Your Customer Identity and Access Management (CIAM) solution sits at the core of your security, user experience and regulatory compliance strategies. But the best results are possible when your CIAM solution makes it easy to securely integrate and update applications. This saves your developers and business partners time when performing regular security maintenance. This principle has led to the focal development found within our latest Identity Platform software release cycle – 2021.3. Here’s a taste of what’s new:
Rotate SSO security keys regularly
Ubisecure’s Identity Platform has always had the ability to update the signing and encryption keys used within our SSO application. With this release, we’ve enhanced the feature to make that process even easier. SSO master key rotation has been designed to take your existing environment into account. By importing your existing security key, key-initial, you are able to support all existing applications with no additional steps. Please note that before you continue, it is important that you review the Key Rotation – SSO pages, linked on the IDS 2021.3 release notes. Your existing applications may require reintegration before you create new keys and set them as active or as a valid future key.
Ubisecure SSO uses only one signing and encryption key at a time. These can be the same key or two distinct keys. The key currently used for signing or encryption is called the active key. Ubisecure SSO will automatically rotate keys according to the key specifications in the system. All key creation and association is currently manual and must be completed through the SSO Management API.
SAML and OpenID Connect Provider metadata can contain multiple signing keys at the same time, but only one active encryption key. These signing keys can include previous, active and future keys. In order to allow a smooth transition, your applications should be able to use all of the keys published in the Ubisecure SSO metadata.
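As an added illustration of the point above (example code, not Ubisecure's own), the snippet below builds a relying party's trust set from SAML metadata that publishes several signing keys and one encryption key; the entity ID and certificate values are constructed placeholders, and the stdlib XML parser is assumed.

```python
# Added example (not Ubisecure's code): accept any signing key published in
# the IdP metadata (previous, active, future), and require exactly one
# encryption key, as the post describes. Certificates are constructed
# placeholders, not real X.509 material.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample metadata: three signing keys, one encryption key.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://sso.example.test/uas">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT-PREVIOUS</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT-ACTIVE</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT-FUTURE</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT-ACTIVE</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def load_trust_set(metadata_xml: str) -> dict:
    """Return {'signing': [...], 'encryption': [...]} from SAML metadata.

    A KeyDescriptor with no 'use' attribute is valid for both purposes
    per the SAML metadata specification, so it lands in both lists.
    """
    root = ET.fromstring(metadata_xml)
    trust = {"signing": [], "encryption": []}
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        use = kd.get("use")
        purposes = [use] if use in ("signing", "encryption") else ["signing", "encryption"]
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            value = "".join((cert.text or "").split())  # drop PEM-style line breaks
            for purpose in purposes:
                if value not in trust[purpose]:
                    trust[purpose].append(value)
    # Only one encryption key is active at a time; more than one is a config error.
    if len(trust["encryption"]) != 1:
        raise ValueError(f"expected exactly one encryption key, found {len(trust['encryption'])}")
    if not trust["signing"]:
        raise ValueError("metadata publishes no signing key")
    return trust


def is_trusted_signer(trust: dict, cert: str) -> bool:
    """Accept a message signed with any published key, not only the active one."""
    return "".join(cert.split()) in trust["signing"]
```

Refreshing the metadata on a schedule (or on signature failure) keeps the trust set current across a rotation without re-integration.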
We are sure you will find this feature enhancement to be beneficial to your overall security posture. As this is a significant change to the current use of SSO signing and encryption keys, we suggest testing key rotation in a non-production environment first and verifying that application integrations and external authentication methods work as expected. After verifying that the process works, you can perform the same process in production.
End users change details – frequently
Within Ubisecure CustomerID, we have added a new PATCH API. It augments the existing PUT API and can be used when you are updating only a portion of an end user's attributes, for example their email address or phone number. The PATCH API permits you to update only the required attribute without having validation run on the full end-user record. This speeds up the update and prevents unrelated non-standard data elsewhere in the record from blocking it. The API replaces all the attributes defined in the request; an empty value removes the attribute, and attributes not mentioned keep their existing value. We are confident that this new API will facilitate your end-user configuration changes.
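To make the replace / remove / leave-unchanged semantics concrete, here is an added model of them in Python (illustrative code, not the CustomerID implementation); the attribute names, validators and sample record are assumptions.

```python
# Added example (not CustomerID's code): a model of the PATCH semantics the
# post describes. A named attribute replaces the stored value, an empty value
# removes the attribute, and unmentioned attributes are left alone. Validation
# runs only on the attributes being changed, never on the whole record.
import re

# Hypothetical per-attribute validators; the product's real rules are not shown here.
VALIDATORS = {
    "email": lambda v: re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", v) is not None,
    "phone": lambda v: re.fullmatch(r"\+?[0-9]{6,15}", v) is not None,
}


def apply_patch(record: dict, patch: dict) -> dict:
    """Return a new record with the patch applied; raise ValueError on a bad value."""
    updated = dict(record)  # never mutate the caller's record
    for attr, value in patch.items():
        if value in ("", None):
            updated.pop(attr, None)  # empty value removes the attribute
            continue
        check = VALIDATORS.get(attr)
        if check is not None and not check(value):
            raise ValueError(f"invalid value for {attr!r}")
        updated[attr] = value  # defined attribute is replaced outright
    return updated


# Constructed sample record. The 'note' attribute has no validator and is
# simply carried through untouched by a PATCH that does not mention it.
USER = {
    "uid": "u-1",
    "email": "old@example.test",
    "phone": "+358401234567",
    "note": "imported from legacy system",
}
```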
Improvements and Corrections
For all software, there is opportunity for continual improvement and for identified deviations to be removed. For a complete list, we encourage you to review the release notes. For example, for Ubisecure SSO, id_tokens are now also included in refresh_token grant responses when the scope includes “openid”; this removes the need for an extra call to the userinfo endpoint when using refresh tokens. Note that additional scopes cannot be included when using the refresh token to get a new access token.
And for Ubisecure CustomerID, there are a couple of improvements. First, role invitation messages have been updated to be optional. This will help if you are onboarding large numbers of new users to an existing role and do not want to send a personal message with the invitation. Another Ubisecure CustomerID improvement is found within User Driven Federation (UDF). Previously, it was possible for a user to register multiple times and federate the CustomerID accounts to separate external identities. User accounts within CustomerID are now limited to one per SSN, which means that if the user forgets where they federated their account to or loses access to their federated account, they will need to request support from you. This ensures that user accounts are active and no false account linking is possible.
There are lots of additional improvements and corrections – along with the current system recommendations. Details from this release can be found in the 2021.3 release notes.
Identity Platform 2021.3 is available now! Check out more details of enhancements in our 2021.3 release, and download the latest version here.
A note on the Log4j Vulnerabilities
Whilst unrelated to the Identity Platform 2021.3 release, I’d like to take this opportunity to update you on the much-publicised Log4j vulnerability. As many of you will be aware, several Java-based vulnerabilities within the Apache Log4j library (CVE-2021-44228 and CVE-2021-45046) have recently come to light, affecting software and web applications globally. Ubisecure Engineering took immediate action to research this topic with regard to our own Identity Platform. We have tested a variety of potential attack vectors, and at this time are confident that there is no exploitable vector that we have been able to uncover.
We have updated our customers and partners regarding recommended precautionary steps. We will continue to update customers and partners if any new developments arise. If you have any concerns, please do reach out to support @ ubisecure.com.