Skip to content

What's new in Gluu Server v4#

Version 4.4.2#

Library Updates and bug fixes#

Gluu Server version 4.4.2 is a patch version that updates packaged libraries and fixes bugs identified in version 4.4.1. A full list of these fixes and updates can be found in the release notes.

Version 4.4.1#

request_uri blocklist and allowlist implemented to enhance security#

The request_uri Authorization Request parameter enables OpenID Connect requests to be passed by reference, rather than by value (see the spec). However, when implemented as written in the spec, the request_uri could be used to launch an SSRF (Server-Side Request Forgery) attack against the IDP. To mitigate this risk, we've implemented both a request_uri blocklist and a request_uri allowlist that are configurable in the Gluu Server OpenID Provider JSON configuration.

Version 4.4#

Support for MySQL in Gluu Server virtual machine deployments#

Previously only supported in Cloud Native deployments, all Gluu Server deployments have now been optimized to work with MySQL for persistence. This support allows more organizations to more efficiently handle clustering and scaling.

Important

As of version 4.4.0, LDAP is no longer supported as a persistence mechanism in multicluster Cloud Native deployments.

Version 4.3#

Amazon Aurora and Google Spanner support for Gluu Server Cloud Native (“Gluu CN”)#

Cloud Native design principles instruct us to use cloud services where possible, and nowhere does this make more sense than with regard to persistence. The performance on these two horizontally scalable database services is excellent. Using cloud databases with the Gluu Server will help your organization operate a highly available, geographically distributed identity service with greater ease.

Support for FIDO 2.0 platform authenticators (e.g. Apple TouchID)#

The Gluu Server includes a standalone FIDO server which validates and registers credentials. Now that server supports “platform authenticators”--FIDO devices that are built into hardware like mobile phones and laptops. In 4.3, there is also an upgraded Casa plugin to enable users to manage their platform FIDO devices (i.e. register, remove). And platform devices are also available for API-based management via Gluu’s FIDO SCIM extension.

Improvements to the SCIM API#

SCIM is a popular JSON/REST API for performing user management. In 4.3, we tweaked the SCIM API interception script for the GET operation. Previously, this script was executed after the database query was executed. Now, it’s executed before, enabling you to optimize the database filter before it runs, improving efficiency. Gluu 4.3 also introduces two new security models for SCIM: OAuth and None. For more information see the documents

More metrics! You can now get data on "monthly active users"#

Calculating monthly active users is tricky, because it can impact performance by consuming RAM or persistence. So we integrated a new feature that algorithmically calculates monthly active users and stores the data centrally for reporting. This will enable you to give more information back to business users about how end users utilize your digital identity service. See the docs for further instructions

Shibboleth IDP: major update to version 4.1.4#

The Shibboleth Foundation is hard at work upgrading the server (and not giving you a lot of time to get current). Gluu 4.3 has the latest Shibboleth IDP bits, which include no noticeable improvements, because nothing in SAML ever changes.

A new VM distribution for SUSE Enterprise Linux (SLES 15 sp3)#

Now that SUSE is the largest independent open source company, we thought it was time to finally support their Linux Distro. So happily, SUSE Linux Enterprise Server 15 SP3 is now available for testing. You might want to wait until 4.3.1 to put it into production, as it’s a new release. But let us know what you think!

A new VM distribution for RHEL 8 with the DISA STIG security profile#

The RHEL 8 DISA STIG security profile enables organizations to implement security policies on their servers to align with the US Department of Defense’s guidelines for hardening that operating system. There are over 200 security recommendations that are implemented. Some of the notable ones include: central crypto policy enforcement, a new file security demon called fapolicyd, and of course configuration for SELinux, the universally loved kernel security enforcement mechanism among linux administrators. This new distribution of the Gluu Server upgrades the default configuration profile and some of the TLS libraries to make your distribution FIPS 140-2 conformant.

Version 4.2#

OpenID Connect FAPI Certification#

Financial-grade APIs are REST APIs that provide JSON data representing sensitive data. These APIs are protected by the OAuth 2.0 Authorization Framework. Start in Version 4.2, the Gluu Server supports FAPI and has been certified by OpenID. See more information in the docs and the spec.

Client Initiated Backchannel Authentication#

The Gluu Server now supports CIBA. OpenID Connect Client Initiated Backchannel Authentication Flow is an authentication flow like OpenID Connect. However, unlike OpenID Connect, there is direct Relying Party to OpenID Provider communication without redirects through the user's browser. CIBA enables a Client to initiate the authentication of an end-user by means of out-of-band mechanisms. For more information, check the docs and the spec.

Support for OpenID Back-Channel Logout#

The Gluu Server now supports back-channel logout, using direct back-channel communication betweeh the OP and RPs being logged out without requiring input from the User Agent. See the docs and spec.

New Interception Scripts#

In 4.2, we've introduced new interception scripts for Post-Authentication Authorization (more details), UMA2 RPT claims (more details), and application session management (more details).

Deployment Changes#

SCIM is now a separate component in the Gluu Server#

Starting in Version 4.2, SCIM has been separated into its own Gluu Server component. Installation is now optional when setting up a new server. See the docs for more information.

Jackrabbit Support for Kubernetes Deployments#

The Kubernetes deployment of the Gluu Server 4.2 now includes support for the Jackrabbit Java Content Repository for persistence of oxAuth custom files, oxShibboleth IDP files, Casa and oxTrust custom files. This is most useful in larger deployments. See the docs for more information.

FIDO U2F and FIDO 2 Security Key Consolidation#

The FIDO2 Interception Script now handles both U2F and FIDO2 keys using a separate component in the Gluu Server. The U2F script is still available, but will be deprecated in future versions. See the docs for more information.

Non-Backwards-Compatible Changes#

New JSON Properties#

The following properties were implemented in 4.2 to help upgrading customers maintain past behavior:

New Behavior Issue Number JSON Property
response_type and grant type are no longer added to client by default #1252 clientRegDefaultToCodeFlowWithRefresh
client_secret is no longer returned on client read #1053 returnClientSecretOnRead
The offline_access scope is now required to use the refresh_token grant type #1172 forceOfflineAccessScopeToEnableRefreshToken
The Authorization endpoint no longer uses session_id by default #1195 sessionIdRequestParameterEnabled
The reason field is no longer returned in error responses by default #1344 errorReasonEnable

Version 4.1#

OIDC client creation improvements#

In version 4.1, we fixed several issues with OpenID Connect clients that were causing early expiration and errors with attributes.

Shibboleth IDP cache support#

Shibboleth IDP user sessions are now cached similarly to other services, allowing them to survive server restarts and be more easily replicated in a clustered environment. See more details in the IDP documentation

Casa and oxd added to installation script#

For convenience, Casa and oxd can now be installed with the standard Community Edition setup script. See all the options in the setup script documentation.

Minor bug fixes and feature improvements#

A variety of bug fixes and UX improvements are included with the latest release. See our complete release notes.

Version 4.0#

Persistence redesign#

In 4.0, the Gluu Server persistence layer is more modular. Previously LDAP was tightly bundled. Now, any persistence mechanism can be supported with a jar file that implements the base Persistence API. The desired mechanism can then be specifed in gluu.properties. Learn more.

Support for Couchbase#

Couchbase Enterprise Edition (EE) is now supported as a persistence mechanism, enabling hyper-scalable authentication and authorization. Learn more.

Extensive Passport redesign#

New UI's in 4.0 enable simpler configuration of inbound identity workflows and improved support for external OpenID Connect Providers ("inbound OpenID"). Read the docs.

No version numbers in packages#

Previously, the version number was included in the Gluu Server package, e.g. gluu-server-3.1.6. Starting in 4.0, the latest stable Gluu Server package name is simply gluu-server. This simplifies version upgrades, server operations, and improves interoperability between Gluu products.

More SAML IDP features#

NameIDs can now be configured inside oxTrust, and SAML ACRS parameters are now supported, which, when used in conjunction with force authentication, enables stepped-up authentication for SAML SPs.

Support for RADIUS authentication#

The Gluu Server now supports two options for RADIUS authentication to enable SSO and 2FA to non-web applications like SSH, VPN, and Wi-Fi:

  • Gluu RADIUS: a free, single-threaded RADIUS implementation based on the TinyRADIUS server; and...

  • Radiator: a robust, commercial AAA server built for ISPs and carriers.

Improved clean up service#

Introduced in CE 3.1.6, cleanService is now more configurable. This service periodically removes unused and expired cache and session-related database entries to improve server performance. Read the docs.

Updated libraries and components#

4.0 includes the latest version of Shibboleth, updated Java libraries and Jetty, and Oracle JDK has been replaced with Amazon Corretto, an open source, production-ready distribution of OpenJDK.

Minor bug fixes and feature improvements#

A variety of bug fixes and UX improvements are included with the latest release. See our complete release notes.