Version: 7.2405.x.x LTS

Migration guide from LTS-2021 to LTS-2024

nevisAdapt + nevisDetect

  • Major and minor versioning scheme changed: 1.8.x.x to 7.2405.x.x
  • Required Java version increased to 17
  • Both applications now support PostgreSQL
  • New Bash scripts were introduced in the RPM for ExecStart. Their names end with <component>-server
  • New property added to prevent some RCE attacks: spring.jndi.ignore=true

nevisAdapt

  • New observation type: Browser Fingerprints - deterministic (similar to Device Fingerprints) but take more input parameters into account during generation
    • More diverse values than Device Fingerprints
    • Breaking change: Fingerprint Sharing Analyzer focuses on Browser Fingerprints only (if they match, the Device Fingerprints would also match)
  • New IP geolocation service supported: MaxMind
    • Property nevisadapt.ipToLocation.service.class must be set to maxMindService
    • The other two options are:
      • ipToLocationCsvService: primarily for less detailed data (country code/name)
      • ipToLocationBinService: permitting more details (e.g. GPS coordinates, city, etc.)

Stand-alone nevisAdapt (deployed through nevisAdmin4)

  • Introduced template for stand-alone nevisAdapt
  • New operation mode: Stand-alone score-based decision
    • Breaking change: Base observation risk scores are different from classic ones when deploying through nevisAdmin4 (primarily aimed at stand-alone use case) - for details see Default pattern configurations
    • nevisAdapt makes a decision based on the login's aggregate risk score reaching various thresholds
      • LOW: score < mediumThreshold
      • MEDIUM: mediumThreshold <= score < highThreshold
      • HIGH: score >= highThreshold
      • each decision can be directed to its own next step in the authentication flow
    • Risk profiles: adjust the weights to achieve the desired behaviour
      • Balanced: default profile
      • Strict: higher weight settings make it easier to reach the various thresholds
      • Custom: customer sets all the weights
    • For technical details see Risk weight profiles
  • New operation mode: Stand-alone event-based decision
    • Instead of deciding based on the aggregate score, this step contains a list of rules, each with its own condition and next step
    • The rules are ordered - whichever evaluates to true first will decide the rest of the authentication flow
    • Each rule checks for the presence of specific risk events; its condition is true only if all of them are present
    • If none of the rules match, the default step is taken next (usually a successful login)
    • Example risk events:
      • unknown-device: this is the first time for this device cookie
      • unknown-country: this is the first time for this geolocation (country)
      • unknown-fingerprint: this is the first time for this browser fingerprint
      • suspicious-country: the login request came from a prohibited country
      • high-ip-velocity: the current geolocation is physically too far to be reachable since the last login
      • ip-reputation-blacklisted: the login request came from an IP address with low reputation
    • For technical details see Event-based configuration
  • New function: Remember Me - a token that provides all data required for updating the database on nevisAdapt side during login, which allows skipping the username/password step (if present)
    • To set it up, the nevisAdapt Remember Me Step has to be inserted before the current first authentication step (probably IDM login); the Remember Me step then redirects to that step through Original Authentication Flow.
    • New property nevisadapt.rememberme.cookie.name
    • New property nevisadapt.rememberme.token.lifetime.days (default value 30)
  • New function: Feedback for suspicious logins
    • If the authentication flow contains this step, a link with a Feedback Token will be generated and sent out to the user
    • Following the link allows deleting the reported session and related observations immediately (if used before the token expires)
    • The deletion has multiple levels:
      • session: only the reported session's observations are removed
      • device: (default option) removes all observations for the reporting user that are related to the same device as the reported session
      • all: removes all observations for the reporting user
    • New property feedback.redirect.url - the page to navigate to after the reporting is done
    • New property feedback.generation.key - JWE key for encrypting/decrypting the feedback token
  • New AuthStates during logout
    • RememberMeTokenDeletionAuthState: removes the generated token as the session cannot be interrupted anymore
    • NevisAdaptSessionTerminationAuthState: nevisAdapt has to finalize the session details in its database (e.g. session end date)
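The two stand-alone decision modes described above (score-based with thresholds and risk profiles, and event-based with an ordered rule list), modelled in Python as an added example that is not nevisAdapt's own code: the base scores, profile weights, threshold values, rule set and step names are constructed assumptions; only the threshold comparisons and the first-matching-rule semantics follow the text.

```python
from dataclasses import dataclass

# Constructed sample values (assumptions, not nevisAdapt defaults): base risk score
# contributed by each risk event, and per-profile weight multipliers applied to it.
BASE_SCORES = {
    "unknown-device": 20, "unknown-country": 25, "unknown-fingerprint": 15,
    "suspicious-country": 60, "high-ip-velocity": 50, "ip-reputation-blacklisted": 70,
}
PROFILES = {
    "balanced": {e: 1.0 for e in BASE_SCORES},   # default profile
    "strict": {e: 1.5 for e in BASE_SCORES},     # higher weights: thresholds reached sooner
}

def aggregate_score(events, profile="balanced", custom_weights=None):
    """Sum the weighted base scores of the observed risk events.
    profile='custom' takes every weight from the caller, as the Custom profile does."""
    weights = custom_weights if profile == "custom" else PROFILES[profile]
    return sum(BASE_SCORES[e] * weights[e] for e in events)

def score_based_decision(score, medium_threshold=40, high_threshold=80):
    """LOW: score < mediumThreshold; MEDIUM: mediumThreshold <= score < highThreshold;
    HIGH: score >= highThreshold. A score exactly on a threshold lands in the higher class."""
    if score < medium_threshold:
        return "LOW"
    if score < high_threshold:
        return "MEDIUM"
    return "HIGH"

@dataclass(frozen=True)
class Rule:
    required_events: frozenset   # condition: all of these events must be present
    next_step: str               # authentication step taken when the rule matches

def event_based_decision(events, rules, default_step="success"):
    """Ordered rule list: the first rule whose required events are all present decides;
    if no rule matches, the default step (usually successful login) is taken."""
    observed = frozenset(events)
    for rule in rules:
        if rule.required_events <= observed:
            return rule.next_step
    return default_step

# Constructed rule set; step names are illustrative, not nevisAdmin4 step identifiers.
# Order matters: a blacklisted IP is denied even when later rules would also match.
RULES = [
    Rule(frozenset({"ip-reputation-blacklisted"}), "deny"),
    Rule(frozenset({"unknown-device", "unknown-country"}), "second-factor"),
    Rule(frozenset({"unknown-device"}), "notify-user"),
]
```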

nevisDetect

  • NodeJS upgraded to v18.18.2
  • ActiveMQ upgraded to v6.1.0
    • brokerURL has an extra parameter: verifyHostName=<boolean>