Efecte Identity Management 2023.1 release notes
Improvement
EIM-10372 Support for removing AD objects with subtree or leaf objects
It is now possible to remove AD objects that have leaf or subtree objects. The feature can be enabled in igm.provisioning.xml by adding the variable LeafObjectsRemovable="true" to ldap:LdapConnection. Deletion of subtrees is a dangerous operation. Make sure that the lookup condition finds only the correct object to be removed.
Bug
EIM-10396 Fix cloud docker-idm init script
Fix for cloud docker-idm init script. Function is_db_upgrade failed in some environments.
EIM-10406 Cannot create or modify oauth authentication method, error The format of the data in field “oauth2.additional.headers” is not correct
EIM-10251 in version 2022.4 caused OAuth authentication methods to fail on modification or creation. The error shown was "error The format of the data in field “oauth2.additional.headers” is not correct". This has now been fixed.
EIM-10484 Sorting agent view many times with status or serviceagreement does not work
A bug related to feature EIM-8904 was discovered in EIM version 2022.4. The reverse sorting was broken in list views. This is now fixed. Added the possibility to sort by tile, email and searchString1-20 for agents and searchString1-4 for legal persons.
Story
EIM-9121 well.known endpoint for openid
The OpenID well-known metadata endpoint is now published. The endpoint contains the following fields: jwks_uri, issuer, authorization_endpoint, token_endpoint, response_types_supported, subject_types_supported, id_token_signing_alg_values_supported, grant_types_supported, userinfo_endpoint, token_endpoint_auth_methods_supported, scopes_supported, code_challenge_methods_supported, revocation_endpoint, revocation_endpoint_auth_methods_supported. Detailed documentation can be found in the FAM manual, chapter "4.10 Well-Known Configuration Endpoint". igm.oauth2.properties also contains additional properties for the well-known endpoint.
EIM-9763 EIM metadata endpoint
EIM SAML-metadata download endpoint published. This endpoint allows SAML-metadata downloading.
EIM-9765 Upgrade bcprov-jdk15-144.jar
The Bouncy Castle Crypto package bcprov-jdk15-144.jar was updated to bcprov-jdk18on-172.jar and bcpkix-jdk18on-172.jar. There were some API changes. If you use event rules and were importing org.bouncycastle.* then please make sure that your code still compiles. Further references available here: https://www.bouncycastle.org/latest_releases.html https://github.com/bcgit/bc-java/wiki/Porting-From-Earlier-BC-Releases-to-1.47-and-Later
EIM-10288 Upgrade dom4j to latest known version
Dom4j dependency was upgraded to version 2.1.3. See https://dom4j.github.io/
EIM-10313 Slowness in oauth2 authentication against EIM
OAuth authentication against EIM was slow when a large number of oauth2 applications were registered in EIM. This has now been fixed by optimizing database queries.
EIM-10392 Create GDPR anonymizer POC based on specs
A set of EntityAction functions were created for handling log table agent, account and legal person object anonymization and removals. Functions are accessible via Event rules and they are documented in efecte_identity_javadoc-public-eventrules-2023.1.0.zip. See also efecte_identity_configuration_reference.pdf Chapter 2.17.3 igm.hdb.properties about configuring automatic log table anonymization and/or removals.
EIM-10395 Support email sending without password authentication
In Efecte cloud environments it is possible to modify the EIM Jboss configuration to not require username and password for SMTP email sending.
configuration.properties
# this is the default, set true to allow passwordless email sending
idm/notification-smtp-user = no-reply@efecte.com
idm/notification-smtp-password = CHANGE_IT_TO_CORRECT_PASSWORD!
EIM-10439 Log4j 1.2
The following vulnerabilities were fixed by removing the vulnerable classes from log4j-1.2.14.jar. Note that by default these vulnerabilities were not applicable for EIM.
CVE-2020-9493 Chainsaw classes removed
CVE-2022-23305 JDBCAppender removed
CVE-2022-23302 JMSSink removed
CVE-2021-4104 JMSAppender removed
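The check below is an added example, not part of the Efecte release notes or product code: it scans a jar, war or ear, including nested archives, for the log4j 1.2 classes tied to the four CVEs above, so the removal can be confirmed in a deployed artifact. The class paths are the standard log4j 1.2 package locations (an assumption, since the release note names only the classes), and the sample archive is constructed.

```python
import io
import sys
import zipfile

# log4j 1.2 class locations per CVE; trailing "/" = whole package, else class + inner classes.
REMOVED = {
    "CVE-2020-9493": "org/apache/log4j/chainsaw/",
    "CVE-2022-23305": "org/apache/log4j/jdbc/JDBCAppender",
    "CVE-2022-23302": "org/apache/log4j/net/JMSSink",
    "CVE-2021-4104": "org/apache/log4j/net/JMSAppender",
}
ARCHIVES = (".jar", ".war", ".ear")


def matches(entry, target):
    if target.endswith("/"):
        return entry.startswith(target) and entry.endswith(".class")
    return entry == target + ".class" or entry.startswith(target + "$")


def scan_archive(archive, label):
    """Return sorted (cve, location) pairs; archive is a path or binary file object."""
    findings = []
    with zipfile.ZipFile(archive) as zf:
        for entry in zf.namelist():
            where = f"{label}!/{entry}"
            if entry.lower().endswith(ARCHIVES):
                # Nested jar/war/ear: read into memory and scan recursively.
                findings += scan_archive(io.BytesIO(zf.read(entry)), where)
                continue
            findings += [(cve, where) for cve, t in REMOVED.items() if matches(entry, t)]
    return sorted(findings)


def build_archive(entries):
    """Build a constructed zip (as bytes) from {name: bytes}; demo input only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: an unpatched log4j jar nested in an ear.
    jar = build_archive({"org/apache/log4j/net/JMSAppender.class": b""})
    ear = io.BytesIO(build_archive({"lib/log4j.jar": jar}))
    for cve, where in scan_archive(sys.argv[1] if len(sys.argv) > 1 else ear, "archive"):
        print(cve, where)
```

Pass the path of a deployed archive as the first argument; each output line names a listed class that is still present and where it sits. A nested archive that cannot be opened raises an error rather than being skipped, so an unreadable file is never reported as clean.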
EIM-10445 CVE-2018-1271 path traversal on Windows
Backported a patch to spring-webmvc-3.2.15.RELEASE.jar to disallow directory reverse traversal. This fixes the security issue CVE-2018-1271, which affects only the Windows platform.
EIM-10488 PostgreSQL 15 support
Support for PostgreSQL version 15 added. Note! PostgreSQL 15 parses SQL more strictly. This prevents earlier EIM releases from behaving correctly with Postgres 15.
EIM-10524 EFE-1185852 REST API session fetch slowness
It was discovered that selecting the authenticated agent for a REST API session could take several seconds with a DB2 database and a huge number of permissions. It is now possible to use an optimized version of the query by setting the flag OptimizedSessionQuery=true in igm.auth.AuthorizationService.properties.