • Auto Link Accounts
      • Overview
      • Configuration
      • Advanced
    • Conditional Multi-Factor
      • Attribute Enable Condition
      • Attribute ACR Condition
      • Subject Condition
      • Client Property Condition
    • Data Source Transformer Action
      • Transforming values using data source values
      • Include additional values from datasource
      • Configuration
    • Date/Time Deny Action
    • Debug Attribute Action
    • Geolocation Allow or Deny Country Action
      • Configuration
    • Geolocation Changed Country Action
      • Configuration
    • Geolocation Impossible Journey Action
      • Configuration
    • Geolocation New Country Action
      • Configuration
    • Lookup Links Action
      • Overview
      • Configuration
    • Opt-In MFA
      • Registering a New Factor
      • Managing Factors
      • Recovery Codes
      • Configuration
    • Regular Expression Transformer Action
      • Transforming values using regular expressions
      • Excluding attributes
      • Renaming attributes
      • Configuration
    • Remove Attribute Transformer Action
      • Configuring attributes for removal
    • Reset Password
      • Configuration
      • Example Usage
      • Errors
    • Resolve Account Link
      • Overview
      • Configuration
    • Script Transformer Action
      • Transforming values using script procedures
      • Configuration
    • Sequence Action
      • Configuration
    • Switch Action
      • Conditions
      • Configuration
    • Time-based Deny Action
    • Zone Transfer
      • Configuration
      • Errors
  • Multi-Factor Authentication
    • Using a chain of authenticators
      • More than two factors
      • Single Sign-On and Multi-Factor
      • Freshness and Forced Authentication
      • Using the ACR Parameter
    • Using a Multi-Factor Authentication Action
  • Account Linking
    • Basic Concepts
      • Example of Linking with Facebook
      • Example of Linking with Facebook as Second authenticator
    • Resolving Links
    • Looking up Links
    • Common Linking Flows
      • Linking a foreign account and adding links to the result
      • Linking using the foreign authenticator and resolving immediately
      • Linking using the local authenticator, resolving on next login with foreign
      • Linking two foreign accounts using auto create account
      • Linking two foreign accounts using auto create & resolving on next login
  • Protocol Plugins
    • PingFederate
      • Configuring PingFederate
      • Adapter Configuration
      • Configuring the Authentication Service
    • SAML
      • SAML protocol
      • Configuring the Authentication Service
      • Service Provider (App) integration
      • Federation Server integration
      • SAML Logout
  • Account Manager
    • Registration - Create account
    • Username is Email
  • Service Providers
    • Introduction
    • Managing Service Providers in the Admin UI
    • Framable User Interface
      • Multiple values for ‘allowed-origins’
      • Origin URI pattern format
    • Original Query retry integration
      • Example
      • Example OAuth Client
    • Third Party Cookies
      • Steps to Integrate Preflighting
      • Advanced Preflight behaviour
      • Disabling the Preflight Resource
  • Authenticator Filters
    • User-Agent Authenticator Filter
    • CIDR Authenticator Filter
    • Script Authenticator Filter
    • Geolocation Authenticator Filter
  • Single Sign-On
    • Requirements for SSO
    • Session Duration
      • Session cookies vs Persisted Cookies
      • Database persisted session
      • Expiration
      • Example
    • Overriding SSO
      • Freshness
      • Forcing authentication
  • Automatic Login
    • Authenticator Availability
  • Logout
    • Endpoint
    • Redirect After Logout
      • Using configuration
      • Using query parameter
    • Configuration
  • Geolocation
    • Geolocation Database File
    • Geolocation Actions
      • Geolocation Allow or Deny Country Action
      • Geolocation Changed Country Action
      • Geolocation Impossible Journey Action
      • Geolocation New Country Action
    • Geolocation authenticator filter
    • Geolocation authenticator settings
• Token Service Admin Guide
  • Introduction to the Token Service
  • Defining an OAuth Profile
    • Preparing the OAuth Profile
      • OpenID Connect
      • Pre-requisite configuration
    • Base Configuration of an OAuth Profile
      • Example create request
  • OAuth Flows
    • Code
      • Proof Key for Code Exchange
    • Implicit
    • Client Credentials
    • Resource Owner Password Credentials
    • OpenID Connect Hybrid Flows
    • OpenID Connect CIBA Flow
      • Signed Authentication Request
    • Token Exchange
    • Assisted Token
    • Refresh
    • Revoke
    • Introspect
    • Json Web Key Set (JWKS)
    • Device Flow
    • Assertion Flow
      • Token reuse
    • Logout Flow
  • Using the device flow
    • Configuration
    • Endpoints
      • Device Authorization
      • UserCode Verification
      • Token Endpoint
    • Token Procedures
    • Templates
  • Scopes and Claims
    • Adding a scope to the profile
    • Adding a scope to a client
    • Scope Lifetime
    • Required scopes
    • Prefix scopes
      • Customizing prefix scope templates and messages
    • Claims of a scope
    • Claims I/O
      • Claim mappers
      • Claim value providers
      • Configuring a claim
  • Configuring OAuth User Authentication
  • OpenID Connect
    • Metadata
    • The “claims” request parameter
    • Issuing pseudonymous subject identifiers
      • Client settings
      • Profile settings
      • Sector Identifier for Dynamic Client Registration
  • Dynamic Client Registration
    • Architectural Overview of Dynamic Client Registration
      • Deployments and Configurations
      • Initial Access Token
      • Registration
      • Registration Based on a Template Client
      • Registration Based on a Non-templatized Client
    • Enabling Dynamic Client Registration
    • Dynamic Client Registration Management (DCRM)
      • Client Certificates and DCRM
      • DCRM Management Clients
    • Dynamic Client Management With GraphQL
    • Dynamic Client Registration API
      • Templatized Dynamic Client Registration
      • Non-Templatized Dynamic Client Registration
    • Custom Client Properties
  • OAuth Client Configuration
    • Client Capabilities
      • Hybrid Capabilities
    • User Authentication
    • Client Authentication
      • Client Secret
      • Client Assertion
      • Secondary authentication
    • Client Framability
      • Examples
    • Redirect URI validation
      • Validation policies
      • Using Validate Port on Loopback Interfaces and Allow Per Request Redirect URIs (deprecated)
  • Issuing OAuth and OpenId Connect Tokens
    • Default Token Issuers
    • Custom Token Issuers
    • More on Wrapped Opaque Tokens
    • Encrypted ID Tokens
  • OAuth Endpoint Reference
    • Anonymous
    • Authorize
    • Assisted Token
    • Introspect
    • Revoke
    • Token
  • User Consent
    • Consenting to requested claims
      • Example
    • Asking for consent
      • Example user consent gathering
      • Example with prompt
    • Enabling user consent
    • The user consent template
      • Example claim localization
      • Showing prefix scopes
    • Consentors
  • Consentors
    • BankID
      • Integrating with BankID
      • Signing Consent Data
      • QR Code
      • Asking user for personal number
      • Signing cancellation
      • Configuration settings
      • BankID Consentor Response
      • Testing the Integration and Configuration
      • Persisting the BankID Responses
    • Profile configuration
    • Client configuration
    • Consentor selection
    • Consentor templates
    • Consentor result
  • Mutual TLS Authentication
    • TLS termination
    • Binding certificates to tokens
    • Trusted certificates
      • Trust by PKI
      • Trust by a pinned certificate
    • DN comparison
    • Subject Alternative Name
    • Configuring Mutual TLS
      • Proxy terminated Mutual TLS
      • Direct terminated Mutual TLS
      • Configuring trust
    • Reverse Proxy Server Setup
      • Generic Reverse Proxy Server Setup
      • Setting Up NGINX As a Reverse Proxy Server
      • Setting Up HAProxy As a Reverse Proxy Server
      • Setting Up Apache HTTPD 2.x As a Reverse Proxy
    • Non-Templatized Dynamic Client Registration using Mutual TLS
      • OrganizationIdentifier
      • Match only organizationIdentifier
  • OpenID Connect Issuer Discovery
  • Financial-grade Security
    • JWT Secured Authorization Request (JAR)
    • Pushed Authorization Requests
    • Request Object Handling
    • JWT Security Authorization Response Mode (JARM)
    • Encrypted ID Tokens
  • Session Management and Logout
    • Session Endpoint
    • Logout
      • Logout Notification
    • OpenId Connect specifications for Session Management and Logout
• User Management Admin Guide
  • Overview
    • SCIM 2.0
      • Users
      • Devices
      • Delegations
      • External ID
      • Custom claims
    • GraphQL
      • Queries and Mutations
      • Introspection
      • Authorization
      • Custom Attributes
      • More Details
    • OAuth Protected
  • Defining a User Management Service Profile
    • Preparing the User Management Service
      • Pre-requisite configuration
    • Step by step guide to setup a User Management Service
      • 1. Add the profile
      • 2. Select OAuth Service
      • 3. Select User Account Data Source
      • 4. Select OAuth Delegations Data Source
      • 5. Setting up the endpoints
      • 6. Exposing the Endpoints on a Service (node)
      • 7. Commit the changes
• Developer Guide
  • Authentication Service
    • Authenticators
      • Authenticators
    • Endpoints
      • Authentication Endpoint
      • Registration Endpoint
      • Anonymous endpoint
      • Authenticators
  • OAuth Service
    • Web Clients
      • Assisted Token JavaScript API
    • CORS on the OAuth Server
      • Default CORS Enabled Endpoints
      • Endpoints that Can be CORS Enabled
  • Data Sources
    • Using SCIM v1.1 as Data Source
      • Client Authentication
      • Required SCIM operations
    • JSON Data Source
      • Credential verification
      • Attribute Provider
  • SMS REST Client
    • Sending a message
    • Response and Errors
    • Authentication
  • Email Provider Plugin
    • SMTP Plugin’s message contents rendering
  • Front-End Development
    • Introduction
    • Understanding the Templating System
      • The Template Override System
      • Overrides
      • Template Areas
      • Serving templates via the anonymous endpoint
      • Error templates
      • Common Template Variables
      • Never Remove CSP
    • Using the UI Builder
      • Setting up the environment
      • Running the previewer
      • Working with velocity variables
      • Overriding templates
      • Working with template areas
      • Working with translations
      • Building
    • Customizing the Look and Feel
      • Creating Custom Themes in the Admin UI
      • How to create your custom theme in UI Builder
      • How to work with Sass
      • Themes
      • Using External Web Fonts
      • Compiling Sass to CSS
      • How to work with the settings file
    • Localizing Resources
      • About Locales
      • Using localized messages in templates
      • Message keys
      • Message lookup
      • Message Files Format
      • Using plugin-specific messages in re-usable templates
    • Secure Iframing
      • Pre-requisites
    • API Driven UI
  • Scripting Guide
    • Credential Transformation Procedures
      • Function
      • Examples
    • EventListener procedures
      • Configuring EventListener Procedures
      • Common API
      • EventListener functions
    • Filter procedures
      • Function
      • Common API
      • API
    • Global Scripts
      • Common API
      • Global Constants
    • Token procedures
      • Issuing tokens
      • Token Procedure Function Signature
      • Including Request Parameters Values
    • Token Procedure API
      • Context
    • Token Procedure Examples
      • Overview
      • Assisted Token Endpoint
      • Authorize Endpoint
      • Introspection Endpoint
      • Token Endpoint
      • UserInfo Endpoint
    • Transformation Procedures
      • Common API
      • Function
      • Return Value
      • Examples
    • Userinfo procedures
      • Common API
      • Claims
      • Common API
      • Function
      • Return Value
      • Examples
    • Validation procedures
      • Common API
      • Function
      • Return Value
      • Examples
    • Pre-Processing Procedures
      • Function
      • Return Value
      • Examples
    • Post-Processing Procedures
      • Function
      • Return Value
      • Examples
    • Common Procedure API
      • Common Procedure Objects
      • Procedure Context object
      • Common Operations Examples
    • Developing Procedures
      • Logging
      • Exceptions
  • Plugins
    • Access to the Curity Release Repository
    • Plugin Installation
      • Classpath considerations
    • Basic structure of a plugin
      • SmsSender Plugin Example
    • Managed Objects
    • Cross-site Plugin Handlers
    • Java Version
    • Server-Provided Dependencies
      • SLF4J Logging API
      • Bean Validation API
      • Hibernate Validator Engine
      • Kotlin Standard Library
    • Serialization
  • Hypermedia Authentication API
    • Introduction
    • Access control
      • Client attestation
      • Android client attestation configuration
      • iOS client attestation configuration
      • Browser (Web) client attestation configuration
      • Disabling attestation for testing purposes
      • Debugging Web CAT problems
    • Flow state management
    • API Driven UI
    • Examples
      • Example - Username and password based authentication
      • Example - Encap authentication with device registration
      • Example - Using an external browser
    • SDK
      • HAAPI Android SDK
      • HAAPI iOS SDK
      • HAAPI Web SDK
  • Curity SDKs
    • Java Plugin SDK
    • HAAPI Android SDK
    • HAAPI iOS SDK
    • HAAPI Web SDK
  • GraphQL APIs
    • Using Access Tokens
    • Introspecting the Schema
    • Using Queries
• Configuration Guide
  • Overview
    • Transactional configuration
    • Rollbacks and history
    • Factory default
    • Mandatory, optional and default parameters
    • Configuration interfaces
      • Service Roles
      • Profiles
      • Endpoints
      • Using Endpoints in Service Roles
    • Commit Hooks
  • RESTCONF API
    • General Concepts
    • RESTCONF Endpoint
      • URIs
    • RESTCONF Operations
    • Querying Data
    • Rollback using RESTCONF
    • Message Encoding
    • Authentication
  • Command Line Interface
    • Connect to the CLI
    • Modes in the CLI
      • View mode
      • Configuration mode
    • Basic Usage
      • Viewing the configuration
      • Changing the configuration
      • Applying the configuration
      • Rollback changes
    • Advanced Usage
      • Moving through the configuration using Edit
      • Showing selected values only
      • Exporting configuration
      • Loading configuration
      • Multiline Edit Mode
    • Scripting and automation
  • Commit Hooks
    • Commit Hook CLI Scripts
    • Commit Hook Scripts
  • Encrypted Configuration
    • Setup Encryption
      • Defining a key during installation
    • Defining Encryption Key on Startup
    • Change Encryption Key
  • Backing Up the Configuration
    • Using the idsvr Command
    • Using the idsh Command
    • Using the Web UI
    • Using the RESTCONF API
  • Restoring a Saved Configuration
    • Using the idsvr Command
  • Restoring the Initial Configuration
    • Preserving the Configuration Database
    • Deleting the Configuration Database
      • 1. Stop the admin node
      • 2. Remove the running datastore
      • 3. Check the min-conf.xml and key-conf.xml
      • 4. Making sure the default procedures are in place
      • 5. Make sure the appropriate certificates are initialized
      • 6. Start the admin node
  • Parameterized XML Configuration
    • Example:
    • Default Values
    • Using startup.properties
  • Access Control
    • Defining Rules in the Admin UI
      • Rules for the DevOps Dashboard
    • Enforcement of Access Control Rules
  • Configuration Reference
    • Alarms
      • Control
      • Alarm-inventory
      • Summary
      • Alarm-list
      • Shelved-alarms
      • Alarm-profile
    • Environment
      • Localization
      • White-listed-proxies
      • Cluster
      • Admin-service
      • Themes
      • Zones
      • Service-role
      • Runtime-service
      • Reporting
      • Alarms
    • Profile
      • Authorization-server
      • Authentication-service
      • User-management-service
      • Endpoints
      • Token-issuers
    • Facilities
      • Cache
      • Client
      • Data-source
      • Email-provider
      • Sms-provider
      • Crypto
      • Caching-services
      • Client-attestation
    • Processing
      • Token-procedure
      • Global-script
      • Validation-procedure
      • Transformation-procedure
      • Filter-procedure
      • Event-listener-procedure
      • Claims-provider-procedure
      • Credential-transformation-procedure
      • Pre-processing-procedure
      • Post-processing-procedure
      • Authorization-manager
      • Event-listener
      • Account-manager
      • Credential-manager
    • Base Types
    • Type Reference
      • Types
      • Identities
• Glossary

Upgrading from 5.4.X to 6.0.0

Version 6.0.0 contains a number of changes to the configuration model, Hypermedia API (HAAPI), REST APIs, and more. Details are provided below.

Upgrading the XML Configuration

Description	Applicability	Change Method
Deprecated Axiomatics authorization manager removed	Axiomatics authorization manager	Manual
Changed default HSTS’s max-age value	Service role config	Automatic using XSLT, or manual
Non-templatized DCR Client authentication	Non templatized DCR	Automatic using XSLT, or manual
Base-URL can not have a path	base-url config	Automatic using XSLT, or manual
Unneeded authorization rules for all groups	NACM config for all groups	Manual
Zone configuration on data sources removed	zone config	Automatic

Axiomatics Authorization Manager Removed

Support for the Axiomatics authorization manager has been completely removed. It has been deprecated since version 4.5. If any configuration for this obsolete authorization manager is still present, it will need to be removed prior to upgrading. Specifically, the following emphasized lines and any configuration referring to such an authorization manager should be deleted.

<config xmlns="http://tail-f.com/ns/config/1.0">
    <processing xmlns="https://curity.se/ns/conf/base">
        <authorization-managers>
            <authorization-manager>
                <id>axio1</id>
                <axiomatics xmlns="https://curity.se/ns/conf/authorization-manager/axiomatics">
                   <!-- ... -->
                </axiomatics>
            </authorization-manager>
        </authorization-managers>
    </processing>
</config>

Customers still using this authorization manager should migrate to scopes authorization manager or other alternatives.

Changed Default HSTS Max-age Value

The default value of the max-age setting of the HTTP Strict Transport Security (HSTS) behaviour was changed from 0 to 15465601. In case previous configuration relied on the default setting of 0, this now needs to be explicitly set with the value 0. The upgrade XSLT can take care of this. It is also possible to manually set this value.

Listing 105 Configuration of the HSTS setting of a service role, explicitly setting

<environments>
  <environment>
    <services>
      <service-role>
        <id>my-service-role</id>
        ...
        <hsts>
          <max-age>0</max-age>  <!-- explicitly configure max-age with the previous default value -->
        </hsts>
      </service-role>
    </services>
  </environment>
</environments>

Non-templatized DCR Client Authentication

The configuration model for non-templatized DCR has been updated such that it now requires to configure how a client must authenticate to obtain the initial registration token, instead of implying client-secret when nothing is set. This change may render existing configuration (that relied on an implied client-secret value) as invalid.

An example of configuration that used to be valid:

Listing 106 Example of previous configuration for non-templatized DCR that implied client-secret

<authorization-server>
  <dynamic-client-registration>
    <non-templatized>
      ...
    </non-templatized>
</dynamic-client-registration>

This configuration must be changed, to include the following XML elements:

Listing 107 Example configuration for non-templatized DCR that explicitly selects client-secret

<authorization-server>
  <dynamic-client-registration>
    <non-templatized>
      <client-authentication-method> <!-- This tag must to be added -->
        <secret/>
      </client-authentication-method>
    </non-templatized>
  </dynamic-client-registration>
</authorization-server>

This change can be made manually, or by the upgrade XSLT template.

Base-URL Can not Have a Path

When configuring a base-url, it can not no longer contain a path nor query component. If a previous configuration had this set, it must be removed, either manually, or by running the XSLT script as part of the upgrade to version 6.0.

The base-url can be configured for a service-role, as well as for the admin-ui service.

Unneeded Authorization Rules for All Groups

Previously, whenever rules for a particular group were defined, the admin UI would always make rules for the any-group, a group of access control rules that applied to all users in all groups. In some cases, these rules in the any-group caused issues. For this reason, the admin UI no longer adds them. Consequently, the previously-created rules should probably be removed. If things are working as expected, however, they can be left. To remove them, delete all rules in the rule-list named any-group that has a comment of Created by Web UI. An example of the rules that should be removed are highlighted in the following listing:

Listing 108 my good caption

<config xmlns="http://tail-f.com/ns/config/1.0">
  <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
    <rule-list>
      <name>any-group</name>
      <group>*</group>
      <rule>
        <comment>Created by Web UI</comment>
        <!-- ... -->
      </rule>
      <rule>
        <comment>Created by Web UI</comment>
        <!-- ... -->
      </rule>
      <!-- Leave any rules that do not have a comment like the one above -->
    </rule-list>
  </nacm>
</config>

Zone Configuration on Data Source Removed

The zone configuration setting on a data source has been removed. It has not been in use, no action for upgrade is required.

Updating Templates

The version of jQuery that the default templates use was upgraded from 3.4.1 to 3.5.1. According to the release notes of this third-party script, this change should not incur any breaking changes. If it becomes an issue, the file $IDSVR_HOME/usr/share/webroot/assets/js/lib/jquery-3.5.1.min.js can be replaced with the old version. Be aware, however, that this upgrade was done to avoid a security vulnerability in the old version, so downgrading is not recommended.

Umask Explicitly Set

The umask is now explicitly set to 077 in the idsvr command. This ensures that any files or directories created by that process are not writable, readable or executable by any other user. If this change is undesirable, then it can be changed. The recommended way of doing so is to set the umask in $IDSVR_HOME/etc/startup.properties. This change was done for security reasons, however, and altering it unnecessarily is discouraged.

Changes to HAAPI client configuration

Browser-based OAuth clients don’t need to use CORS in order to access HAAPI. The configuration changes allowing CORS accesses for the client’s origin, which were previously required for a browser-based client to use HAAPI, can now be removed.

Changes to the HAAPI attestation policies

The following Web attestation policy properties were removed: allow-web-driver, allow-ios, allow-android, and allow-java. The Web attestation process will not try to detect these browser characteristics (e.g. if the browser is being automated via web driver or is a webview running on Android).

It is still possible to define a custom Web attestation policy and set disable-origin-verification to true, for development and testing purposes.

Changes to the HAAPI SDK

• The Kind class was renamed to ActionKind
• The FormActionFields#addTextField(String, Message, Message) method was removed. New overloads were added for completeness.
• The launch action template was removed and a new client-operation template was added, which also supports the same use-cases. As such, the Actions#addLaunchAction method was also removed. Actions#addClientOperationAction can be used to add client-operation actions instead.
• The qrcode link relation was removed. As such, the HaapiContract.Links.Relations.QR_CODE constant was also removed. Links now have an optional type attribute that can be set to an image media type in such cases.
• The activation-url link relation was replaced by activation. As such, the HaapiContract.Links.Relations.ACTIVATION_URL constant was removed.

Changes to the HAAPI Android SDK

The customization of the HTTP client used internally by the HaapiTokenManager was changed. Instead of supporting an optional OkHttpClient.Builder configurer, it now supports an optional connectionProvider to create and customize the HttpURLConnection that is now used internally by the token manager. Due to this change, it is now possible to use the HAAPI Android SDK without any dependencies on the OkHttp library.

However, it is still possible to configure an application level OkHttpClient instance with an interceptor to automatically handle the token and session management. For this to be possible the OkHttp library dependency (com.squareup.okhttp3:okhttp:3.14.*) must now be explicitly added to the application dependencies.

Transaction Metadata API

The Transaction Metadata API was deprecated in version 5.3.0 and has now been completely removed.

REST API Removal

The deprecated REST API has been removed. Refer to the version 4.0.0 upgrade guide for details about migrating to the new RESTCONF API.