As part of our ongoing efforts to provide customers with the most stable and seamless service release experience, we revamped our release process. Service releases now utilize a staggered deployment schedule over a period of time. With this revamped process, customers should expect new features and bug fixes to be gradually applied to our global customer base.
If you don’t see a new feature immediately following our monthly release, you will soon, unless the feature must be enabled by your account manager.
In June, OneLogin continues our strong commitment to APIs. API Access Management provides a new UI to manage API Authorization Servers using customized tokens to create granular API access. We added a new endpoint that allows you to dynamically create OpenID Connect clients within a OneLogin account, added events for OpenID Connect grant and token operations, and now support SHA-256+salt for password hashing.
We also added support for Apple ID in Trusted IdP, improved the User Auth event, added support for custom attribute mappings to import/export the manager field between OneLogin and AD/LDAP, and improved security configurations to address inactive accounts.
Without further ado, here's what happened in June at OneLogin!
OneLogin now offers a new UI to manage API Authorization Servers. This feature allows you to create and manage access tokens for use against an API gateway or to authorize your org's APIs.
This feature dramatically improves the process of configuring access tokens and allows you to customize the context of the token to create granular API access by defining scopes and claims.
To configure API Access Management, go to Developers > API Access Management > Add API or select an existing API.
For more information, see API Access Management.
We added a User Policy field to the User Authentication Event. This allows admins to quickly identify which user policy was enforced during the authentication attempt.

To learn more about Events, see Events.
VLDAP
VLDAP Roles and Groups now have gidNumber among their attributes and posixGroup among their objectClasses, following the RFC2307(bis) protocol.
Users now have posixAccount on their objectClass attribute.
Manager Export to ADC/LDAP
You can now use custom attribute mappings to import and export the manager field between OneLogin and AD/LDAP.
To import the Manager field, set Manager by distinguished name.

To export the Manager field, create a new mapping macro {manager_distinguished_name}.

To learn more about VLDAP, see OneLogin Virtual LDAP Service.
To learn more about ADC, see Install & Configure Active Directory Connector 5.
We added support for Apple ID in Trusted IdP. Admins can now configure Trusted IdP to log users in to OneLogin with Apple ID.
To learn more about Trusted IdP, see Trusted IdP (Relying Party Trust).
We added the ability to search accounts by subdomain for multi-tenant and MSP admins.
We changed our auto-suspend feature within user policies. Users are now auto-suspended after 90 days without logging into OneLogin. Users who logged in only via VLDAP and not directly to OneLogin will be auto-suspended after 90 days. Administrators are opted out of the modified feature and must opt in manually to continue using it.
We now create events for all OpenID Connect grant and token operations. For example, when a refresh token is used to generate a new access token, an event is created.
Dynamic Client Registration
We added an endpoint that allows you to dynamically create OpenID Connect clients within a OneLogin account. Dynamic Client Registration lets you create tighter integrations with API gateways such as MuleSoft.
To learn more about this feature, see Dynamic Client Registration.
For the Create & Update User endpoints, we now support SHA-256+salt for password hashing. Previously, we only supported salt+SHA-256. This is set in the password_algorithm request parameter.
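An added example (not OneLogin code) for the password-import case above: before choosing a password_algorithm value, confirm which salt ordering a legacy store used by reproducing a stored hash from a test account whose password is known. It assumes salt+SHA-256 means SHA-256(salt || password), SHA-256+salt means SHA-256(password || salt), UTF-8 inputs and hex digests; the function name and sample records are constructed.

```python
import hashlib
import hmac


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matching_schemes(stored_hex: str, salt: str, test_password: str) -> list:
    """Return the scheme names (as written in the release note) that
    reproduce stored_hex for a test account whose password is known."""
    pw, s = test_password.encode("utf-8"), salt.encode("utf-8")
    candidates = {
        # Assumption: the name lists the operands in concatenation order.
        "salt+SHA-256": _sha256_hex(s + pw),
        "SHA-256+salt": _sha256_hex(pw + s),
    }
    stored = stored_hex.strip().lower().encode("utf-8")
    # Constant-time comparison, as for any hash check.
    return [name for name, digest in candidates.items()
            if hmac.compare_digest(digest.encode("utf-8"), stored)]


# Constructed sample records standing in for rows of a legacy user table.
LEGACY_PREPENDED = _sha256_hex(b"9f2c" + b"test-only-passphrase")
LEGACY_APPENDED = _sha256_hex(b"test-only-passphrase" + b"9f2c")

if __name__ == "__main__":
    for label, stored in (("prepended", LEGACY_PREPENDED),
                          ("appended", LEGACY_APPENDED)):
        print(label, matching_schemes(stored, "9f2c", "test-only-passphrase"))
```

An empty result means neither ordering reproduces the record (wrong encoding, extra iterations, or a different algorithm); both names are returned only when the two concatenations coincide, such as with an empty salt.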
If authentication for OTP Protect fails, a 401 error is now returned.