77.8.0

What's Changed

• build(deps): bump github.com/onsi/gomega from 1.33.0 to 1.33.1 in /k8s by @dependabot in #2858
• fix: MySQL Performance Issues in "/ids/Users" Endpoint by @adrianhoelzl-sap in #2859

Full Changelog: v77.7.0...v77.8.0

77.7.0

What's Changed

This release addresses a serious performance issue that can affect installations using a MySQL database for UAA and has a large number of users (10,000+).

Fix

• Fix: performance issue in MySQL -- revert #2704 by @bruce-ricard in #2857

Full Changelog: v77.6.0...v77.7.0

77.6.0

What's Changed

Security

• The bc-fips bump addresses CVE-2024-29857.

Fix

• fix: load static resources from default zone if zone not found by @tack-sap in #2828

Misc

• Remove direct usage of commons-httpclient 3.1 by @strehle in #2826
• Refactor tests for EntityAliasHandler.ensureConsistencyOfAliasEntity by @adrianhoelzl-sap in #2824

Dependency Bumps

• build(deps): bump versions.springSecurityVersion from 5.8.11 to 5.8.12 by @dependabot in #2829
• build(deps): bump versions.tomcatCargoVersion from 9.0.87 to 9.0.88 by @dependabot in #2832
• build(deps): bump k8s.io/client-go from 0.29.3 to 0.29.4 in /k8s by @dependabot in #2835
• build(deps): bump org.apache.commons:commons-text from 1.11.0 to 1.12.0 by @dependabot in #2833
• build(deps): bump k8s.io/client-go from 0.29.4 to 0.30.0 in /k8s by @dependabot in #2839
• build(deps): bump github.com/onsi/gomega from 1.32.0 to 1.33.0 in /k8s by @dependabot in #2842
• build(deps): bump org.gradle:test-retry-gradle-plugin from 1.5.8 to 1.5.9 by @dependabot in #2852
• build(deps): bump org.bouncycastle:bc-fips from 1.0.2.4 to 1.0.2.5 by @dependabot in #2853

Full Changelog: v77.5.0...v77.6.0

77.5.0

What's Changed

Security Fix

• Spring Framework update from 5.3.33 to 5.3.34 by @dependabot in #2822, solves https://spring.io/security/cve-2024-22262

Misc

• Fix flaky test in ScimUserEndpointsMockMvcTests by @adrianhoelzl-sap in #2804
• Further Integration Tests for Alias Identity Providers Feature by @adrianhoelzl-sap in #2722
• Set default SAML signatureAlgorithm value to SHA256 by @hsinn0 in #2807
• Misc API docs improvements by @peterhaochen47 in #2795
• fix: gradle test might give false green by @peterhaochen47 in #2801
• backfill tests: SAML SP metadata by @peterhaochen47 in #2794
• Prevent Update and Delete of Entities with Alias if Alias Feature is disabled by @adrianhoelzl-sap in #2803
• Sonar fix by @strehle in #2816
• Move OAuth2 classes BaseClientDetails to UaaClientDetails by @strehle in #2806

Dependency Bumps

• build(deps): bump commons-io:commons-io from 2.15.1 to 2.16.0 by @dependabot in #2811
• build(deps): bump commons-io:commons-io from 2.16.0 to 2.16.1 by @dependabot in #2819
• build(deps): bump versions.braveVersion from 6.0.2 to 6.0.3 by @dependabot in #2823
• update dependency nokogiri to v1.16.4 by @strehle in #2827

Full Changelog: v77.4.0...v77.5.0

77.4.0

What's Changed

• Add 'aliasId' and 'aliasZid' Fields to ScimUser by @adrianhoelzl-sap in #2765
• Cleanup from PR 2765 by @strehle in #2797
• Bump Gradle to 8.7 by @strehle in #2798
• Support own key and cert for jwtClientAuthentication by @strehle in #2771
• build(deps): bump org.sonarsource.scanner.gradle:sonarqube-gradle-plugin from 4.4.1.3373 to 5.0.0.4638 by @dependabot in #2800

Full Changelog: v77.3.0...v77.4.0

77.3.0

What's Changed

• Load jwtClientAuthentication in uaa.yml by @strehle in #2758
• build(deps): bump org.eclipse.jgit:org.eclipse.jgit from 6.8.0.202311291450-r to 6.9.0.202403050737-r by @dependabot in #2772
• Update rack in Gemfile.lock by @strehle in #2773
• Optimize "/ids/Users" endpoint by @adrianhoelzl-sap in #2704
• feat: Use Database availability as indicator for /healthz response by @tack-sap in #2763
• build(deps): bump versions.jacksonVersion from 2.16.1 to 2.16.2 by @dependabot in #2774
• Fix sonar by @strehle in #2770
• build(deps): bump versions.springFrameworkVersion from 5.3.32 to 5.3.33 by @dependabot in #2777
• build(deps): bump versions.guavaVersion from 33.0.0-jre to 33.1.0-jre by @dependabot in #2778
• build(deps): bump org.postgresql:postgresql from 42.7.2 to 42.7.3 by @dependabot in #2781
• build(deps): bump versions.tomcatCargoVersion from 9.0.86 to 9.0.87 by @dependabot in #2780
• build(deps): bump versions.jacksonVersion from 2.16.2 to 2.17.0 by @dependabot in #2776
• build(deps): bump k8s.io/client-go from 0.29.2 to 0.29.3 in /k8s by @dependabot in #2786
• update dependency nokogiri to v1.16.3 by @strehle in #2787
• build(deps): bump versions.springSecurityVersion from 5.8.10 to 5.8.11 by @dependabot in #2788
• Fix uaa start. Prevent exception if encryption section missing by @strehle in #2767
• build(deps): bump github.com/onsi/gomega from 1.31.1 to 1.32.0 in /k8s by @dependabot in #2791
• fix: saml signatureAlgorithm in AuthnRequest by @swalchemist in #2792

Full Changelog: v77.2.0...v77.3.0

77.2.0

What's Changed

Fixes

• Fix audience type by @strehle in #2757
• avoid NPE by @klaus-sap in #2747
• Sonar fixes by @strehle in #2760
• Solve sonar bug by @strehle in #2768
• more methods for sanitized logging by @klaus-sap in #2764

Misc

• refactor: Remove a use of a constant from opensaml library by @hsinn0 in #2743
• Move IdP Alias Handling to separate Class by @adrianhoelzl-sap in #2737
• remove more IdP tests by @swalchemist in #2742
• doc: clarify token revocation by @peterhaochen47 in #2749

Dependency Bumps

• build(deps): bump org.apache.santuario:xmlsec from 4.0.1 to 4.0.2 by @dependabot in #2746
• build(deps): bump versions.braveVersion from 6.0.1 to 6.0.2 by @dependabot in #2748
• update dependency org.seleniumhq.selenium:selenium-java to v4.18.1 by @strehle in #2744
• build(deps): bump org.json:json from 20240205 to 20240303 by @dependabot in #2761

Known Issues

• During the upgrade to this version from UAA v76 or below with canary deployment (where briefly both new and old UAA servers could be running), UAA delete user endpoint might respond with an error even though the user deletion is successful. Mitigation: Delete users after the canary deployment finishes. But if you do run into this issue, you can ignore the error and check whether the user has been successfully deleted after the canary deployment finishes.

Full Changelog: v77.1.0...v77.2.0

77.1.0

What's Changed

Fixes

• Fix invalid identity zone by @klaus-sap in #2711
• Fix filter check in ids/Users endpoint by @adrianhoelzl-sap in #2702
• Revert "Ignore failing integration test" by @peterhaochen47 in #2731

Misc

• refactor: split test by @swalchemist in #2725
• Misc SAML tests refactors by @peterhaochen47 in #2727
• Maintain tomcat version by @strehle in #2721
• refactor: use non-deprecated saml configs in uaa.yml by @peterhaochen47 in #2732

Dependency Bumps

• build(deps): bump versions.springFrameworkVersion from 5.3.31 to 5.3.32 by @dependabot in #2733
• build(deps): bump versions.springSecurityVersion from 5.8.9 to 5.8.10 by @dependabot in #2734
• build(deps): bump versions.tomcatCargoVersion from 9.0.85 to 9.0.86 by @dependabot in #2736
• renovate: update dependency org.mariadb.jdbc:mariadb-java-client to v2.7.12 by @strehle in #2740
• build(deps): bump org.postgresql:postgresql from 42.7.1 to 42.7.2 by @dependabot in #2739
• build(deps): bump jasmine-core from 5.1.1 to 5.1.2 in /uaa by @dependabot in #2720
• build(deps): bump versions.braveVersion from 6.0.0 to 6.0.1 by @dependabot in #2726
• build(deps): bump k8s.io/api from 0.29.1 to 0.29.2 in /k8s by @dependabot in #2728
• build(deps): bump k8s.io/client-go from 0.29.1 to 0.29.2 in /k8s by @dependabot in #2730

Known Issues

• During the upgrade to this version from UAA v76 or below with canary deployment (where briefly both new and old UAA servers could be running), UAA delete user endpoint might respond with an error even though the user deletion is successful. Mitigation: Delete users after the canary deployment finishes. But if you do run into this issue, you can ignore the error and check whether the user has been successfully deleted after the canary deployment finishes.

Full Changelog: v77.0.0...v77.1.0

77.0.0

What's Changed

⚠️ Breaking Changes

• Remove UAA's ability to act as a SAML identity provider by @hsinn0 in #2638
  • feat: clean up unused DB table service_provider used by UAA-as-SAML-IDP feature by @peterhaochen47 in #2701
• Remove: deprecated native MFA feature by @peterhaochen47 in #2717
• Please note that upgrading to this release will clean up all persisted data related to the removed features mentioned above, so please proceed with caution.

Misc

• Import refactor for SAML by @swalchemist in #2689
• Refactor BouncyCastleProvider to BouncyCastleFipsProvider by @strehle in #2693
• Refactor saml dependencies 186822654 by @bruce-ricard in #2700
• fix: check origin of user by @klaus-sap in #2688
• Sonar recommendation by @strehle in #2708
• refactor: remove a SAML dependency by @bruce-ricard in #2699
• Inconsistent Update Behavior for SCIM "/Users/{userId}" by @adrianhoelzl-sap in #2712
• Alias ID and Alias ZID for Identity Providers by @adrianhoelzl-sap in #2637
• fix: Duplicate Version Numbers in Flyway Migrations for IdP Alias Columns by @adrianhoelzl-sap in #2723
• refactor: reduce test dependency on EOL lib by @peterhaochen47 in #2719

Dependency Bumps

• Bump Gradle to 8.6 by @strehle in #2707
• renovate: update dependency nokogiri to v1.16.2 by @strehle in #2713
• build(deps): bump org.json:json from 20231013 to 20240205 by @dependabot in #2714
• build(deps): bump org.apache.directory.api:api-ldap-model from 2.1.5 to 2.1.6 by @dependabot in #2715
• build(deps): bump com.google.zxing:javase from 3.5.2 to 3.5.3 by @dependabot in #2698
• renovate: update dependency middleman-syntax to v3.4.0 by @strehle in #2706
• renovate: update dependency nokogiri to v1.16.1 by @strehle in #2709
• build(deps): bump joda-time:joda-time from 2.12.6 to 2.12.7 by @dependabot in #2710
• Bump json path from version 2.7.0 to 2.9.0 by @strehle in #2686
• build(deps): bump actions/dependency-review-action from 3 to 4 by @dependabot in #2685
• build(deps): bump github.com/onsi/gomega from 1.31.0 to 1.31.1 in /k8s by @dependabot in #2687

Known Issues

• During the upgrade to this version from UAA v76 or below with canary deployment (where briefly both new and old UAA servers could be running), UAA delete user endpoint might respond with an error even though the user deletion is successful. Mitigation: Delete users after the canary deployment finishes. But if you do run into this issue, you can ignore the error and check whether the user has been successfully deleted after the canary deployment finishes.

Full Changelog: v76.31.0...v77.0.0

76.31.0

What's Changed

• Dependabot cleanup by @swalchemist in #2669
• Refactor: remove spring security jwt and use nimbus jose by @strehle in #2624
• Post jwt token library refactoring by @strehle in #2679
• remove spring-security-jwt license statement by @strehle in #2678
• minor: add maxUsers to sample configuration by @klaus-sap in #2680

Dependency Bumps

• build(deps): bump k8s.io/client-go from 0.29.0 to 0.29.1 in /k8s by @dependabot in #2684
• build(deps): bump github.com/onsi/gomega from 1.30.0 to 1.31.0 in /k8s by @dependabot in #2682

Full Changelog: v76.30.0...v76.31.0