Gluu Server Roadmap

See where the Gluu Server is headed to determine which version is right for your project. We support each release for at least 18 months.

CE 3.1.5 Roadmap

Latest stable release

Highlights

  • Support for FIDO 2.0
  • oxTrust UX improvements
  • Easier certificate management
  • Logging improvements

Install Gluu 3.1.5

Issues

oxTrust

  • #1448 Enhancement for some views
  • #1435 add claims - better search / pagination
  • #1434 Regex validation of attribute leads to Error Page
  • #1428 Password length validation not working
  • #1425 Improve registration confirmation page
  • #1424 Improve social login strategy list
  • #1421 Add ability to download a certificate from the list of cert
  • #1417 Add more space between elements in Certificates view
  • #1412 Error removing sector identifier when the client associated has been deleted
  • #1409 Typo in oxTrust Error
  • #1400 Reorder oxTrust log level
  • #1396 improper log level for some log lines
  • #1395 Some error related to recaptcha.
  • #1389 Oops while viewing oxTrust Admin client details
  • #1387 Oops when uploading ldif
  • #1386 Errors with User addition/edition
  • #1385 Remove "Select" from Allow for dynamic registration dropdown in Add Scope
  • #1384 Remove "Visibility type" from Type dropdown in Add Group
  • #1382 Add interface in user view to manage Pairwise IDs
  • #1378 oxTrust Admin UI client is deleted from Clients list a few hours after installation
  • #1376 SCIM service not clearing custom attribute in LDAP using PUT or PATCH
  • #1374 Typo in oxtrust.properties
  • #1372 SCIM group patch anomaly when member list ends up empty
  • #1371 Make email's uniqueness enforcement by oxTrust optional
  • #1364 Add visibility log for clean up services.
  • #1359 CE3.1.4: Missing Authentication Methods
  • #1347 The password reset message should be neutral
  • #1340 Add `password` field for Redis cache configuration
  • #1339 'Test LDAP Connection' in Cache Refresh page
  • #1338 Ubuntu14+CE3.1.4: change string in Forgot Password Flow
  • #1334 Ubuntu18+CE3.1.4: Missing Dashboard values
  • #1329 Wrong error message when password reset token was expired
  • #1328 Configuration > Certificates enhancements
  • #1327 `Remember me` checkbox missing from login screens
  • #1323 It's possible to create OIDC scopes with duplicated names in oxTrust
  • #1322 Prevent duplicate scopes
  • #1312 'attribute-filter.xml.vm' template not 100% compatible in 3.1.4
  • #1311 Changing "oxTrust acr" to "default" in "Default Authentication Method" Deletes oxTrustAuthenticationMode Entry
  • #1308 Extra syntax / remove '222' thing
  • #1305 oxTrust Needs To Register A Front Channel Logout URI
  • #1304 Display available ACR options in client UI
  • #1303 Toggle Pairwise Subject type: algorithmic | persistent
  • #1295 oxTrust throws error a few seconds after the first login.
  • #1294 Add a dedicated logger for Velocity's logs
  • #1293 Shorten long fields for brevity
  • #1292 Improve OpenID Scope selection UX
  • #1286 Cache Refresh metrics don't work as expected
  • #1285 Properties set via "Configure Relying Party" control don't have effect on TRs based on a federation's TR
  • #1284 Issues with "Client's registration expires" control of OIDC client's properties page
  • #1283 authenticationRecaptchaEnabled property in oxTrust configuration has invalid drop down menu action
  • #1282 Improve error messages when cust scripts have errors
  • #1273 "Failed to execute registration script" when hitting a non-existing /restv1 URL
  • #1264 Improve some public facing pages to match Gluu design
  • #1262 Suggestion for further re-work of "Add/Update OIDC client" page
  • #1219 Improvement: oxTrust automatically switches to another tab on update action.
  • #1196 Authentication graph improvement
  • #1176 Export Client Config
  • #1149 "uma grant" option not available in oxtrust OIDC client
  • #1112 Change menu item label "JSON Configuration" to "Base Configuration"
  • #1034 'Authentication Requests' graph should only include oxAuth authentication
  • #356 Default password reset email contents

oxAuth

  • #975 Implemented Fido2 authenticator script which is based on the Fido2 API
  • #969 Fix expired entries clean up
  • #968 Store missing IDP name for passport inbound
  • #966 The OTP finish button should be centered
  • #959 Authenticator should not depend on any ACR methods
  • #956 JWT(Access token as JWT) returning empty scope
  • #955 Empty scope should throw proper error ( while registering client ) instead of NPE
  • #954 oxauth-client should re-throw connection exception, so client app can handle it
  • #952 Invalidate OP session after consent flow is completed
  • #951 Introspect endpoint should return 200 OK with active=false if invalid token is provided
  • #948 Simplify passport cust scripts where possible
  • #941 Remove useless js dependency on Super Gluu QA Page
  • #938 A NullPointerException is often thrown during logout for some users
  • #934 Store metric records in separate backed o=metric
  • #933 Remove JCE Requirement From Gluu Server CE
  • #932 `Remember me` checkbox missing from login screen
  • #930 Add support to return RPT as JWT
  • #929 Introspection endpoint must return 200 http status code with active=false if token is not found on AS instead of 400
  • #927 oxAuth Does Not Enforce Registered `post_logout_redirect_uri`
  • #925 oxAuth client should log more self-explanatory error message if oxAuth is not available
  • #924 Make ClientAuthorizations serializable otherwise redis will fail to save it into cache.
  • #917 Add dynamic scopes and claims to discovery
  • #914 All calls to oxAuth fail when httpLoggingEnabled is set to true
  • #913 RP iframe Message Should Not Be Created In The Same Way As OP iframe Message
  • #912 Customized Authentication pages's logo
  • #911 Authorization Endpoint : revisit `access_token` parameter in Authorization Request
  • #906 On authentication session expiration and other errors, oxAuth should redirect user to intended RP
  • #896 Remove loginPage and authorizationPage properties
  • #883 Turn off client expiration by default and remove ability to update expiration via endpoint
  • #876 406 from .well-known/openid-configuration
  • #868 token introspection interception script
  • #849 If session_id is not passed in logout request, oxAuth responds as if session termination succeeded, while it didn't
  • #830 Client-specific access token expiration
  • #781 Add new endpoints for FIDO 2 / W3C web authentication
  • #704 Add support for Client metadata: software_id, software_version, software_statement
  • #566 Introspection endpoint: Add support for basic authentication
  • #230 Resource Owner Password Credential Grant Interception Script

oxShibboleth

  • #50 'SAML2Logout' Relying party configuration availability
  • #49 Restore previous configuration for nameid generation

SCIM Client

  • #71 NoHttpResponseException: failed to respond

oxCore

  • #105 Increase custom script name length to 60 characters
  • #104 redis with password does not work
  • #102 Update UptimeConverter
  • #99 Add two methods to Person type custom script
  • #96 Add the field enforceEmailUniqueness to oxtrustjson configuration
  • #95 Decrypt redisConfiguration password before using it for authentication
  • #93 Misleading Exception throw in oxCore
  • #91 Improve Custom script error message

Community Edition Setup

  • #503 Enhance oxTrust/oxAuth log level
  • #499 Fix Init Script Headers For Service Startup Order
  • #498 Why Do We Change The Hostname Inside The Chroot?
  • #497 OpenDJ init Script Fixes
  • #496 Change display name of casa client registration script
  • #495 Can we remove downloading oracle JCE in the installer?
  • #491 Enable jetty threadlimit mod if needed
  • #488 Gluu-server should export JAVA_HOME, NODE_HOME and OPENDJ_HOME and modify PATH
  • #486 Clean Up Apache Config
  • #485 Abort setup.py if file descriptor is less than 64k

Gluu Passport

  • #55 Passport social shows empty page when the email is already registered
  • #54 Review some potential problems in passport-saml-config.json
  • #53 Adjust IDP linking URL for casa social plugin
  • #51 Passport service doesn't perform restart properly / Error: Received unexpected HTTP status code of 503
  • #49 Remove Start.log Requirement From Passport Startup
  • #48 Passport Log Should Read "passport.log" and archive as "passport-$DATE.log"
  • #47 Add logging transport for stdout
  • #33 Overall logging enhancements
  • #29 IDP-inited flow for inbound identity - write custom script
  • #28 IDP-inited flow for inbound identity - AuthZ request + signed user profile
  • #27 IDP-inited flow for inbound identity - SP to OIDC client
  • #26 IDP-inited flow for inbound identity - Add endpoint to trigger flow
  • #24 Passport-Saml: IDP initiated flow fails

Gluu Asimba

  • #26 IndexOutOfBoundsException in org.opensaml.xml.util
  • #25 Asimba does not logout (a session still exists in memory storage)
  • #23 Allow to change the order of the IDPs via the GUI
  • #21 Deploy Asimba in its own tomcat container

CE 3.1.6 Roadmap

ETA: March, 2019

Issues

GluuFederation/oxTrust

  • #1491 Wrong free memory status in Ubuntu 18
  • #1486 Problem to add users at the first time of login
  • #1485 NPE when removing devices in user's profile
  • #1484 Enhance how U2F devices are displayed in user's profile
  • #1478 Oops page when deleting user
  • #1476 Exception when oxOTPDevices is set. Prevents editing users
  • #1474 Issues after two successive logoffs take place
  • #1473 Logout triggers OP unauthenticated session creation
  • #1465 Determine facter version in order to prepare right command option
  • #1456 Force required permissions in jsf pages

GluuFederation/oxAuth

  • #993 Adjust passport cust script and pages to remove unnecessary endpoints
  • #992 Second logout request from another RP returns error
  • #991 Cache Native objects clean up not work properly
  • #990 Protect RP initiated logout flow against top-level browsing context changing from iframe
  • #989 IdTokenFactory has to fetch public key based on JWE algorithm.
  • #988 Don't show error message about missing consent cookie at Authorization flow start
  • #987 Adjust passport script to parameterize whether updates should be applied to user profile or not
  • #986 Consent form not shown when second client starts authorization
  • #985 Load Fido2 protected device metadata
  • #984 Update session AuthZ parameters on ACR change
  • #977 Typo in otp_configuration.json
  • #901 Super Gluu created time needs time zone support
  • #589 Phone number verification message for Twilio

GluuFederation/oxcore

  • #107 Log all LDAP operation time to separate log

CE 4.0 Roadmap

ETA: June, 2019

Highlights

  • APIs for oxTrust
  • Abstracted DB layer, with additional support for Couchbase
  • Granular user roles for oxTrust to limit access to specific UI features.
  • More auditing features

Issues

oxAuth

  • #901 Super Gluu created time needs time zone support
  • #884 Don't return refresh token if client doesn't have refresh_token grant
  • #861 Request objects should have iat and expiration
  • #860 Move all integration pages and scripts into sub-project of oxAuth
  • #859 Improve Live Script Debug
  • #853 CAS logout with oxAuth-session script ( application_session )
  • #848 Move client side test requestAuthorizationForOpenIdScopeAndPairwiseId to server side test
  • #847 Bouncycastle throw ClassCastException after upgrade to 1.59
  • #839 Support for spontaneous scopes
  • #825 Group configuration properties to make it more user-friendly
  • #823 Authenticator should not use "@!" to distinguish user/client credentials.
  • #822 Add a new attribute's type to handle attributes containing JSON data more gracefully in OIDC flows
  • #813 CleanupTimer has to run in its own connection pool so as not to affect oxAuth performance
  • #811 Upgrade to Jackson 2.x (from current Jackson 1.x)
  • #810 Add Opentracing support
  • #809 Add support for account switching
  • #804 pre-fix value for access token
  • #800 Userinfo can't be contacted with access_token issued during resource owner creds grant flow if redirect_uri is not specified for the client
  • #795 Allow to set the pairwiseIdType (algorithmic/persistent) on a client basis
  • #789 Add support for id token upon token refresh
  • #784 Add support for Token Revocation
  • #767 Could you add these authorization code request and response sections in a future version of oxauth-rp
  • #756 OAuth Scope Refactoring
  • #751 Update Saml script to allow sign request
  • #750 Add CIBA support to oxAuth
  • #748 UMA RPT Policy evaluator : if no policies it grants access. We have to make it configurable (e.g. deny instead of grant)
  • #742 Update Dynamic Registration Management
  • #734 `uniqueIdentifier` removal in replicated server / clustered Gluu Server
  • #720 Add support for DELETE request to OIDC Dynamic Registration endpoint
  • #719 Allow to update oxDisabled attribute using Dynamic Client Registration endpoint
  • #697 Performance: ~40% of time is blocked by Weld synchronization during high load (>800 threads).
  • #694 Support redis failover in standalone
  • #674 UMA: require client requested scopes to be pre-registered
  • #667 Custom interception authorization script for Connect.
  • #663 Cache UMA Permission Ticket
  • #657 Synchronize CAS logout with OpenID Connect logout
  • #640 Provide automatic deployment to build server in order to see real test results
  • #637 Create reusable login template
  • #602 Update client resets grant-types if it has no value
  • #589 Phone number verification message for Twilio
  • #586 UMA 2: Add Selenium user emulation for Claims-Gathering test pages (country.xhtml and city.xhtml)
  • #566 Introspection endpoint: Add support for basic authentication
  • #548 Add s_hash to id_Token
  • #535 Provide customization of front-channel generated html from /end_session
  • #505 Key History
  • #498 Strip querystring from logout redirect URI comparison
  • #485 Support OpenID Connect Claims Languages
  • #480 acr_values router script.
  • #469 Extend Session Endpoint
  • #460 Performance : go over oxauth threads blocks that appears after 140req/s
  • #447 Federation: Publish metadata_statement_uris
  • #446 Federation: add signed_jwks_uri
  • #445 Federation: add signing_keys_uri
  • #437 Implement better HTTP Header Security
  • #413 Increase size of oxAuth-rp text areas
  • #393 Collect performance stats in oxAuth
  • #373 Add support for response-type=None
  • #353 Change client secret to bcrypt
  • #313 Support Proof of Possession Tokens
  • #308 Support JWT Token Revocation
  • #303 OAuth2 Assertion Grant for SAML assertions and signed JWT's
  • #302 Client Registration: Validation user facing values
  • #296 [Feature Request] Please add RADIUS as GLUU custom authentication script
  • #273 RP-Demo configuration improvement
  • #267 IDP Initiated Authentication Script
  • #233 New iFrame implicit flow
  • #223 Add postLogin method for authentication script
  • #218 Implement U2F attestation certificate validation
  • #208 Provide endpoint with list of enabled custom authentication methods
  • #207 User Review of Persistent Client Scope Authorizations
  • #206 OpenID Connect Line Item Scope Approval
  • #195 remove code duplication
  • #141 Add Support for OAuth2 Device Flow
  • #89 Support for Software Statement Protected Client Registration
  • #87 Work with photo attributes
  • #70 Back-Channel Logout
  • #68 Add metric to store CPU/memory usage
  • #9 oxAuth client should support HTTP proxy

oxTrust

  • #1291 Show All attributes show error page
  • #1290 Impossible to add new TR
  • #1289 Impossible to add New user
  • #1220 Improvement : introduce toolbar for `page-wide` buttons.
  • #1219 Improvement: oxTrust automatically switches to another tab on update action.
  • #1147 Users Should Be Able to Add Custom ClientID On Client Creation
  • #1106 OpenID Client Auto-Generated Password Is Not Cryptographically Strong
  • #1096 User sync (cache refresh) in a containerised environment
  • #1088 SMTP Server Configuration Are Not Saved
  • #998 SCIM2 filter code should build filter graph to allow convert it in any filter type
  • #992 Use automated tests to test API instead of manual testing
  • #935 Server Log API
  • #934 Server Status API
  • #933 OxAuth configuration API
  • #932 OxTrust configuration API
  • #931 Registration API
  • #930 Custom Scripts API
  • #929 Certificates API
  • #928 Attributes API
  • #927 Authentication Method API
  • #926 Organization profile API
  • #925 Personal profile API
  • #924 Users API - People
  • #923 Users API - Groups
  • #922 CAS API
  • #921 UMA API
  • #920 OpenID Connect API
  • #919 SAML - Asimba API
  • #918 SAML - TrustRelationship API
  • #885 SCIM interception script: add handler for GET
  • #843 Use decorator for input elements
  • #820 Verify user's memberOf is synced when group members are changed via SCIM
  • #815 Show Modality according to requirement
  • #812 Rename @protected SCIM annotation to @ScimProtectedApi
  • #803 Protect oxTrust apis by UMA
  • #786 Cover oxTrust API by tests
  • #785 Cover all oxTrust GUI by oxTrust API
  • #784 Prepare working prototype which demonstrates oxTrust API
  • #783 Prepare client/server code to protect oxTrust API endpoints using UMA
  • #769 Try to use JSF2 as mail templates
  • #762 Expose API's for everything
  • #758 Couchbase Support
  • #739 Commit with Comment
  • #697 Gluu Server memory usage (3.1.0)
  • #551 Remove ou=appliances
  • #531 Translate resource bundles
  • #467 Support FileBackedHTTPResource for Shibboleth Config Files
  • #389 Create UI to configure IDP Initiated SAML Authentication
  • #388 Support SCIM Password Management Spec
  • #135 Store user pictures in FS
  • #104 New custom script type to pull data from RDBMS and other sources

Gluu Passport

  • #20 Communication between passport and auth script should be protected by token
  • #19 Passport should support dynamic mapping
  • #4 rename repo to oxPassport

Community Edition Setup

  • #462 Support Ubuntu 18.04.1 and deprecate 14.04 support
  • #452 Couchbase should not listen by default on all server IPs
  • #451 Don't prompt to install IDP if admin selected Couchbase as persistence DB
  • #450 Create additional Couchbase backends during install
  • #449 Command to import ldif into Couchbase
  • #448 Improve the "is Couchbase up" checking method
  • #431 Authentication scripts' levels need to be updated
  • #426 Merge node and passport script
  • #394 Strange attribute values in admin entry
  • #361 Upgrade: ldap data import too slow
  • #360 In setup script: allow selection of LDAP or Couchbase as the database
  • #351 Add oxMultivaluedAttribute to oxEnrollmentCode attribute
  • #284 Don't index binary tokens
  • #275 Configure firewall on host to open https port after installing CE
  • #254 Generate OP signing keys
  • #241 [Proposal] Staged Setup Process. Fixes #30
  • #219 Add command to generate JWKS
  • #170 Dockerizing Gluu Server
  • #102 Reporting metrics and statistics gathering in CE
  • #11 Add more attributes to admin user entry

oxShibboleth

  • #41 Some SAML flows will fail when several tabs of the same browser window initiate them in a quick succession/simultaneously
  • #35 Create authentication flow to replace RemoteUser flow
  • #30 SAML metadata is not processing properly
  • #25 Don't show stacktrace... ever
  • #24 SLO binding links are breaking IDP metadata
  • #16 /opt/shibboleth-idp/metadata/idp-metadata.xml (No such file or directory)
  • #15 Map AuthnContextClassRef --> acr in OpenID Connect
  • #10 Support ForceAuthn=true
  • #5 Override Logout Functionality

oxCore

  • #87 Merge 3.1.4 into Master
  • #85 Use JSON data types to store in Couchbase entries
  • #84 Move Persistence Factory creation code from oxAuth/oxTrust to oxPersistence
  • #83 Add new CacheProvider to store data in LDAP under ou=session
  • #82 Use one Couchbase environment
  • #81 Move Couchbase statistics to application-persistence.log
  • #80 Ldap persistence mechanism should support encryption methods which LDAP server doesn't support
  • #79 Update oxAuth/oxTrust to use oxLdap/oxCouchbase
  • #78 oxCouchbase should use SSL to connect server
  • #77 oxCouchbase should support LDAP CRYPT and SHA authentication mechanism
  • #74 findEntriesVirtualListView throwing exception if search takes longer than certain threshold
  • #67 Move ou=appliances under o=orgInum
  • #60 Update to Weld 3.0.2.Final in all projects
  • #58 Change org.xdi -> org.gluu
  • #57 Support Couchbase
  • #50 Add Jedis SSL support for redis cache communication
  • #44 Enable style checker maven plugin
  • #41 Implement weld extension to add Faces messages based on method outcome
  • #28 Create generic CacheService (without dependencies to ehcache)
  • #10 Specify Different Write / Read LDAP servers in ldap.properties
  • #9 Specify "failover" | "round robin" connection pool strategy in ldap.properties
  • #8 Map LDAP credentials to backend

SCIM-Client

  • #62 Add support for boolean custom attributes
  • #61 Migrate to com.fasterxml jackson serialization library
  • #60 Service metadata endpoints must reject the presence of filter query param
  • #59 Wrong modeling of SearchRequest and its schema
  • #57 Bugs in filter functionality
  • #56 Refactor Bulk Operation service code
  • #54 Move SCIM-related oxtrust.properties inside the "ScimProperties" object
  • #53 cases 10.2/10.3, Delete a user with If-Match etag
  • #52 cases 7.2/7.3, Retrieve a user with If-None-Match etag
  • #51 cases 5.13/5.14, Update a user with If-Match etag header
  • #49 case 6.3, Add a value to a multi-valued attribute with PATCH
  • #48 case 6.2, Update a multi-valued attribute with PATCH
  • #47 case 6.1, Update a simple attribute with PATCH
  • #45 cases 11.1/11.2, Searching with POST /.search
  • #44 cases 4.4/5.4/5.5/5.6, Handling of immutable attribute
  • #43 Groups endpoint allows writing non-existing members
  • #42 Group assignment for users should be done at /Group not through /Users endpoint
  • #41 Adjust /Schemas endpoint impl to pick attributes characteristics automatically
  • #40 cases 8.11/8.12, Retrieve a list of users with attributes query param (POST)
  • #39 Replace deprecated ProxyFactory usage in client code
  • #38 cases 7.4/7.5, Retrieve a user with attributes query param
  • #37 cases 8.3/8.4, Retrieve a list of users with attributes query param
  • #36 cases 5.8/5.9, Update a user with attributes query param
  • #35 cases 4.5/4.6, Create a user with attributes query param
  • #34 Remove hard-coded list of ISO3166 countries
  • #33 Enhance ResourceTypes endpoint
  • #32 Add a logging framework
  • #31 Remove redundant code in authorization check for SCIM service
  • #30 Service does not handle properly the attributes/excludedAttributes parameters
  • #29 Add support for PATCH verb to service
  • #28 In user retrieval JSON response has the type attribute malformed for certain multi-valued attributes
  • #27 Creating and retrieval operations return unexpected attributes
  • #26 Validate locale attribute
  • #25 Validate timezone attribute