Version 3.26 (August 2024)
  • 03 Oct 2024


New features and enhancements

New policy setting to avoid initial authenticator time synchronization

When an authenticator is used for the first time, OneSpan Authentication Server calculates the initial deviation between the authenticator's clock and the server time. A new policy setting (POLICYFLD_AVOID_INITIAL_SYNC) skips this initial time-shift initialization on the server side. This is useful where the time shift is already handled by the mobile app, in which case the server-side step can be omitted.

The policyExecute and policyQuery commands have been updated accordingly to handle the new policy setting.

Returned list of assigned authenticators is now sorted by default

When you execute a user command (userExecute, userQuery) that returns the list of assigned authenticators (USERFLD_ASSIGNED_DIGIPASS), the returned list is now alphabetically sorted in ascending order by default. In previous versions, the list was returned in arbitrary order as retrieved by the database query.

DSAPP/DSAPP-SRP registration now allows specifying the serial number

When you perform a provisioning registration operation using DSAPP or DSAPP-SRP, you can now specify the serial number of the authenticator to use:

  • provisioningExecute:PROVISIONCMD_DSAPPREGISTER accepts PROVFLD_SERIAL_NO as optional input attribute (via attributeSet).

  • dsappSRPRegister accepts serialNumber as new optional input parameter.

This allows you to register additional authenticator instances if an authenticator is already activated and assigned to the respective user. In previous versions, you would receive a RET_DENIED error and a STAT_TOO_MANY_DIGIPASS status code in such cases.

Surrounding whitespace trimmed from input parameters

When you create a new user account, domain, or organizational unit, any leading or trailing whitespace is removed from the respective ID fields. This affects the following commands and attributes:

  • domainExecute:DOMAINCMD_CREATE (DOMAINFLD_DOMAIN)

  • orgunitExecute:ORGUNITCMD_CREATE (ORGUNITFLD_ORGANIZATIONAL_UNIT)

  • userExecute:USERCMD_CREATE (USERFLD_USERID, USERFLD_USERNAME)

  • userExecute:USERCMD_MOVE (USERFLD_NEW_USERID)

Surrounding whitespace is not removed when these attributes are used with other commands, such as queries, to avoid breaking lookups of existing user, domain, or organizational unit records that were created with such characters.

It is generally not good practice to use whitespace characters in user names, user IDs, domain names, or organizational unit names.

Improved exception handling in SOAP wrappers

By default, the SOAP wrappers swallow underlying exceptions and always return a generic "Service is not available" error message, which hides the real cause (network failure, TLS problem, server down) from the calling application. You can now configure the SOAP wrappers so that underlying exceptions are re-thrown (as IdentikeyConnectionException) and can be handled by the application.

For the Java wrappers, this behavior can be configured with the ConfigurationBean.setRethrowOnConnectionError() method.

For the .NET wrappers, this behavior can be configured via the RethrowOnConnectionError setting in the application configuration file (app.config).

Jakarta EE support

The SDK now fully supports the Jakarta EE platform. The package includes project files and artifacts for the SOAP client and the SOAP wrapper that are compliant with Jakarta EE 9 and provide Java 11 target compatibility.

Fixes and other updates

Issues OAS-21802, OAS-21529: Missing or incorrect input/output attributes (Documentation)

Description: The OneSpan Authentication Server SDK SOAP Reference does not list all attributes supported by the digipassExecute:DIGIPASSCMD_ASSIGN and offlinedataExecute:OFFLINEDATACMD_DELETE commands. Moreover, some of the listed attributes are incorrect.

Affects: OneSpan Authentication Server SDK 3.21–3.25

Status: The documentation has been updated.

Issue OAS-21228: authUser does not return used authenticator instance

Description: Authentication and signature validation commands return the serial number of the authenticator that was used (CREDFLD_SERIAL_NO). With multi-device licensing (MDL), this field contains the authenticator instance number, e.g. VDS1000120-1. The authUser command did not return this attribute.

Affects: OneSpan Authentication Server SDK 3.21–3.25

Status: This issue has been fixed. The authUser command now correctly returns the authenticator (instance) serial number as CREDFLD_SERIAL_NO. Note that this attribute is not returned if a static password was used for the authentication.

Issue OAS-19748: Response indicates success despite database error

Description: When a SOAP operation fails because of a database or ODBC connection problem, the return code correctly indicates failure (RET_FAILURE), but the status code indicates success (STAT_SUCCESS). A client that checks only the status code therefore treats a failed operation as successful. Furthermore, the error stack in the SOAP response includes database/ODBC-specific error messages that disclose back-end details (driver, host, account names) to anyone who can read the response.

Affects: OneSpan Authentication Server SDK 3.21–3.25

Status: This issue has been fixed. All SOAP operations now return STAT_COMMS in case of database connection issues and no longer include low-level database error messages in the SOAP response.
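Client-side handling for the mismatch described above, as an added example that is not part of the SDK or of this page. The reply is modelled as a small Python dataclass because the real SOAP envelope layout is not shown here; RET_SUCCESS is assumed to be the success return code; the ODBC/driver patterns are a constructed list. The point is that a client talking to a 3.21–3.25 server must require both codes to agree before reporting success, and must never forward the error stack to end users.

```python
import re
from dataclasses import dataclass, field

# Codes quoted in the release notes; RET_SUCCESS is assumed to be the
# matching success return code (assumption, not taken from this page).
RET_SUCCESS = "RET_SUCCESS"
RET_FAILURE = "RET_FAILURE"
STAT_SUCCESS = "STAT_SUCCESS"
STAT_COMMS = "STAT_COMMS"

# Fragments typical of ODBC/database driver text. Constructed list for the
# example; extend it for the driver you actually run.
_LEAK_PATTERNS = [
    re.compile(r"\[ODBC[^\]]*\]", re.IGNORECASE),
    re.compile(r"\[SQL Server\]", re.IGNORECASE),
    re.compile(r"SQLSTATE\s*=?\s*[0-9A-Z]{5}", re.IGNORECASE),
    re.compile(r"\b(?:connection refused|login failed|unknown host|timed out)\b", re.IGNORECASE),
]


@dataclass
class SoapResult:
    """Only the fields the release note talks about (assumed shape)."""
    return_code: str
    status_code: str
    error_stack: list = field(default_factory=list)


@dataclass
class Outcome:
    ok: bool
    retryable: bool
    user_message: str   # safe to show to the end user
    audit_lines: list   # full detail, for a restricted server-side log only


def leaks_backend_detail(lines):
    """True if any error-stack line looks like raw database/ODBC driver output."""
    return any(p.search(line) for line in lines for p in _LEAK_PATTERNS)


def classify(result):
    """Decide how a client should treat one SOAP reply."""
    # Success needs BOTH codes to agree. On 3.21-3.25 a database failure came
    # back as RET_FAILURE with STAT_SUCCESS (OAS-19748); a client keyed on the
    # status code alone would report the operation as successful.
    if result.return_code == RET_SUCCESS and result.status_code == STAT_SUCCESS:
        return Outcome(True, False, "OK", [])

    # Back-end connectivity problems: STAT_COMMS on fixed servers, or leaked
    # driver text from older ones. Both are transient from the caller's view.
    backend_down = result.status_code == STAT_COMMS or leaks_backend_detail(result.error_stack)
    if backend_down:
        user_message = "Authentication service temporarily unavailable, try again later"
    else:
        # Ordinary denial (wrong OTP, policy limit, ...): report the codes only.
        user_message = f"Request rejected ({result.return_code}, {result.status_code})"

    # The raw stack never reaches the user; it goes to a restricted log where
    # an operator can read the driver message.
    audit_lines = [f"{result.return_code} {result.status_code}"] + list(result.error_stack)
    return Outcome(False, backend_down, user_message, audit_lines)
```

Feed `classify()` every reply, including ones that look successful; a wrapper that only inspects the status code is exactly the client that this issue fooled.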

Issue OAS-9099 (Support case CS0061534): Signature validation uses incorrect authenticator application and succeeds

Description: In some environments where more than one signature authenticator application is used, the authSignature command may use an incorrect authenticator application to process the request and still create a valid signature.

Consider a scenario where two signature authenticator applications exist on an authenticator, SG1 that accepts exactly one data field and SG2 that accepts two data fields. Now assume that a user attempts a transaction signature validation for a business application that requires two data fields, but mistakenly selects the authenticator application that is accepting only one data field. The signature validation can still be successful, because it uses SG1 to successfully process the request (ignoring the second data field).

Affects: OneSpan Authentication Server SDK 3.21–3.25

Status: This issue has been fixed.

  • The data-field handling in the authSignature command was improved: any authenticator application that cannot process as many data fields as the request requires is now ignored.

  • The attribute handling in the authUser command was changed to ignore Response-Only authenticator applications if the CREDFLD_CHALLENGE attribute is specified.
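To make the fix concrete, here is an added illustration in Python of the two matching strategies; it is not SDK code and not taken from this page. The real signature algorithm is replaced by a constructed hash so the example runs offline, the application objects and the amount/beneficiary fields are constructed, and the second bullet (Response-Only applications with CREDFLD_CHALLENGE in authUser) follows the same skip-before-verify pattern and is not modelled separately.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class SignatureApp:
    name: str
    max_data_fields: int   # how many data fields this application can sign


def toy_signature(app, data_fields):
    """Stand-in for the real signature algorithm (illustration only): a short
    hash over the application name and the fields that application consumes.
    An application that accepts fewer fields than supplied simply drops the rest,
    which is what let SG1 'sign' a two-field transaction in the report above."""
    consumed = data_fields[:app.max_data_fields]
    msg = app.name + "|" + "|".join(consumed)
    return hashlib.sha256(msg.encode()).hexdigest()[:8]


def validate_old(apps, data_fields, signature):
    """Pre-fix matching (3.21-3.25): every application is tried, each with as
    many of the fields as it can take, and the first match wins."""
    for app in apps:
        if toy_signature(app, data_fields) == signature:
            return app.name
    return None


def validate_fixed(apps, data_fields, signature):
    """Post-fix matching: an application that cannot take every data field in
    the request is skipped before any verification happens."""
    for app in apps:
        if app.max_data_fields < len(data_fields):
            continue
        if toy_signature(app, data_fields) == signature:
            return app.name
    return None


def scenario():
    """Replays the SG1/SG2 case from the release note with constructed data.
    Returns (result under old matching, result under fixed matching)."""
    sg1 = SignatureApp("SG1", 1)
    sg2 = SignatureApp("SG2", 2)
    apps = [sg1, sg2]
    fields = ["EUR 1500.00", "NL91ABNA0417164300"]   # constructed amount + beneficiary
    # The user picked SG1 on the device, so only the amount went into the signature.
    sig_from_sg1 = toy_signature(sg1, fields)
    return validate_old(apps, fields, sig_from_sg1), validate_fixed(apps, fields, sig_from_sg1)
```

In this model the old loop accepts a signature that never covered the beneficiary field, and nothing in the submitted OTP tells the client which application produced it, so the check has to live on the server, which is what the fix does. On a 3.21–3.25 server the mitigation is to provision only one signature application per authenticator for a given business application.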

Issue OAS-6841 (Support case CS0048717): isSessionAlive() does not clear session (SOAP wrapper)

Description: The AdministrationBean.isSessionAlive() method (Java) and the AdministrationHandler.isSessionAlive() method (.NET), respectively, do not clear the session from the session storage when the session has already expired on the server. This causes unnecessary additional server calls to verify the session status.

Affects: OneSpan Authentication Server SDK 3.21–3.25

Status: This issue has been fixed.

Deprecated components and features

PDF documentation (Deprecated)

The user documentation of most OneSpan products is already available online at https://docs.onespan.com/docs, and we plan to move exclusively to online documentation.

This means that PDF documentation will be completely removed in future major releases of OneSpan Authentication Server SDK (currently planned for 3.27).

Known issues

Issue 44570: New client components for multi-device licensing (MDL) not automatically created (OneSpan Authentication Server Configuration Wizard)

Description: When running the Configuration Wizard and registering the SDK as part of an advanced installation, the client components for the new multi-device licensing (MDL) functionalities are not created automatically.

Affects: OneSpan Authentication Server SDK 3.7–3.26

Status: Before using the sample websites, the client components for MDL must be created manually.

Issue 38548: Incorrect casing for domain attribute results in decryption error

Description: When using SOAP API commands to manipulate an authenticator record (moving, updating, etc.) the domain name is considered case-sensitive. If the domain name provided uses a different casing than the name of the actual Active Directory (AD) domain, the operation fails. This is indicated by a "Fail to decrypt data with the supplied key" error message in the audit log.

Affects: SOAP API on OneSpan Authentication Server 3.6–3.26 with AD data store

Status: No fix available. Ensure that you use correct casing for the domain name.

