Added
- Add POST endpoint for registration requests confirmation by @enricovianello in #881
- (Experimental[^1]) Implement MFA by @sam-glendenning, @rmiccoli, @garaimanoj, @Sae126V in #733
- Add explanation message on the user code page by @rmiccoli in 53100d1
- Add confirmation before rotate client secret by @SteDev2 in #875
- Redirect to login page when signing AUP without being authenticated by @federicaagostini in 5acde91
Fixed
- Fix account mapping in VOMS AA by @rmiccoli in #872
- Fix CERN lifecycle handler by @enricovianello in #871, #896
- Client-credentials flow won't create a refresh token by @rmiccoli in indigo-iam/OpenID-Connect-Java-Spring-Server#22
- Fix missing update of matchingPolicy by @garaimanoj in f15ef57
- Fix account search API by checking both certificate subject and issuer in VOMS AA by @rmiccoli in #897
- Prevent broken SAML login flow by @DonaldChung-HK in #885
- Fix the list of a user's group membership requests from the admin's perspective by @enricovianello in 571d12c
- Fix missing creation of an approved site during device code flow by @federicaagostini in 1e9c200
- Combine all scope filtering logic into one ScopeFilter by @enricovianello in a0c771b
- Fix authorization on some me endpoints by @enricovianello in 5273df7
What's Changed
- Exclude IAM optional groups from VOMS AC by @rmiccoli in #894
- Grant admin scopes to admin-approved clients only by @rmiccoli in 6bbaccd[^2]
- Restrict access to SCIM scopes to admins only by @enricovianello in 5f20592[^2]
The MFA experimental feature
Here is the summary of this experimental enhancement:
- Each authenticated user can enable/disable MFA through a button on their homepage.
- Users must install and use an authenticator app (usually on a mobile device), since it is required to generate the time-based one-time passwords (TOTPs) necessary for authentication.
- At any time an IAM administrator can disable MFA for a user.
- Second-factor authentication is currently supported for local authentication only.
- Integration with X.509 certificate and external provider logins is not yet supported.
- Encryption and decryption of MFA secrets.
Configuration
The `mfa` Spring JVM profile enables the MFA functionality. It is not included in the active profiles by default, so MFA stays disabled for all users unless the profile is explicitly added to the list of active ones.
Notes

[^1]: This initial release featuring Multi-Factor Authentication is experimental and will be enhanced and expanded with new features in future releases, based also on user feedback.
[^2]: The privileged admin (`iam:admin.read`, `iam:admin.write`) and SCIM (`scim:read`, `scim:write`) scopes can still be assigned by admins to specific clients. The constraint added by this release concerns non-privileged users who request a token through these privileged clients: even if the client is allowed to obtain those scopes, they are filtered out of the issued ones when a user without sufficient privileges is involved. This means the client_credentials flow is not affected. Such clients obtain access tokens carrying these privileged/restricted scopes if and only if the requestor is an admin.
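As an added illustration of the rule in this note (example code, not INDIGO IAM's own ScopeFilter): a small Python model of which scopes survive into a token depending on the grant type and the requesting user. The `Client`/`User` objects, the sample data and the outright rejection of scopes never assigned to the client are assumptions.

```python
# Added example, not INDIGO IAM's own code: models the restricted-scope rule
# described in the release note. Client/user objects and the handling of
# scopes that were never assigned to the client are assumptions.
from dataclasses import dataclass

# The privileged scopes named in the release note.
ADMIN_SCOPES = frozenset({"iam:admin.read", "iam:admin.write"})
SCIM_SCOPES = frozenset({"scim:read", "scim:write"})
RESTRICTED_SCOPES = ADMIN_SCOPES | SCIM_SCOPES


@dataclass(frozen=True)
class Client:
    client_id: str
    allowed_scopes: frozenset  # scopes an IAM admin assigned to this client


@dataclass(frozen=True)
class User:
    username: str
    is_admin: bool


def filter_scopes(client, requested, grant_type, user=None):
    """Return the scopes that end up in the issued access token.

    - Scopes the client was never assigned are rejected (assumption).
    - client_credentials involves no user, so the new rule does not apply.
    - On user-bound flows the restricted scopes are dropped unless the
      requesting user is an admin.
    """
    requested = frozenset(requested)
    unassigned = requested - client.allowed_scopes
    if unassigned:
        raise PermissionError(f"{client.client_id} may not request {sorted(unassigned)}")
    if grant_type == "client_credentials":
        return requested
    if user is None:
        raise ValueError(f"{grant_type} requires an authenticated user")
    return requested if user.is_admin else requested - RESTRICTED_SCOPES


# Constructed sample data: a client an admin trusted with every restricted scope.
PRIVILEGED_CLIENT = Client("admin-tool", frozenset({"openid", "profile"}) | RESTRICTED_SCOPES)
ADMIN_USER = User("alice", is_admin=True)
PLAIN_USER = User("bob", is_admin=False)

if __name__ == "__main__":
    want = {"openid", "scim:read", "iam:admin.write"}
    print(sorted(filter_scopes(PRIVILEGED_CLIENT, want, "client_credentials")))
    print(sorted(filter_scopes(PRIVILEGED_CLIENT, want, "authorization_code", ADMIN_USER)))
    print(sorted(filter_scopes(PRIVILEGED_CLIENT, want, "authorization_code", PLAIN_USER)))
```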