Critical changes in this release

This topic highlights changes in IBM Security Verify Access version 10.0.6 that might affect compatibility with earlier versions.

Advanced Access Control (AAC)

  • Streamlined FIDO user experience on Safari

    When a FIDO registration or authentication was performed, Safari used to require that the WebAuthn JavaScript API calls were user initiated (for example, the result of a button click). This requirement was removed, so the default FIDO HTML and JavaScript files were simplified to remove the browser checks that existed for the Safari requirement. Now, the WebAuthn JavaScript calls are initiated on page load for all browsers.

  • FIDO2/WebAuthn Attestation and Assertion timeout

    The default timeout for FIDO2/WebAuthn attestation and assertion requests was changed from 60 to 300 seconds. This value can be changed in the relying party configuration. For more information, see FIDO2 Configuration.

  • FIDO U2F Specification Deprecation

    General support for the FIDO U2F specification is being deprecated in favor of the new FIDO2/WebAuthn specification, which includes support for U2F devices. As a result, the ability to register new devices by using the U2F Registration mechanism was removed, and various user self-care pages no longer contain a U2F register button. The ability to authenticate by using the U2F Authentication mechanism was also removed.

  • RTSS XACML engine error handling

    The RTSS XACML engine was changed to return HTTP status code 400 with a JSON payload that contains translated messages in certain error cases when called directly by REST API. Previously, these errors were returned as HTTP status code 500 with text content. For more information about calling the RTSS XACML engine, see Invoking the RTSS XACML engine.

  • Java™ update impacts java.util.regex.Pattern processing of Unicode characters

    Previously, the Java Regex Pattern implementation did not always treat a surrogate pair as a single character; instead, it processed the two halves of the pair separately. A surrogate pair is a combination of two 16-bit code units that together represent a single Unicode character outside the range that one 16-bit value can hold. Now, the Pattern implementation correctly processes a surrogate pair as a single character. This change impacts:

      • Advanced configuration knowledge.questions.AnswerValidationRegEx and knowledge.questions.QuestionValidationRegEx
      • Custom Java Extensions

    Also impacted are the following configuration items, which are still correctly validated in the UI but are incorrectly accepted when created by the REST API. These are known issues:

      • FIDO2 Relying Party configuration ID
      • Federation name
      • Custom Java Extension bundle name
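    The following is an added example (not IBM code) that shows what the surrogate-pair change means for a knowledge-question validation regex such as knowledge.questions.AnswerValidationRegEx: a length-limited pattern now counts a supplementary character once, not once per 16-bit unit. The sample answer and the two patterns are constructed for illustration; Java 11 or later is assumed for String.repeat.

```java
import java.util.regex.Pattern;

// Added example, not part of IBM Security Verify Access: exercises a
// validation regex against an answer made of supplementary characters,
// which UTF-16 stores as surrogate pairs.
public class SurrogatePairRegexCheck {

    // Length limit in characters. With surrogate-aware matching, "." consumes
    // a whole pair, so an answer of five emoji counts as five characters.
    static final Pattern MAX_FIVE_CHARS = Pattern.compile("^.{1,5}$");

    // A whitelist admitting only ASCII letters, digits and spaces rejects
    // supplementary characters regardless of surrogate handling.
    static final Pattern ASCII_ONLY = Pattern.compile("^[A-Za-z0-9 ]+$");

    static boolean matches(Pattern pattern, String answer) {
        return pattern.matcher(answer).matches();
    }

    public static void main(String[] args) {
        // Constructed sample: five copies of U+1F600, each written as its
        // surrogate pair (\uD83D \uDE00).
        String answer = "\uD83D\uDE00".repeat(5);

        // Two ways of measuring the same answer; the regex engine now
        // counts by code point, not by 16-bit unit.
        System.out.println("UTF-16 code units: " + answer.length());                            // 10
        System.out.println("Code points:       " + answer.codePointCount(0, answer.length()));  // 5

        // Surrogate-aware Pattern: five "." repetitions cover the five emoji.
        // Unit-by-unit processing would have seen ten units and rejected it.
        System.out.println("^.{1,5}$ matches:      " + matches(MAX_FIVE_CHARS, answer));   // true

        // A strict character whitelist is unaffected by the change.
        System.out.println("ASCII-only matches:    " + matches(ASCII_ONLY, answer));       // false
    }
}
```

    Run the same harness with your own configured regex to confirm whether the length limits it encodes were written with code units or characters in mind.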

Federation

  • Change in behavior when a SOAPMessage is nested within another SOAPMessage

    When a nested SOAPMessage is sent to the SecurityTokenService, only the inner SOAPMessage is evaluated by the Federation runtime.