
AuthorisationService Release Notes [C OG]

The following list covers the breaking changes, features, and fixes that are relevant for the major release.

 


Release 23.1.17

General

With release 23.1, AuthService for Enterprise and VidiNet were merged into one release. This version uses KeyCloak to manage users and groups and to sync with different identity and user federation providers such as LDAP or VidiCore.

KeyCloak brings its own database and syncs users and groups regularly with the user federation provider. The time for synchronization can be configured in ConfigPortal. A manual sync can also be triggered from ConfigPortal (CP) or via the AuthService API.

Both the AuthService and the KeyCloak service can be deployed in multiple redundant instances for failover scenarios.

KeyCloak version 18 is used.

Changed login behavior with LDAP connection

The previous version of AuthService had the option to automatically fill in the domain suffix on the login screen. The user had to add the username and the password to log in.

With AuthService 23.1, injecting the domain suffix into the login screen is no longer supported. If the user needs to specify a domain, it has to be typed in. Alternatively, the user can enter just a username (without domain suffix) and password, and AuthService tries to match this user against all configured ADs. If the user is found with a matching password, that domain is used automatically.

Multiple LDAP environments

AuthService 23.1 supports connecting to more than one LDAP environment for authentication and authorization. This can be configured in ConfigPortal.

Be aware that users and groups are always uniquely assigned to one Active Directory and are never used across ADs.

Multiple search bases for Active Directory

Users and groups to be synced with AuthService can be organized in different areas of the AD. To avoid having to sync the whole AD tree, it is possible to configure multiple search bases.

Fixes

Item #    Item
211500    AS: Add version number and main page to the AS Keycloak
211719    AS with Keycloak does not manage re-login in a proper way
211757    AS: Arvato Systems Brand Login Page (include localisation)
212573    AS: Add option to disable CRL if needed
213545    AS: Issue with failure when adding new Role (KC)
214081    AS: Authservice keycloak helm chart to support dbAdmin parameters
214614    AS: Failed to add/update client with custom role claims
214450    AS: Keycloak Domain LDAP: Unable to sync group when user and group are located in the same CN/OU
214753    Domain LDAP sync not added user to the added group
215308    AS: Missing preferrable_username in Group & User claims
215227    AS: Failed to filter group and user using username with domain
215202    AS: Duplicate CLIENT ID, CLIENT HOST protocol mappers in Client_Credentials
207563    AS: Add default roles to user based on the VPMS Product Roles
