4.0.0-M1 (March 7th, 2025)

This additional milestone release brings a few improvements and features, code polishing and some fixes for the new major series Syncope 4.0 Notturno.

What's new

All the Syncope components are now based on Spring Boot 3.4.
Syncope Web Access is now based on Apereo CAS 7.2-RC6.

New feature: OpenFGA integration

OpenFGA is an open-source authorization solution that allows developers to build granular access control using an easy-to-read modeling language and friendly APIs.

A new extension is available, providing seamless integration with an OpenFGA server.

When this extension is enabled:

  • all AnyType and RelationshipType instances are transparently mirrored to OpenFGA’s authorization model

  • all Users, Groups and Any Objects and their Memberships and Relationships are transparently mirrored as OpenFGA’s tuple objects

As a result, you can transparently configure an OpenFGA deployment to reflect the object model in Syncope.

Issues

Bug

  • [SYNCOPE-1849] - NullPointerException when logging into Console
  • [SYNCOPE-1850] - Concurrent execution of a given task shall not be allowed
  • [SYNCOPE-1851] - NullPointerException for Date fields in Macro execution forms
  • [SYNCOPE-1853] - Deprovision is wrongly fired on group delete
  • [SYNCOPE-1856] - Administrator can update and delete realms outside of the granted subtree
  • [SYNCOPE-1857] - Unwanted Oracle persistence context enforce when Oracle driver is in classpath
  • [SYNCOPE-1858] - Macro operation with dropdown form property without default value generates stacktrace
  • [SYNCOPE-1860] - Standalone WAR artifacts duplicates JAR dependencies
  • [SYNCOPE-1862] - Attribute release policy does not show up in the actuator endpoint registeredServices
  • [SYNCOPE-1864] - Unwanted password propagation after update on pull
  • [SYNCOPE-1867] - Prevent NPE when fetching realm entitlements to enforce authorization

New Feature

Improvement

  • [SYNCOPE-1854] - propagation not triggered after user updated while in status "updateApproved"
  • [SYNCOPE-1855] - Refactor database search to use less nested queries
  • [SYNCOPE-1859] - SearchPanel displays the schema keys and doesn't consider translations
  • [SYNCOPE-1865] - Allow to specify signing and encryption algorithms for OIDC client application

Task

4.0.0-M0 (December 27th, 2024)

More than 2 years and about 900 commits after Syncope 3.0 Maggiore, here comes the first milestone release from the new major series Syncope 4.0 Notturno.

Syncope 4.0 Notturno is a full-fledged IAM system covering provisioning, reconciliation and reporting needs, access management and API management.

What's new

The codebase was completely reviewed to take advantage of the new features and standards coming with Java 21 and Jakarta EE 10.

All the Syncope components are now based on Spring Boot 3.3.
Syncope Web Access is now based on Apereo CAS 7.1.

New feature: Live Sync

Some use cases were reported where Syncope was requested to import users by subscribing to some sort of queue, such as Apache Kafka / ActiveMQ, Google PubSub, etc.

A more general mechanism was implemented to generate pull events from messages received via queue subscription.

Persistence Layer

The persistence layer was completely restructured to work under Spring Data JPA.

As part of such a review process:

  • the former non-JSON JPA flavors were removed: JSON is now the only option available on all supported DBMSes
  • H2 is not supported any more and PostgreSQL is the default option, even for embedded mode

Experimental: Neo4j

Persistence support for Neo4j Graph Database was built on top of Spring Data Neo4j.

Not production-ready

While completely functional, the code is not considered stable for production environments.

Issues

Bug

  • [SYNCOPE-1686] - relationship referring to object itself
  • [SYNCOPE-1725] - Error when searching with high number of OR or AND conditions with Elasticsearch
  • [SYNCOPE-1726] - WA does not always get configuration from Core on startup
  • [SYNCOPE-1727] - Elasticsearch cannot find anything under given Realm in case of parent update
  • [SYNCOPE-1728] - Unable to create LDAP authentication module from console
  • [SYNCOPE-1730] - Standalone on Windows: Console Topology page does not show any Connector or Resource
  • [SYNCOPE-1731] - Performance issue with multiple any type classes
  • [SYNCOPE-1734] - Elasticsearch not updated for uidOnCreate
  • [SYNCOPE-1735] - Can't retrieve all policies during Realm create and update
  • [SYNCOPE-1736] - Templates do not set the latest additions to Users and Groups
  • [SYNCOPE-1737] - Cannot specify attribute mapping for AttributeRelease policies
  • [SYNCOPE-1739] - Wrong volume mapping for source code in fit docker profile
  • [SYNCOPE-1742] - Exception in console when defining a date for delegation
  • [SYNCOPE-1749] - Incorrect Dynamic Group Membership Condition save from Console
  • [SYNCOPE-1750] - Password policy not enforced if password is not stored in Syncope
  • [SYNCOPE-1755] - NullPointer exception during PULL delete operation in case of NO_MATCH
  • [SYNCOPE-1757] - Misalignment between SyncTokenSerializer and SyncTokenDeserializer in case of token given as a clear string
  • [SYNCOPE-1761] - As admin, searching Users, Groups or Any Objects performs full Realm tree traversal
  • [SYNCOPE-1763] - Constant increase of open files after upgrade to CXF 3.6.0
  • [SYNCOPE-1764] - Connector capabilities and/or configuration are not updated in cluster environments
  • [SYNCOPE-1767] - When searching Groups with GROUP_MEMBER condition only Users are considered
  • [SYNCOPE-1770] - Errors upon Core restart after adding domain
  • [SYNCOPE-1774] - Admin console does not recognize parameter type
  • [SYNCOPE-1777] - DelegatedAdministrationException is occasionally thrown during Pull Task execution
  • [SYNCOPE-1778] - Reset password requires double click in order to provide username
  • [SYNCOPE-1779] - Missing support for underscore in queries
  • [SYNCOPE-1785] - Display rows changes not effective until reload
  • [SYNCOPE-1790] - Swagger filtered GET returns multiple Users/AnyObjects instead of one
  • [SYNCOPE-1791] - Unable to save audit config for CUSTOM event in the console
  • [SYNCOPE-1792] - Error in console while editing conf parameter with values containing numbers
  • [SYNCOPE-1793] - A logged in user cannot associate/deassociate a resource to himself
  • [SYNCOPE-1794] - SAML: Authentication issue instant is too old or in the future
  • [SYNCOPE-1798] - Incorrect descendant Realms found by Elasticsearch / OpenSearch
  • [SYNCOPE-1800] - FIQL comparison expressions with single quote cause JSONB search to fail
  • [SYNCOPE-1803] - Can't remove multivalue membership plain schema value from console
  • [SYNCOPE-1806] - Overlapping dynamic realms don't get updated
  • [SYNCOPE-1808] - Wrong location for group in ResourceTypes SCIM service
  • [SYNCOPE-1812] - Can't perform case-sensitive search using MariaDB
  • [SYNCOPE-1813] - Wrong provisioning result shown after batch operation
  • [SYNCOPE-1817] - Standalone: components not available
  • [SYNCOPE-1818] - Wrong status value propagated to external resources if changed while pulling
  • [SYNCOPE-1820] - Console label not working with multivalue schema
  • [SYNCOPE-1824] - Password policies are not always enforced on linked account password while updating account
  • [SYNCOPE-1826] - Search fails if search condition contains four digits at the end of the value
  • [SYNCOPE-1828] - Can't open the profiles tab in WA page if one of the fields is null
  • [SYNCOPE-1831] - SCIM general configuration can not be updated
  • [SYNCOPE-1837] - Resources, Relationships and AuxClasses are deleted after SCIM PUT method invocation
  • [SYNCOPE-1838] - Group owners cannot log into Console
  • [SYNCOPE-1839] - In Console Commands cannot be removed from Macro Tasks
  • [SYNCOPE-1840] - Cannot define the same form property for different Macro tasks
  • [SYNCOPE-1846] - Cannot create more than one relationship at a time from the console
  • [SYNCOPE-1847] - Propagation task audit throws exception during serialization
  • [SYNCOPE-1848] - Can't read user memberships with SCIM search endpoint

New Feature

Improvement

  • [SYNCOPE-1719] - Remove limitations for memberships and relationships
  • [SYNCOPE-1720] - Switch persistence identifiers to UUID version 7
  • [SYNCOPE-1721] - Allow for more Access Policy types
  • [SYNCOPE-1722] - Allow password fields to reveal their value to the end-user
  • [SYNCOPE-1723] - remove some non-reproducible bits
  • [SYNCOPE-1724] - Provide health status for Elasticsearch
  • [SYNCOPE-1729] - Configure Maven Build Cache Extension
  • [SYNCOPE-1732] - Console does not support custom Access Policy Configuration
  • [SYNCOPE-1733] - Support OAUTH20 authentication module in WA
  • [SYNCOPE-1738] - Refactor Report management
  • [SYNCOPE-1740] - Allow to specify UsernameAttributeProvider for Client Applications
  • [SYNCOPE-1743] - Add support for Ticket Expiration Policies into ClientApp
  • [SYNCOPE-1745] - Allow to manage ConnId bundles with more Connectors
  • [SYNCOPE-1747] - Provide controls to refresh WA client applications from Console
  • [SYNCOPE-1748] - SCIM 2.0 Implement PATCH operations
  • [SYNCOPE-1751] - Improve password auto generation on propagation
  • [SYNCOPE-1752] - Support large number of Realms
  • [SYNCOPE-1753] - Extend changes' history management to most relevant WA configuration objects
  • [SYNCOPE-1759] - REST endpoint to evaluate account and password compliance with policies
  • [SYNCOPE-1760] - Align Core Spring Boot actuator endpoint security with other components
  • [SYNCOPE-1762] - Enrich actuator info with JPA provider information
  • [SYNCOPE-1765] - allow WA to decrypt properties during the configuration bootstrap phase
  • [SYNCOPE-1768] - Improve internal storage export feature
  • [SYNCOPE-1769] - Allow the same name to be used across different Any Object types
  • [SYNCOPE-1771] - WA: support delegated authentication for Google, Keycloak and Apple ID
  • [SYNCOPE-1773] - Support configuration for multi-nodes Elasticsearch clusters
  • [SYNCOPE-1775] - It should be possible to set logoutType to WA services
  • [SYNCOPE-1776] - Let Elasticsearch re-index use bulk requests
  • [SYNCOPE-1780] - Password policy allows a minimum length less than the number of characters needed
  • [SYNCOPE-1784] - Allow you to use other OIDCScopes in addition to those currently defined
  • [SYNCOPE-1786] - Self Keymaster improvements
  • [SYNCOPE-1787] - Support deployments with large number of Realms
  • [SYNCOPE-1788] - Allow to insert JWKS value in OIDC Client Applications
  • [SYNCOPE-1795] - JWT_SSO_PROVIDER and AUDIT_APPENDER should not be Implementations
  • [SYNCOPE-1797] - Compatibility of SCIM 2.0 requests from Microsoft Entra
  • [SYNCOPE-1799] - Introduce Spring Data JPA
  • [SYNCOPE-1802] - Missing delegated SAML2 IdP configuration parameters
  • [SYNCOPE-1807] - Status propagation on resource doesn't happen from the SCIM extension
  • [SYNCOPE-1809] - Cleanup of uid-on-create attribute on resource unassignment
  • [SYNCOPE-1811] - Missing Bypass MFA properties
  • [SYNCOPE-1815] - Macro improvements
  • [SYNCOPE-1816] - Provide the possibility to add a JcifsSpnegoAuthenticationHandler
  • [SYNCOPE-1822] - SCIM: support user extension
  • [SYNCOPE-1823] - SCIM: support search by extension attributes
  • [SYNCOPE-1830] - Add support for membership attributes on elasticsearch and opensearch searches
  • [SYNCOPE-1832] - Replace number input method for UI
  • [SYNCOPE-1835] - Support Credential Criteria for LDAP authentication
  • [SYNCOPE-1836] - Password propagation on resource doesn't happen from the SCIM extension
  • [SYNCOPE-1842] - Support Credential Criteria for JAAS, JDBC and Syncope authentication
  • [SYNCOPE-1843] - Support Azure AD authentication and attribute resolution
  • [SYNCOPE-1844] - Support Okta authentication and attribute repository
  • [SYNCOPE-1845] - Support doubleclick on data tables rows

Task
