Hi,
we are going to deploy an updated version of the IdP software on Thursday 12 December, at 13:30.
The main change here is an update to the code we use to authenticate users against the LDAP directories and retrieve attributes for the user.
Notable changes here are:
- Better logging of errors: We will now retrieve and log the LDAP extended error when authentication errors occur. This will in some cases allow us to get a better idea of why authentication fails. E.g. whether the password is wrong or expired, or if the account is locked. (This information is only logged, and not shown to the user.)
- We will distribute authentication requests over all the LDAP servers for an organization. Previously, we tried them in the order they were listed in the configuration.
We have also added a method we can use to downprioritize one of the servers, so that we always try the other servers first. The long term plan is to downprioritize servers automatically based on information from the monitoring system.
- When searching for users, AD-LDS / ADAM has treated some national letters the same as ASCII letters. For example a search for 'å' would return results for both 'a' and 'å'. We have now improved the search algorithm to take this into account. (Unfortunately, if anyone has gotten used to entering their username incorrectly and having the IdP "correct" it, they will have to change to enter the correct password.)
- We have improved the attribute retrieval code to better handle attribute names with special attribute casing. E.g. "labeledUri" instead of "labeledURI". We now normalize everything to the correct casing.
There are no direct changes to the messages sent from the IdP to the service providers, though due to improved attribute retrieval code, some users may get additional attributes in the authentication responses.
The update is currently running on our test IdP. If you have any questions or concerns about this update, please contact us at support@feide.no.
Best regards, Olav Morken UNINETT / Feide
Hi,
this update was deployed at 13:30, and has been running in production for 20 minutes now. So far we haven't seen any problems with it, but if you experience any problems, please let us know.
Best regards, Olav Morken UNINETT / Feide
On Mon, Dec 09, 2013 at 14:23:45 +0100, Olav Morken wrote:
Hi,
we are going to deploy an updated version of the IdP software on Thursday 12 December, at 13:30.
The main change here is an update to the code we use to authenticate users against the LDAP directories and retrieve attributes for the user.
Notable changes here are:
- Better logging of errors: We will now retrieve and log the LDAP extended error when authentication errors occur. This will in some cases allow us to get a better idea of why authentication fails. E.g. whether the password is wrong or expired, or if the account is locked. (This information is only logged, and not shown to the user.)
- We will distribute authentication requests over all the LDAP servers for an organization. Previously, we tried them in the order they were listed in the configuration.
We have also added a method we can use to downprioritize one of the servers, so that we always try the other servers first. The long term plan is to downprioritize servers automatically based on information from the monitoring system.
- When searching for users, AD-LDS / ADAM has treated some national letters the same as ASCII letters. For example a search for 'å' would return results for both 'a' and 'å'. We have now improved the search algorithm to take this into account. (Unfortunately, if anyone has gotten used to entering their username incorrectly and having the IdP "correct" it, they will have to change to enter the correct password.)
- We have improved the attribute retrieval code to better handle attribute names with special attribute casing. E.g. "labeledUri" instead of "labeledURI". We now normalize everything to the correct casing.
There are no direct changes to the messages sent from the IdP to the service providers, though due to improved attribute retrieval code, some users may get additional attributes in the authentication responses.
The update is currently running on our test IdP. If you have any questions or concerns about this update, please contact us at support@feide.no.
Best regards, Olav Morken UNINETT / Feide
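
One way a client can guard against the accent-insensitive directory matching described in the announcement is to re-check every returned entry against the username that was actually typed before binding as it. This is an added Python example, not Feide's code; the function names, the `uid` attribute and the sample search result are assumptions constructed for illustration.

```python
import unicodedata


def canonical(value):
    """NFC-normalize and case-fold a name; 'å' stays distinct from 'a'."""
    return unicodedata.normalize("NFC", value).casefold()


def get_attr(attrs, name):
    """Return an attribute's values however the server cased its name."""
    wanted = name.casefold()
    for key, values in attrs.items():
        if key.casefold() == wanted:
            return values
    return []


def select_user(requested, entries, attr="uid"):
    """Return the DN of the one entry whose attr equals the requested name.

    entries is a list of (dn, attributes) pairs as returned by a search.
    Returns None when no entry matches exactly and raises when several do,
    so a login never proceeds against a look-alike account.
    """
    want = canonical(requested)
    hits = [dn for dn, attrs in entries
            if any(canonical(v) == want for v in get_attr(attrs, attr))]
    if len(hits) > 1:
        raise ValueError("ambiguous username: %d exact matches" % len(hits))
    return hits[0] if hits else None


# Constructed sample: what an accent-insensitive search might return for
# either "asa" or "åsa". The second entry uses a decomposed 'å' (a + U+030A)
# and an upper-case attribute name to exercise both normalizations.
SAMPLE = [
    ("uid=asa,ou=people,dc=example,dc=org", {"uid": ["asa"]}),
    ("uid=åsa,ou=people,dc=example,dc=org", {"UID": ["a\u030asa"]}),
]

if __name__ == "__main__":
    for name in ("asa", "Åsa", "osa"):
        print(name, "->", select_user(name, SAMPLE))
```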