Skip to main content
Version: 4.32.x.x LTS

Migration guide from LTS-2019 to LTS-2021

This guide provides a high level overview for migrating the latest nevisAuth LTS 2019 release to the new LTS 2021 release. For additional details, refer to the technical documentation of the component.

Deployment Type - Standalone

Only standalone deployment is supported. If your instances still use adnjboss, adnwildfly or any other non-standalone deployment type, the instances need to be recreated and the configuration migrated. The [technical documentation] contains information of how new instances can be created.

SHA256 default sign algorithm for SAML

SHA256 is now the default and recommended sign algorithm for SAML AuthStates. This could be a breaking change if no sign algorithm has been defined in the Auth State. In the rare event that the upgrade to SHA256 does break your environment, do not downgrade back to SHA1. Instead, investigate how you can upgrade your environment to support SHA256.

Updated 3rd party libraries

The content of /opt/nevisauth/plugin/thirdparty/oauth/ has changed due to the library upgrade. If you use the contents of that library in custom AuthStates, you may need to change the classPath setting of that specific AuthState and include the old libraries. Several other 3rd party dependencies have been upgraded as well. Existing custom AuthState or Groovy ScriptState implementations may break if your custom AuthStates or ScriptStates rely on specific 3rd party libraries or versions shipped with previous versions of nevisAuth.

Updated Groovy Version

Groovy has been updated to 2.4.21. This can affect Groovy scripts used in ScriptStates. If this upgrade poses a problem that you cannot fix in the Groovy scripts, supply the desired Groovy version as described in the section "Installing a specific Groovy version" of the chapter "Writing scripts in Groovy" in the nevisAuth reference guide.

For more information on the available Groovy versions, refer to

CompatLevel flag "none" by default

The compatLevel flag is set to none by default. Compat level can still be enabled by setting the flag to compatLevel="full" in the esauth4.xml file. As it can lead to unintended side-effects, for example: incompatible HTTP 1.1. header fields, this is not recommended.

With the flag disabled, the following outargs will no longer be set by nevisAuth:

  • isiwebcurrent
  • isiwebmethod
  • isiwebauth_failed
  • isiwebguidel
  • isiwebgui
  • isiwebappid
  • isiweburl
  • isiweburi
  • isiweblocation
  • isiwebargs
  • ISI-Authenticate

The IdentityProviderState requires whitelisting for AssertionConsumerServiceURLs

The [IdentityProviderState] requires the property acsUrlWhitelist.uris for security reasons. This could be a breaking change if acsUrlWhitelist.urishas not been set.