release: github.com/cloudfoundry/uaa-release / 43

Github source: 6e0356d4 or master branch

Stories included in release

Breaking Changes

Starting with UAA bosh release v43 the following Default Authorities will be set by default for all new identity zones:

- openid
- password.write
- uaa.user
- approvals.me
- profile
- roles
- user_attributes
- uaa.offline_token

The following Default Authorities will be set by default for the system zone:

- scim.me
- cloud_controller.read
- cloud_controller.write
- cloud_controller_service_permissions.read
- oauth.approvals
- notification_preferences.read
- notification_preferences.write

These values can be changed via the UAA Bosh release manifest or UAA identity zone APIs.

Other Spec Changes

Support multiple SAML Keys with Active Key for SAML Key Rotation

  login.saml.activeKeyId:
    description: |
      The active key to be used for signing messages and the key to be used to encrypt messages.
      See login.saml.keys
  login.saml.keys:
    description: |
      A map of keys where each map key is the name of the key. The login.saml.activeKeyId must match
      one of the keys in the map.
      To rotate keys, simply add keys. To activate a key, add it as the login.saml.activeKeyId
    example: |
      activeKeyId: key1
      keys:
        key1:
          key: |
            -----BEGIN RSA PRIVATE KEY-----
            -----END RSA PRIVATE KEY-----
          passphrase: password
          certificate: |
            -----BEGIN CERTIFICATE-----
            -----END CERTIFICATE-----
        key2:
          key: |
            -----BEGIN RSA PRIVATE KEY-----
            -----END RSA PRIVATE KEY-----
          passphrase: password
          certificate: |
            -----BEGIN CERTIFICATE-----
            -----END CERTIFICATE-----
  login.saml.serviceProviderKey:
    description: "Deprecated. Use login.saml.keys. Private key for the service provider certificate."
  login.saml.serviceProviderKeyPassword:
    description: "Deprecated. Use login.saml.keys. Passphrase for the service provider private key."
    default: ""
  login.saml.serviceProviderCertificate:
    description: "Deprecated. Use login.saml.keys. Service provider certificate."

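The spec above only says "add keys, then point activeKeyId at the new one". The script below is an added example for these notes, not code from uaa-release: it lints a login.saml block for the invariants the spec states (activeKeyId names a key in the map, every entry carries PEM material, the deprecated single-key properties are not mixed in) and walks a rotation as three separately deployable manifest states. The manifest fragment is modelled as plain dicts so no YAML library is needed, and the PEM bodies are constructed placeholders. The gap between step 1 and step 2, long enough for every IdP to re-read UAA's SP metadata and pick up the new certificate, is general SAML practice and not something the notes state.

```python
"""Lint and rotate a login.saml.keys / login.saml.activeKeyId block.

Added example for the uaa-release v43 notes, not code from the release.
The manifest fragment is modelled as plain dicts (no YAML library needed)
and the PEM bodies are constructed placeholders, so it runs offline.
Property names are the ones from the spec above; nothing else is assumed.
"""
import copy

PEM_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n"  # constructed
PEM_CERT = "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----\n"          # constructed

# Constructed sample of the v43 layout with a single key in service.
SAML_V43 = {
    "activeKeyId": "key1",
    "keys": {
        "key1": {"key": PEM_KEY, "passphrase": "password", "certificate": PEM_CERT},
    },
}

DEPRECATED = ("serviceProviderKey", "serviceProviderKeyPassword", "serviceProviderCertificate")


def lint_saml(saml):
    """Return the problems found; an empty list means the block is consistent."""
    problems = []
    keys = saml.get("keys") or {}
    active = saml.get("activeKeyId")
    if not keys:
        problems.append("login.saml.keys is empty")
    if active is None:
        problems.append("login.saml.activeKeyId is not set")
    elif active not in keys:
        problems.append("activeKeyId %r is not one of %s" % (active, sorted(keys)))
    for name, entry in keys.items():
        for field in ("key", "certificate"):
            if not str(entry.get(field, "")).lstrip().startswith("-----BEGIN"):
                problems.append("login.saml.keys.%s.%s is missing or not PEM" % (name, field))
    # Mixing the old single-key properties with the map is ambiguous; flag it.
    for prop in DEPRECATED:
        if saml.get(prop):
            problems.append("login.saml.%s is deprecated; move it into login.saml.keys" % prop)
    return problems


def add_key(saml, key_id, entry):
    """Rotation step 1: publish the new key next to the current one.
    Both certificates are now in SP metadata; the active key is unchanged."""
    if key_id in saml["keys"]:
        raise ValueError("key %r already exists" % key_id)
    out = copy.deepcopy(saml)
    out["keys"][key_id] = entry
    return out


def activate_key(saml, key_id):
    """Rotation step 2: start signing with key_id. Refused for an unknown key,
    which is the misconfiguration lint_saml would otherwise report."""
    if key_id not in saml["keys"]:
        raise ValueError("key %r is not in login.saml.keys" % key_id)
    out = copy.deepcopy(saml)
    out["activeKeyId"] = key_id
    return out


def retire_key(saml, key_id):
    """Rotation step 3: drop the old key. Refused for the active key so the
    manifest can never reference a key that no longer exists."""
    if key_id == saml["activeKeyId"]:
        raise ValueError("cannot retire the active key %r" % key_id)
    out = copy.deepcopy(saml)
    del out["keys"][key_id]
    return out


def rotate(saml, new_id, new_entry):
    """Run all three steps and return the manifest after each one, so every
    intermediate state can be deployed (and linted) on its own."""
    step1 = add_key(saml, new_id, new_entry)
    step2 = activate_key(step1, new_id)
    step3 = retire_key(step2, saml["activeKeyId"])
    for state in (step1, step2, step3):
        if lint_saml(state):
            raise ValueError("rotation produced an inconsistent manifest: %s" % lint_saml(state))
    return step1, step2, step3
```

Deploy step 1, wait for the IdPs to refresh SP metadata, then deploy step 2; step 3 is safe only once nothing still relies on the old certificate. The lint does not check that a certificate actually matches its private key (that needs a crypto library or openssl); it only catches the manifest-level mistakes the spec warns about.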
Support OpenID Connect Identity Provider Discovery URL

      my-oidc-provider:
        type: oidc1.0
        discoveryUrl: |
          <URL for OpenID Connect Identity Provider discovery, example: https://accounts.google.com/.well-known/openid-configuration>
          With automatic discovery you can omit several attributes, such as issuer, auth endpoint,
          token endpoint, userinfo endpoint and token key url, since they are read from the discovery document.

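UAA fetches the discovery document itself at runtime, so the attributes it fills in are never visible in the manifest. The script below is an added example for these notes, not code from UAA: it applies the two checks worth running before trusting a discovery URL (the document's issuer must equal the URL minus the well-known path, as OpenID Connect Discovery requires, and every endpoint must be https) and then writes out the provider entry with the attributes discovery would have supplied, so it can be diffed against a hand-written one. The discovery document is a constructed sample for a fictitious issuer; the UAA attribute names it maps onto (authUrl, tokenUrl, userInfoUrl, tokenKeyUrl, issuer) are assumed from UAA's OIDC provider configuration and are not shown on this page.

```python
"""Derive the explicit OIDC provider attributes from a discovery document.

Added example for the uaa-release v43 notes, not code from UAA. UAA fetches
the discovery document itself at runtime; this is an offline pre-deploy check
on the same document. The discovery document fields are the standard OpenID
Connect Discovery names. The UAA attribute names the values map onto
(authUrl, tokenUrl, userInfoUrl, tokenKeyUrl, issuer) are ASSUMED from UAA's
OIDC provider configuration and are not shown on this page.
"""
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample discovery document for a fictitious issuer.
DISCOVERY_URL = "https://idp.example.org" + WELL_KNOWN
DISCOVERY_DOC = json.dumps({
    "issuer": "https://idp.example.org",
    "authorization_endpoint": "https://idp.example.org/oauth2/authorize",
    "token_endpoint": "https://idp.example.org/oauth2/token",
    "userinfo_endpoint": "https://idp.example.org/oauth2/userinfo",
    "jwks_uri": "https://idp.example.org/oauth2/jwks",
})

# (discovery field, assumed UAA attribute it replaces, required by Discovery spec)
FIELDS = (
    ("authorization_endpoint", "authUrl", True),
    ("token_endpoint", "tokenUrl", True),
    ("jwks_uri", "tokenKeyUrl", True),
    ("userinfo_endpoint", "userInfoUrl", False),
)


def discovery_url_for(issuer):
    """Discovery URL the spec defines for an issuer: issuer + well-known path."""
    return issuer.rstrip("/") + WELL_KNOWN


def validate_discovery(discovery_url, document_json):
    """Return the problems found; an empty list means the document is usable."""
    problems = []
    try:
        doc = json.loads(document_json)
    except ValueError as exc:
        return ["discovery document is not JSON: %s" % exc]
    issuer = doc.get("issuer")
    if not issuer:
        problems.append("discovery document has no issuer")
    elif discovery_url_for(issuer) != discovery_url:
        # OpenID Connect Discovery requires the issuer in the document to be
        # the URL the document was fetched from (minus the well-known path).
        # Accepting a mismatch means trusting tokens minted for another issuer.
        problems.append("issuer %r does not match discovery URL %r" % (issuer, discovery_url))
    for field, _attr, required in FIELDS:
        url = doc.get(field)
        if url is None:
            if required:
                problems.append("discovery document lacks %s" % field)
            continue
        if urlsplit(url).scheme != "https":
            problems.append("%s is not https: %s" % (field, url))
    return problems


def provider_from_discovery(name, discovery_url, document_json):
    """Build the manifest entry with the attributes discovery would have
    filled in, so it can be compared against a hand-written provider."""
    problems = validate_discovery(discovery_url, document_json)
    if problems:
        raise ValueError("; ".join(problems))
    doc = json.loads(document_json)
    cfg = {"type": "oidc1.0", "discoveryUrl": discovery_url, "issuer": doc["issuer"]}
    for field, attr, _required in FIELDS:
        if field in doc:
            cfg[attr] = doc[field]
    return {name: cfg}
```

The issuer check is the one that matters for security: a discovery URL that serves a document naming a different issuer would have UAA validate ID tokens against an `iss` the operator never intended to trust.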
Support UAADB TLS

  uaadb.tls_enabled:
    description: "Use TLS connection for UAA database"
    default: false

Features

Bug Fixes

Other Updates

The following dependencies have been updated:

- Updated hibernate-validator to 4.3.2
- Updated thymeleaf to 3.0.6 and ognl to 3.1.12
- Updated owasp-esapi-java to 2.1.0.1
- Updated spring-security-jwt to 1.0.8
- Updated commons-collections to 3.2.2
- Updated not-yet-commons-ssl to 0.3.17
- Updated statsd to no longer use spring-security and tomcat-embed-logging-juli

Upload this release version to the Director:

$ bosh upload-release https://bosh.io/d/github.com/cloudfoundry/uaa-release?v=43 --sha1 25d858cde37705c9f525e2cad4ab3b9cf21d6de5

Modify deployment manifest to use this release in addition to any other used releases:

releases:
- name: uaa
  version: "43"

Finally add needed deployment jobs and specify values for required properties.

Optionally download sha1: 25d858cde37705c9f525e2cad4ab3b9cf21d6de5 release tarball locally:

# ...or download it directly using curl
$ curl -L -J -O https://bosh.io/d/github.com/cloudfoundry/uaa-release?v=43

# or with wget...
$ wget --content-disposition https://bosh.io/d/github.com/cloudfoundry/uaa-release?v=43