Migration guide from LTS-2019 to LTS-2021
This guide provides a high-level overview for migrating from the latest nevisAuth LTS 2019 release to the new LTS 2021 release. For additional details, refer to the technical documentation of the component.
Deployment Type - Standalone
Only standalone deployment is supported. If your instances still use adnjboss, adnwildfly or any other non-standalone deployment type, the instances need to be recreated and the configuration migrated. The [technical documentation] contains information on how new instances can be created.
SHA256 default sign algorithm for SAML
SHA256 is now the default and recommended sign algorithm for SAML AuthStates. This could be a breaking change if no sign algorithm has been defined in the AuthState. In the rare event that the upgrade to SHA256 does break your environment, do not downgrade back to SHA1. Instead, investigate how you can upgrade your environment to support SHA256.
Updated 3rd party libraries
The content of /opt/nevisauth/plugin/thirdparty/oauth/ has changed due to the library upgrade. If you use the contents of that library in custom AuthStates, you may need to change the classPath setting of that specific AuthState and include the old libraries. Several other 3rd party dependencies have been upgraded as well. Existing custom AuthState or Groovy ScriptState implementations may break if your custom AuthStates or ScriptStates rely on specific 3rd party libraries or versions shipped with previous versions of nevisAuth.
Updated Groovy Version
Groovy has been updated to 2.4.21. This can affect Groovy scripts used in ScriptStates. If this upgrade poses a problem that you cannot fix in the Groovy scripts, supply the desired Groovy version as described in the section "Installing a specific Groovy version" of the chapter "Writing scripts in Groovy" in the nevisAuth reference guide.
For more information on the available Groovy versions, refer to http://mvnrepository.com/artifact/org.codehaus.groovy/groovy-all.
CompatLevel flag "none" by default
The compatLevel flag is set to none by default. The compat level can still be enabled by setting compatLevel="full" in the esauth4.xml file. This is not recommended, as it can lead to unintended side effects, for example incompatible HTTP 1.1 header fields.
With the flag disabled, the following outargs will no longer be set by nevisAuth:
- isiwebcurrent
- isiwebmethod
- isiwebauth_failed
- isiwebguidel
- isiwebgui
- isiwebappid
- isiweburl
- isiweburi
- isiweblocation
- isiwebargs
- ISI-Authenticate
The IdentityProviderState requires whitelisting for AssertionConsumerServiceURLs
The [IdentityProviderState] requires the property acsUrlWhitelist.uris for security reasons. This could be a breaking change if acsUrlWhitelist.uris has not been set.
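
A pre-upgrade check for the two configuration changes above (compatLevel and acsUrlWhitelist.uris), as an added example that is not part of the nevisAuth documentation or product. It assumes esauth4.xml declares states as AuthState elements with a class attribute and property children carrying name and value; the sample file, the class packages and the element that carries compatLevel are constructed.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample. Element layout, class packages and the place where
# compatLevel is set are assumptions; only the names acsUrlWhitelist.uris,
# IdentityProviderState and compatLevel come from the guide.
SAMPLE_ESAUTH4 = """\
<esauth-server>
  <AuthEngine compatLevel="full">
    <AuthState name="IdpOk" class="com.example.IdentityProviderState">
      <property name="acsUrlWhitelist.uris" value="https://sp.example.com/acs"/>
    </AuthState>
    <AuthState name="IdpMissing" class="com.example.IdentityProviderState">
      <property name="someOtherProperty" value="x"/>
    </AuthState>
    <AuthState name="IdpEmpty" class="com.example.IdentityProviderState">
      <property name="acsUrlWhitelist.uris" value=" "/>
    </AuthState>
    <AuthState name="Login" class="com.example.SomeOtherState"/>
  </AuthEngine>
</esauth-server>
"""

def idp_states_without_whitelist(root):
    """Names of IdentityProviderState AuthStates with no usable acsUrlWhitelist.uris."""
    missing = []
    for state in root.iter("AuthState"):
        if state.get("class", "").rsplit(".", 1)[-1] != "IdentityProviderState":
            continue
        values = [(p.get("value") or p.text or "").strip()
                  for p in state.iter("property")
                  if p.get("name") == "acsUrlWhitelist.uris"]
        if not any(values):  # absent, or present but blank
            missing.append(state.get("name"))
    return missing

def compat_level_overrides(root):
    """(tag, value) for every element that sets compatLevel to something other than none."""
    return [(el.tag, el.get("compatLevel")) for el in root.iter()
            if el.get("compatLevel") not in (None, "none")]

def check(xml_text):
    root = ET.fromstring(xml_text)
    return {"idp_without_acs_whitelist": idp_states_without_whitelist(root),
            "compat_level_overrides": compat_level_overrides(root)}

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_ESAUTH4
    for finding, items in check(text).items():
        print(finding, items)
```

Run it with the path to an esauth4.xml as the only argument; without an argument it checks the constructed sample.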