1.0.123

Release 15.09.2023 | Links Showcase Panel

New

• Links Showcase Panel was added. Now you can define URLs to be presented on the main page of your self-service portal instance.
  Use the following section to describe a link showcase on the portal:

   <linksShowcase>
      <link url="http://multifactor.ru" title="multifactor" image="logo.svg"/>
   </linksShowcase>

  A link entry have three required properties:
  1. url: please specify an URL where the link should target, the url must be unique;
  2. title: an arbitrary string;
  3. image: place an image into site's Content/images/ folder and write down it's name. Image will be scaled down to 50px and should have the svg format.

1.0.121

Release 26.07.2023 | Captcha verification fixes

Bugfixes

• Fixed: Remove unwanted captcha verification attempts on prefixed base URLs.

1.0.119

Release 25.07.2023 | SSO Login takes into account the "UPN as Identity" flag.

Bugfixes

• Fixed: Identity calculation during SSO in case a second factor bypassed.

1.0.117

Release 19.07.2023 | Added Yandex SmartCaptcha Support

New

• Yandex SmartCaptcha support was added. Now you can choose between Google ReCaptcha and Yandex SmartCaptcha
  providers. New captcha settings were added in the configuration file a the captcha. Use this new format to set up
  your captcha. See the description below:

  <!-- Enable captcha validation -->
  <add key="enable-captcha" value="false"/>
  <!-- Google/Yandex switch -->
  <add key="captcha-type" value="Google"/>
  <!-- Site Key from a captcha management panel -->
  <add key="captcha-key" value="key"/>
  <!-- Secret Key from a captcha management panel -->
  <add key="captcha-secret" value="secret"/>

• Old format for a captcha setup is considering obsolete now. But it still works.

• Now you can specify a proxy to communicate with a captcha server. Use the following key:

  <add key="captcha-proxy" value="http://proxy:3128"/>

1.0.115

Release 26.05.2023 | Vulnerability fix

1.0.113

Release 12.05.2023 | App's Text fixes

Bugfixes

• Fixed: Renamed all TOTP-authenticator mentions from "Google Authenticator" to "Yandex.Key"

1.0.111

Release 06.04.2023 | SAML/OIDC fix

Bugfixes

• Fixed: incorrect SAML/OIDC session IDs mapping.

1.0.109

Release 14.03.2023 | Forgotten Password Recovery

New

• Password recovery. This functionality allows to reset current user password via the "Forgotten your password?" link on the Login form.
  Preconditions for functionality activation:
  - Our Mobile Application has been configured as a second authentication factor for the current user.
  - Captcha has been configured for the Portal. To choose captcha display mode you can use the <add key="require-captcha" value="mode" />. The mode value can be one of the following: Always, PasswordRecovery.
  To enable the functionality you need to add the <add key="enable-password-recovery" value="true" /> setting to the Web.config file.
  NOTE: make sure that enable-password-management setting is true.

1.0.107

Release 20.02.2023 | Change PWD after 2FA

New

• New behavior when trying to access disabled functionality: now the user is redirected to the home page. Warning log is written with information about the disabled functionality.

• Handling cases where a user logged in with an expired password. Before changing the expired password, the user is redirected to the the second factor confirm page. And only after confirming the second factor, the user will be returned to the expired password change form. Main steps:

  1. Submit login page. If password is expired, go to step 2.
  2. Confirm 2FA.
  3. Create a 2 minute password changing session. If during this session you go to any existed page of the SSP, each time you will be redirected to the password change page. If session is expired or if authentication token is invalidated, go to step 1.
  4. Redirect to the password change page. Set new password and submit form.
  5. Redirect to the login page.

• Password changing session. To configure session options you can specify the following settings in the configuration file:

  • pwd-changing-session-lifetime (optional) - session lifetime in hh:mm:ss format (00:02:00 by default).
  - `pwd-changing-session-cache-size` (optional) - session storage size in `bytes` (5 242 880 by default).

• Extended logging:

  • warning if the login/password are correct, but the password is expired.
  • warning if user was redirected to the change password page but the password management is not enabled.

• 404/unhandled Error catching: now in case of unhandled error technical page will be displayed and the error log will be written.

1.0.101

Update Web.config

commented sign-up-groups setting