UAA 3.1.0 Release Notes
Branding & White-labeling
We have introduced properties for branding the UAA UI pages. The default branding is Cloud Foundry, and the Cloud Foundry brand has been updated to the latest version. All Pivotal-specific assets and stylesheets have been removed from the UAA repository.
Below is the branding snippet from UAA.yml for setting the branding properties. These properties can be bootstrapped from UAA.yml or the UAA release manifest (if using the UAA BOSH release).
branding:
  companyName: <Company Name>
  productLogo: <Enter base64 Encoded Image>
  squareLogo: <Enter base64 Encoded Image>
  footerLegalText: <This legal text will show up in the footer.>
  footerLinks:
    Terms: /exampleTerms
    Privacy Agreement: privacy_example.html
    Licensing: http://example.com/
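As an added example (not part of these release notes or of the UAA code base), the Python below produces the snippet above from logo files: it checks that each file really is a PNG, JPEG or GIF before base64-encoding it, double-quotes the text values so that colons, `#` or a leading `<` in link labels and legal text cannot change how the YAML parses, and decodes a field back out to confirm the round trip. The function names and the header-only sample image are constructed for this example.

```python
import base64
from typing import Dict, Optional

# Magic bytes of the raster formats a browser renders in an <img> tag.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Constructed sample: a PNG signature followed by filler bytes, enough for the
# type check and the round trip below (it is not a renderable image).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def detect_image_type(data: bytes) -> Optional[str]:
    """Return 'png', 'jpeg' or 'gif' based on the file signature, else None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def encode_logo(data: bytes) -> str:
    """Base64-encode image bytes for productLogo/squareLogo, refusing non-images."""
    if detect_image_type(data) is None:
        raise ValueError("not a PNG, JPEG or GIF image; refusing to embed it")
    return base64.b64encode(data).decode("ascii")


def yaml_quote(value: str) -> str:
    """Double-quote a scalar so ':' '#' or a leading '<' cannot change its parse."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_branding(company_name: str, product_logo: bytes, square_logo: bytes,
                    footer_legal_text: str, footer_links: Dict[str, str]) -> str:
    """Render the 'branding:' block of UAA.yml with two-space indentation."""
    lines = [
        "branding:",
        f"  companyName: {yaml_quote(company_name)}",
        f"  productLogo: {encode_logo(product_logo)}",
        f"  squareLogo: {encode_logo(square_logo)}",
        f"  footerLegalText: {yaml_quote(footer_legal_text)}",
        "  footerLinks:",
    ]
    for label, target in footer_links.items():
        lines.append(f"    {yaml_quote(label)}: {yaml_quote(target)}")
    return "\n".join(lines) + "\n"


def decode_logo_field(yaml_text: str, field: str) -> bytes:
    """Read one base64 logo field back out of the rendered block (round-trip check)."""
    for line in yaml_text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep and key == field:
            return base64.b64decode(value, validate=True)
    raise KeyError(field)


if __name__ == "__main__":
    # Replace SAMPLE_PNG with open("logo.png", "rb").read() for a real logo file.
    print(render_branding("Example Co", SAMPLE_PNG, SAMPLE_PNG,
                          "(c) Example Co. All rights reserved.",
                          {"Terms": "/exampleTerms",
                           "Privacy Agreement": "privacy_example.html"}))
```

The image-signature check matters because whatever is embedded here is served to every user of the login page; an accidentally pasted SVG or HTML file would not be a logo.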
Related Stories
- Apply White-Label Logo to all UAA Screens
- Apply White Label Fav Icon to All UAA Pages
- Apply White-Label Footer to All UAA Screens
- Update the Email Templates to use the Company Name from the White-Label Properties
- Update CF branding
Dynamic Home Page for UAA
This release drops support for the login.tile property, which held a static list of tiles displayed on the "Where To" page.
We have added the ability for the "Where To" page in UAA to be built dynamically from the OAuth clients registered with UAA and configured to be displayed on the home page. This serves as a dynamic SSO dashboard for all Identity Zones.
New endpoints (oauth/clients/meta) have been introduced to set the Launch URL, Display Icon and Show On Home Page properties. These properties can be bootstrapped from the UAA.yml file or the UAA release manifest (if using the UAA BOSH release).
# Clients
uaa.clients:
  description: "List of OAuth2 clients that the UAA will be bootstrapped with"
  example:
    login:
      id: <test-client>
      name: <display_name>
      override: true
      secret: some-secret
      authorized-grant-types: authorization_code,client_credentials,refresh_token
      authorities: test_resource.test_action
      scope: test_resource.test_action
      redirect-uri: http://myapp.com/oauth
      app-launch-url: http://myapp.com
      show-on-homepage: true
      app-icon: <Enter base64 encoded image>
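Because show-on-homepage turns every matching client into a link on a page shown to all users, and redirect-uri now accepts wildcards (see the minor features below), it is worth linting the client bootstrap list before it is deployed. The Python below is an added example, not UAA code: it walks a dict shaped like the uaa.clients entries above (as yaml.safe_load would return them) and reports clients that use an authorization_code or implicit grant without a redirect-uri, redirect URIs with fragments or non-http(s) schemes, hosts whose wildcard is anywhere other than the whole leftmost label, home-page clients without an absolute app-launch-url, and app-icon values that are not valid base64. The wildcard rule is this example's conservative policy, not a description of how UAA itself matches wildcards; the sample client entries are constructed.

```python
import base64
import binascii
from typing import Dict, List
from urllib.parse import urlsplit

REDIRECT_GRANTS = {"authorization_code", "implicit"}  # grants that return results via redirect


def _is_base64(value: str) -> bool:
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def redirect_uri_problems(uri: str) -> List[str]:
    """Conservative checks on one redirect URI; '*' is taken to be the wildcard character."""
    problems = []
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https"):
        problems.append(f"scheme {parts.scheme!r} is not http or https")
    if parts.fragment:
        problems.append("redirect URI must not carry a fragment")
    host = parts.hostname or ""
    if "*" in host:
        labels = host.split(".")
        # Accept only '*.fixed.domain': the wildcard is the whole leftmost label and at
        # least two fixed labels follow, so 'https://*.com/cb' cannot match any site.
        if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
            problems.append("host wildcard must be the whole leftmost label of a host "
                            "with at least two fixed labels")
    if "*" in (parts.query or "") or "*" in (parts.username or ""):
        problems.append("wildcard is only meaningful in host or path")
    return problems


def _redirect_uris(client: dict) -> List[str]:
    raw = client.get("redirect-uri", [])
    if isinstance(raw, str):            # the YAML form is a comma-separated string
        raw = raw.split(",")
    return [u.strip() for u in raw if u.strip()]


def lint_clients(clients: Dict[str, dict]) -> List[str]:
    """Return human-readable findings for a dict shaped like the uaa.clients entries."""
    findings = []
    for name, client in clients.items():
        grants = {g.strip() for g in str(client.get("authorized-grant-types", "")).split(",")}
        uris = _redirect_uris(client)
        if grants & REDIRECT_GRANTS and not uris:
            findings.append(f"{name}: {sorted(grants & REDIRECT_GRANTS)} grant without a redirect-uri")
        for uri in uris:
            for problem in redirect_uri_problems(uri):
                findings.append(f"{name}: redirect-uri {uri}: {problem}")
        if client.get("show-on-homepage"):
            launch = urlsplit(str(client.get("app-launch-url", "")))
            if launch.scheme not in ("http", "https") or not launch.netloc:
                findings.append(f"{name}: show-on-homepage is true but app-launch-url is "
                                "missing or not an absolute http(s) URL")
            icon = client.get("app-icon")
            if icon is not None and not _is_base64(str(icon)):
                findings.append(f"{name}: app-icon is not valid base64")
    return findings


# Constructed sample entries: 'login' mirrors the snippet above, 'too-broad' is deliberately wrong.
SAMPLE_CLIENTS = {
    "login": {
        "id": "test-client",
        "override": True,
        "secret": "some-secret",
        "authorized-grant-types": "authorization_code,client_credentials,refresh_token",
        "redirect-uri": "http://myapp.com/oauth",
        "app-launch-url": "http://myapp.com",
        "show-on-homepage": True,
        "app-icon": base64.b64encode(b"\x89PNG\r\n\x1a\n").decode("ascii"),
    },
    "too-broad": {
        "authorized-grant-types": "authorization_code",
        "redirect-uri": "https://*.com/cb, https://app.example.com/cb#frag",
        "show-on-homepage": True,
        "app-icon": "not base64!!",
    },
}

if __name__ == "__main__":
    for finding in lint_clients(SAMPLE_CLIENTS):
        print(finding)
```

Run it against the real client list by loading UAA.yml with yaml.safe_load and passing the uaa.clients mapping; a clean run prints nothing, and each finding names the client so it can be fixed before bootstrap.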
Related Stories
- Provide the ability to have a Configurable Home Page for UAA (https://www.pivotaltracker.com/story/show/109742870)
- Build the UAA Home Page based on applications with showonHomePage property set to true
- Show Client Name along with Logo on the Where To Page
- oauth/clients/meta needs client name field
Descriptions for SCIM Groups & Identity Providers
We have added support for setting user-friendly display names (descriptions) for SCIM groups and Identity Providers, and the APIs have been updated to support this. Previously, the descriptions for SCIM groups (i.e. OAuth scopes) were set in the message.properties file. They can now be bootstrapped from UAA.yml or the UAA release manifest (if using the UAA BOSH release).
Below is a snippet from UAA.yml
scim:
  groups:
    zones.read: Read identity zones
    zones.write: Create and update identity zones
    idps.read: Retrieve identity providers
    idps.write: Create and update identity providers
    clients.admin: Create, modify and delete OAuth clients
    clients.write: Create and modify OAuth clients
    clients.read: Read information about OAuth clients
    clients.secret: Change the password of an OAuth client
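To move existing descriptions out of message.properties into the new scim.groups block, the Python below (an added example, not UAA code) parses a java.util.Properties file, handling `=`, `:` and whitespace separators, backslash line continuations and `\uXXXX` escapes, selects the keys under an assumed `scope.` prefix, and renders the YAML snippet shown above. The prefix and the sample properties text are assumptions constructed for this example; change SCOPE_PREFIX to match the key convention in your own file.

```python
import re
from typing import Dict, List

# Assumed key convention of the old message.properties; adjust to match your file.
SCOPE_PREFIX = "scope."

_SEPARATOR = re.compile(r"(?<!\\)[=:]|(?<!\\)\s")
_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def _logical_lines(text: str) -> List[str]:
    """Join backslash-continued lines and drop blank and '#'/'!' comment lines."""
    lines, buf, continuing = [], "", False
    for raw in text.splitlines():
        line = raw.lstrip() if continuing else raw   # continuation lines lose leading blanks
        if not continuing and (not line.strip() or line.lstrip()[0] in "#!"):
            continue
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:                        # odd number of backslashes: continued
            buf += line[:-1]
            continuing = True
        else:
            lines.append(buf + line)
            buf, continuing = "", False
    if buf:
        lines.append(buf)
    return lines


def _unescape(s: str) -> str:
    """Resolve \\t \\n \\r \\f \\uXXXX and '\\x' -> 'x' escapes as java.util.Properties does."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            if nxt == "u" and i + 5 < len(s):
                out.append(chr(int(s[i + 2:i + 6], 16)))
                i += 6
                continue
            out.append(_ESCAPES.get(nxt, nxt))
            i += 2
            continue
        out.append(s[i])
        i += 1
    return "".join(out)


def parse_properties(text: str) -> Dict[str, str]:
    """Parse properties text: key/value split on the first unescaped '=', ':' or blank."""
    props = {}
    for line in _logical_lines(text):
        line = line.strip()
        m = _SEPARATOR.search(line)
        if m is None:
            key, rest = line, ""
        else:
            key, rest = line[:m.start()], line[m.end():].lstrip()
            if m.group().isspace() and rest[:1] in ("=", ":"):   # 'key = value' form
                rest = rest[1:].lstrip()
        props[_unescape(key)] = _unescape(rest)
    return props


def scope_descriptions(props: Dict[str, str], prefix: str = SCOPE_PREFIX) -> Dict[str, str]:
    """Keep only scope entries, keyed by scope name (prefix removed)."""
    return {k[len(prefix):]: v for k, v in props.items()
            if k.startswith(prefix) and len(k) > len(prefix)}


def render_scim_groups(descriptions: Dict[str, str]) -> str:
    """Render the scim.groups block; values are double-quoted so commas and colons are safe."""
    lines = ["scim:", "  groups:"]
    for scope in sorted(descriptions):
        value = descriptions[scope].replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'    {scope}: "{value}"')
    return "\n".join(lines) + "\n"


# Constructed sample in the old message.properties style (the key names are an assumption).
SAMPLE_PROPERTIES = """\
# scope descriptions
scope.zones.read=Read identity zones
scope.zones.write : Create and update identity zones
scope.clients.admin Create, modify and \\
    delete OAuth clients
scope.clients.secret=Change the password of an OAuth client \\u2013 admin only
! not a scope at all
login.title=Sign in
"""

if __name__ == "__main__":
    print(render_scim_groups(scope_descriptions(parse_properties(SAMPLE_PROPERTIES))))
```

Point parse_properties at the contents of your real message.properties file; entries that do not match the prefix (such as page titles) are left out of the generated block.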
Related Stories
- Provide the ability to set and retrieve description for an Identity Provider
- Display scope descriptions from db
- Provide the ability to add & retrieve descriptions for SCIM Groups
- Bootstrap all scope descriptions listed in the UAA documentation into the UAA DB. Right now only 4 are being bootstrapped
Other Minor Features
- Support Wildcards for OAuth Client Redirect URI
- Hide the username/password boxes if the internal user store is disabled and there is no LDAP provider, or the LDAP provider is not active.
- Make the IdentityProvider.config a generic
- Introduce a dynamic mechanism to derive which properties are displayed on the home page
Bug Fixes
- Indirect group memberships in a zone are not allowed in tokens
- uaa-release login.yml.erb does not populate the saml private key
- Creating a duplicate identity provider should return 409 instead of 500
- /Groups/zones should allow creation of zones.zoneid.scim.read/write/create groups
- Deleting a zone doesn't delete the cross zone scopes like zones.{zoneid}..
- Excluding Authorities from an access token causes a load configuration error
- LoginInfoEndpoint should return login.url
- /passcode link should be based on entityBaseURL
- LoginInfoEndpoint 'uaa' and 'login' (if local) - should be zonified
- LDAP certificate issue