IMPORTANT NOTE ON OPENJDK
With the introduction of the latest Jetty HTTP server (used by Unity) it was observed that the Firefox browser has trouble connecting to Unity running on some OpenJDK distributions (e.g. Fedora). This is because the EC (elliptic curve) TLS cipher suites are disabled in the affected OpenJDK builds. In case of trouble please use the Oracle Java RE.
GENERAL INFORMATION ABOUT THE RELEASE
There are two distribution formats:
- tar.gz bundle which can be unpacked and this way installed in a single directory,
- rpm which can be installed system-wide in the Linux standard locations.
The rpm is built and tested on CentOS 7, noarch. It should work flawlessly also on SL7 and recent Fedora distributions. We may build packages for other distributions in the future; however, the tar.gz format should be fully portable. A Java 8 JRE is the primary installation prerequisite. For more detailed installation information please check the Unity manual.
2.8.X RELEASE SERIES
Release 2.8.0 brings a lot of enhancements in functionality related to communication with existing users (enquiries) and proper support for native clients, but most importantly a new web endpoint – UpMan – allowing group management to be delegated to restricted users.
When installing this release as an update, a migration will be performed and some configuration changes are mandatory. Make sure to make a backup and read the update instructions in the documentation!
Binding agnostic authenticators
configuration update required
So far, configuring authenticators in Unity was quite challenging. Each authenticator was configured as a pair of a credential verificator and a credential retrieval, and each authenticator was specific to a single binding: REST, WS/SOAP or web. This required complex configuration and a lot of internal knowledge.
With the Unity 2.8.0 release this was simplified. Authenticators are not binding-specific anymore; the concepts of credential verificator and retrieval are used only under the hood, so administrators need not even know them. For admins who upgrade: the types of the new authenticators are the same as those of the former verificators, and Unity (internally) selects an appropriate retrieval automatically, depending on the type of endpoint on which the authenticator is installed.
This change requires a significant number of configuration changes. While this may sound disturbing, the good news is that those changes will simplify your configuration, in some cases significantly. The upgrade documentation contains detailed instructions with examples.
By far the biggest addition to Unity in this release is a new endpoint: Unity Project Management, UpMan. This endpoint addresses a frequently raised problem: delegating the management of a particular Unity group to a group administrator who otherwise has no full Unity admin rights. UpMan, besides providing a complete workaround for the authorization issues involved, also exposes a user-friendly UI, simple and task-focussed. The project manager is not bothered with Unity-specific terms and difficult pipelines; instead simple tasks are just simple.
Currently v1 of UpMan is naturally limited — we would love to hear your thoughts!
- Sticky enquiry: a new type of enquiry is introduced, which is intended for repeatable user updates. Sticky forms can be filled in multiple times, and are not “pushed” to users at login. Instead, a user may fill in the form by opening its link on their own, or one of the following two features can be used:
- Sticky enquiries on HomeUI: HomeUI can be configured to display sticky enquiry forms. If one of the forms is applicable to the user, it will be available on the web interface.
- Invitations to enquiries: existing Unity users may be invited to fill in an enquiry in the same way as a prospective user can be invited to register with a registration form. This is especially useful in the case of sticky enquiries.
- Grid widget & search for remote registration: so far it was only possible to create a form allowing remote registration with one of a few enumerated remote IdPs. Now even a huge SAML federation can be exposed on a registration form, as IdPs can be presented in a grid widget with search. Forms now have capabilities similar to the authentication screen.
- It is possible to filter allowed groups when creating an invitation to a form.
- Flexible control of the users to whom an enquiry is applicable: so far enquiries were applicable to members of one or more groups. Now additional, more complex rules can be created. An enquiry can have an MVEL expression set that targets users more precisely, e.g. an enquiry for all users who are not members of a given group, or who do not possess a given attribute.
Public and native OAuth clients
Support for public and native OAuth clients, including PKCE, is added. RFC 7636 is now supported, along with the key guidelines for authenticating native clients from RFC 8252. This feature is controlled by a new OAuth client attribute specifying the client type: confidential or public. The only limitation is that public clients still need to have some password set (even though it need not be a secure one).
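To illustrate what PKCE (RFC 7636) adds for a public client that cannot keep a secret, here is an added example, not Unity's own code: the client-side verifier/challenge derivation and the authorization-server-side check at the token endpoint, with the RFC's Appendix B vector used as constructed test data.

```python
import base64
import hashlib
import hmac
import secrets

# Added illustration of the RFC 7636 PKCE flow; this is not Unity's implementation.


def b64url_nopad(data: bytes) -> str:
    """BASE64URL encoding without '=' padding, as RFC 7636 Appendix A requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side (section 4.1): a high-entropy verifier of 43-128 chars from the
    unreserved set [A-Za-z0-9-._~]. 32 random bytes encode to exactly 43 chars."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """Client side (section 4.2): challenge = BASE64URL(SHA256(ASCII(verifier))).
    Only the challenge travels in the authorization request, so an attacker who
    intercepts the authorization code (e.g. via a custom URI scheme on a native
    client) still cannot redeem it without the verifier."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Authorization-server side (section 4.6): the challenge was stored together
    with the issued authorization code; the verifier arrives in the token request.
    Returns True only if the verifier matches under the stored method."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    if method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif method == "plain":  # allowed by the RFC but offers no interception protection
        expected = presented_verifier
    else:
        return False
    # Constant-time comparison avoids leaking the challenge through timing.
    return hmac.compare_digest(expected, stored_challenge)
```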
Other notable changes
- Support for PNG and GIF images in attributes. Thanks to Remek, our new contributor, Unity has a new attribute syntax: ‘image’. It is a replacement for the legacy (but still supported for backwards compatibility) jpegImage. The new syntax supports not only JPEG images, but also GIFs and PNGs. What is more, it preserves the original quality of a JPEG image, which was not the case with the legacy jpegImage.
- Experimental open & private groups. Unity groups can be marked as ‘public’. Doing this alone has no practical effect, but there is an additional feature which can be found on enquiry and registration forms: group enrollment in a form can be limited to public, or non-public (private), groups only. This feature allows for creating auto-accepted forms for less restricted groups, while keeping the remaining groups regularly secured. Important note: this feature is experimental and may quite likely evolve, becoming for instance a group tagging feature.
- Historical passwords (used for checking recent passwords) are removed when password hashing policy is changed.
- After modification of local credential config, authenticators using it are automatically refreshed. Up to now this had to be done manually.
- A larger default, and generally configurable, limit on the maximum attribute size (previously around 60 kB) is now available.
DETAILED LIST OF CHANGES