Identity Server 2022.2 is released today, including SSO 9.1 and CustomerID 6.1
During the shorter release cycle we have continued core structural updates for SSO and added in more Risk-Based Authentication (RBA) capabilities. For all the details, please head over to review our Release Notes.
Risk-Based Authentication (RBA): Continuing our development of risk-based authentication, we have extended the ability to require MFA (Multi-Factor Authentication) to directory mapped users. These are external organisations, such as your partners or a company you are acquiring, whose users (external directory users) need access to any of your integrated applications. The applications can be integrated with either OIDC (OpenID Connect) or SAML (Security Assertion Markup Language) and the external user management of these external directory users can be left in the hands of your partner company, while the user credentials will be mapped into your SSO Ubilogin Directory. Now these external users will be able to utilise SMS OTP, SMTP OTP or most importantly TOTP (i.e. with Microsoft Authenticator or Google Authenticator) to easily and strongly assure their identity during the login session. Users can elect to use SMS or SMTP, their credentials will be queried via the integrated IdP or they can elect to use TOTP (Time-based One Time Password), where a secret key pair is generated by SSO and given to the user in the form of a QR code that you generate and they scan with their smartphone.
Following a Zero Trust principle, you will be able to require all classes of users internal (found in Ubilogin Directory), external (found in your partners directory, but mapped into Ubilogin Directory) or unregistered (located in an integrated external IDP) to be multi-factor authenticated during each login session. From this starting zero trust point, we will continue our risk-based authentication development over the next several release cycles. We are excited to expand our Identity Platform into this dynamic security space and believe we will deliver many useful enhancements to the platform. Ask your Sales Team/Account Manager for more information on upcoming development plans.
Ongoing security is key – as we maintain the Identity Platform, we continue to improve both its functionality and security. During this release cycle we’ve updated the third-party libraries used for logging throughout our SSO application. We have fully removed Log4j and replaced it with SLF4j and Logback. Logback replaces the Log4j libraries that SSO has utilised since the beginning of our service offering. While SLF4j is a logging facade – which is an API driven framework that permits us to update and modify the underlying logging application without making service impacting changes. Restated – we can update and improve our codebase without making any future alterations to the log files you utilise from Identity Platform. One caveat of course, where there is additional features created (like risk-based authentication features) your log files will contain additional information, but will remain in the same format and location. You can find highlights of the changes on the Release Notes along with a link to the detailed example of the logging changes found on our Developer Portal.
Continuing into the autumn and winter, we will be continuing our risk-based authentication development – with a focus on account suspension when abuse is being detected by an upstream security device within your environment. The abuse could be protection from brute force password cracking, or phishing attempts or could be more benign like time-of-day access violations (or limits) or limiting the maximum number of times a single user account can log onto a service simultaneously. Naturally we will continue the improvements on security, starting with updating Wildfly – the underlying web server used for CustomerID. There will also be additional improvements throughout the platform. If you have any questions over the features and security improvements offered in this release or over our upcoming development items please feel free to engage with us via the Operations team or your account team – we are always happy for your input to help shape our future developments.