IMPORTANT NOTE ON OPENJDK
With the introduction of the latest Jetty HTTP server (used by Unity) it was observed that the Firefox browser has trouble connecting to Unity when it is run on some OpenJDK distributions (e.g. Fedora). This is caused by the EC TLS ciphers being disabled in the affected OpenJDK builds. In case of trouble please use the Oracle Java RE.
GENERAL INFORMATION ABOUT THE RELEASE
There are two distribution formats:
- tar.gz bundle which can be unpacked and this way installed in a single directory,
- rpm which can be installed system-wide in the Linux standard locations.
The rpm is built and tested on CentOS 7, noarch. It should also work flawlessly on SL7 and recent Fedora distributions. We may build packages for other distributions in the future; the tar.gz format, however, should be fully portable. A Java 8 JRE is the primary installation prerequisite. For more detailed installation information please check the Unity manual.
2.6.X RELEASE SERIES
Release 2.6.0 is a major Unity milestone concluding the architectural changes started in the previous release. The release focus was on authentication: a reworked authentication screen, two-factor authentication, step-up authentication and an improved remember-me feature are available.
When installing this release as an update, a migration will be performed and some configuration changes may be necessary. Make sure to make a backup and read the update instructions in the documentation!
The highlights are:
- We are introducing the authentication flow concept. An authentication flow is used to configure two-factor authentication (2FA, MFA). So far Unity allowed MFA to be configured only in a simplistic way, by requiring login with two fixed authenticators. With authentication flows, which replace the old mechanism, 2FA can be controlled flexibly:
  - the 2nd factor authenticator can be selected at runtime, depending on the user's credentials,
  - it is possible to set a policy which controls when 2FA is required. Besides simply always requiring 2FA, the decision can be delegated to the end user, who can opt in to 2FA,
  - the new syntax will allow us in the future to introduce risk-based authentication models easily, without additional breaking configuration changes.
- The authentication screen was fully reworked; the former tiles concept was dropped. This is the biggest breaking change: the authentication screen will need to be configured and branded from scratch. However, this process should be much easier and result in a great UX, not possible before.
  - Authentication options are organized in a configured number of columns (typically 1 or 2).
  - All options visible on the screen can be used immediately. No more extra clicking to select an option to authenticate with.
  - Unity takes care of formatting the options so that the screen looks nice and follows the common remote and local authentication UI patterns that are popular on the web (and should be familiar to end users).
  - The authentication screen can be made dynamic, adapting to the user. The best of this is an option to show only the previously used authentication option to returning users. This simplifies the login experience a lot.
  - A lot of effort was made to make the screen easy to style. The top bar is gone. All types of elements have distinct classes, making it easy to address them in custom CSS.
- The remember-me feature, which marks a device as trusted for easier login in the future, was fully rewritten. First of all, we are using a safer architecture than before. What is more, the feature can be enabled only for the 2nd factor authentication. Finally, users have access to the list of remembered devices in HomeUI and can clear it.
- Additional/step-up authentication before executing sensitive operations. Unity can be configured to expose (via HomeUI) certain sensitive operations to end users. The most obvious one is changing the user's password, but the SMS telephone number (for the SMS credential) and the email address (used for password reset) also fall into this category. In this release we are adding the possibility to configure how the security of those operations is ensured. The user may be forced to authenticate again, or to perform step-up authentication with the 2nd factor (even if it was not needed for the initial authentication), before being able to perform a sensitive operation.
- Composite password can be used to create an authenticator which presents a single password-login widget and under the hood uses one of many configured password verification methods. Using this feature you can mix local password authentication (even with multiple password credentials) with, say, remote LDAP authentication, without making this in any way visible to end users.
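To make the authentication flow semantics above concrete (policy-controlled 2FA with runtime selection of the 2nd factor, remember-me that skips only the 2nd factor, and step-up before a sensitive operation), here is an added Python model. It is an illustration written for these notes, not Unity code: the names Flow, User, decide_login and before_sensitive_op, the policy strings and the fallback behaviour in step_up mode are assumptions of the example.

```python
# Added illustration, not Unity's code: the 2FA decision logic described in the
# notes. Flow, User, decide_login and before_sensitive_op are assumed names.
from dataclasses import dataclass

@dataclass
class Flow:
    first_factor: str
    second_factors: list          # runtime preference order, e.g. ["sms", "totp"]
    policy: str                   # "require" | "user_optin" | "never"
    remember_me_for_2nd_factor: bool = True

@dataclass
class User:
    credentials: set              # credential types the user has configured
    opted_in_2fa: bool = False
    trusted_device: bool = False  # set by an earlier "remember me"

def second_factor_required(flow, user):
    if flow.policy == "require":
        return True
    if flow.policy == "user_optin":   # decision delegated to the end user
        return user.opted_in_2fa
    return False

def pick_second_factor(flow, user):
    """Select the 2nd factor at runtime from what the user actually has."""
    for factor in flow.second_factors:
        if factor in user.credentials:
            return factor
    return None

def decide_login(flow, user):
    """Ordered list of authenticators the user must pass at login."""
    steps = [flow.first_factor]
    if not second_factor_required(flow, user):
        return steps
    if user.trusted_device and flow.remember_me_for_2nd_factor:
        return steps              # a remembered device skips only the 2nd factor
    factor = pick_second_factor(flow, user)
    if factor is None:
        raise ValueError("2FA required but user has no 2nd-factor credential")
    return steps + [factor]

def before_sensitive_op(flow, user, mode):
    """Step-up before e.g. a password change: 'reauth' repeats the full login,
    'step_up' demands a 2nd factor even if login did not require one."""
    if mode == "reauth":
        return decide_login(flow, user)
    factor = pick_second_factor(flow, user)
    return [factor] if factor else [flow.first_factor]   # assumed fallback
```

Note that a trusted device never shortens the step-up check in this model, matching the notes' point that step-up applies even when the initial login needed no 2nd factor.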
Other, smaller changes:
- Microsoft Azure/AD can be easily used as a new preconfigured remote OAuth authentication service.
- SAML Service Providers with multiple endpoints advertised in metadata are now properly supported, including full support for the indexing of endpoints in metadata.
- The consent and email confirmation screens have the top header removed, which allows for easier branding.
- It is possible to configure the messages which are sent to users upon account removal and deactivation.
- The user bulk operations subsystem has a new action which can send a notification to the selected users. This can be used, for instance, to send information prior to disabling or removing an account, or simply to mass-send any form of update.
- IdP endpoints (SAML and OAuth) can be configured to ask the user to select attribute values which will be active for the login session. This can be used to ask for the active role, organization etc. It is possible to offer single or multiple selection of values.
DETAILED LIST OF CHANGES