Hi,
we are going to deploy an updated version of the IdP software on
Thursday 12 December, at 13:30.
The main change here is an update to the code we use to authenticate
users against the LDAP directories and retrieve attributes for the
user.
Notable changes here are:
- Better logging of errors: We will now retrieve and log the LDAP
extended error when authentication errors occur. This will in some
cases allow us to get a better idea of why authentication fails. E.g.
whether the password is wrong or expired, or if the account is
locked. (This information is only logged, and not shown to the
user.)
- We will distribute authentication requests over all the LDAP servers
for an organization. Previously, we tried them in the order they were
listed in the configuration.
We have also added a method we can use to deprioritize one of the
servers, so that we always try the other servers first. The long term
plan is to deprioritize servers automatically based on information
from the monitoring system.
- When searching for users, AD-LDS / ADAM has treated some national
letters the same as ASCII letters. For example a search for 'å' would
return results for both 'a' and 'å'. We have now improved the search
algorithm to take this into account. (Unfortunately, if anyone has
gotten used to entering their username incorrectly and having the IdP
"correct" it, they will now have to enter the correct password.)
- We have improved the attribute retrieval code to better handle
attribute names with special attribute casing. E.g. "labeledUri"
instead of "labeledURI". We now normalize everything to the correct
casing.
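For readers who want to see the four behaviours above side by side, here is an added illustration in Python. It is example code written for this page, not the Feide IdP's own implementation, and it makes no LDAP connection: the server list, the bind diagnostic string, the search results and the attribute schema are all constructed inline. The AD-style "data 52e" sub-codes are Microsoft's documented bind error codes, but treating them as the "extended error" the IdP logs is an assumption; the canonical attribute list is an assumed subset of the schema.

```python
"""Hypothetical helpers mirroring the behaviours described in the announcement.
Example code only, not the Feide IdP's implementation. Runs offline: no LDAP
connection is made; all inputs are constructed inline."""
import random
import re
import unicodedata

# Constructed example configuration: three LDAP servers for one organisation.
SERVERS = ["ldap1.example.org", "ldap2.example.org", "ldap3.example.org"]


def order_servers(servers, deprioritized=(), seed=None):
    """Return the servers to try, in order.

    Servers not in `deprioritized` are tried in random order so that load is
    spread across them instead of always hitting the first configured one;
    deprioritized servers are appended at the end, so they are only tried if
    every other server fails.
    """
    rng = random.Random(seed)
    preferred = [s for s in servers if s not in deprioritized]
    fallback = [s for s in servers if s in deprioritized]
    rng.shuffle(preferred)
    return preferred + fallback


# Active Directory / AD LDS report the reason for a failed simple bind as a
# hex sub-code ("data 52e") inside the diagnostic message of the
# invalidCredentials result. The sub-codes are Microsoft's; mapping them here
# is an assumption about what "extended error" an IdP would log.
_AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}
_DATA_RE = re.compile(r"\bdata ([0-9a-fA-F]+)")


def classify_bind_error(diagnostic_message):
    """Map an AD-style bind diagnostic message to a human-readable reason.

    Intended for the IdP's own log only: the user still sees a generic
    'login failed', so the sub-code never leaks account state to the browser.
    """
    m = _DATA_RE.search(diagnostic_message or "")
    if not m:
        return "unknown"
    return _AD_BIND_SUBCODES.get(m.group(1).lower(), "unknown (data %s)" % m.group(1))


def _fold(value):
    # uid uses caseIgnoreMatch (RFC 4519), so case is ignored, but accented
    # letters are NOT folded to their ASCII base letter: 'å' != 'a'.
    return unicodedata.normalize("NFC", value).casefold()


def exact_username_matches(entries, username, attr="uid"):
    """Keep only search results whose uid really equals `username`.

    AD LDS may return both 'hakon' and 'håkon' for a search on 'håkon'; this
    post-filter drops the accent-folded false positives, so a mistyped
    username is no longer silently "corrected" to a different account.
    """
    wanted = _fold(username)
    return [e for e in entries if any(_fold(v) == wanted for v in e.get(attr, []))]


# Canonical attribute names (assumed schema subset for this example).
CANONICAL_ATTRS = ["uid", "mail", "labeledURI", "eduPersonPrincipalName",
                   "eduPersonAffiliation", "displayName"]
_CANONICAL_BY_LOWER = {name.lower(): name for name in CANONICAL_ATTRS}


def normalize_attribute_names(entry):
    """Rename attributes to their canonical casing, merging duplicates.

    LDAP attribute names are case-insensitive, so a server may return
    'labeledUri' where an attribute mapping expects 'labeledURI'. Unknown
    attributes are kept under the name the server used.
    """
    out = {}
    for name, values in entry.items():
        canonical = _CANONICAL_BY_LOWER.get(name.lower(), name)
        out.setdefault(canonical, []).extend(values)
    return out


if __name__ == "__main__":
    print(order_servers(SERVERS, deprioritized={"ldap2.example.org"}))
    # Constructed diagnostic string in the format AD / AD LDS use.
    print(classify_bind_error("80090308: LdapErr: DSID-0C09042A, comment: "
                              "AcceptSecurityContext error, data 532, v3839"))
    print(exact_username_matches([{"uid": ["hakon"]}, {"uid": ["Håkon"]}], "håkon"))
    print(normalize_attribute_names({"labeledUri": ["http://example.org/"], "UID": ["bob"]}))
```

The post-filter in `exact_username_matches` is the part worth keeping in mind when reviewing a login failure: after this change a user who types 'hakon' for the account 'håkon' gets no match at all rather than a bind attempt against the wrong entry, which is the correct outcome even though it looks like a regression to someone who relied on the old behaviour.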
There are no direct changes to the messages sent from the IdP to the
service providers, though due to improved attribute retrieval code,
some users may get additional attributes in the authentication
responses.
The update is currently running on our test IdP. If you have any
questions or concerns about this update, please contact us at
support(a)feide.no.
Best regards,
Olav Morken
UNINETT / Feide