Trivore ID 3 changelog

Version 3 of Trivore ID is an older production-ready version. It should be upgraded to version 4.

Release 3.24

Initial release

Released 2021-08-04.

Notable changes

The JAVA_HOME environment variable has been removed from /etc/sysconfig/oneportal and is now set directly in the systemd unit file. There is usually no need to change its value, and this change makes upgrades easier even if the sysconfig file has been locally modified. If the variable is still present in your sysconfig file, the recommendation is to remove it. Use trivore-jetty version 4.4 or later to ensure that JAVA_HOME works as expected.

Bugs fixed

ONEP-2312 User was left signed in after using Change Password pages

ONEP-2309 Customer specific bugfix

ONEP-2307 Update to latest jackson and fix related dependency conflicts

ONEP-2301 Fix customer module dependencies

Improvements made

ONEP-2313 Move JAVA_HOME to systemd service file

ONEP-2311 Parse Basic authorization headers without using regex

ONEP-2306 Update to latest Ignite (2.10.0)

ONEP-2308 Make personal identity code parsing more lenient

ONEP-2304 Remove any javascript usage from ant build.xml

ONEP-2303 Remove maven install target from ant build.xml

ONEP-2302 Use exact version/release numbers for rpm dependency definitions

ONEP-2300 Refactor database credential configuration

ONEP-2298 Support ID-token parameter in changePassword form

ONEP-2297 Add webtheme support for changePassword form

ONEP-2296 Add logos to changePassword form

Tasks

ONEP-2291 Improve docker build

ONEP-2288 Replace maven ant tasks with maven artifact resolver

Database configuration

This version has new database configuration properties. The new configuration is backwards compatible, so no changes are required. Future versions may drop the deprecated properties, so it is recommended to stop using them.

| Property | Description | Default value |
|---|---|---|
| mongo.addr | Primary MongoDB database URI. Full MongoDB URI recommended. Legacy <host>:<port> still supported for backwards compatibility. Uses replica set oneportal by default when legacy mode is used. Use full URI without replica set parameter if connecting to single node MongoDB which does not have replica set defined. | mongodb://localhost:28017/?replicaSet=oneportal |
| mongo.dbname | Primary database name. Defaults to oneportal. | oneportal |
| mongo.dbname.aux | Auxiliary database name. Deprecated in favour of mongo.aux.dbname. | oneportal_aux |
| mongo.writeconcern | Primary database write concern. | ACKNOWLEDGED |
| mongo.readpreference | Primary database read preference. | PRIMARY_PREFERRED |
| mongo.timeout | MongoDB server selection timeout value in milliseconds. Applies to all databases. | 30000 |
| mongo.cluster.key | Pointer to a file which contains cluster-wide cryptographic key material. Must have same value on all server nodes in the cluster. If file does exist, this option is ignored. | /etc/oneportal/cluster_key |
| mongo.auth.enabled | Primary database authentication enabled/disabled. Value is either true or false. | false |
| mongo.auth.provider.enabled* | If true, uses legacy authentication credential computation for primary database. Value is either true or false. Legacy mechanism always uses username oneportal and password computed from salt material (see properties below). Legacy mode authentication database (source) is the same as primary database (mongo.dbname). | true |
| mongo.auth.salt.file | Input material for credential computation when legacy authentication mechanism is used. Must point to a file. | /var/lib/oneportal/node_salt |
| mongo.auth.salt.url | Input material for credential computation when legacy authentication mechanism is used. Must point to an URL. | https://keymgmt.t5.fi/.suolaa |
| mongo.auth.source* | Authentication database (source) when connecting to primary database. Not used when legacy authentication mode is enabled. | oneportal |
| mongo.auth.username* | Primary database authentication username. Not used when legacy authentication mode is enabled. | oneportal |
| mongo.auth.password* | Primary database authentication password. Not used when legacy authentication mode is enabled. | Undefined |
| mongo.aux.addr* | Auxiliary MongoDB database URI. | Undefined (defaults to mongo.addr) |
| mongo.aux.dbname* | Auxiliary database name. | Undefined (defaults to mongo.dbname.aux) |
| mongo.aux.writeconcern* | Auxiliary database write concern. | Undefined (defaults to mongo.writeconcern) |
| mongo.aux.readpreference* | Auxiliary database read preference. | Undefined (defaults to mongo.readpreference) |
| mongo.aux.auth.enabled* | Auxiliary database authentication enabled/disabled. | Undefined (defaults to mongo.auth.enabled) |
| mongo.aux.auth.provider.enabled* | If true, uses legacy authentication credential computation for auxiliary database. Legacy mode always uses auxiliary database itself as authentication source. | Undefined (defaults to mongo.auth.provider.enabled) |
| mongo.aux.auth.source* | Authentication database (source) when connecting to auxiliary database. Not used when legacy authentication mode is enabled. | Undefined (defaults to mongo.auth.source) |
| mongo.aux.auth.username* | Auxiliary database authentication username. Not used when legacy authentication mode is enabled. | Undefined (defaults to mongo.auth.username) |
| mongo.aux.auth.password* | Auxiliary database authentication password. Not used when legacy authentication mode is enabled. | Undefined (defaults to mongo.auth.password) |
| mongo.log.addr | Logging MongoDB database URI. | Undefined (defaults to mongo.aux.addr) |
| mongo.log.dbname | Logging database name. | Undefined (defaults to mongo.aux.dbname) |
| mongo.log.writeconcern | Logging database write concern. | W1 (defaults to mongo.aux.writeconcern) |
| mongo.log.readpreference | Logging database read preference. | NEAREST (defaults to mongo.aux.readpreference) |
| mongo.log.auth.enabled | Logging database authentication enabled/disabled. | Undefined (defaults to mongo.aux.auth.enabled) |
| mongo.log.auth.provider.enabled* | If true, uses legacy authentication credential computation for logging database. Legacy mode always uses logging database itself as authentication source. | Undefined (defaults to mongo.aux.auth.provider.enabled) |
| mongo.log.auth.source* | Authentication database (source) when connecting to logging database. Not used when legacy authentication mode is enabled. | Undefined (defaults to mongo.aux.auth.source) |
| mongo.log.auth.username* | Logging database authentication username. Not used when legacy authentication mode is enabled. | Undefined (defaults to mongo.aux.auth.username) |
| mongo.log.auth.password* | Logging database authentication password. Not used when legacy authentication mode is enabled. | Undefined (defaults to mongo.aux.auth.password) |
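
Added example (not Trivore's own code): a small Python resolver that applies the defaults and fallbacks listed in the property table to an oneportal.conf-style file and reports, per database, which authentication mode ends up in effect. It assumes plain key=value lines and that fallbacks resolve exactly as the table lists them; the sample configuration, its host names and its credentials are constructed.

```python
# Added example: resolve effective MongoDB auth settings per database from
# oneportal.conf-style properties, using the defaults listed in the table.

# Primary-database defaults from the table; None stands for "Undefined".
DEFAULTS = {
    "addr": "mongodb://localhost:28017/?replicaSet=oneportal",
    "auth.enabled": "false",
    "auth.provider.enabled": "true",
    "auth.source": "oneportal",
    "auth.username": "oneportal",
    "auth.password": None,
}
# Lookup order per database: logging -> auxiliary -> primary.
CHAIN = {
    "primary": ["mongo."],
    "aux": ["mongo.aux.", "mongo."],
    "log": ["mongo.log.", "mongo.aux.", "mongo."],
}

# Constructed sample configuration (not taken from a real installation).
SAMPLE_CONF = """
# primary database with explicit credentials
mongo.addr=mongodb://db1.example.net:28017/?replicaSet=oneportal
mongo.dbname.aux=oneportal_aux
mongo.auth.enabled=true
mongo.auth.provider.enabled=false
mongo.auth.source=admin
mongo.auth.username=tis_app
mongo.auth.password=CHANGE_ME
# separate logging database
mongo.log.addr=mongodb://log1.example.net:28017
mongo.log.dbname=oneportal_log
mongo.log.auth.enabled=false
"""


def parse_properties(text):
    """Parse key=value lines (assumed format); skip blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def effective(props, scope, suffix):
    """Return the first value set along the fallback chain, else the default."""
    for prefix in CHAIN[scope]:
        if prefix + suffix in props:
            return props[prefix + suffix]
    return DEFAULTS[suffix]


def effective_dbname(props, scope):
    """Database names never fall back to the primary database name."""
    if scope == "primary":
        return props.get("mongo.dbname", "oneportal")
    if scope == "log" and "mongo.log.dbname" in props:
        return props["mongo.log.dbname"]
    # mongo.aux.dbname, then the deprecated mongo.dbname.aux, then its default.
    return props.get("mongo.aux.dbname",
                     props.get("mongo.dbname.aux", "oneportal_aux"))


def audit(text):
    """Return (resolved settings per database, list of findings)."""
    props = parse_properties(text)
    findings = []
    if "mongo.dbname.aux" in props:
        findings.append("mongo.dbname.aux is deprecated; use mongo.aux.dbname")
    resolved = {}
    for scope in CHAIN:
        dbname = effective_dbname(props, scope)
        entry = {"addr": effective(props, scope, "addr"), "dbname": dbname}
        enabled = effective(props, scope, "auth.enabled").lower() == "true"
        legacy = effective(props, scope, "auth.provider.enabled").lower() == "true"
        if not enabled:
            entry["mode"] = "none"
            findings.append(f"{scope}: authentication disabled")
        elif legacy:
            # Legacy mode: fixed username, source is the database itself.
            entry.update(mode="legacy", source=dbname, username="oneportal")
        else:
            entry.update(mode="explicit",
                         source=effective(props, scope, "auth.source"),
                         username=effective(props, scope, "auth.username"))
            if not effective(props, scope, "auth.password"):
                findings.append(f"{scope}: explicit credentials without a password")
        resolved[scope] = entry  # the password itself is never copied out
    return resolved, findings


if __name__ == "__main__":
    settings, problems = audit(SAMPLE_CONF)
    for scope, entry in settings.items():
        print(scope, entry)
    for problem in problems:
        print("FINDING:", problem)
```

With an empty configuration the resolver reports authentication disabled for all three databases and places the event log in oneportal_aux, which matches the table's defaults and the backwards compatibility mode described for release 3.15.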

Release 3.23

Initial release

Released 2021-07-01.

Bug fixes

ONEP-2289 Fix mock object initialization in EtbRolesClaimPluginTests

ONEP-2283 SchoolService failed to load school names from file

ONEP-2281 Wallet info window does not check for "read access to all wallets" permission

Improvement

ONEP-2286 Support setting user's consents with API Client credentials. Add new required permission for it.

ONEP-2280 Scheduled Tasks view's table shows info about the latest log entry, to assist in finding issues

ONEP-2279 Prevent queuing new webhook call if identical to already queued call

ONEP-2278 Include browser user-agent in automated error email reports

New Feature

ONEP-2294 Add Prometheus metrics endpoint

ONEP-2293 DVV-API-Client: Support X-Road-Client header in VTJ call

ONEP-2251 Add APIs: Create accounts with 'hetu' and retrieve legal info from VTJ

Sub-task

ONEP-2265 Add API for creating or updating user with only hetu

Customer specific

ONEP-2290 New "reload product" endpoint

ONEP-2292 Pusatec credit API calls fail with PATCH related error

Release 3.22

Initial release

Released 2021-06-01.

Bug fixes

ONEP-2268 Wallet API: Checking write access via default-wallet-type's accesscontrol seems to fail

Improvement

ONEP-2269 OIDC management UI: Can filter by owner

ONEP-2271 Update legalinfo's lastUpdatedAt when updated with DVV data

ONEP-2264 Support receiving huoltajatiedot from VTJ

Customer specific

ONEP-2272 APIs: Add "get single catalog" endpoint as per issue W20-49

Release 3.21

Initial release

Released 2021-05-04.

Version 3.21 adds the following major new features:

  • Support for storing user’s Push Notification Service tokens (Firebase registration tokens)
  • Automatic deletion of accounts of deceased users
  • Improvements to Wallet management APIs

The full list of changes is below.

Bug fixes

ONEP-2266 Ignite Cluster setup fails on some systems

ONEP-2249 RevealablePasswordField improve accessibility (ARIA labels)

ONEP-1636 Product, Catalog, PricingPlan views: Double click to edit

Improvement

ONEP-2262 Make revealable password field's reveal-button's caption accessibility-compatible

ONEP-2259 Correct links in Digi and väestötietovirasto config pages

ONEP-2258 Admin UI Contexts have an icon to help identification in menus

ONEP-2257 Password Reset: Add option to hide username in "enter new password" view

ONEP-2256 Data export window (accounts view, others) supports re-downloading if download failed

ONEP-2247 Webhook editor: More help text, including example of HTTP POST body.

ONEP-2245 Add description field to Management API client editor, show description in client list view

ONEP-2242 Make pricingplans easier to browse in product & catalog item editor layouts

New Feature

ONEP-2260 Delete dead users automatically (data received from official source)

ONEP-2237 FCM (Firebase Cloud Messaging) Push Token Storage API

ONEP-2244 Wallet API: Get access control via wallet type configuration

ONEP-2236 Wallet API: Transactions should store info about API caller ID

ONEP-2235 Wallet API: Add "can read+list all wallets" permission

ONEP-2229 Wallet API: Add minimum, maximum balance limit config (wallet types)

Customer specific

ONEP-1997 Waltti Travel Account and Travel Card info storage

ONEP-2255 Waltti Travel Account data: Add simple data browser to Accounts view's info menu

Update 3.21.1

Improvement

ONEP-2286 Support setting user's consents with API Client credentials. Add new required permission for it.

Release 3.20

Initial release

Released 2021-04-01.

Bug fixes

  • [ONEP-2240] - Opening UserEditor sometimes fails with NullPointerException error

New Feature

  • [ONEP-2214] - ETB: Add capability to optionally allow HSL ID to fetch ETB related userinfo data from ETB backend
  • [ONEP-2230] - Separate permissions for User CustomFields access
  • [ONEP-2231] - Add management UI view for browsing namespace consent definitions
  • [ONEP-2233] - Maintenance tool for migrating User customfield "AvatarName" to screen name field

Improvement

  • [ONEP-2220] - Waltti Sale API: If no validityStarts/ends provided, generate them based on product data
  • [ONEP-2226] - Log index update steps better during startup
  • [ONEP-2222] - Wallet API: balance and amount fields use number value instead of string
  • [ONEP-2223] - Wallet API: Add locking support
  • [ONEP-2224] - Wallet API: Add "tvv" field to Wallet
  • [ONEP-2225] - Wallet API: Add 'events' endpoints, move from wallet doc to separate docs.
  • [ONEP-2232] - Wallet API: Add 'travel account' field
  • [ONEP-2234] - Wallet API: Find wallet by 'matkakorttinumero' (Waltti module)
  • [ONEP-2238] - Wallet API: Update Pusatec after wallet changes
  • [ONEP-2239] - Wallet API: Add more storable data fields to transactions

Update 3.20.1

Released 2021-04-09.

Bug fixes

ONEP-2243 Volume parameter handled incorrectly when evaluating prices

Update 3.20.2

Released 2021-04-19.

Bug fixes

ONEP-2252 OAuth2 editor and other features may break after Email template editor is used (json mapper config issue)

ONEP-2248 Webhook is called even though group limitation should prevent it

ONEP-2246 Password field with reveal button doesn't show "required" error message correctly

Improvement

ONEP-2254 Refactor webhook call maker structure to simplify testing

Update 3.20.3

Released 2021-04-23.

Fixes issue which affects versions 3.20 - 3.20.2.

Bug fixes

ONEP-2261 Scheduled tasks were not being run automatically. Error always displayed when updating task scheduling settings.

Release 3.19

Initial release

Released 2021-03-03.

Minor, yet important upgrade. This version contains preliminary changes for Java 11 support. Java 8 is still used as the runtime environment, but the back-end build process is compatible with Java 11. The production build process still uses Java 8.

Something to think about

This version introduces the sysconfig variable JAVA_HOME, which controls which Java installation is used as the runtime environment. The variable is mandatory for a smooth upgrade to version 4.0, which requires Java version 11 (earlier versions use Java 8).

When upgrading to version 3.19, make sure that the file /etc/sysconfig/oneportal contains the JAVA_HOME variable:

JAVA_HOME=/usr/share/oneportal/java

Bug fixes

  • [ONEP-2175] - Fix event log related webhooks

  • [ONEP-2199] - Updating screen name with update-user-profile API doesn't update it

  • [ONEP-2200] - Clicking "password forgotten" button in OIDC login form fails when no namespace is selected

  • [ONEP-2212] - 2FA: TOTP setup image and code sometimes doesn't show on screen

New Features

  • [ONEP-1161] - Cloud File (onePortal File) REST

Improvements

  • [ONEP-2174] - Use SYSTEM sms message type when sending verification messages

  • [ONEP-2195] - Connect to only Ignite cluster with exact same version

  • [ONEP-2196] - Re-introduce support for cluster domain (as partition)

  • [ONEP-2197] - Use load-time weaver instead of compile-time weaving

  • [ONEP-2198] - IDE support for newer aspectj:compile

  • [ONEP-2201] - Fix NPE in CollectionColumnGenerator

  • [ONEP-2206] - Improve configuration for selecting Java installation

  • [ONEP-2207] - Optional build process support for Java 11

  • [ONEP-2208] - Import all Azure groups (not only security enabled)

  • [ONEP-2209] - Check consent migration when changing namespace

  • [ONEP-2210] - Improve SAML attribute model for JSON based synchronization

  • [ONEP-2211] - Make Azure group securityEnabledOnly configurable

  • [ONEP-2213] - Waltti: After-sale operations should retry "code getting" for 30 secs due to Pusatec internal delays

  • [ONEP-2215] - Login, registration, reset password fields have an integrated "Reveal" button.
    To modify custom webthemes to use it, see the default layouts. For example, the default layout for openid login has the following line for the password field: <uic-revealable-password-field style-name="login-password-field field-main" _id="passwordField" width-full />

Update 3.19.1

Released 2021-03-14.

Improvement

  • [ONEP-2220] - Waltti Sale API: If no validityStarts/ends provided, generate them based on product data

Release 3.18

Initial release

Released 2021-01-27.

Bug fixes

  • [ONEP-2171] - Updating consents with user-profile API fails to save consent changes due to order of save ops

  • [ONEP-2172] - ETB: Company purchase statistics end date should be inclusive

  • [ONEP-2178] - Password reset message is not sent if given email has spaces at start/end

  • [ONEP-2179] - Restyle post-logout spinner view HTML

New Feature

  • [ONEP-2173] - Webhook can be configured to ignore events caused by selected Mgmt Api Clients

Improvement

  • [ONEP-2169] - Remove parental consent question from hslid-module's AdultOrMinorComponent

  • [ONEP-2170] - Permission selector in API client editor allows selecting permissions the owner doesn't yet have, highlights them as "unavailable"

  • [ONEP-2176] - Customer specific improvements

  • [ONEP-2177] - Restyle post-login spinner view HTML

  • [ONEP-2182] - Implement Azure domain_hint parameter

Update 3.18.1

Released 2021-02-01.

This release contains some minor customer specific improvements and fixes. Additionally, acr_values parameter handling has been fixed for persistent and token login use cases.

Improvement

  • [ONEP-2183] - Customer specific improvements
  • [ONEP-2184] - Check preferred ACR values when performing token login

Update 3.18.2

Released 2021-02-03.

This release contains one customer specific bugfix.

Bug fixes

  • [ONEP-2192] - Customer specific bugfix

Update 3.18.3

Released 2021-02-17

Bug fixes

  • [ONEP-2199] - Updating screen name with update-user-profile API doesn't update it

Improvement

  • [ONEP-2204] - Fix user directory authentication bug
  • [ONEP-2205] - Use IP address instead of hostname for cluster connections

Release 3.17

Initial release

Released 2021-01-14

Bug fixes

  • [ONEP-2165] - Encrypted value that doesn't match encryption key causes reading of parent object to fail

  • [ONEP-2166] - Implement Wilma SSO

  • [ONEP-2167] - Fix log file rotation

Improvement

  • [ONEP-2153] - Allow OAuth 2.0 clients to read user's own legal address without "view legal address" permission

  • [ONEP-2158] - Ensure that User CustomFields APIs write necessary log event markings

  • [ONEP-2159] - Support arrays and objects in User CustomFields API

  • [ONEP-2162] - The Namespaces-View updates URI fragment to support back/forward browser buttons

  • [ONEP-2163] - Users view uses URI fragments to support back/forward buttons

  • [ONEP-2164] - Allow webhook cancel http status code configuration

Update 3.17.1

Released 2021-01-14

Improvement

  • [ONEP-2168] - Improve Wilma Query URL configuration

Release 3.16

Initial release

Released 2020-12-17.

Various improvements and bugfixes.

Bug fixes

  • [ONEP-2124] - Data storage data is deleted when metadata is updated

  • [ONEP-2129] - ID token lost auth_time value after using refresh token to refresh it

New Feature

  • [ONEP-2131] - Show generic error codes in API documentation

  • [ONEP-2139] - Namespace icon as alternative to logo (VaadinIcons)

  • [ONEP-2140] - Add new User field 'screen name' and add requirements configuration

  • [ONEP-2144] - List all internal permissions with their codes and names under /apidoc/permissions

Improvement

  • [ONEP-2074] - Fix discount campaign warning

  • [ONEP-2122] - Improve cache header support with sign-in-background and namespace logo downloads

  • [ONEP-2134] - Replace @PermissionsRequired(anyAllowed=true) parameter with @AuthorizationRequired annotation

  • [ONEP-2143] - REST APIs no longer prevent saving user if an unchanged value does not meet changed requirements

  • [ONEP-2146] - ADFS groups via synchronization

  • [ONEP-2148] - Manually edit user directory link ID

  • [ONEP-2149] - Add support for extra attributes for Azure AD

  • [ONEP-2151] - ETB: add proper validity area to billing attachments

  • [ONEP-2155] - Add option to list non-valid prices for items in Waltti Catalog list API

Update 3.16.1

Released 2020-12-18

Bug fixes

  • [ONEP-2156] - Fix MPASSid data model parsing

  • [ONEP-2157] - Customer specific bugfixes and minor improvements

Release 3.15

Initial release

Released 2020-11-18.

Event log has been moved to separate database.

Breaking changes

The event log has been moved to a separate database, which requires new configuration options in /etc/oneportal/oneportal.conf:

mongo.log.addr=mongodb://localhost:28017/?replicaSet=oneportal
mongo.log.dbname=oneportal_log
mongo.log.writeconcern=W1
mongo.log.readpreference=NEAREST

If these new configuration options are not specified, backwards compatibility mode is used and event logs use the oneportal_aux database (the previous default).

Additionally, the database configuration now recommends full MongoDB URIs for the database address, including the replica set name where one is used. If the database does not have a replica set defined (standalone MongoDB), the replica set should be left out of the MongoDB URI. Backwards compatibility exists by default, but it only works when MongoDB has a replica set named oneportal.

Recommended database configuration with replica set:

mongo.addr=mongodb://localhost:28017/?replicaSet=oneportal

Recommended database configuration for standalone MongoDB:

mongo.addr=mongodb://localhost:28017

Bug fixes

  • [ONEP-2119] - Admin UI: Disabling the delete-confirmation of something also disabled delete confirmation of everything else

  • [ONEP-2120] - Customer care: Removing student identification doesn't seem to work, displays still as "student" but without dates

New Feature

  • [ONEP-2113] - Header namespace selector: Show a selectable list of additional namespaces if they are accessible and current user can grant management access to self

Improvement

  • [ONEP-2026] - Move eventlog to separate database

  • [ONEP-2072] - Replace event log grace period with more efficient implementation

  • [ONEP-2075] - Support non-legal student/pupil information

  • [ONEP-2076] - New customer specific OpenID scope/claim

  • [ONEP-2081] - New customer specific REST API

  • [ONEP-2096] - Allow system to start without log database

  • [ONEP-2097] - Implement user directory synchronization via REST

  • [ONEP-2099] - Rename Identifiable (and related interfaces) methods

  • [ONEP-2104] - Add parameter to auto-redirect to external login

  • [ONEP-2105] - Add support for selecting user directory by acr_values parameter

  • [ONEP-2106] - Investigate acr usage in federation scenario

  • [ONEP-2108] - Use oneportal_aux database when oneportal_log is not available

  • [ONEP-2109] - ETB: use global oneportal mongo authentication settings by default

  • [ONEP-2111] - Add support for configuring conflict policy for soft deleted user when signing in via external user directory

  • [ONEP-2112] - Allow optional directory link authId encryption

  • [ONEP-2115] - Show namespace's general logo in namespace selector

  • [ONEP-2116] - Allow configuring multiple acr values for directory and require only one to be satisfied

  • [ONEP-2117] - Add support for importing groups from Azure AD

  • [ONEP-2118] - Import group id values from user directory

  • [ONEP-2121] - Add index for personal identifiers field and make it searchable.

Update 3.15.1

Released 2020-11-18.

Patch release that contains non-invasive bugfixes.

Bug fixes

  • [ONEP-2125] - Fix null pointer exception in SAML authentication when NameID is missing

Update 3.15.2

Released 2020-11-25.

Patch release that contains non-invasive bugfixes.

Bug fixes

  • [ONEP-2127] - External authentication bugfixes

  • [ONEP-2128] - Fix MPASSid attribute mappings

  • [ONEP-2133] - View user directory ID in user interface

Update 3.15.3

Released 2020-12-10.

Minor release that contains one new user directory.

New Feature

  • [ONEP-2126] - Waltti: Support getAccountMonetaryEvents API

  • [ONEP-2135] - Implement Opinsys authentication

Release 3.14

Released 2020-11-16.

Major user search functionality improvement. This helps especially large installations with millions of users.

Breaking changes

Web themes

Login layout has new error labels for username and password fields. They need to be added to any web themes that customise this view:

// Add these after username and password fields (see default layout for context)
<vaadin-label style-name="failure" plain-text _id="usernameErrorLabel" />
<vaadin-label style-name="failure" plain-text _id="passwordErrorLabel" />

Technical notes

MongoDB text search index usage for user search was replaced with a heuristic approach that interprets the search input and builds a multi-key search query from it. This can leverage MongoDB index intersection functionality for improved speed.

Group membership indexing was improved. This will cause some indexes to be rebuilt.

Bug fixes

  • [ONEP-1836] - Text search bug when matching email addresses on free-form search

  • [ONEP-2064] - Deleting a namespace should delete related User Directory definitions

  • [ONEP-2082] - Reset password internal user directory detection doesn't work in rare cases

  • [ONEP-2083] - Password Reset link token code should not invalidate until user interacts in page

  • [ONEP-2085] - Password Reset user search should ignore soft-deleted users

  • [ONEP-2087] - Deleting namespace should delete related user directory links

  • [ONEP-2098] - User consent api onlyExplicit=false parameter returns always an error

New Feature

  • [ONEP-1934] - Add /user/{userId}/consent APIs to make user-specific consent jobs easier

  • [ONEP-2023] - Add API to send the "welcome" email to user

  • [ONEP-2100] - Automated User Consent migration tool after server upgrade

Task

  • [ONEP-2068] - Update Finnish municipality list, link in About dialog

Improvement

  • [ONEP-1924] - Improve SMS sending resiliency with intelligent gateway switch-over

  • [ONEP-2015] - Set user consent to false if "granted": false is given when creating new consents

  • [ONEP-2017] - Prevent use of Password Reset if user is from external User Directory

  • [ONEP-2018] - Add permission for switching primary directory

  • [ONEP-2019] - Automatic consent synchronization between old and new

  • [ONEP-2020] - Investigate possible conflict with educationProviderId and educationProviderName

  • [ONEP-2025] - Change log configuration: do not use stdout for everything

  • [ONEP-2035] - Improve user search speed

  • [ONEP-2037] - Drop deprecated User indexing

  • [ONEP-2039] - Replace @Indexed annotations with Indexer

  • [ONEP-2042] - Fix SMSUISender check methods

  • [ONEP-2044] - Add searchText support to user REST search

  • [ONEP-2060] - Import encrypted personal id from user directory

  • [ONEP-2061] - Import groups from user directory

  • [ONEP-2062] - Add employee info to User

  • [ONEP-2063] - Improve user directory permission handling

  • [ONEP-2065] - Improve openid login view's error messages

  • [ONEP-2069] - Implement hard-coded directory attributes

  • [ONEP-2070] - New customer specific module

  • [ONEP-2071] - Review test-case logging and profiles

  • [ONEP-2073] - Allow admin to change user's directory links

  • [ONEP-2078] - UI Groups view: Display related roles in list to improve group-role relationship understanding

  • [ONEP-2079] - Update ClusterNode started timestamp even if cluster is not active

  • [ONEP-2080] - Removing groups is very slow on large installations

  • [ONEP-2086] - Waltti sales: During sales add companyId value to salePlace as well

  • [ONEP-2088] - Disable changing password for users from external directory

External modules

  • [ONEP-2022] - Pricing plans with invalid custom field value types break catalog list operation

  • [ONEP-2091] - Monetary event proxy API

  • [ONEP-2089] - Update sales-history-api-client to 1.1.0.2

  • [ONEP-2027] - Add parental consent confirmation to user registration page

  • [ONEP-2095] - ETB: Fix possible error when accepting admin invite using /api/rest/v1/etb/invite/{inviteId}/accept endpoint

Update 3.14.1

Released 2020-12-02.

Improvement

  • [ONEP-2114] - ETB: fix purchases mongo query

  • [ONEP-2136] - ETB: Add benefit zone to benefit change email

  • [ONEP-2137] - ETB: Add ticketProductId and validityArea to purchases

  • [ONEP-2138] - ETB: Add validityArea to xlsx and csv reports

Update 3.14.2

Released 2020-12-21.

Bug fixes

  • [ONEP-2150] - Searching for user with lastname does not work with "heuristic search"

Improvement

  • [ONEP-2151] - ETB: add proper validity area to billing attachments

  • [ONEP-2153] - Allow OAuth 2.0 clients to read user's own legal address without "view legal address" permission

Update 3.14.3

Released 2021-01-20.

Bug fixes

  • [ONEP-2171] - Updating consents with user-profile API fails to save consent changes due to order of save ops

  • [ONEP-2172] - ETB: Company purchase statistics end date should be inclusive

Improvement

  • [ONEP-2169] - Remove parental consent question from hslid-module's AdultOrMinorComponent

Update 3.14.4

Released 2021-01-22.

Bug fixes

  • [ONEP-2178] - Password reset message is not sent if given email has spaces at start/end

Release 3.13

Release

Released 2020-10-14.

This version brings major improvements to user directories which enable login from external services, such as Apple, Microsoft, Google and Facebook. All technologies are OpenID or SAML, where OpenID is preferred, as it is also the native protocol of TIS.

Breaking changes

Web themes
  • Login layout has new components for signing in via external user directory. They need to be added to any web themes that customise this view:
<vaadin-label style-name="divider" width-full _id="externalLoginDivider">
<hr>
</vaadin-label>
<vaadin-label plain-text _id="externalLoginLabel" />
<vaadin-button style-name="external-login-button" plain-text width-full _id="externalLoginButton" />
<vaadin-vertical-layout style-name="external-login-layout" plain-text width-full _id="externalLoginLayout" />

New features

These social and other sign-ins are currently in “early release” status, meaning they are fully functional but have not yet been extensively regression tested. Later, in separate release notes, we will promote these new features as mature.

  • [ONEP-1796] - Add dynamic group UserCondition for "strongly identified"

  • [ONEP-2002] - Implement Facebook sign-in (OpenID)

  • [ONEP-2003] - Implement Google sign-in (OpenID)

  • [ONEP-2006] - Implement Azure AD login (OpenID)

  • [ONEP-2008] - Implement improved ADFS user directory (SAML)

  • [ONEP-2009] - Implement MPASSid login (OpenID, not SAML)

  • [ONEP-2012] - Implement Microsoft sign-in (OpenID)

  • [ONEP-2013] - Implement Apple sign-in (OpenID)

Improvements

  • [ONEP-1884] - Separate SAML user directory for suomi.fi-tunnistus (SAML)

  • [ONEP-1972] - Implement OpenID user directory and refactor external sign-in processes

  • [ONEP-2004] - Update authorisation collection indexes

  • [ONEP-2005] - More customisable external sign-in policy for OpenID login dialog

  • [ONEP-2010] - Refactor user directory authentication

  • [ONEP-2011] - Implement authentication error codes

  • [ONEP-2014] - Major authentication error message refactoring

Bug fixes

  • [ONEP-1966] - Suspected incident in suomi.fi-tunnistus successUri

Release 3.12

Release

Released 2020-09-29.

This was a slightly larger release as the new themed OpenID Connect sign-in, new user creation, and related features got lots of new features and maturity updates.

New Feature

  • [ONEP-1896] - External Permissions can now be granted to Users via Roles.

  • [ONEP-1918] - Added more configuration options for Password Reset pages. Namespace question can be made completely hidden.

  • [ONEP-1937] - The active WebTheme can now also be selected in login and other similar pages by adding query parameters wtid (ID of theme), wtsn (name of style).

  • [ONEP-1940] - Removed all “hidden user” functionalities from UI and API.

  • [ONEP-1941] - Removed “Namespace” button from main menu; the same function can be accessed from the “Namespaces” view. Moved the “namespace’s default group policy” editor from the Group Policies view to the Namespaces view. It can be opened by selecting a Namespace and clicking Configure > Default Group Policy.

  • [ONEP-1950] - Text Messages view export filtered entries

  • [ONEP-1957] - Added a tool to read selected user’s Wallet information in Accounts view > Info menu.

  • [ONEP-1959] - Added a new User Webhook option to call it when user’s legalinfo-address is updated.

  • [ONEP-1964] - Added Import and Export options to Group and Roles views.

  • [ONEP-1968] - Added a new tool to view and manage a single User’s group memberships in the Accounts > Info menu.

  • [ONEP-1973] - Added new OIDC claim ‘https://oneportal.trivore.com/claims/user_namespace’ which tells more information about user’s namespace.

  • [ONEP-1980] - Added a test button which sends a UI Error Report in Email Settings view, to test error reporting.

  • [ONEP-1982] - Added a debugging tool for displaying MongoDB collections, indexes and their stats into System Preferences > Maintenance view.

  • [ONEP-1985] - Pressing the browser’s Back button in User Registration Form now returns to the login view, instead of previous site.

  • [ONEP-1986] - HSL-ID module: Adds the “are you at least 15-years-old” component to the User Registration Form.

  • [ONEP-1987] - ETB: Add endpoint to generate purchase report as xlsx

  • [ONEP-1989] - Added a language selector to the User menu in administration pages. Admins no longer need to go to their user editor to do this.

  • [ONEP-1990] - ETB: Add endpoint to get purchase report as a csv file

  • [ONEP-1999] - Added import and export functions to WebTheme view.

  • [ONEP-2001] - Added tool to view single selected User’s custom properties into Accounts > Info menu.

Improvement

  • [ONEP-1938] - Improvements to WebTheme editor. For example, shows probable errors in selection table.

  • [ONEP-1952] - Added configuration options which enable “Suggest email/mobile verification with a link during login” to OIDC client configuration.

  • [ONEP-1954] - Added a customisable label to oauth2 login form. It can be enabled with custom WebTheme layouts and the text customised with translation tools.

  • [ONEP-1955] - Custom WebTheme layouts are validated before they are applied. If found invalid, the default layout is used instead. This prevents the login page and similar pages from completely breaking when a custom layout is missing required components.

  • [ONEP-1958] - Added css classes to all error labels in New User Registration Form to assist in WebTheme customisation.

  • [ONEP-1961] - Customisation assisting changes to OIDC login and registration view. All fields have a custom “required” error message. Logging in with empty values now produces custom error message.

  • [ONEP-1962] - Optimised the mass-update of DVV basic infos

  • [ONEP-1965] - Management API Client view and OpenID Client view now show “created” dates

  • [ONEP-1974] - Reorganised the Accounts menu in the Accounts view.

  • [ONEP-1976] - Accounts > Export file format now has fewer fields and is less likely to break.

  • [ONEP-1977] - ETB: Add company statistics endpoint for start and end dates

  • [ONEP-1978] - ETB: Change beneficiary invite token to four numbers

  • [ONEP-1979] - UI errors titled "Connection reset by peer" are ignored, no longer automatically reported.

  • [ONEP-1981] - Added a "send test message with selected email gateway" tool to Email Settings

  • [ONEP-1984] - Logout endpoint now supports the "ui_locales" parameter.

  • [ONEP-1988] - Added back select-all and send-messages to Accounts > Actions menu (removed in ONEP-1974)

  • [ONEP-1991] - Accounts view: Filter fields no longer cause the table contents to reload, until user presses enter or leaves field.

  • [ONEP-1992] - Trim apartment numbers from “001” to “1” and “000” to null, when DVV MUTP/basic info queries return such values.

  • [ONEP-1998] - The date-of-birth field added in ONEP-1986 now accepts date only in format dd.MM.yyyy, regardless of selected language.

Bug fixes

  • [ONEP-1943] - OpenID and Management API Client were previously not accessible even if the user had VIEW permission. Now they are!

  • [ONEP-1947] - On servers with custom database indexes that prevented user registration (for example due to unique email requirement) the user registration sometimes broke without clear error message. Now an error message is shown in this case.

  • [ONEP-1970] - ETB: User legal addresses are not visible to ETB module

  • [ONEP-1995] - Logging in with soft-deleted user’s credentials no longer returns a "disabled user" error message. Now behaves as if user doesn’t exist.

  • [ONEP-2000] - Search APIs with the parameter count=0 now return zero results, instead of disabling the limit and returning an unlimited number of results.

Update 3.12.1

Released 2020-10-14.

Minor update, one customer specific bugfix.

Update 3.12.2

Released 2020-10-16.

Minor update, few customer specific improvements.

Update 3.12.3

Released 2020-10-22.

New Feature

  • [ONEP-1934] - Add /user/{userId}/consent APIs to make user-specific consent jobs easier

Improvement

  • [ONEP-2015] - Set user consent to false if "granted": false is given when creating new consents

  • [ONEP-2019] - Automatic consent synchronization between old and new

  • [ONEP-2029] - Implement fault-tolerant method for saving UserConsents

  • [ONEP-2030] - Implement migrateLevel field for User object

  • [ONEP-2031] - Automatic consents for new Users

  • [ONEP-2032] - Fix NamespaceConsent indexing

  • [ONEP-2034] - Change consent save operations to use the new fault-tolerant method

  • [ONEP-2036] - Replace migrateLevel with migrated-field

  • [ONEP-2041] - Remove nsCode from UserConsent and NamespaceConsent (db layer)

  • [ONEP-2045] - Implement upsert method for saving user consents

  • [ONEP-2050] - Review default consent values based on specification

  • [ONEP-2051] - Use NamespaceConsents when determining output from UserConsent REST endpoint

  • [ONEP-2052] - Do not save consent to database if default value is false

  • [ONEP-2053] - Unit test for automatic consent registration process

  • [ONEP-2054] - Check namespace consents before creating user consents automatically

  • [ONEP-2055] - Remove ns/user consents on ns/user remove

  • [ONEP-2056] - Fix consent migration and default values to match specification

Update 3.12.4

Released 2020-10-28

Bug fixes

  • [ONEP-2083] - Password Reset link token code should not invalidate until user interacts in page
  • [ONEP-2085] - Password Reset user search should ignore soft-deleted users

Update 3.12.5

Released 2020-11-04.

Bug fixes

  • [ONEP-2098] - User consent api 'onlyExplicit=false' parameter returns always an error

Release 3.11

Initial release

Released 2020-08-17.

Breaking changes

The Web Theme feature means custom styles may break. Some CSS class names have been changed. If no custom styles have been used, no changes need to be performed.

Changes to CSS class names in the “openid” theme:

| Previous name | New name | Element description |
|---|---|---|
| login-root | page-root | Root component in UI |
| login-wrap | page-content-container | Wraps page content, used to center it |
| login-form | interaction-container | Contains the main content (fields, continue button) which may change dynamically. |
| login-buttons | continue-button-group | A group of important buttons (Continue, Cancel, …) |
| login-field | field-main | A single important button |
| login-divider | divider | Wrapper label for a <hr> tag |

Bug fixes

  • [ONEP-1935] - Role editor regression

New Feature

  • [ONEP-1909] - OAuth2 login UI layout configurability

  • [ONEP-1931] - Show all student status details in separate window

  • [ONEP-1932] - Move "view info" actions from Accounts view Actions menu to separate menu

  • [ONEP-1933] - Store info about student's education provider and edu level

Improvement

  • [ONEP-1929] - Possible fixes to disabling of Protection Order via MUTP

  • [ONEP-1930] - Move namespace access/multi-ns editing from ns editor to separate window

Update 3.11.1

Released 2020-08-21.

Bug fixes

  • [ONEP-1945] - MUTP update doesn't handle "ajanTasalla" field, should make multiple updates if necessary.

Update 3.11.2

Released 2020-08-21.

Bug fixes

  • [ONEP-1945] - GroupMembership API does not work with access tokens

Update 3.11.3

Released 2020-08-27.

Bug fixes

  • [ONEP-1944] - MUTP update doesn't handle "ajanTasalla" field, should make multiple updates if necessary

  • [ONEP-1945] - GroupMembership API does not work with access tokens

  • [ONEP-1946] - Searching user by Personal ID in customer care accounts view is very slow

Update 3.11.4

Released 2020-09-11.

Improvement

  • [ONEP-1967] - On call to Sale endpoint on Ticketing backend, include resellerCode from Mgmt API Client settings

Update 3.11.5

Released 2020-09-15.

Bug fixes

  • [ONEP-1970] - ETB: User legal addresses are not visible to ETB module

Release 3.10

Initial release

Released 2020-08-04.

Improvements

  • [ONEP-1588] - SysPref > SMS routing > Gateways: status check improvement

  • [ONEP-1589] - SysPref > SMS settings > Core settings > Queue: clarify instructions

  • [ONEP-1809] - Logging sent SMSes to user's own namespace

  • [ONEP-1819] - Use 4 decimals instead of 2 on SMS billing

  • [ONEP-1820] - Relaxed SMS SenderID settings

  • [ONEP-1923] - Better image upload component in /ui, use in Openid client logo upload

  • [ONEP-1925] - OpenID registration form field "required" not working

Update 3.10.1

Released 2020-08-04.

Bug fixes

Minor fix on Group.additionalProperties.

Release 3.9

Initial release

Released 2020-06-26.

New features

  • [ONEP-1914] - Customise oauth2 login page caption

  • [ONEP-1915] - Show client logo in oauth2 login page

  • [ONEP-1916] - Oauth2 login logos optional

  • [ONEP-1919] - OAuth2 client logo upload (in addition to icon)

Improvements

  • [ONEP-1921] - OAuth registration move field captions above fields

Bug fixes

  • [ONEP-1920] - OAuth user registration required fields not all checked thoroughly enough

  • [ONEP-1922] - OAuth user registration date field shows sometimes "null" texts

Update 3.9.1

Released 2020-06-26.

Bug fixes

Small customer specific regression fix.

Release 3.8

Initial release

Released 2020-06-24.

New features

  • [ONEP-1908] - OAuth2 auth configuration refactoring: Configurable at system and client levels

Improvements

  • [ONEP-1910] - Change Password UI: Add return URL parameter

Bug fixes

  • [ONEP-1903] - Access token introspection should detect deleted user's tokens as invalid

  • [ONEP-1911] - Username checks ignore softdeleted status

  • [ONEP-1912] - Autoincrementing username generator does not increment next username counter

Update 3.8.1

Released 2020-06-24.

Bug fixes

  • [ONEP-1911] - Username checks ignore softdeleted status

  • [ONEP-1912] - Autoincrementing username generator does not increment next username counter

Update 3.8.2

Released 2020-06-24.

Bug fixes

  • [ONEP-1913] - Autoincrementing username feature fixes

Release 3.7

Initial release

Released 2020-06-11.

New features

  • [ONEP-1891] - Customisation of email address verification message

  • [ONEP-1892] - Admin ability to access all product items

  • [ONEP-1895] - Import+export External Permission definitions (partially)

  • [ONEP-1897] - List group members without opening editor

  • [ONEP-1901] - User grid limited to 500 rows at a time

Improvements

  • [ONEP-1890] - Show error view instead of trying to navigate to Dashboard view in UI navigator's ErrorView

  • [ONEP-1902] - Strong Identification Servlet can be run with valid ID token as well

Bug fixes

  • None

Update 3.7.1

Released 2020-06-11.

Bug fixes

Small fix for a legal info API related authentication regression.

Release 3.6

Initial release

Released 2020-05-26.

New Features

  • [ONEP-1702] - Add capability to create custom permissions to be consumed by external applications or microservices

  • [ONEP-1858] - Biz extension: New API end-point for external sales orders

  • [ONEP-1866] - API for setting user's student state (student status scraper)

  • [ONEP-1870] - Add optional 'id' field to User's addresses

  • [ONEP-1872] - Use email template to configure email-address-verification message

  • [ONEP-1874] - Find wallet by user's PersonalID

  • [ONEP-1877] - Discount Campaign to apply discounts to multiple products

  • [ONEP-1880] - Support embedding login in iframe with top=true parameter

  • [ONEP-1882] - Wallet API: Add an externally generated 'referenceNumber' field to deposit/withdraw transactions

  • [ONEP-1885] - API for reading User's event log

Improvements

  • [ONEP-1862] - Use email templates to verify email addresses

  • [ONEP-1867] - User list API filter supports searching by PersonalIdentityCode

  • [ONEP-1883] - Improve SAML User Directory usability

Bug fixes

  • [ONEP-1853] - Incorrect handling of 'claims.value' and 'claims.values' during OIDC auth

  • [ONEP-1868] - Logout servlet should not work as an open redirector

  • [ONEP-1871] - OpenID client frontchannel URLs not called with iframe during /ui logout

  • [ONEP-1886] - Datastorage API: delete single key sets value to null instead of deleting key

Release 3.5

Initial release

Released 2020-04-28.

Noteworthy new features are:

  • Email templates: User interface for creating Velocity Template Language based email messages, and an API for sending messages to users based on preconfigured templates.

  • Styling for OpenID Connect authorisation page and other similar small sub-sites can be modified by configuring CSS styles in System Preferences / Branding / Styles.

  • In the commerce module, quotas can be specified for discount codes. They can be used to limit how many times a specific discount code can be used within a specific Product Catalog.

More detailed list of changes is below.

New Feature

  • [ONEP-1799] - Discount-code specific quota

  • [ONEP-1829] - Email template management

  • [ONEP-1834] - Add PATCH support to subscriptions API

  • [ONEP-1837] - Discount code quota API: Increment usage

  • [ONEP-1838] - Accounts view: filters in grid should have toggleable exact/partial filter option

  • [ONEP-1840] - Add an option to automatically create a wallet for new users

  • [ONEP-1845] - Catalog API that returns all product+pricingplan details without need to read more from other endpoints

  • [ONEP-1848] - Branding: Custom Style allows injecting CSS to Openid login + other pages

  • [ONEP-1859] - Add webhook events for user email address and phone number verification

  • [ONEP-1861] - Suomifi-based strong identification should write personal ID code to generated strong identification info

Improvement

  • [ONEP-1831] - Add tags to Addresses

  • [ONEP-1835] - Product UI: Selection improvements

  • [ONEP-1842] - Show icon meanings as tooltips in dashboard cluster nodes panel

  • [ONEP-1852] - SAML/Suomi.fi session management resiliency

  • [ONEP-1855] - UI Error Emails for same error should be in same email thread

Release 3.4

Initial release

Released 2020-03-20.

New Features

  1. User Consent feature has been refactored to allow for per namespace free-form consents to be defined and used. The user json may now include new consents. For API v1 the old consents remain where they are, but in the future on API v2 both old and new will be merged together.

  2. Groups now have dynamic capabilities. As per customer purchased features, more or less of these capabilities are enabled. One example grouping is age groups. Multiple overlapping ages may be defined to segment users to correct groups. Another example is the strong identification. As there are several ways and LoAs to do it, users may be easily segmented to correct group to receive appropriate services.

  3. SAML IdP. In addition to earlier being able to authenticate users from external SAML IdPs, we can now also be a SAML IdP. This is implemented as a layer on top of OpenID Connect Provider, so the technical back-end does not change. This new feature expands compatibility with legacy systems with no OIDC support. Technical implementation: External micro service.

  4. Email systems have been improved to make it easier to add external email service providers such as SendGrid. Additionally, the email REST API has improved support for email attachments and custom email headers.

  5. New claim locality, which prefers the locality or domicile from non-authoritative sources.

  6. OAuth 2.0 Client view now has another view, which allows administrators to see info on the tokens clients have requested using the client credentials grant flow.

Improvements

  1. Added OAuth 2.0 Client creation wizard

  2. OAuth 2.0 Clients can have secret set even if set as non-confidential

  3. Improve UI consistency throughout the portal

  4. Object IDs are shown in editors along with the date of creation

  5. Entities can now be locked against accidental modifications more consistently throughout the UI

  6. Other smaller UI improvements

Bug fixes

  1. Various UI bug fixes

  2. Fixed an issue with email subject prefixes

Other changes

  1. Multi-Namespace admin role / permission is no longer valid to access other namespaces. Instead all users listed as administrators in a namespace (role a.k.a. Namespace admin) can access that namespace.

  2. Direct permission and role assignment to users is now deprecated. Direct roles and permissions continue to work for now, but permissions should be granted through roles attached to groups.

Business extension: Product management / ETB / other

  1. Product Management: Added flexibility and multiple minor features.

  2. ETB: Support for multiple physical addresses for employer locations, and support employee home address. These are required for further future service automation.

  3. ETB: Customer id for reports can be configured in the System Preferences → Employee Travel Benefit

Release 3.3

Initial release

Released 2019-12-18.

All relevant changes are listed below.

New Features

  1. REST API for managing (enforcing) student state.

  2. REST APIs for password validation and requirements.

Improvements

  1. Added some missing translations.

Bug fixes

  1. Censor domicile if personal Protection Order is active.

  2. Fix dependency issue with nimbus-jose-jwt.

Business extension: ETB

  1. ETB financial reports.

  2. ETB related bugfixes.

Update 3.3.1

Released 2019-12-18.

Bug fixes

  • [ONEP-1755] - Personal data request management window fails to open

Update 3.3.2

Released 2020-02-03.

Improvements

  • [ONEP-1793] - Add SameSite=None to JSESSIONID cookies (when secure)

Release 3.2

Initial release

Released 2019-11-26

Still on track with both adding new features, improving current ones, and fixing any bugs found. The relevant changes are listed below.

This list below is for the latest release.

New Features

  1. Added the option to disallow identical values in users' name fields. The new option can be found in the namespace settings in the “core” tab. When enabled, users are disallowed from entering identical values in the first name, middle name and last name fields.
  2. Contacts REST API: add support for “memberOf” attribute (contacts can now be added to groups via REST API), interpret empty or blank “nsCode” and “locationSite” values as not provided and silently ignore them.
  3. Add support to either allow or deny changing Personal ID via interactive self-service strong identification (namely suomi.fi-tunnistus in Finland). By default do not allow this change to protect the first strong identification. Should there ever be a change to the Personal ID, it must come into the system either via automated master route, or via interactive managed strong identification.
  4. The confirm and cancel redirect URLs of the HPA/YPA (henkilön/yrityksen puolesta asiointi) confirmation dialog can be configured in the system preferences.
  5. HPA/YPA can now be enabled for specific namespaces in the system preferences.

Improvements

  1. Log initial data at new user account creation time for easier troubleshooting. We got bit by this on one site. With this improvement, we have this seldom needed, but necessary data point. Sensitive data is not saved, of course.
  2. Datastorage tool and UI in the Management UI to review existing datastorages. This is an important tool for troubleshooting and auditing purposes.
  3. Added auto-generated authorisation types for suomi.fi-valtuudet YPA in use in Finland.
  4. Added more Lock settings boxes to protect from human errors.
  5. Internal code refactoring to gain more speed.
  6. Center all views under OpenID authorisation endpoint (incl. user creation, password forgotten view, error views etc.).
  7. Add support for forced authentication for SAML user directories. This ensures that authentication is performed every time a user uses SAML user directory authentication and no previous session information is used. Previous behaviour was to cache authentications for a while (time is dependent on external user directory).
  8. Add support for electronic identification number (SaTu) via SAML user directory at Finnish suomi.fi-tunnistaminen. This is a supplemental unique personal ID.
  9. Add support for multiple email addresses in MyData export JSON.
  10. Add a button to role editor’s “groups” tab to create a new group with the same name as the role. This makes role management slightly easier.
  11. Authorisations with user as the object or subject are deleted when the user is deleted.
  12. Authorisation types and sources are deleted when their owner namespace is deleted.

Bug fixes

  1. Related to JWKS servlet, some duplicate and unnecessary dependencies (code regression) were removed. This bug never reached production, as it was caught in-flight during the development cycle.

Business extension: Product management

  1. Refactoring end-points before feature launch. This was the last time we could do it. Practically /sales was just changed to more descriptive /products. Note, /products is primarily for those who want to define their own WebUI to the product management engine we provide.
  2. Added filtering and data searchability.
  3. Added /sales end-point to better support web-shops and other similar channels to quickly retrieve all permitted products and prices.

Update 3.2.1

Released 2019-11-26

Bug fixes

  • Internal cache element regression-related fix.
  • Finland: VRK PETP and MUTP related regression fixes.

Release 3.1

Initial release

Released 2019-09-11

After certification, this release got us back on track with both adding new features and improving current ones, and there was also a bug which got fixed. The relevant changes are listed below.

New Features

  1. By default, hide Personal ID Code in User Editor, viewing requires confirmation step. This is a requested control to minimise unnecessary viewing of most sensitive personal information. Same hiding will be added to other fields later, if deemed necessary.

  2. Artificial API request slowdowns (for account create), configurable per client. This is both a control and a mitigation to prevent an excess number of new accounts being created by a malfunctioning client. Malfunctioning could also happen in certain network error situations.

  3. Subscription webhook support. I.e. trigger external application on change. We already had this for Contracts, and now added it for Subscriptions. This way any changes are notified instantly to external apps, and they do not have to poll anything.

  4. Product Catalog webhook support. I.e. trigger external application on change. Changes are notified nearly instantly. This is related to the optional/external Commerce and Product Management module.

Improvements

  1. Webhooks Enable and Lock settings checkboxes to editor. Enable is for easier admin control, if a webhook must be disabled for service or troubleshooting. Lock is to protect from human editing errors.

  2. Show default max access token and refresh token validity times in openid connect editor. This is for informational purposes mostly, yet it is important information for developers.

  3. To assist troubleshooting, add test connection button to "suomi.fi valtuudet" settings view

Bug fixes

  1. Prevent duplicate emails through SAML IdP if duplicate emails are not allowed in namespace. This was a nasty one to find.

Update 3.1.1

Released 2019-09-25

Updated trivore-common utility library to improve text message sending resiliency.

Update 3.1.2

Released 2019-09-27.

Improvements

  • [ONEP-1657] - OpenId post-login-redirect script sometimes calls callback twice; added a check to cover some corner cases

Release 3.0

Released 2019-09-05.

This release was a landmark release which got us OpenID Connect certification from OpenID Connect Foundation for 4 OP profiles. See details at <https://openid.net/certification/#OPs>.

We also started moving from the original name onePortal to the more descriptive Trivore Identity Service (TIS) as of software version 3.0. This change is a process, which will take some time, as we are doing it organically. For sure onePortal will remain under the hood permanently in some places. That is part of the platform’s history, we are not denying it.

Other than that, the following new features were added:

  1. Strong Identification history endpoint. The very first initial identification is always stored permanently. Also the latest identification is stored. Some industries may require storing the full chain for compliance. It is now possible to do just that. As strong identifications are not done very often, the default is to store them all. It is however possible to limit the amount in Group Policy. By having this setting in GP, you get better control by having one setting for other group of people and another setting for another group. This setting is also per namespace, which gives more flexibility.

  2. Filter by user ID in user account view “Accounts”. User ID is the internal technical ID which is not shown. If you know it, you get very fast access to that user account.

  3. Utility for storing personal UI preferences in browser cookie. This makes using management UI more fluent as it remembers your settings more. Please remember this is per browser.

  4. Custom Style definitions. In this system wide setting, it is possible to fine-tune the default behaviour of UI. This is perhaps most prominent in tuning the sign-in and related UIs.

The following bugs were fixed:

  1. Open redirect vulnerability in post-oauth-login servlet query parameters. A recent regression, which does not exist in any released production version.

  2. SMS Billing: Details view not using all available screen estate. A cosmetic change. This is part of the built-in SMSC capability used most often for mobile number verification for user accounts. As SMSes cost, we have billing built-in.

As many know, we also have integrated, yet optional line-of-business features (implemented as modules) available for TIS. Those features got small improvements, too. Remember, these modules are customer specific and available only for limited number of parties.

Business extension: Commerce and Product Management

  1. Add shortName to UI and REST.

Business extension: Employee Travel Beneficiary

  1. REST API: Return forbidden status code instead of Unauthorized when permissions are inadequate