2025-03-20

GUI

• Fixed an issue where sorting collaborations on unit did not work

Organisations

• Labels can now be applied by default per organisation or unit for collaborations created from now on
• Organisation admins and managers can now invite multiple email addresses for multiple collaborations using a CSV file, found in the profile menu
• Details & settings for applications now have sections
• Invitations can now have a default message and sender name set, under the 'messaging' section of details & settings
• Organisation admins and managers can now become member of a collaboration from the GUI straightaway

Improvements

• Fixed miscellaneous minor security issues found by the yearly security audit

2025-02-06

2025-01-30

Improvements

• Fixed a long standing issue where changed attributes from the user's IdP were not updated in their profile on the platform (released on 2025-01-30 and as previously attempted in the 2024-11-21 release)

GUI

• Collaboration admins and members (if they can view other members) can now search for members
• Collaboration member's group memberships are now listed in the member tab of the collaboration page
• Application groups are now shown on the about section of an application card

Organisation API

• The organisation API now can be scoped on units. For more information, see the documentation.
• The organisation API now includes the collaboration_memberships object under each collaboration
• The organisation API now includes an array of user IDs which represent group membership under each group

LDAP

• Fixed an issue where the sramInactiveDays attribute could differ between LDAP and SCIM

SCIM

• Fixed an issue where the sramInactiveDays attribute could differ between LDAP and SCIM

2024-11-21

Improvements

• The decision proces for authorization when logging in to a web application or the GUI was rewritten
• Fixed a long standing issue where changed attributes from the user's IdP were not updated in their profile on the platform
• On the requests tabs, the yellow exclamation mark is now consistently only shown for open requests
• Suspension and deletion emails now clearly describe which action is going to be taken if a user doesn't respond
• Fixed an issue where the 10 minute grace period for the fallback TOTP also applied to all of a user's browsers and devices
• Fixed a regressive issue where new users, on trying to log in to a web application, were shown a HTTP 404 error page, instead of a page explaining why they have not access and help how to get it
• Fixed an issue where if an institute has a domain name that is a subdomain of another institute, all the institute name could be displayed incorrectely

• Fixed an issue where on the error screen for a user not a member of a collaboration connected to the application, creating a collaboration is suggested even if it cannot be connected to that application

• Fixed an issue where in exceptional cases it was impossible to disconnect an application from a collaboration

Organisation API

• On sending an invitation, the organisation API now allows setting a sender name, which defaults to the organisation name
• Fixed a typo in the curl output that broke the command of post_api_collaborations_v1 in the API documentation
• The organisation API now supports resending an invitation

LDAP

• The sramInactiveDays attribute is now available in LDAP

SCIM

• The sramInactiveDays attribute is now available in SCIM
• Fixed an issue where on enabling SCIM push to application and changing the token at the same time, an error occured in the GUI

2024-10-17

GUI

• The create/request collaboration form was improved by clarifying the labels, removing the 'motivation' field and only showing 'make me admin of this collaboration' when applicable
• The information page shown to user unauthorized to log in to an application was improved:
  
  • If a user is authorized to create or request a collaboration, and the application can be connected to that collaboration, the user is invited to do so
  • The user is shown contact information, an email address or URL, to get help getting access if the application admin has enabled this
  • Some of the text was rewritten

Application admin

• At the contacts section, the option to show contact information to unauthorized users was added
• For applications verified to be provided by an organisation on the platform, it is now possible to allow all users from the organisation (identified by the organisation domain) to access the application, without membership of a connected collaboration

Minor improvements

• The fallback TOTP verification code is now pasteable

Organisation API

• The organisation API now disallows adding logos as URL, because fetching unverified URLs is regarded unsecure
• Invitations sent via the organisation API now allow showing the organisation name as sender in the message, instead of one of the organisation admins

2024-09-19

Suspension

• Fixed an issue where users suspended for inactivity could not reactivate their profile by logging in, although the suspension email claimed it would
• The fallback TOTP key is now revoked after too many attempts, instead of suspending the user

GUI

• Renamed 'service' to 'application' ('applicatie' in Dutch), because this is much clearer to end users
• Invitation emails for a collaboration now list the applications a member can access
• The membership request link for a collaboration was moved to the invite members page
• A clear error page is now shown when trying to accept an invitation that was already used or had expired
• Fixed an issue where when using a join request, the application AUPs would not have to be accepted
• Fixed an issue where in some cases an application AUP would have to be reaccepted on joining a collaboration
• The last accessed date, PAM web login last login date and last used date were removed from the user history screen
• Improved performance of many pages for admins

Application admin

• Renamed 'service' to 'application' ('applicatie' in Dutch), because this is much clearer to end users
• For some applications, the providing organisation is now shown as subtitle
• OIDC redirect URLs must now be HTTPS, unless they point to localhost or 127.0.0.1
• Fixed an issue where the login URL and website URL were converted to lower case
• Fixed an issue where at application registration a non-functional OIDC client secret was shown

Organisation admin

• Fixed an issue where if an organisation admin is affiliated with another organisation, they could not request a collaboration for the other organisation

PAM web login

• Fixed an issue where collaboration membership was not checked directly before authenticating with PAM web login. Only applications where the access rules were set to 'No one' were affected.
• Fixed an issue where sometimes the first line of the QR code was indented by existing terminal content

Documentation

• Moved the documentation to a separate space: https://servicedesk.surf.nl/wiki/display/IAM. Existing links should be redirected, or suggest the new location.

2024-08-15

GUI

• Collaborations now have an optional user support contact that, if set, replaces the administrators' email addresses on the about tab
• When setting up two factor authentication, the shared secret can be revealed in case scanning the QR code doesn't work
• Mandatory fields now have a small asterisk

Service admins

• Service admins can now enable and disable SCIM themselves
• SCIM server has been renamed 'SCIM push to service' and SCIM client to 'SCIM pull by service' to avoid confusion about perspective
• The collaboration logo and website URL are now available in SCIM
• Fixed an issue that showed the 'reset AUP' button to service managers, while they cannot reset it
• Collaboration admins can now disable auto provisioning on instances of service groups, and hence manage the group membership

2024-06-20

GUI

• Collaboration labels may now contain a larger set of unicode characters, including Asian language characters and emoji
• Collaboration members tables can now be sorted by name
• Unused and old collaboration labels are no longer shown in suggestions when creating new labels
• Fixed a bug where suspended users who had not agreed to the latest platform AUP would end up in a login loop

Service admin

• Connections to collaborations are now correctly filtered in the service history
• Fixed a bug where a service registration requests couldn't be submitted
• Service admins are now able to remove themselves as admin for the service

LDAP

• People in LDAP have a new attribute sramInactiveDays, which indicate how long the user has not logged in the SRAM. Services might use this information to force users to log in via their home institution periodically.
  The new schema is described on the LDAP reference page.

PAM web login

• The text shown to a user when logging in on the command line has been improved
• After a user has finished logging on on the console, this is now shown in the web interface
• The weblogin API provides additional details in the response, to the server, which allows to server to show a customized message to the user in the login flow

Other

• Improved the text of the mails that are sent when a user is suspended for inactivity; make explicit that users need to contact SRAM support to reeanble their account.
• The stability of the platform during background maintenance tasks has been improved

2024-05-16

GUI

• History now has filters for users, services and organisations
• Service registration requests are now listed in the 'my request' tab
• Suspension emails now list the user's collaborations and accessible services
• On trying to accept an already accepted invitation, a short message is now shown, instead of an error bar
• It is no longer possible to send an invite to an email address that already has an open invite for the same role (resending is still possible)

Minor improvements

• Collaboration, organisation and service admins are now reminded weekly by email about open requests
• Fixed an issue where in a specific situation, a user was not shown a link to their requests
• Fixed an issue where a collaboration admin was shown a link to a service they could not access
• Fixed an issue where in some email clients, attached images were not displayed
• Fixed an issue where multiple instances of the same label could exist within an organisation
• Fixed an issue where on Safari the collaboration logo was invisible on and after editing

Service admin

• History now has filters for users, services and organisations
• Approved and denied service connection requests are now visible in the service's history
• Collaboration, organisation and service admins are now reminded weekly by email about open requests
• Sirtfy, CoCO and R&S compliancy is no longer administered on the platform
• Service admins who are not member of any collaboration, are now shown the services tab by default
• Fixed an issue where the help text for the LDAP IP addresses wasn't displayed properly

Organisation admin

• History now has filters for users, services and organisations
• The domain based permission of users to request or create collaborations, now also works for subdomains
• Collaboration, organisation and service admins are now reminded weekly by email about open requests

Organisation API

• Units are now represented as an array in the organisation API

2024-03-21

Minor improvements

• Inactive users are now suspended after a year of inactivity, and deleted after three more months (this was implemented earlier, but not switched on)
• Users with open invitations are now reminded by email once
• User suspension and deletion emails now correctly explain whom to email for support
• Search in the GUI is now case insensitive
• Fixed an issue where an organisation admin who is also a service admin had the collaborations tab and table doubled
• Favicons were improved

Service admin

• Accepted and rejected connection requests now remain visible for a while

• The user token introspection endpoint is now listed in the API documentation

Organisation API

• When creating a collaboration, the organisation API now validates the email address of the admin

LDAP

• All available organisation units are now listed at the organisation, and assigned units are listed at the collaboration

2024-02-20

GUI

• Fixed an issue where a service admin was not shown any of their collaborations on the home page

2024-02-15

GUI

• The request membership modal now displays a few common options for applying, in addition to the text field
• Collaborations that have join requests enabled, now show connected services to non-members
• Groups provisioned by services no longer display the superfluous 'provision by…' in their description
• Units are no longer displayed in badges, to decrease clutter, especially when multiple units are assigned
• The group history page now shows more clearly what happened
• Fixed an issue where (mainly new) services did not show up at collaborations to connect

Service admins

• A new role for services is introduced: the service manager, who can manage connection requests and connected collaborations, but not other service properties

Organisation admin

• An organisation can now set an AUP to be presented to users outside of their organisation when first joining one of the organisation's collaborations 

Organisation API

• The organisation API now allows deletion of an invite for collaboration membership

LDAP

• The expired or active status of a collaboration is now available in LDAP

PAM web login

• The security of PAM web login was improved slightly by invalidating a challenge link after it is first opened, even before authenticating

2024-01-18

GUI

• A users who is member or admin of up to five collaborations, but not an admin of a service or organisation, now has a friendly landing page
• The error page shown to a user trying to log in to an application without the required membership has been clarified
• On error pages, the mailto link now contains information about the error
• The screen to request a reset code for the second factor fallback now explains the process more clearly and groups admins by collaboration if applicable
• The group details page is now formatted more clearly
• Word wrapping has been improved in some table cells
• Fixed an issue where a unit manager who is also manager of an organisation without units, could not select a unit while creating a collaboration in the first organisation of the list
• Fixed an issue where a unit manager could view all their organisation's history

2023-12-14

Service admins

• The connection to a SCIM endpoint can now be tested from the SCIM server section
• A short name is now suggested when creating a collaboration or registering a service

Organisation admin

• An organisation manager's units are now displayed in the tab 'organisation admins'

Organisation API

• The organisation API now generates a short name if none is specified while creating a collaboration
• The organisation API now returns an error when invalid characters are removed from the specified short name
• The organisation API now returns an HTTP 404 error when an object is not found, instead of HTTP 403
• The organisation API now supports updating group properties

LDAP

• Services that are unconnected to any collaboration now are a provisioned an empty list
• New services now get a unique identifier for use in the base DN, instead of using the entity ID
• A direct link to the collaboration page is now provided

PAM web login

• Fixed an issue that broke the experimental smart shell

Minor improvements

• The header on the collaboration page has been cleaned up, some information was moved to the 'about' tab
• The header on the organisation page has been cleaned up
• Fixed an issue where a page switched to another tab when data updated
• Improvements to the content security policy (CSP)

2023-11-16

GUI

• A collaboration's short name is now displayed in the header
• Yellow exclamation marks on member/admin tabs are now only displayed for expired invitations, not for open invitations
• The profile page has been improved to make the username more discoverable

Service admins

• It is now possbile to request deletion of a service
• Fixed a bug where upon approval of a service registration, some properties were erroneously inherited from a different service
• Services configured to allow access for users without collaboration membership can now be connected to a collaboration anyway, so attributes for authorisation can be provided to the service. This feature can only be enabled in special cases and when a proper data processing agreement is in place.

Organisation admins

• Organisations now can have organisation units, allowing an organisation admin to divide an organisation into smaller parts. Organisation managers can be assigned to only manage (e.g., approve requests for new collaborations) one or more units, instead of the entire organisation.
• It if now possible, but not straightforward, to move a collaboration to a different organisation. Please contact us at sram-support@surf.nl if you want to move a collaboration.
• The organisation API now supports listing which services are connected to which collaboration

SCIM

• Improved the performance of the SCIM sweep

2023-10-17

GUI

• It is now possible to resend an identical copy of an invitation before it expires
• A collaboration admin now cannot remove a group that was provisioned by a service group from a connected service
• Icons and counters are removed from tabs, in line with the SURF Design System, for a more restrained user experience
• All tables now have a title, most including a counter of the number of rows
• Web page titles now show the page title
• The message set by an organisation for their users, is now displayed at the user's request/create collaboration screen, instead of the welcome page
• Fixed a bug where the user's role was displayed on the profile menu as 'user'
• Fixed a bug where input of invalid URLs was silently ignored instead of showing an error

Service admins

• The tab for managing which collaborations can connect to a service is renamed to 'access rules' and the tab 'collaboration access' is now 'connected collaborations'
• The service token tab is no longer displayed on the service page. It was visible for a service admin who is member of a connected CO
• Fixed a bug where sorting on short name didn't work on the service admin's 'connected collaborations' tab
• Services can now specify a broader set of login urls (e.g., ssh://-urls)

Organisation API

• The organisation API now supports disconnecting a service from a collaboration
• The organisation API now disallows sending invitations containing invalid group names
• The organisation API now returns an error message when a new collaboration's short name is too long, instead of truncating to 16 characters

SCIM

• SCIM now identifies as media type application/scim+json

PAM web login

• After authentication, the PAM web login endpoint now returns the user's collaborations – connected to that service – to the PAM module as groups, containing the collaborations' shortname and displayname
• The experimental smart shell now supports scp
• Fixed a bug where SBS would return in internal server error instead of a permission denied error when the user would enter their pin before loggin into SRAM.

2023-09-26 (was: 2023-09-21)

GUI

• The collaboration page header has been redesigned to more clearly show relevant information for both members and admins
• All the user's requests for collaborations, membership and services, are now displayed on a single tab
• Pages with service cards now have a search box
• The history of a collaboration is now searchable, easier to read, has some filters and can be exported
• The welcome page for authenticated users without any memberships or admin roles now more clearly explains what users can do
• Users associated by login with an institution that can create collaborations, now can request/create a collaboration in every situation and the request/create page is titled correctely
• On the collaboration page, the suggestion to email us about missing services has been removed

Service admins

• Registering your service is now possible from the GUI, making the service connection form obsolete
  • It is not yet possible to change SAML metadata or OIDC credentials from the GUI. Please contact us at sram-support@surf.nl for changes.
• On the service edit form, adding a token or resetting the LDAP password is now easier to find
• A privacy policy URL is no longer mandatory for services, because leaving that field empty more clearly communicates to users the service lacks a privacy policy
• The tab for managing which organisations' collaborations can connect to your service has been redesigned, again
• It is now possible to delete service groups directly from the service groups tab
• A service's page is now only accessible for the service admin. For all other users it has been replaced by the service card.
• SCIM tokens can now be very long and multi line, e.g., a JSON web token

Organisation admins

• The mandatory service feature has been removed. If your organisation uses the mandatory service feature, it will remain functional and we will contact you about a solution.
• The on-boarding message for new users of your organisation has been moved from the welcome page to their request/create collaboration form

Organisation API

• On creating a collaboration, the organisation API now validates the logo
• The organisation API now supports requesting and specifying the intended role and groups of an invitation
• The organisation API now supports managing collaboration invitations created from the GUI
• The organisation API now supports changing user collaboration roles, i.e. member or admin

2023-08-17

GUI

• Services are displayed as cards to collaboration members and admins to distinguish them as usable objects
• A history of all their actions is now listed to users on their profile page
• A collaboration admin can now view the history of new and removed memberships, so they can see who has had access to its data in the past
• A collaboration's labels are now displayed on the collaboration page to its admins
• All collaborations' labels are now displayed on the collaboration tab of an organisation, visible to the organisation manager and admin
• On the page of a soon to expire collaboration, a button has been added to the alert bar to change the expiry date
• For a member with soon to expire membership, a button is shown on the alert bar to email the collaboration's admins
• Groups can now be (multi) edited in the same way as collaborations and memberships
• Fixed an issue that the edit screen of a group showed a broken link for a membership request instead of the group's shortname
• Reinstated the link to the documentation in the footer
• Multiple improvements were made in and adopted from the SURF Design System
• Collaboration admins can retract Service connections requests

Service admins

• In addition to an email address, a URL can now be set as service contact, to refer users to a support website or ticketing system
• Newly generated LDAP passwords will no longer contain "strange" characters; the allowed characters are limited to A-Za-z0-9@%=+_-

PAM web login

• New release v2 including binary packages for CentOS7, Fedora 37 and 38, Rockylinux 8 and 9, Debian 10, 11 and 12, and Ubuntu 22.04.
• A dockerized demo environment is now available
• File permission on pam-weblogin.conf is now set to 600 on installation
• Minor improvements to the documentation

Organisation API

• The organisation API now supports listing open invitations for a collaboration
• The organisation API now fully supports groups, including creating and editing it, and adding and removing members
• The organisation API now supports refering to the collaboration by the collaboration_identifier when inviting members

Documentation

• Documentation was moved to https://servicedesk.surf.nl/wiki/display/WIKI/SURF+Research+Access+Management

Minor improvements

• New nomenclature for tokens and keys was introduced, now each token has a clear and easy to understand name
• Trailing spaces are now removed from a 2FA reset token
• Collaborations now also have a URL with their unique identitfier, used by default, in addition to their database ID
• Fixed an issue that the activity date of a collaboration was not updated when its properties, including memberships, were changed
• Fixed an issue that a collaboration admin could approve their own request to connect a service to the collaboration

2023-06-22

GUI

• When creating a CO, a number of pre-defined logos are available to choose from. Uploading a custom logo is still possible
• Service admins can no longer create user tokens, unless they are member of a CO connected to their Service
• The AUP is now shown for services which are accessible without CO membership
• Improved error message in the case that a step-up MFA via SURFsecureID fails
• Fixed small bugs in the UI
• Minor translation updates

Minor improvements

• Improved heuristics to determine what the user's home institution is
• Fixed a bug where COs could not be deleted via the Organisation API
• Removed use of Google Fonts for the API documentation
• Fixed a bug where the name of a random institution would be shown if SBS doesn't know the user's home institution

LDAP

• Allow Services to disable LDAP for their Service when it's not used
• When a Service has no connected CO's, keep its LDAP-tree intact (but empty) instead of removing access altogether
• Correctly disable LDAP-password for Services which have LDAP set to disabled

Behind the scenes

• Use stronger cryptographic hashing for storing passwords internally
• Improved security of the website
• Improved the back-end connection with SURFsecureID
• Improved stability of the platform
• Improved monitoring of LDAP
• Improved HTTP caching of static images

PAM web login

• Bearer token in config file is now optional
• PAM web login can show QR-code in addition to URL
• Moved confgurations file to /etc/security/pam-weblogin.conf

2023-05-16

Two factor authentication: mandatory per 1 June 2023 for all users

• Starting 1 June, all users must use a second factor to authenticate, both for the SRAM GUI and for all connected web services
• Administrators of IdPs in SURFconext have been asked if their SRAM users already use their IdP's MFA. If so, they will be required to use that. Users without MFA will not be able to authenticate.
• For eduID.nl, either use of the eduID.nl app or the TOTP fallback will be required. Which one will be determined in May.
• For other IdPs, namely those connected via eduGAIN, a fallback second factor will be presented to the user. This second factor is an unvetted TOTP, which must be set up the first time a user logs in.
• For a limited period, users setting up TOTP will be asked if they already have used a second factor before logging into SRAM, in an attempt to detect unnecessary usage of the fallback TOTP

Minor improvements

• A CO admin can now remove service groups after their service has been disconnected from the CO
• The organisational name of the IdP the user authenticated with is no longer shown, as this could be confusing because it was only displayed on some pages. (On others the user's role is displayed.)
• Fixed a bug where on joining a CO users were asked to accept service AUPs when there were none
• Fixed a bug where it seemed a CO could be configured to show user's email but not their names
• Some further improvements of the implementation of the SURF Design System
• Some textual improvements were made

LDAP

• Improved LDAP monitoring by also checking if the content is as expected, not just if the LDAP service is responding

SCIM

• Service admins can now administer SCIM settings, but not yet enable of disable the experimental SCIM
• Fixed some bugs with the experimental SCIM provisioning

2023-04-20

GUI

• Support for additional formats of email addresses in invitation input fields for easier copy-and-pasting
• When an invalid email address is entered in the invite field, an error is now shown
• Using backspace while entering a new email address no longer removes previously entered email addresses
• A number of translations have been improved
• The use of checkboxes and radiobuttons has been made more consistent
• When a Collaboration is created though the API, it now shows up in the UI without reloading the page
• A more descriptive error message if shown to unregistered users who try to log into a Service without prior invitation to a Collaboration
• The MFA/TOTP input page no longer scrolls to the bottom on small screens
• Users who are updating their TOTP token no longer have to finish the process before their old code expires
• Sorting Groups in a Collaboration by Service now works correctly
• Service permissions are now updated in Collaborations without reloading the page
• Tooltips are now more easily visible of they overlap other UI elements
• The headers for Collaborations, Organisations and Services have been improved according to the SURF Design System
• Compatibility with old Safari versions has been improved

Organisations

• Organisation Managers are no longer allowed to remove outstanding invitations for other Organisation Managers or Admins
• The Organisation API now return a correct error (401) if an unknown Organisation API key was used

Service admins

• The Details tab for Service Admins has been reorganised to make the different settings easier to find
• It is now possible to click through to connected Collaborations and Organisations in the list of connected entities, if you have the proper permissions
• The Organisational Access page voor Service admins no longer scrolls to the top when a setting is changed
• The layout of the Organisational Access tab has been improved on narrow screens.
• The "Always allow" and "Manually approve" radiobutton on the Organisational Access tab now works correctly.

SCIM

• Stop pushing data to remote SCIM endpoint when a remote error occurs
• Remote timeouts are handled more gracefully
• Fixed a bug causing not all SCIM sweeps to be run if one fails

Minor improvements

• Further improved internal monitoring of LDAP
• Further improved internal monitoring of SAML/OIDC logins
• Platform admins can more easily reactivate a user who has been suspended after entering too many wrong TOTP codes
• Users who have logged in to SRAM, but have not done anything and are not member of a Collaboration, Organisation or Service, are automatically purged form our systems after two weeks
• Expiry dates for Collaborations and Memberships can be set beyond April 30th, 2023 again
• Fixed a bug which caused Collaboration Admins to not be able to request a connection to a Service in some cases
• The TOTP reset functionality during login to SBS itself has been fixed.

2023-03-21 (was: 2023-03-16)

GUI

• The user interface now follows the SURF Design System
• Items of the pull down menu under the user's role were moved to the user menu in the upper right corner, or to buttons on the object header
• A user's CO request now shows which organisation must approve the request
• In tables with user's name and email address, a column was added with the user's institutional domain (if it wasn't already there), so the user can be uniquely identified
• The user profile page was revised to display the information more clearly, and to explain the source of attributes
• The user profile page now nudges users towards uploading their SSH key, rather than copy pasting it, which we found error-prone
• A tooltip for a user's name/email table cell was added which shows the SRAM user name and the date the user joined the CO or became admin of the service or organisation
• Fixed an issue where the user token tab was not visible for regular members of a CO, if disclosing member and user information was disabled
• Fixed an issue where line wrapping would break words in long descriptions and other editable texts
• Fixed an issue where a CO admin was not shown a service AUP when connecting a service by a request

Service admins

• Redesigned the interface for managing COs from what organisations can connect to your service, and whether permission is required
• Service admins can now enable and disable PAM web login
• Fixed an issue where the SURF-organisation was visible for services unable to connect to SURF COs
• Fixed an issue where a service could not be edited if connected to a large number of COs

Service groups

• When creating a service group, it is now also created at COs that are already connected to the service
• On editing a service group, the properties are now also updated at the CO
• At the CO, it is now shown what service the service groups originates from

Minor improvements

• Fixed an issue where, instead of using the configured IdP's 2FA, the fallback TOTP could be used
• The obsolete /api/mfa/sfo endpoint was removed
• The organisation API now provides calls for manage collaboration members
• The organisation API now correctly returns a HTTP 403 error if permission is denied
• Removed the broken functionality from the API where a CO member could request the CO admin to connect a service
• Fixed an issue where a user could not delete their profile if it contained no name
• Fixed an issue where the link to the SRAM AUP did not open a new window
• Some textual improvements were made

SCIM

• Fixed several issues in the SCIM implementation

2023-02-16

Minor improvements

• Services tokens and API keys now show the creation date and the description is now mandatory
• When a collaboration expires, now only its admins will get a notification by email, not all its members
• Fixed that admins were invited with the text 'becoming member of' a collaboration, service or organisation
• Added a security.txt 
• Improved the (still experimental) support for SCIM provisioning
• Some textual improvements were made

LDAP

• The email address(es) for the CO admin(s) are now available in the CO information

PAM web login

• Added .deb and .rpm packages, for Debian 10 or Ubuntu 22.04, and CentOS 8 or Fedora 37 respectively, to release 2.0
• Fixed an issue where the submodule dependencies were not included in the source packages

• Added an experimental feature where the user logs in as a generic SSH user, and PAM changes the user based on the challenge(s) before entering the shell

2023-01-19

Minor improvements

• Gracefully handle the case that a page becomes unavailable if a user loses permissions
• Fixed a bug where trusted organisations could not be selected for a service if the service was available for all organisations
• Fixed a number of settings that would not show up in other users' sessions without reloading the page
• Improved the (still experimental) support for SCIM provisioning
• Fixes a number of layout issues
• Improve texts for invitation mails

2022-12-15

New features

• PAM web login released as version 1.0
• Added experimental support for SCIM, both for SCIM clients and SCIM servers
• Users can now download their personal data from their profile page
• Inactive users are now suspended after a year of inactivity, and deleted after three more months

GUI

• Changes to table content are now updated live, without refreshing the page
• The explainers displayed on the landing page are now also displayed on the welcome page, as shown to authenticated users without any membership or admin role
• A user friendly error page will now be displayed in case of incidents or maintenance resulting in downtime
• The WebP image format is now supported to upload as logo

Organisations

• Collaboration labels are now available in the organisation API

Services

• Service admins can now create and manage service groups
• An OIDC demo service and SAML demo service are now available that show the logged in user's claims and assertions, respectively
• It is now possible to allow COs from specific organisations to connect to your service without asking for approval
• It is now again possible to use port numbers in the service login URL
• A bug has been fixed that made it possible to edit a service's short name

LDAP

• LDAP is now updated more quickly in case of large numbers of users
• Special use IP addresses are now rejected for the LDAP whitelist

Minor improvements

• The membership request for a CO is now deleted when a user accepts an invitation for the same CO
• A bug has been fixed that resulted in form data loss when entering a URL ending in a space
• The file size of Javascript for the SRAM GUI has been reduced somewhat, resulting in faster loading
• Minor security improvements

2022-11-17

Users

• Profiles for users that never had any activity, e.g., requesting a CO, becoming a member or admin, are now removed after two weeks
• Updates to Organisation, Collaborations and Groups are now shown in real time, without having to refresh the page in your browser
• Some texts were improved

Organisations

• CO labels can now be up to 32 characters long, and may contain dashes and underscores

API

• Fixed a bug in the Organisation API which allowed creation of CO labels with incorrect syntax

LDAP/SAML/OIDC

• Fixed a problem were the voPersonExternalAffiliation attribute stored multiple values as a single value containing comma-separated values, it is now correctly stored as a multivalued attribute
• Labels of collaborations are now included in the SAML assertion and OIDC claims as eduPersonEntitlements. These labels are expressed as URNs in the format urn:mace:surf.nl:sram:label:<orgname>:<coname>:<label>. Note that the eduPersonEntitlement claim now both includes groups and labels.
• Suspended collaborations are no longer included in eduPersonEntitlement in the SAML assertions and OIDC claims

PAM web login

• Logins via PAM web login are now registered as regular logins for users, so the expiry timer is reset as for regular SAML/OIDC logins
• Added experimental support for an alternative SSH flow which doesn't require users to enter, or even know, their username in advance. See the smart shell documentation for more information.

2022-10-20

Users

• The layout of invitation emails was improved
• User accounts which after being created remained inactive, i.e., they did not become a member of a collaboration and did not accept any AUP, are deleted after two weeks
• Modern SSH keys (hardware-backed EC keys) are now accepted as valid
• Collaborations which are about to be or already are suspended can now easily be renewed by the collaboration admin via a button displayed on the collaboration page
• The table displaying all collaborations for an organisation can now be sorted using the membership status column
• Group names can no longer start with a non-ASCII character.

Services

• Services now can have multiple API access tokens
• Service connections requests are now sent to the service admin in addition to the configured administrative contact address
• Fixed a bug where expired collaborations were shown in OIDC claims

Organisations

• The information visible to organisation administrators is more limited
• It is no longer possible to create collaborations with an expiry date in the past via the API
• Fixed a bug where collaborations created via a collaboration request were assigned a broken logo

Minor improvements

• Updates to icons in the UI
• Fixed column layout in collaboration overview
• Checkboxes are now squares instead of rectangles
• Fixed a bug were some labels had their text wrapped
• Use British date formats (dd/mm/yyyy) instead of US formats (mm/dd/yyyy)

PAM web login

• Changed the terminology "PIN" to "verification code"

2022-09-15

Users

• The profile of users who remain inactive within 14 days after first logging is now removed so their personal information is not needlessly stored
• The login/landing page for unauthenticated users has been redesigned to explain SURF Research Access Management to end users more clearly
• The welcome page for authenticated users without any memberships or admin roles now better explains what users can do
• On the error page for users who try to login to a service without authorization, service ID, user ID and time have been added for the user to refer to when asking for help

Services

• Service admins now have a details tabs to view and edit service properties, including the buttons to reset the LDAP password, AUP and API token
• Service admins can now edit which COs are connected to their service and which organisations are allowed to connect
• The 'service URL' has been split into a 'service login URL', where the user can login to the service and a 'service website URL' for information about the service
• In the 'service login URL' the variables {CO_short_name} en {username} can now be used. They are replaced by the appropriate values in the member view of a CO.
• Fixed a bug where the OIDC entitlement claim contained expired COs
• Most texts written for the service admin were reviewed, including the service admin invite email

Service groups

• The service group prefix was changed from '_' to '-', to prevent collisions with the user available underscore
• Groups provisioned by service groups now have 'Provisioned by service <service name>' prepended to their description
• The service group's short name is now displayed in the overview table and details page of a service group

Organisations

• Organisation admins and managers can now filter the table of collaboration by label
• Organisation admins and managers can now search for members of their collaborations
• Organisation admins and managers of restricted organisations can now see which services are mandatory for their organisation
• The examples in the API specifications for the organisation API have been updated
• Fixed a bug where the organisation API responded with an HTTP 500 error on trying to connect a service with a CO without a CO admin

Security

• Several security issues were fixed, some of them found by a security audit

PAM web login

• The newly developed PAM web login feature is now available as a beta. It brings federated authentication with SURF Research Access Management to the CLI (command line interface), as explained in a SURF communities blog.
• It is released in beta, which means it works, has been audited for security but some functionality may change and you need to contact sram-support@surf.nl to enable it.

Minor improvements

• For users with sufficient privileges, names of collaborations (and organisations) are now links to their respective pages
• URLs in forms are now validated
• Buttons on tables that require a selection are now hidden until a selection is made
• Organisation admins/managers and service admins can now leave their organisation or service by the drop down menu under their role name
• Many textual improvements were made
• Fixed a bug where the steps to accept a membership invitation were interrupted by a prompt to accept a changed service AUP for an unrelated CO
• Fixed a bug where a collaboration of a restricted organisation could connect with services not allowed to connect to restricted organisations
• Fixed a bug where typing a number as a first character in the field for the CO short name froze the GUI
• Fixed a bug where an unknown institution was displayed as '[[UNKNOWN]]'
• Fixed a bug where the top left logo on an error page redirected to a broken AUP page
• Fixed a bug where an invitations for CO membership could have the membership's expiration date set in the past

LDAP

• The privacy policy URL is now available as labeledURI
• Fixed a bug where COs with over 2000 members stopped LDAP updating
• Fixed a bug where changed attributes (like a member's name) where not updated in LDAP

2022-06-23

Two factor authentication

Starting this release all users are required to use two factor authentication to login to all web services and the SURF Research Access Management GUI. This requirement will be enabled first per SURFconext IdP, and then for all other IdPs.

• SURF Research Access Management will try to make sure a user has authenticated using two factors at their IdP. Unfortunately, this is not always possible.
• Whenever it is not certain a user has already authenticated using two factors, a fallback second factor will be presented to the user.
• This second factor is an unvetted TOTP, which must be set up the first time a user logs in.

Refer to the second factor authentication documentation for more information.

API for organisations

Organisations can now automate some aspects of collaboration management with an API:

• List collaborations of the organisation,
• Create a collaboration,
• Get collaboration details,
• Connect a service to collaboration,
• Invite members to a collaboration,
• Get invitation details.

Full API specifications are available on release. Refer to the documentation for the API for more information.

Labels for collaborative organisations

Labels may be useful for administration of an organisation's COs, or indicating to a services that (a set of) COs has certain properties.

• Collaborative organisations (COs) can now be labeled.
• Organisation managers and organisation admins can label.
• Labels are scoped on the CO's organisation.
• Labels are passed on to connected services via LDAP.

Service groups

Application groups are predefined groups that are automatically created in a collaboration when the service is connected to the collaboration. They enable service admins to make sure the required groups are available in collaborations that use the service, for example groups that define roles in the service. Service group short names are scoped on the service.

Improvements

• Session length for the GUI is now 24 hours. There used to be no limit to session duration.
• Fixed an issue where the IP address ranges for a service were not applied to the firewall.
• Fixed an issue where an LDAP password reset for a service were not applied to LDAP.

Minor improvements

• When opening an already used invitation, an explanation is shown that the invitation has most likely already been used. This used to be an error page without explanation.
• On many pages in the GUI, links can be opened in a new browser tab.
• On the service page, a column with the scoped shortname is displayed with organisations and collaborations.
• On the service page, a service admin is shown which collaborations use the service and which organisations have made the service mandatory.
• Fixed that when a service admin's email address is the same as the administrative contact, the email address would be shown twice.
• Fixed an issue that service admins were shown they were 'member' of their service.
• Fixed the count of linked collaborations in the services overview table.
• Fixed the description on the count of organisation admins in the organisation overview table.
• Fixed a rare issue that caused a user to become member of a collaboration twice.

LDAP

• Accepted service AUPs are available in LDAP per user in the voPersonPolicyAgreement attribute. When a service resets its AUP, its acceptance is removed for all users.
• Labels for collaborations are expressed in LDAP using the businessCategory attribute. See LDAP directory structure for more information.

2022-02-03

Service administration

• Providing a privacy policy is now mandatory for every service
• Services can optionally provide a URL to an acceptable use policy (AUP): if they do so, users will be asked to accept it before they can access the service.
• A new role was made available: service administrator.
• A new page was created to manage services. On that page a service administrator can:
  • View the service's properties.
  • Edit properties like its name, URL, privacy policy and acceptable use policy.
  • 'Reset' the AUP: pressing this button means all users have to accept the AUP again before they can login to the service. Useful if the AUP has changed. Note: only for web services.
  • View which organisations can use this service (not editable yet).

  • View which collaborations are eligible use this service and approve and decline connection requests for collaborations.

  • View LDAP information and reset the bind password.
  • Edit ACL IP-ranges. Due to a bug, this has no effect yet.
  • View the service's LDAP information and reset its bind password.
  • Note: service administrators cannot create or remove services yet.
• Services now have email address fields for an administrative contact, security contact and support contact. When left empty, the service admins' email addresses are used.
• A new type of service is introduced: token-based services. Refer to the Connect a token-based application documentation for more information.
• SURF can define default groups for a service. Groups with these names are automatically created when a collaboration connects to the service.

Major changes

• The service consent screen was removed. It is replaced by requiring users to agree to the service's AUP.
• On becoming member of a collaboration, users must accept all AUPs of services connected to the collaboration, provided that a service configured an AUP URL in SRAM. Users cannot authenticate to the service before agreeing (note: only for web services)
• The collaboration description is now mandatory. This description will be shown on the 'accept AUPs' page so it should contain a brief and clear description of the purpose of the collaboration.
• Users will no longer be able to authenticate to services if they are not member of any collaboration the service is connected to. Before, this basic check was the sole responsibility of the service.
• For SAML and OpenID Connect, there will be a change in the attributes that are sent to services: the value of the eduperson_principal_name attribute will change from the long platform identifier (e.g., 08882904f025223135313de0b919cb3d67bf4fbc@sram.surf.nl) to the short platform identifier (e.g., user3@sram.surf.nl). The long identifier will remain available in the eduperson_unique_id attribute and in the SubjectId (SAML) and sub (OpenID Connect). Services using eduperson_principal_name will need to be updated to this new behaviour. Refer to Attributes in SRAM for a complete overview of attributes.

Logging in and invitations

• The user experience of the registration flow for new users and the login flow for all users has been improved.
• The landing page for accepting an invitation has been restyled.
• The error message when trying to an already accepted invitation has been clarified.

GUI

• The end date for a membership is now editable directly from the members table.
• Many tabs now have a count to show the number of elements in its table.
• Show a warning on the page of a soon to expire or expired collaboration.
• Show a warning on the page of a collaboration for a member whose membership will expire shortly or has expired.
• By selecting multiple expired invitations, they can now be resent in batches.
• The 'open' buttons that were displayed on clickable table rows have been removed. Clicking the table row still opens the item's details page.
• Buttons to add an element to a table are now left aligned, to make their placement more predictable.
• For organisation admins, the toggles at the screen for mandatory services for an organisation are easier to understand. They now have two states, not three.
• Many minor improvements.

Minor improvements

• For collaboration admins, a collaboration's platform identifier is now displayed at its edit page.
• Reminder emails were restyled to be consistent with the other emails.
• The SURF Research Access Management AUP is now hosted on the SURF wiki.
• A check to prevent uploading an invalid SSH key was added.
• Fixed that in some cases trying to send an invite resulted in a HTTP 500 error.
• Fixed that in some cases two identical emails were sent for an event.

LDAP

• LDAP is now updated every 2 minutes, instead of every 5 minutes.
• A collaboration's URL and the URL of its logo are now available in LDAP as LabeledURI attributes.
• A user whose membership has expired is removed from the collaboration's groups in LDAP.
• Fixed a bug updating LDAP with groups with 500+ members.
• Fixed a bug where on changing an organisation's name it remained available in the LDAP flat tree under its former name.

2021-09-28

Major features

• The SRAM GUI is now available on https://sram.surf.nl/. The old address https://sbs.sram.surf.nl/ is redirected to the new address and will remain working.
• Added an optional expiration date to collaborations and collaboration membership: Expiration of membership and collaborations
• Implemented the deletion of users and collaborations after a year of inactivity: Deletion of inactive users and collaborations
• Multiple SSH keys per user profile are now supported
• Implemented a new authorization interface for SAML/OIDC logins. Users will no longer be able to authenticate at services that are not connected any collaboration the user is a member of. Please contact us if your service depends on the old behaviour.
• Added initial support for multi-factor authentication; this feature is disabled awaiting improvements to the initial registration flow

GUI

• Improvements to make a number of buttons, tooltips and messages easier to read; for example the buttons for services as a member sees them are now actual buttons.
• Expose public overview screens for Services. This overview is linked from next to the service button as a member sees them.
• The expiration date of an invitation is shown in the invitation overview screen
• Removed the join requests elements for collaboration for which join requests are disabled
• Language and terminology in the interface are now more consistent
• Fixed a number of errors occurring if the GUI state had changed since loading the page (e.g., when viewing an invitation that has been accepted in the mean time)

Minor improvements

• Unix usernames are no longer reused; even when a user is removed their username will not be reissued to another user
• Collaboration admins can now resend service connection requests
• Logos are serviced from separate URLs, so they can also be referenced externally
• Gracefully handle the case when a user’s attribute set as received from their IdP is incomplete
• Return only groups and collaborations of which a user is actually a member of in SAML and OIDC responses to connected services

LDAP

• Added the attribute voPersonStatus. For now, only the values ‘active’ and ‘suspended’ are supported.
• Users whose membership is expired or who are inactive are given the ‘suspended’ status. After 90 days they will be removed.
• The performance of the LDAP synchronization interface was improved

2021-06-08

Minor improvements

• Usernames are now never reused
• Added infrastructure for centralised logging
• Fixed errors when viewing/editing/resending invitations which have already been accepted
• Fixed sending of spurious suspend mails to users
• Fixed bug that caused users without certain attributes to not be able to login
• Fixed rate-limiting on API endpoints.
• Made some text on buttons easier to read

LDAP

• Added dedicated endpoint for synchronising LDAP database