UAA 3.4.0 Release Announcement

Sree Tummidi


On behalf of the entire Identity team I am pleased to announce the release
of UAA 3.4.0.
The UAA BOSH release based on this version can be found here.

New Features

Permanent home for UAA API Docs
Identity Provider Discovery

UAA now supports Identity Provider discovery when multiple SAML or OpenID
Connect Identity Providers are enabled for a given identity zone. The right
identity provider is discovered from the email domain configured on each
provider: the login page now prompts the user for an email address, the
provider whose email domain matches is selected, and the user is redirected
to that provider.

The discovery flow can also be used for OAuth clients that are associated
with more than one allowed provider. The OAuth-enabled application can also
send a login hint containing the email domain so that the right Identity
Provider is discovered without the user having to enter an email address on
the login page.

To enable IDP discovery for the default zone, set the property below.

    description: "IDP Discovery should be set to true if you have
    configured more than one identity provider for UAA. The discovery
    relies on email domain being set for each additional provider"
    default: false

For other identity zones, this setting can be updated via the Identity
Zone API. The property is config.idpDiscoveryEnabled and the default is
false.
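The announcement describes the discovery rule (match the e-mail domain against
each provider's configured domains, honour the client's allowed providers, and
skip the prompt when a login hint is supplied) but not its edge cases. The
following is an added illustration, not UAA's own code: the classes, the sample
zone, the provider origins and domains, and the treatment of a bare domain in
the login hint are all constructed for this example. It returns None to mean
"fall back to the zone's internal username/password login" and refuses to guess
when two active providers claim the same domain.

```python
"""IdP discovery by e-mail domain, modelled on the behaviour described in
the UAA 3.4.0 announcement.  Added illustration, not UAA's own code: the
classes, the sample zone, the origins/domains and the handling of a bare
domain in login_hint are constructed for this example."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class IdentityProvider:
    origin: str                      # provider alias, e.g. "corp-saml" (constructed)
    protocol: str                    # "saml" or "oidc1.0"
    email_domains: List[str] = field(default_factory=list)
    active: bool = True


@dataclass
class IdentityZone:
    subdomain: str
    idp_discovery_enabled: bool = False   # mirrors config.idpDiscoveryEnabled
    providers: List[IdentityProvider] = field(default_factory=list)


@dataclass
class OAuthClient:
    client_id: str
    allowed_providers: Optional[List[str]] = None   # None: any provider in the zone


class DiscoveryError(Exception):
    """Raised when discovery cannot choose a provider safely."""


def normalise_domain(value: str) -> Optional[str]:
    """Domain part of an e-mail address, or the value itself when it is a
    bare domain (the assumed shape of a login_hint in this example).
    Lower-cased with any trailing dot removed so matching is
    case-insensitive; None when the input is unusable."""
    value = value.strip().lower().rstrip(".")
    if "@" in value:
        local, _, domain = value.rpartition("@")
        return domain if local and domain else None
    return value if value and "." in value and " " not in value else None


def discover_provider(zone: IdentityZone, email_or_hint: str,
                      client: Optional[OAuthClient] = None) -> Optional[str]:
    """Return the origin of the provider to redirect to, or None to fall
    back to the zone's internal (username/password) login page.

    Raises DiscoveryError if the input is neither an e-mail nor a domain,
    or if two active providers claim the same domain: that is a
    configuration error and must not be resolved by silently picking one."""
    if not zone.idp_discovery_enabled:
        return None                      # discovery off: ordinary login form
    domain = normalise_domain(email_or_hint)
    if domain is None:
        raise DiscoveryError(f"not an e-mail address or domain: {email_or_hint!r}")
    matches = [p for p in zone.providers
               if p.active and domain in {d.lower() for d in p.email_domains}]
    if client is not None and client.allowed_providers is not None:
        # The client's allowed-providers policy narrows the zone's providers;
        # a provider the client does not allow is never a redirect target.
        matches = [p for p in matches if p.origin in client.allowed_providers]
    if len(matches) > 1:
        raise DiscoveryError(
            f"domain {domain} is claimed by {[p.origin for p in matches]}")
    return matches[0].origin if matches else None


def sample_zone(include_duplicate: bool = False) -> IdentityZone:
    """Constructed zone used by the demo below."""
    providers = [
        IdentityProvider("corp-saml", "saml", ["example.com", "corp.example.com"]),
        IdentityProvider("partner-oidc", "oidc1.0", ["partner.example"]),
        IdentityProvider("retired-saml", "saml", ["example.com"], active=False),
    ]
    if include_duplicate:   # misconfiguration: second active provider for example.com
        providers.append(IdentityProvider("shadow-saml", "saml", ["example.com"]))
    return IdentityZone("acme", idp_discovery_enabled=True, providers=providers)


if __name__ == "__main__":
    zone = sample_zone()
    portal = OAuthClient("partner-portal", allowed_providers=["partner-oidc"])
    for who in ("Alice@Example.COM", "bob@partner.example", "carol@unknown.test"):
        print(who, "->", discover_provider(zone, who))
    print("login_hint partner.example ->", discover_provider(zone, "partner.example"))
    print("alice via partner-portal ->", discover_provider(zone, "alice@example.com", portal))
```

Two choices are worth noting. An inactive provider never wins discovery even
when its domain still matches, so disabling a provider is enough to take it out
of the flow. And a user whose domain is claimed by a provider the requesting
client does not allow is sent to the internal login rather than to that
provider; in a real deployment you would decide whether that should instead be
an error shown to the user.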
Related Stories

- Redirect to IDP Discovery Login Page if IDP Discovery is enabled
- Support login_hint as specified in the OpenID Spec
- Zonify idp discovery

Other minor features

- Support MySQL 5.5.7
- Optimize authz authentication query
- Support Allowed Providers Policy for External OIDC Provider per OAuth
Client
- Implement invitation acceptance flow with external OIDC provider
- Remove need for admin to have the old client secret in order to change the
secret

Bug Fixes

- Unable to call /oauth/token/revoke using opaque token
- password prompt now says "Email>"
- Include timestamp on response from client create
- Zone Name not displayed under the Password entry page for IDP Discovery
- /Groups/External null pointer exception on trim()
- Fix is user token condition
- Support Chinese characters in LDAP user name
- Incorrect error message during client credentials

Sree Tummidi
Sr. Product Manager
Identity - Pivotal Cloud Foundry
