Releases: cloudfoundry/uaa-release
Updated to UAA 3.9.2
This release includes UAA 3.9.2
IMPORTANT BACKWARDS INCOMPATIBLE CHANGES
Starting with this release, UAA no longer ships default values for the SAML Service Provider certificate and the JWT signing key. Shipping defaults meant every deployment that did not override them signed with the same, publicly known key, so these artifacts must now be generated explicitly for each deployment of UAA, and they are required for UAA to start up and function.
These are standard artifacts that can be generated with openssl. Please refer to the topic here on how to generate a self-signed certificate.
login.saml.serviceProviderCertificate:
  description: "UAA SAML Service Provider certificate. This is used for signing outgoing SAML Authentication Requests."
  example: |
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
login.saml.serviceProviderKey:
  description: "Private key for the service provider certificate."
  example: |
    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----
login.saml.serviceProviderKeyPassword:
  description: "Password protecting the service provider private key; leave blank if the key is not password-protected."
  example: ""
Deprecated Format for JWT Signing Key
NOTE: Please continue to use this format for setting the signing and verification key in cf-release, as it does not support reading from the new format yet.
uaa.jwt.signing_key:
  description: "Deprecated. Use uaa.jwt.policy.keys. The key used to sign the JWT-based OAuth2 tokens."
uaa.jwt.verification_key:
  description: "Deprecated. Use uaa.jwt.policy.keys. The key used to verify JWT-based OAuth2 tokens."
New Format for JWT Signing Keys (a verification key need not be set, because UAA derives the public key from the private signing key)
uaa.jwt.policy.keys:
  description: "Map of key IDs to signing keys, each defined with a property `signingKey`."
  example:
    key-1:
      signingKey: |
        -----BEGIN RSA PRIVATE KEY-----
        -----END RSA PRIVATE KEY-----
uaa.jwt.policy.active_key_id:
  description: "The ID of the JWT signing key to be used when signing tokens. Keeping the other entries in `keys` lets tokens signed with a previous key still be verified during rotation."
  example: "key-1"
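The following script is an added example and not part of uaa-release or the UAA documentation. It generates the two artifacts this release stops defaulting (a SAML service provider key with a self-signed certificate, and a separate JWT signing key), checks that the certificate actually belongs to the private key and is signed with SHA-256 rather than SHA-1, derives the JWT verification key from the signing key to illustrate why `uaa.jwt.policy.keys` needs only `signingKey`, and renders the key into the indented `uaa.jwt.policy` YAML block. It assumes `openssl` is on PATH; the directory, file names, key ID `key-1` and subject `CN=uaa-saml-sp.example` are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not project code. Generates and sanity-checks the per-deployment
# SAML SP certificate and JWT signing key that UAA 3.9.2 no longer defaults.
# Assumes openssl is installed; all paths and names below are placeholders.
set -eu

# Generate, in directory $1:
#   saml-sp.key / saml-sp.crt   RSA key and self-signed cert for the SAML SP
#   jwt-key-1.pem               separate RSA key for JWT signing (never reuse the SAML key)
#   jwt-key-1.pub               public key derived from jwt-key-1.pem
generate_uaa_keys() {
  dir="$1"
  mkdir -p "$dir"
  # 2048-bit key, SHA-256 self-signed certificate valid for two years
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 730 \
    -subj "/CN=uaa-saml-sp.example" \
    -keyout "$dir/saml-sp.key" -out "$dir/saml-sp.crt" 2>/dev/null
  openssl genrsa -out "$dir/jwt-key-1.pem" 2048 2>/dev/null
  # UAA derives the verification key from the signing key; this is the same
  # derivation, done here only to show it is implied by the private key.
  openssl rsa -in "$dir/jwt-key-1.pem" -pubout -out "$dir/jwt-key-1.pub" 2>/dev/null
  # Note: OpenSSL 3 writes PKCS#8 "BEGIN PRIVATE KEY" headers; the spec example
  # shows the PKCS#1 "BEGIN RSA PRIVATE KEY" form (openssl rsa -traditional on 3.x).
}

# 0 when the certificate's public key matches the private key (same RSA modulus)
saml_key_matches_cert() {
  dir="$1"
  k=$(openssl rsa -in "$dir/saml-sp.key" -noout -modulus 2>/dev/null)
  c=$(openssl x509 -in "$dir/saml-sp.crt" -noout -modulus 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 when the certificate signature uses SHA-256 (a SHA-1 cert would be rejected
# by peers that refuse SHA-1 signatures)
saml_cert_uses_sha256() {
  openssl x509 -in "$1/saml-sp.crt" -noout -text 2>/dev/null |
    grep -q 'Signature Algorithm: sha256WithRSAEncryption'
}

# 0 when the stored public key is the one derived from the JWT signing key
jwt_pub_matches_signing_key() {
  dir="$1"
  p=$(openssl rsa -in "$dir/jwt-key-1.pem" -noout -modulus 2>/dev/null)
  q=$(openssl rsa -pubin -in "$dir/jwt-key-1.pub" -noout -modulus 2>/dev/null)
  [ -n "$p" ] && [ "$p" = "$q" ]
}

# Print the uaa.jwt.policy block for key ID $1 using the PEM file $2.
# The PEM must be indented under the YAML block scalar ("signingKey: |").
render_jwt_policy_yaml() {
  key_id="$1"
  key_file="$2"
  printf 'uaa:\n  jwt:\n    policy:\n      active_key_id: %s\n      keys:\n        %s:\n          signingKey: |\n' \
    "$key_id" "$key_id"
  sed 's/^/            /' "$key_file"
}

main() {
  out="${1:-./uaa-keys}"
  generate_uaa_keys "$out"
  saml_key_matches_cert "$out" && echo "SAML SP key matches certificate"
  saml_cert_uses_sha256 "$out" && echo "SAML SP certificate signed with SHA-256"
  jwt_pub_matches_signing_key "$out" && echo "JWT verification key derived from signing key"
  render_jwt_policy_yaml key-1 "$out/jwt-key-1.pem"
}

# Run only when executed directly, not when sourced for testing
[ "${UAA_KEYS_NO_MAIN:-}" = 1 ] || main "$@"
```

Run with a target directory (`sh gen-uaa-keys.sh /tmp/uaa-keys`); the rendered YAML goes to stdout and can be pasted into the deployment manifest. The SAML SP key and the JWT signing key are deliberately distinct files so that rotating one does not force rotation of the other.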
Updated to UAA 3.9.1
This release includes UAA 3.9.1
Updated to UAA 3.6.4
This release includes UAA 3.6.4
Updated to UAA 3.9.0
This release includes UAA 3.9.0
Updated to UAA 3.6.3
This release includes UAA 3.6.3
Updated to UAA 3.8.0
This release includes UAA 3.8.0
IMPORTANT: Backward Incompatible Changes
With this release UAA defaults to enforcing signature validation on incoming SAML assertions. Please make sure every SAML identity provider configured for UAA sends only signed SAML assertions; unsigned assertions will be rejected unless the property below is explicitly set to false, which removes the integrity check on the assertion and is not recommended.
login.saml.wantAssertionSigned:
  description: "Global property to request that external IDPs sign their SAML assertions before sending them to the UAA."
  default: true
Other Spec Changes
login.idpDiscoveryEnabled:
  description: "IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on an email domain being set for each additional provider. This property also enables a list of selectable accounts that have signed in via the browser."
  default: false
Support for memberOf
uaa.ldap.groups.searchBase:
  description: "Search start point for a user group membership search and subsequent nested searches. Set this value to 'memberOf' when using Active Directory to skip the group search and use the calculated memberOf attribute on the user records instead; no nested search will be performed in that case."
  default: ""
Support LDAP STARTTLS
uaa.ldap.ssl.tls:
  description: "If using StartTLS, which mode to enable. The default is none (StartTLS not enabled). Possible values are none and simple."
  default: none
Release Notes - v13.4
This release exposes a new property to make the SAML signature algorithm configurable. SHA1 is offered for compatibility with older identity providers only; SHA-1 is no longer considered collision-resistant, so prefer SHA256 or SHA512 wherever the peer supports it.
login.saml.signatureAlgorithm:
  description: "Signature hashing algorithm for SAML. Can be SHA1, SHA256, or SHA512."
  example: SHA256
Updated to UAA 3.7.4
This release includes UAA 3.7.4
Security Release (CVE-2016-6655)
Please use this security release to patch CVE-2016-6655.
Updated to UAA 3.6.2
This release includes UAA 3.6.2