Hello everyone,
In this sprint, we made it possible to authenticate personal and work accounts separately with Microsoft Azure Active Directory using tenants. Furthermore, Indicium now supports authentication by Amazon Simple Notification Service (Amazon SNS for short) to receive messages published by Amazon SNS. Finally, we support a new quarter standard computation.
You can read more about Indicium's features in the Indicium user manual.
We will keep you updated regularly about Indicium's progress.
Contents of this release
Breaking changes
Windows users can no longer be impersonated as Database Pool User
In this version, it is no longer allowed to configure a Windows account as Database Pool User in the appsettings.json configuration file. This support is removed because it caused performance issues and is considered a potentially dangerous security practice. You can easily circumvent this by configuring the IIS Application Pool Identity property, or by configuring an RDBMS user as a Database Pool User. See also: Configuring pool users .
Indicium Universal
Authenticating users in Microsoft Azure Active Directory using tenants
One of the limitations of our support for authenticating against Microsoft Azure Active Directory via OpenID was that each configuration would only work on one specific tenant. In the case of multiple tenants, you would need to configure multiple OpenID servers, which would also result in multiple login buttons. In addition, the common (all Microsoft accounts) and organizations (all work and school accounts) tenants were not supported at all. In this Indicium Universal release, we have added two new settings for OpenID server configurations that enable the use of these two global tenants. You can now define multiple valid tenants within your organization. Furthermore, you can now completely disable issuer validation. This allows you to use the common and organizations tenants to accept logins from Microsoft accounts that do not belong to a tenant under your control.
When using Microsoft Azure Active Directory to authenticate your users, it is now possible to explicitly specify one of the following:
- Both personal Microsoft accounts and work or school accounts can log in to the application.
- Only users with work or school accounts can log in.
- Only users with personal accounts can log in (this was already possible in earlier versions by using the
consumerstenant) - User accounts in a specific tenant can log in (possible in earlier versions).
In all cases, the Microsoft account that tries to log in must already be available in IAM. Otherwise, Indicium will not accept the authentication. We will be working on a user provisioning feature that removes this necessity in the near future by creating IAM accounts for unknown users automatically.
Aside from each company-specific tenant identified by a GUID, Microsoft defines the following 'global' tenants:
organizations(this is an umbrella tenant for all organization tenants)consumers(this can be seen as a singular company-specific tenant where the company is Microsoft and it encapsulates all personal accounts)common(all organization tenants and Microsoft's tenant for personal accounts)
For more information, refer to the Microsoft OpenID Connect documentation.
The base configuration for OpenIDConnect for Microsoft is:
"Microsoft": {
"MetadataEndpoint": "https://login.microsoftonline.com/<tenant>/v2.0/.well-known/openid-configuration",
"ClientId": "client-id",
"ClientSecret": "client-secret",
"ButtonIcon": "windows_64px.png",
"ButtonText": "Sign in with Microsoft",
"SignOutButtonIcon": "windows_64px.png",
"SignOutButtonText": "Sign out of Microsoft",
"IncludeEmailScope": true,
}
To support the common and organizations tenants:
- If you want to allow everyone with a Microsoft account to log in, specify
commonfor <tenant>. - If you want to allow all work and school accounts to log in, specify
organizationsfor <tenant>. In both cases, disable the issuer validation because the tenant that issues the token is not known in advance:
"ValidateIssuer": false
If your organization has multiple Azure AD's but you want a single sign-in button then you can also use the organizations tenant, but you don't need to turn issuer validation off. Instead, you can use the ValidIssuers settings to supply a list of tenants corresponding to all of your Azure AD's. This way, accounts of other organizations will not be able to sign in.
"MetadataEndpoint": "https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration",
"ValidIssuers": [
"https://login.microsoftonline.com/<tenant-one>/v2.0",
"https://login.microsoftonline.com/<tenant-two>/v2.0"
]
To enable users to sign in with personal accounts, specify consumers for <tenant>. ValidateIssuer does not need to be turned off for this to work.
Amazon SNS authentication support
Indicium now supports authentication by Amazon Simple Notification Service (Amazon SNS for short) to receive messages published by Amazon SNS. To use Amazon SNS to send notification messages, subscribe to Amazon SNS topics on one or more HTTPS endpoints. You still need to confirm your subscription by going to the SubscribeURL, either with the HTTP Connector or manually from the browser.
The endpoint can for example be an Indicium Process Flow API endpoint. This makes it possible to create custom logic to handle the message.
Please refer to the Amazon documentation for full details on how to subscribe
New: quarter standard computation
Indicium now supports a quarter standard computation. This computation calculates the quarter of the year (1, 2, 3, or 4).
Syntax: $apply=compute(quarter(*column name*) as *alias*))
Minor fixes and tasks
- When uploading a file with an extension that was not allowed, the readability of the error message was poor. The file extensions are now separated by slashes and displayed without single quotes.
- We fixed an issue with document preview in combination with an Excel file in the Windows Server 2019 Datacenter Edition.
- The $apply operation could return an empty object ( {} ). These records will now be removed from the result.
- When calling a task or report in the context of a table that uses context logic, the call failed if the context logic output parameter for that task or report was disabled. This has been fixed and also fixes some issues with calling certain Software Factory tasks via the API, such as the task to copy a project version.