LogonBox is pleased to announce the immediate availability of LogonBox SSPR 2.4.5.
This release includes significant performance improvements to some database calls, greater control over when you can sync your users and changes to OTP email storage.
This release also introduces the ability to purchase licenses directly from within the product and now supports recurring subscriptions on a monthly or annual basis.
ACTION REQUIRED: You must review the OTP section below if you currently use the One-Time Password over email feature.
Significant UI performance improvements
By necessity, a busy LogonBox server will make several database calls, many of which are duplicate queries.
We have improved our database caching for these repeated queries, which has boosted UI responsiveness by roughly 500-600% in some instances (most notably on the Users page).
User Synchronization/Reconcile changes
User synchronization times are now more flexible than before. Previously, you could only configure x minutes between each partial sync and how many partial syncs there are before running a full one.
The scheduler now allows more flexibility for some often asked-for use cases (for example, only running a full sync once per day).
To do this, LogonBox now uses quartz cron expressions for the reconcile periods and has split this into two separate configurations, one for the partial syncs and the other for the full.
The default reconcile time is still every 4 hours, but with a cron expression, you now have much more control over your reconciles. (for example, if you wanted the syncs at the top of the hour or at a set time of day, this is now easy).
These new settings are available in User Directory->Configure User Database->Advanced->Schedule.
The default for the partial syncs (Reconcile Schedule Expression) is 0 0 0/4 * * ? (every 4 hours at the top of the hour)
The default for the full syncs (Full Reconcile Schedule Expression) is 0 0 20 * * ? (at 8 pm every day)
For more information on formatting a cron expression, please see here: https://www.quartz-scheduler.org/documentation/quartz-2.3.0/tutorials/crontrigger.html.
Changes to OTP via email
|Use Directory Email
|Save Email to Directory
|Will use the user’s email from your user directory. The system will ask for a user to enter an email if no email exists, but it will never save this email. Therefore, the user cannot set up their profile if no email is in the directory. We do not recommend using this combination.
|Will use the user’s email from your user directory; the system will ask a user to enter an email if no email exists and save it back to the directory. This combination is the most common use case.
|Will not use email from the directory. Instead, the service will prompt users to set an email and save it locally in LogonBox. This combination is the second common use case.
|This combination of settings does not make sense, and we do not recommend this combination.
New installations can now buy, upgrade and manage an ongoing subscription from within the main UI. Existing licenses will not immediately be synchronised, if you want to manage a license previously purchased from us via this new method please contact us and we can get your box connected to the new license server
When you need to upgrade, our system will automatically calculate the upgrade price, applying any upgrade discount automatically for a hassle-free upgrade.
You can directly upgrade from the web UI or the operating system.
To upgrade from the web UI, log on with your admin account, navigate to Server Status from the main dashboard and click Update. You may also be prompted automatically on login if you have Updates, Features & Licensing->Update Prompt turned on.
To upgrade from the operating system:
On Windows – download the new installer, run the installer, and follow the prompts.
On a LogonBox VM – from a shell, type in:
apt update apt upgrade
If you are still running a version before 2.3, you will need to perform some extra steps from the OS, as detailed here:
Our support team will upgrade Cloud customers over the coming week.
Here is a summary of the changes in this release.
- Various libraries updated to address vulnerability reports (commons-io, apache-tika, spring-framework, PostgreSQL (driver), metadata-extractor).
- Improvements to remote realm synchronization. Now scheduled to run at certain fixed times (using cron expressions) instead of intervals. Active directory has two schedules, one for partial and one for full.
- Significant performance improvements, mainly more database caching and fixing faulty caching (e.g. broken negative caching).
- There is a new cache status page on System Configuration->Caches.
- Sessions are now transient. If you restart a server, all sessions will be invalidated.
- Improvements to the job status page with meaningful job names.
- ON/OFF switch element changed to a different library to address a vulnerability scan report.
- Added a new task for Start Reconcile for use in Automations and Triggers.
- One Time Password configuration has been pulled into a single realm setting rather than per authentication module.
- Password expiry notification jobs can now be turned off by disabling the template (previously, the job still checked all users but didn’t email if disabled).
- When editing an AD user, searching in the Manager field now searches all users.
- Server now caches some calls from the Credentials Provider to improve performance/reduce load.
- Browser was not caching user icons on the User Database page.
- Show user status dates in the system or user-configured timezone.
- Fixed start-up order of encryption services, which may fail, particularly on 2.3 -> 2.4 upgrades.
- Delegated access to users now shows the correct users when using the “Users not logged on in 30 days” filter.
- Could not edit non-AD attributes when AD was in read-only mode.
- Various missing text localization keys added.
- Removed Excessive popup notification messages when sessions are invalidated.
- Fixed a problem with the Azure login module integration.
- SMS delivery was broken in some places; now fixed.
- Fixed a database cascade issue with shared password resources.
- Could not change graph type in perfmon extension dashboard.
- Some “flash” error notifications were being incorrectly suppressed.
- Fixed issue with firstName missing in message when sent to additional contact.
- Account linking messages were not working.
- Fixed an issue where a user could register only one Yubikey on a system from the user profile completion wizard.
- If configuration help text contained hyperlinks, changing the associated field would turn the link text back into raw HTML.
- Password last changed time now displayed in local server timezone.
- Reconcile hashes should no longer get out of sync and cause unnecessary full reconcile cache rebuilds.
- Fixed an issue where a group ID was being used in place of a user ID on reconciles, which would invalidate the cache.
- One Time Password authentication should now correctly save email addresses to the directory if the option Save to Directory is turned on.
- Create Password task now works as expected.
- Linux Secure Node clients are now showing again in the UI.
- Appearance menu now shows again when logged on to a cloud tenant as the tenant admins.
- Fixed an issue with a low default channel count in Secure Node.