We are pleased to announce Topicus KeyHub 12.3. This release brings many improvements to our virtual appliance, IDP initiated SSO flows and a user manual in English. As usual, a large number of smaller improvements have been made and many issues have been fixed.
Before upgrading to 12.3 be sure to read the following important notices. Some changes need to be made to your configuration or your upgrade will fail. Also, tightened security validations might impact your SSO applications.
TKH-969
TKH-972
Starting with 12.3 we now push our docker containers to our own repository. This means you need to change the images in your docker-compose.yml
. The repository does not require authentication. For keyhub-db
use docker.topicus-keyhub.com/keyhub/keyhub-db
and for keyhub-app
use docker.topicus-keyhub.com/keyhub/keyhub-app
. Also, a new container was added to perform custom attribute evaluation in a sandbox. Without this container, custom attributes on OAuth2 and SAML2 applications will not work. Add the following container to your docker-compose.yml
:
scriptengine:
container_name: "keyhub-scriptengine"
image: docker.topicus-keyhub.com/keyhub/keyhub-scriptengine
restart: always
Finally, add this new container as a dependency to the keyhub-app
container:
depends_on:
- db
- scriptengine
Naturally, if you are running the virtual appliance, this will all be handled as part of the regular upgrade.
TKH-974
In accordance to the OAuth 2.0 Security recommendations Topicus KeyHub now strictly validates query parameter presence and contents in callback URLs. Before upgrading to 12.3, make sure your OAuth2/OIDC applications have their callback URLs correctly set, including any query parameters. The callback URL used by an application can be seen in the browser console as the redirect_uri
query parameter for the request on the /login/oauth2/authorize
endpoint. A mismatch in the callback URL will result in an error when trying to use the SSO application. Naturally, the simple wildcards in the hostname or path and the port ranges are still supported.
TKH-992
The quick search field on the dashboard now also filters the groups on your dashboard. This allows you to quickly search vault records and groups at the same time.
TKH-985
A new endpoint for IDP initiated SAML and OIDC flows has been added. For example, https://keyhub.example.com/login/initiate?client=urn:amazon:webservices
will redirect the user to Amazon. It is also possible to use the client identifier of an OIDC client, which will initiate the third party login flow using the configured Initiate login URI.
TKH-1037
The audit log now shows all group related messages to all members of a group, not just the managers. This will give all members of the group insight in important events such as new members, changes to applications or modified vault records.
With our previous release we've introduced a new way to install Topicus KeyHub: a virtual appliance. This release vastly improves the installation via this virtual appliance and integrates the appliance manager with Topicus KeyHub itself. The following issues were solved:
TKH-769
System and Topicus KeyHub upgrades are now performed by SaltStack execution modules.TKH-921
OSS licenses are now distributed with the appliance in conformance to the license requirements.TKH-934
The appliance manager can now create and restore backups.TKH-936
The installation wizard now allows creating the first directory and user.TKH-937
You can now configure Single Sign-on between Topicus KeyHub and the appliance manager.TKH-938
Before applying new configuration, the appliance manager now shows the modified settings.TKH-955
Tooling for Azure is now automatically installed when the virtual appliance runs on Azure.TKH-961
TKH-980
TKH-982
TKH-983
Code coverage of the test suite is now recorded and has been improved considerably.TKH-964
The appliance manager now has a user manual.TKH-967
The internet connectivity check now uses a more reliable target.TKH-989
A system update could cause SaltStack to restart and the update to fail.TKH-1001
The transfer of the user session during install has been made much more reliable.TKH-1002
The recovery key that must be downloaded during install now has a descriptive name.TKH-1003
TKH-1042
The iptables configuration now correctly blocks connections to the management ports (50022 and 50443) outside the whitelisted ranges.TKH-1004
It is now possible to upload a certificate bundle as trusted CA.TKH-1006
A configuration error could cause the installation to be blocked because of hidden buttons.TKH-1011
It is no longer possible to configure the deployment mode via the appliance manager.TKH-1013
The version of SaltStack is now managed by the appliance installer.TKH-1014
The progress poller has been made much more resilient to network errors.TKH-1032
Changing the maintenance password no longer requires a restart of Topicus KeyHub.The following smaller improvements and bug fixes were made:
TKH-885
The Topicus KeyHub logos were replaced by SVG images.TKH-887
A manager of an owning group can now directly add new groups to applications and linked systems.TKH-947
A review was performed on correct validation of issuer and audience claims throughout Topicus KeyHub.TKH-949
Measures have been taken to prevent a possible SSRF (Server Side Request Forgery) attack on the authorize endpoint, which could cause a Denial of Service.TKH-952
The application server was upgraded to WildFly 13.TKH-953
The web framework Wicket was upgraded to version 8.TKH-956
Stronger input validation is applied to callback URIs for OAuth2 applications.TKH-957
The code of OIDC flows with Topicus KeyHub as RP was rewritten to make it better maintainable.TKH-966
Performance was improved for most of the authentication flows.TKH-973
A sporadic error was fixed when performing re-authentication via OIDC.TKH-975
The JDBC URL can now be configured on the application container, allowing more customized deployment of the database.TKH-977
Copying the rotating password is now also handled by the browser extension.TKH-978
Testing a connection to an LDAP now resets the internal connection pool.TKH-979
Automatic grouping of elements is now performed case insensitive.TKH-984
The browser extension no longer fills the username with 'undefined' on some pages.TKH-986
Webhooks now support basic auth.TKH-987
The event types vault record read and vault record deleted were switched when configuring webhooks.TKH-988
The counters for selected event types were missing on Firefox when configuring webhooks.TKH-990
Fetching a certificate from the server sometimes gave an error when configuring an LDAP directory.TKH-993
Trying to register a new account when no directory exists gave an error.TKH-997
The contents of a selected vault was not updated when a record was moved to a different vaultTKH-998
Moving a vault record was not recorded in the audit log.TKH-999
Copying the username of a vault record from the quicksearch on the dashboard no longer hides the other fields.TKH-1008
The password is now displayed in a monospaced font when editing a vault record.TKH-1015
Recovery of a nonexistent personal vault no longer gives an error.TKH-1020
Registration of an internal account in maintenance mode no longer gives an error.TKH-1024
The manual is now also available in English.TKH-1028
Re-authentication via OIDC resulted in a Javascript error, rendering the return page partly unusable.TKH-1033
Using square brackets in group names could cause errors on some pages.TKH-1035
Resetting the password of an internal account no longer wipes the personal vault for that account.TKH-1036
Invalid 2FA codes were recorded in the audit log twice.TKH-1038
A request for resetting 2FA was erroneously denied when a request for a different account was not yet processed.TKH-1039
The web session timeout was increased to 4 hours.TKH-1041
Webhook deliveries are now removed after 2 days.