
uaa/43

You can find the source of this version on GitHub at cloudfoundry/uaa-release. It was created based on the commit 6e0356d4.

Release Notes

Stories included in release

Breaking Changes

Starting with UAA BOSH release v43 the following Default Authorities will be set by default for all new identity zones:

- openid
- password.write
- uaa.user
- approvals.me
- profile
- roles
- user_attributes
- uaa.offline_token

The following Default Authorities will be set by default for the system zone:

- scim.me
- cloud_controller.read
- cloud_controller.write
- cloud_controller_service_permissions.read
- oauth.approvals
- notification_preferences.read
- notification_preferences.write

These values can be changed via the UAA Bosh release manifest or UAA identity zone APIs.

Other Spec Changes

Support multiple SAML Keys with Active Key for SAML Key Rotation

  login.saml.activeKeyId:
    description: |
      The active key to be used for signing messages and the key to be used to encrypt messages.
      See login.saml.keys
  login.saml.keys:
    description: |
      A map of keys where each map key is the name of the key. The login.saml.activeKeyId must match
      one of the keys in the map.
      To rotate keys, simply add keys. To activate a key, add it as the login.saml.activeKeyId
    example: |
      activeKeyId: key1
      keys:
        key1:
          key: |
            -----BEGIN RSA PRIVATE KEY-----
            -----END RSA PRIVATE KEY-----
          passphrase: password
          certificate: |
            -----BEGIN CERTIFICATE-----
            -----END CERTIFICATE-----
        key2:
          key: |
            -----BEGIN RSA PRIVATE KEY-----
            -----END RSA PRIVATE KEY-----
          passphrase: password
          certificate: |
            -----BEGIN CERTIFICATE-----
            -----END CERTIFICATE-----
  login.saml.serviceProviderKey:
    description: "Deprecated. Use login.saml.keys. Private key for the service provider certificate."
  login.saml.serviceProviderKeyPassword:
    description: "Deprecated. Use login.saml.keys. Passphrase for the service provider private key."
    default: ""
  login.saml.serviceProviderCertificate:
    description: "Deprecated. Use login.saml.keys. Service provider certificate."
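The rotation procedure the spec describes (add the new key, make it the active key, retire the old one later) has one invariant UAA will refuse to start without: login.saml.activeKeyId must name an entry in login.saml.keys. The following is an added example, not code from uaa-release, that models the login.saml properties as the dict a YAML parser would produce and checks that invariant at every step of a rotation. The PEM blobs are constructed placeholders, not real key material, and the helper names are this example's own.

```python
"""Check and rotate a login.saml.keys map of the shape introduced in uaa-release v43.

Added example, not code from uaa-release. The config is modelled as the Python
dict a YAML parser would produce for the login.saml properties (activeKeyId plus a
keys map of key/passphrase/certificate). PEM contents are constructed placeholders.
"""
from copy import deepcopy

PEM_MARKERS = {
    "key": ("-----BEGIN RSA PRIVATE KEY-----", "-----END RSA PRIVATE KEY-----"),
    "certificate": ("-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"),
}


def _looks_like_pem(blob, field):
    """Cheap structural check: first and last non-blank lines are the PEM armor."""
    lines = [ln.strip() for ln in blob.strip().splitlines() if ln.strip()]
    begin, end = PEM_MARKERS[field]
    return len(lines) >= 2 and lines[0] == begin and lines[-1] == end


def validate_saml_keys(config):
    """Return a list of problems; an empty list means the map is consistent."""
    problems = []
    keys = config.get("keys") or {}
    active = config.get("activeKeyId")
    if not keys:
        problems.append("keys map is empty")
    if active is None:
        problems.append("activeKeyId is not set")
    elif active not in keys:
        problems.append(f"activeKeyId {active!r} does not name a key in keys")
    for name, entry in keys.items():
        for field in ("key", "certificate"):
            if field not in entry:
                problems.append(f"{name}: missing {field}")
            elif not _looks_like_pem(entry[field], field):
                problems.append(f"{name}: {field} is not a PEM block")
    return problems


def add_key(config, name, entry):
    """Rotation step 1: publish the new key beside the old one.
    Refuses an existing name so an old key is never silently overwritten."""
    if name in config["keys"]:
        raise ValueError(f"key {name!r} already exists")
    new = deepcopy(config)
    new["keys"][name] = entry
    return new


def activate_key(config, name):
    """Rotation step 2: sign with the new key. The old key stays in the map so
    messages still in flight that were signed with it keep verifying."""
    if name not in config["keys"]:
        raise ValueError(f"cannot activate unknown key {name!r}")
    new = deepcopy(config)
    new["activeKeyId"] = name
    return new


def retire_key(config, name):
    """Rotation step 3, after relying parties have picked up the new certificate:
    drop the old key. Never removes the active key, which would break signing."""
    if name == config["activeKeyId"]:
        raise ValueError(f"refusing to remove active key {name!r}")
    if name not in config["keys"]:
        raise KeyError(name)
    new = deepcopy(config)
    del new["keys"][name]
    return new


def make_entry(passphrase="password"):
    """Constructed placeholder entry in the shape of one login.saml.keys value."""
    return {
        "key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA...placeholder...\n-----END RSA PRIVATE KEY-----\n",
        "passphrase": passphrase,
        "certificate": "-----BEGIN CERTIFICATE-----\nMIIDXTCCAkWgAwIBAgIJ...placeholder...\n-----END CERTIFICATE-----\n",
    }


INITIAL = {"activeKeyId": "key1", "keys": {"key1": make_entry()}}

if __name__ == "__main__":
    step1 = add_key(INITIAL, "key2", make_entry())
    step2 = activate_key(step1, "key2")
    step3 = retire_key(step2, "key1")
    for label, cfg in (("add", step1), ("activate", step2), ("retire", step3)):
        print(label, cfg["activeKeyId"], sorted(cfg["keys"]), validate_saml_keys(cfg) or "ok")
```

Run the three steps as three separate deploys, not one: between activating key2 and retiring key1, every SAML identity provider holding your SP metadata needs the new certificate, or assertions it encrypts to the old certificate stop decrypting.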
Support OpenID Connect Identity Provider Discovery URL

      my-oidc-provider:
        type: oidc1.0
        discoveryUrl: <URL for OpenID Connect Identity Provider discovery, example: https://accounts.google.com/.well-known/openid-configuration>

With automatic discovery configured, several attributes can be omitted: the issuer, the authorization endpoint, the token endpoint, the userinfo endpoint and the token key URL are read from the discovery document instead.
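Discovery moves the trust decision from the operator's manifest to whatever the discoveryUrl serves, so the document deserves the same scrutiny the hand-written attributes got. The following is an added example, not code from uaa-release, showing which standard discovery fields replace which omitted attributes and the two checks worth making before trusting the result: every endpoint is https, and the document's issuer matches the URL it was fetched from (OpenID Connect Discovery 1.0, section 4.3). The UAA attribute names issuer, authUrl, tokenUrl, userInfoUrl and tokenKeyUrl are assumed here; confirm them against the identity-provider documentation for your UAA version. The discovery document is constructed, not fetched.

```python
"""Derive the UAA OIDC provider attributes a discoveryUrl lets you omit, and
check the discovery document before trusting it.

Added example, not uaa-release code. The UAA attribute names on the right of
FIELD_MAP are assumed; the discovery field names on the left are the standard
OpenID Connect Discovery metadata. SAMPLE_DISCOVERY is constructed.
"""
import json
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"

# OIDC Discovery metadata field -> UAA provider attribute it stands in for (assumed names)
FIELD_MAP = {
    "issuer": "issuer",
    "authorization_endpoint": "authUrl",
    "token_endpoint": "tokenUrl",
    "userinfo_endpoint": "userInfoUrl",
    "jwks_uri": "tokenKeyUrl",
}

# Constructed sample, shaped like a real openid-configuration response.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth/authorize",
    "token_endpoint": "https://idp.example.com/oauth/token",
    "userinfo_endpoint": "https://idp.example.com/userinfo",
    "jwks_uri": "https://idp.example.com/token_keys",
    "response_types_supported": ["code"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def _is_https(url):
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def provider_from_discovery(discovery_url, document):
    """Return (attributes, problems).

    attributes holds the values discovery supplies for the otherwise hand-written
    UAA fields; problems lists why the document should not be relied on.
    document may be the raw JSON text or an already-parsed dict.
    """
    doc = json.loads(document) if isinstance(document, str) else document
    attrs, problems = {}, []

    for field, attr in FIELD_MAP.items():
        value = doc.get(field)
        if not isinstance(value, str) or not value:
            problems.append(f"discovery document lacks {field}")
            continue
        if not _is_https(value):
            # Codes, tokens and keys travel over these URLs; plain http invites tampering.
            problems.append(f"{field} is not an https URL: {value}")
        attrs[attr] = value

    # OpenID Connect Discovery 1.0, section 4.3: the issuer in the document must equal
    # the URL the document was fetched from, less the well-known suffix. A mismatch
    # means the document describes a different issuer than the one configured.
    if not discovery_url.endswith(WELL_KNOWN):
        problems.append(f"discoveryUrl does not end with {WELL_KNOWN}")
    elif "issuer" in attrs:
        expected = discovery_url[: -len(WELL_KNOWN)].rstrip("/")
        if attrs["issuer"].rstrip("/") != expected:
            problems.append(f"issuer {attrs['issuer']} does not match discoveryUrl origin {expected}")

    return attrs, problems


if __name__ == "__main__":
    url = "https://idp.example.com" + WELL_KNOWN
    attributes, issues = provider_from_discovery(url, SAMPLE_DISCOVERY)
    for attr, value in attributes.items():
        print(f"{attr}: {value}")
    print("problems:", issues or "none")
```

Some large providers host endpoints on a different domain than the issuer, so the check deliberately stops at the issuer comparison and does not require every endpoint to share the issuer's host.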
Support UAADB TLS

  uaadb.tls_enabled:
    description: "Use TLS connection for UAA database"
    default: false

Features

Bug Fixes

Other Updates

The following dependencies have been updated:

- Updated hibernate-validator to 4.3.2
- Updated thymeleaf to 3.0.6 and ognl to 3.1.12
- Updated owasp-esapi-java to 2.1.0.1
- Updated spring-security-jwt to 1.0.8
- Updated commons-collections to 3.2.2
- Updated not-yet-commons-ssl to 0.3.17
- Updated statsd to no longer use spring-security and tomcat-embed-logging-juli

Usage

You can reference this release in your deployment manifest from the releases section:

- name: "uaa"
  version: "43"
  url: "https://bosh.io/d/github.com/cloudfoundry/uaa-release?v=43"
  sha1: "25d858cde37705c9f525e2cad4ab3b9cf21d6de5"

Or upload it to your director with the upload-release command:

bosh upload-release --sha1 25d858cde37705c9f525e2cad4ab3b9cf21d6de5 \
  "https://bosh.io/d/github.com/cloudfoundry/uaa-release?v=43"

Jobs

Packages