Release Notes for Helix Authentication Service (HAS) Version 2022.1 Introduction The Helix Authentication Service is a Node.js application that facilitates the integration of identity providers supporting either the OpenID Connect or SAML 2.0 authentication protocols. Perforce numbers releases YYYY.R/CCCCC, for example 2002.2/30547. YYYY is the year; R is the release of that year; CCCCC is the bug fix change level. Each bug fix in these release notes is marked by its change number. Any build includes (1) all bug fixes for all previous releases and (2) all bug fixes for the current release up to the bug fix change level. Important Notes Logging out of a Helix Core or Helix ALM client does not invoke a logout with the identity provider (IdP). Depending on the IdP, subsequently starting a Helix Core or Helix ALM client might result with the user being logged in again without the user being prompted to provide credentials. Supported Platforms Linux (x86_64) RHEL 7, 8 CentOS 7, 8.0 Ubuntu 16.04, 18.04, 20.04 The above platforms are tested and subject to regression testing on a frequent basis. Errors or bugs discovered in these platforms are prioritized for correction. Any platform not listed above is not actively tested by Perforce. The 2021.1 release of Helix Authentication Service will be the last one to provide a package for Ubuntu 16.04. Windows (x86_64) 10 Pro Server 2019 HAS is known to work on the Windows systems listed above. Requirements Node.js v16 (LTS) Documentation The HAS Administrator's Guide is publicly available on perforce.com. The guide details the steps for installation, upgrade, and configuration of the authentication service. Installation Linux 1. From the download page, select the appropriate Linux distribution option. For Linux, HAS is packaged in DEB and RPM formats. 2. To install, use the appropriate package install command for the system, such as `yum` or `apt` for CentOS and Ubuntu respectively. Upgrade The names of the configuration files for IDP_CONFIG_FILE and LOGGING in releases prior to 2022.1 ended with the .js extension. With release 2022.1 the names must now be changed to end with the .cjs extension. Package upgrades from releases prior to 2022.1 on CentOS/RHEL systems will result in a missing systemd service definition file. To avoid this problem, it is necessary to remove the old package and then install the new package. After the 2022.1 release, this will not be necessary. Known Limitations No known limitations with the currently released products. Third Party Licenses See the docs/licenses directory for a complete set of third party licenses. Changes in every release: Bugs Fixed, New Functionality ---------------------------------------------------------------------- New functionality in 2022.1 HAS-146 (Change #2196429) Support for SCIM-based user and group provisioning. HAS-235 (Change #2209698) Install script and package install will create a 'perforce' user and group to own the files and run the service. HAS-273 (Change #2234881) Support for client certificates when connecting to Redis. ---------------------------------------------------------------------- Bugs fixed in 2022.1 HAS-261 (Change #2205539) Updating the yum package will no longer remove the systemd service definition from this version onward. HAS-274 (Change #2232214) Logging to a file will continue even if an uncaught exception occurs. ---------------------------------------------------------------------- New functionality in 2021.2 HAS-217 (Change #2148535) Allow using [] for setting multiple values for SAML_AUTHN_CONTEXT in the .env configuration file. HAS-218 (Change #2147565) Support PFX certificate files as well as a passphrase for the private key component of the TLS certificate. ---------------------------------------------------------------------- Bugs fixed in 2021.2 HAS-225 (Change #2162386) Use latest version of node-saml library to prevent configuring the service in such a manner as to allow a SAML MITM attack. HAS-226 (Change #2168428) Configure script now recommends setting IDP_CERT_FILE when configuring for SAML to avoid a possible MITM attack. ---------------------------------------------------------------------- New functionality in 2021.1 HAS-187 (Change #2090469) New setting SAML_IDP_METADATA_FILE to specify IdP metadata from a file, as an alternative to the SAML_IDP_METADATA_URL setting. ---------------------------------------------------------------------- Other changes in 2021.1 HAS-164 (Change #2082598) Use systemd to manage the HAS instance instead of pm2. Configure script and packages will install and start HAS as a service unit. HAS-181 (Change #2075199) Single binary build of HAS for Linux packages, no need for Node.js. ---------------------------------------------------------------------- New functionality in 2020.2 HAS-21 (Change #2041029) Scripts are now available to install and remove HAS as a Windows service. HAS-79 (Change #2035660, 2035664, 2035665) You can now run HAS behind a proxy, with the option of storing session information in Redis to enable failover, with the addition of rule-based routing without Redis. HAS-141 (Change #2037047) You can now run HAS in a Docker container, which is available on Docker Hub (https://hub.docker.com/r/perforce/helix-auth-svc). ---------------------------------------------------------------------- Bugs fixed in 2020.2 HAS-162 (Change #2035660, 2035664, 2035665) Fixed issue with SameSite cookie policy enforcement in newer browsers by enabling load balancer support (see also HAS-79). ---------------------------------------------------------------------- Other changes in 2020.2 HAS-168 (Change #2037742) Upgrade Node.js requirement to version 14 (from 12). ---------------------------------------------------------------------- New functionality in 2020.1.1 HAS-153 (Change #2020849) Package for Ubuntu version 20.04. ---------------------------------------------------------------------- Bugs fixed in 2020.1.1 HAS-43 URL not sent to user logging in to edge server. Caused by P4-19549 in Helix Core Server, fixed in 2019.1.11, 2019.2.8, 2020.1.1, and 2020.2 releases. HAS-154 (Change #2020788) Swarm integration broken by browser content security policy. ---------------------------------------------------------------------- New functionality in 2020.1 HAS-143 (Change #2014015) Linux-based configuration script supports Amazon Linux 2. ---------------------------------------------------------------------- Bugs fixed in 2020.1 HAS-106 (Change #2000728, 2000731) Certificate message digest caused extension connection to fail. ---------------------------------------------------------------------- New functionality in 2019.1.1.000002 HAS-91 (Change #1991037) Linux-based configuration script to assist in configuring HAS. ---------------------------------------------------------------------- Bugs fixed in 2019.1.1.000002 HAS-111 (Change #2001802) The install.sh starts pm2 as the current user, not as root on CentOS. HAS-118 (Change #2003138) Login error in browser: request identifier must be defined HAS-119 (Change #2003163) Remove color codes from auth service log output. HAS-121 (Change #2003544) Exception when CA_CERT_PATH directory contains an empty directory. ---------------------------------------------------------------------- New functionality in 2019.1.1.000001 HAS-23 (Change #1876368) Support file patterns for finding certificate authority (CA) files. HAS-24 (Change #1875394) Allow specifying the bind address for the server. HAS-25 (Change #1876395) Permit specifying the SAML identity provider certificate. HAS-26 (Change #1899075) Support specifying a CA path in addition to a single file. HAS-35 (Change #1910276) Added the OIDC_CLIENT_SECRET_FILE setting because we discourage the use of OIDC_CLIENT_SECRET. HAS-36 (Change #1914136) Support logging to syslog rather than plain file. HAS-40 (Change #1917932) Support filtering client requests by certificate common name. ---------------------------------------------------------------------- Bugs fixed in 2019.1.1.000001 HAS-29 (Change #1884852) Azure login blocked with error regarding authn context value. HAS-34 (Change #1907004) Throws EISDIR error when reading certificates. HAS-46 (Change #1954444) OIDC needs to support Authorization Code with PKCE. HAS-50 (Change #1956618) Auth via SAML and Swarm fails validation in core extension. HAS-51 (Change #1958835) Updated SAML validate endpoint should require client certs. ---------------------------------------------------------------------- 2019.1 Initial release