Upgrading from 7.5.X to 7.6.0

Systemd config file update

If the Identity Server is managed by the systemd service manager, the unit file should be updated with a new exit-status definition in its [Service] section: SuccessExitStatus=143. Exit status 143 is what the JVM returns after a SIGTERM (128 + 15); without this setting systemd records an orderly stop as a failure.

The full configuration file can be found in $IDSVR_INSTALL/examples/init_scripts/idsvr.service.

New SAML Authenticator

In version 7.6, the SAML implementation has been rewritten, and a new SAML authenticator (saml2) based on that implementation was added. In this release the new saml2 authenticator ships alongside the existing saml authenticator, but saml2 replaces it: the saml authenticator is deprecated as of this release of the Curity Identity Server and will be removed in a future release.

Deployments that use the saml authenticator should migrate it to the new saml2 authenticator.

The configuration model differs slightly between the saml and saml2 authenticators. The following example shows what needs to be done to migrate from saml to saml2.

Listing 92 Example configuration of the saml authenticator
<config xmlns="http://tail-f.com/ns/config/1.0">
  <profiles xmlns="https://curity.se/ns/conf/base">
    <profile>
      <id>authentication</id>
      <type xmlns:auth="https://curity.se/ns/conf/profile/authentication">auth:authentication-service</type>
      <settings>
        <authentication-service xmlns="https://curity.se/ns/conf/profile/authentication">
          <authenticators>
            <authenticator>
              <id>saml1</id>
              <saml xmlns="https://curity.se/ns/conf/authenticators/saml">
                <idp-entity-id>https://external.example.org/idp/metadata</idp-entity-id>
                <idp-url>https://external.example.org/idp</idp-url>
                <signature-verification-key>external-idp-signature-verification-key</signature-verification-key>
                <wants-response-signed>false</wants-response-signed>
                <wants-assertion-signed>true</wants-assertion-signed>
                <saml-clock-skew>50</saml-clock-skew>
              </saml>
            </authenticator>
          </authenticators>
        </authentication-service>
      </settings>
    </profile>
  </profiles>
</config>

A new saml2 authenticator configuration would look like this:

Listing 93 Example configuration of the saml2 authenticator
<config xmlns="http://tail-f.com/ns/config/1.0">
  <profiles xmlns="https://curity.se/ns/conf/base">
    <profile>
      <id>authentication</id>
      <type xmlns:auth="https://curity.se/ns/conf/profile/authentication">auth:authentication-service</type>
      <settings>
        <authentication-service xmlns="https://curity.se/ns/conf/profile/authentication">
          <authenticators>
            <authenticator>
              <id>saml2</id>
              <saml2 xmlns="https://curity.se/ns/conf/authenticators/saml2">
                <issuer-entity-id>https://my-curity.example.com/sp</issuer-entity-id>
                <idp-entity-id>https://external.example.org/idp/metadata</idp-entity-id>
                <idp-url>https://external.example.org/idp</idp-url>
                <signature-verification-key>external-idp-signature-verification-key</signature-verification-key>
                <request-signing-key>default-signing-key</request-signing-key>
                <clock-skew>50</clock-skew>
              </saml2>
            </authenticator>
          </authenticators>
        </authentication-service>
      </settings>
    </profile>
  </profiles>
</config>

Some notable differences are:

  • The saml2 authenticator is configured in its own new XML namespace.
  • The issuer-entity-id is now mandatory, so the Entity ID with which the authenticator identifies itself to the remote IdP must be configured.
  • The default behaviour of wants-assertion-signed has changed: it is now true (which requires a signature-verification-key to be configured).
  • The default behaviour of wants-response-signed has changed: it is now false.
  • The saml-clock-skew setting was renamed to clock-skew.
  • A new setting, include-subject-with-requested-authn-context, was added to the saml2 authenticator.
  • A new setting, force-authn, was added to the saml2 authenticator.
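The migration shown in Listings 92 and 93 and summarised in the list above, as an added example that is not part of the Curity Identity Server or its documentation: a Python script that rewrites each deprecated <saml> authenticator block into the <saml2> form using only the differences listed here (new namespace, mandatory issuer-entity-id, renamed saml-clock-skew, changed wants-*-signed defaults), followed by a check for the pitfalls those differences create. The issuer Entity ID and the optional request signing key are supplied by the caller; the function names and the embedded sample configuration are the example's own, the sample mirroring Listing 92.

```python
"""Rewrite deprecated <saml> authenticator blocks as <saml2> blocks.

Added example, not a Curity tool. It encodes only the saml -> saml2 differences
from the upgrade notes and copies every other setting verbatim.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

OLD_NS = "https://curity.se/ns/conf/authenticators/saml"
NEW_NS = "https://curity.se/ns/conf/authenticators/saml2"

# Settings renamed between saml and saml2.
RENAMED = {"saml-clock-skew": "clock-skew"}

# saml2 defaults that differ from saml. An explicit value equal to the new
# default is redundant and dropped; a differing value is kept so that the
# migrated authenticator behaves exactly as the old one did.
NEW_DEFAULTS = {"wants-assertion-signed": "true", "wants-response-signed": "false"}


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts in front of a tag name."""
    return tag.rsplit("}", 1)[-1]


def migrate_saml_to_saml2(xml_text: str, issuer_entity_id: str,
                          request_signing_key: Optional[str] = None) -> str:
    """Return the configuration with every <saml> authenticator rewritten as <saml2>."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build a child -> parent map once.
    parents = {child: parent for parent in root.iter() for child in parent}
    for old in list(root.iter(f"{{{OLD_NS}}}saml")):
        new = ET.Element(f"{{{NEW_NS}}}saml2")
        # issuer-entity-id did not exist in saml and is mandatory in saml2.
        ET.SubElement(new, f"{{{NEW_NS}}}issuer-entity-id").text = issuer_entity_id
        for child in old:
            name = _local(child.tag)
            value = (child.text or "").strip()
            if name in NEW_DEFAULTS and value == NEW_DEFAULTS[name]:
                continue  # now the default in saml2; no explicit setting needed
            ET.SubElement(new, f"{{{NEW_NS}}}{RENAMED.get(name, name)}").text = value
        if request_signing_key:
            ET.SubElement(new, f"{{{NEW_NS}}}request-signing-key").text = request_signing_key
        parent = parents[old]
        parent[list(parent).index(old)] = new  # swap in place, keeping the <id> sibling
    return ET.tostring(root, encoding="unicode")


def saml2_settings(xml_text: str) -> List[List[Tuple[str, str]]]:
    """List each saml2 authenticator's settings as (name, value) pairs in document order."""
    root = ET.fromstring(xml_text)
    return [[(_local(c.tag), (c.text or "").strip()) for c in a]
            for a in root.iter(f"{{{NEW_NS}}}saml2")]


def check_saml2(xml_text: str) -> List[str]:
    """Report the migration pitfalls named in the upgrade notes; empty list means clean."""
    problems = []
    root = ET.fromstring(xml_text)
    if any(el.tag.startswith(f"{{{OLD_NS}}}") for el in root.iter()):
        problems.append("deprecated saml namespace still present")
    for settings in saml2_settings(xml_text):
        s = dict(settings)
        if not s.get("issuer-entity-id"):
            problems.append("issuer-entity-id is mandatory in saml2")
        # wants-assertion-signed now defaults to true, which needs a key to verify with.
        if s.get("wants-assertion-signed", "true") == "true" and not s.get("signature-verification-key"):
            problems.append("wants-assertion-signed defaults to true but no signature-verification-key is set")
        if "saml-clock-skew" in s:
            problems.append("saml-clock-skew was renamed to clock-skew")
    return problems


# Constructed sample input mirroring Listing 92 (authenticator id left unchanged).
SAML_CONFIG = """<config xmlns="http://tail-f.com/ns/config/1.0">
  <profiles xmlns="https://curity.se/ns/conf/base">
    <profile>
      <id>authentication</id>
      <settings>
        <authentication-service xmlns="https://curity.se/ns/conf/profile/authentication">
          <authenticators>
            <authenticator>
              <id>saml1</id>
              <saml xmlns="https://curity.se/ns/conf/authenticators/saml">
                <idp-entity-id>https://external.example.org/idp/metadata</idp-entity-id>
                <idp-url>https://external.example.org/idp</idp-url>
                <signature-verification-key>external-idp-signature-verification-key</signature-verification-key>
                <wants-response-signed>false</wants-response-signed>
                <wants-assertion-signed>true</wants-assertion-signed>
                <saml-clock-skew>50</saml-clock-skew>
              </saml>
            </authenticator>
          </authenticators>
        </authentication-service>
      </settings>
    </profile>
  </profiles>
</config>"""

if __name__ == "__main__":
    migrated = migrate_saml_to_saml2(SAML_CONFIG, "https://my-curity.example.com/sp", "default-signing-key")
    print(migrated)
    print("problems:", check_saml2(migrated) or "none")
```

The script keeps the authenticator's <id> and every setting it does not know about, so a saml block that explicitly set wants-assertion-signed to false keeps that value rather than silently picking up the new default; the two settings new in saml2 (force-authn and include-subject-with-requested-authn-context) are left unset so their defaults apply. ElementTree serialises the result with generated namespace prefixes (ns0, ns1, ...), which is valid XML but not the default-namespace style of the listings; run the output through the check before loading it.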