This topic describes the changes in this minor release of Single Sign‑On for VMware Tanzu Application Service.

For product versions and upgrade paths, see Upgrade Planner.

Long-term Support for Single Sign‑On for VMware Tanzu Application Service v1.14 and v1.15

Single Sign‑On v1.14 is a long-term supported (LTS) version. Single Sign‑On v1.14 is supported through April 2022.

Over the life cycle of Single Sign‑On v1.14, VMware releases security patches that occasionally include feature enhancements and maintenance updates.

For more information about Single Sign‑On v1.14 LTS, please contact your Account Team.

v1.14.16 (and v1.15.3 for Stemcell: Ubuntu Jammy)

Release Date: March 19, 2024

Maintenance Changes

Support changes:

  • None

Dependency upgrades in this release:

  • byte-buddy-1.12.23.jar
  • jackson-annotations-2.17.0.jar
  • jackson-databind-2.17.0.jar
  • jackson-dataformat-xml-2.17.0.jar
  • jackson-datatype-jdk8-2.17.0.jar
  • jackson-datatype-jsr310-2.17.0.jar
  • jackson-module-kotlin-2.17.0.jar
  • jackson-module-parameter-names-2.17.0.jar
  • json-path-2.9.0.jar
  • lang-tag-1.7.jar
  • nimbus-jose-jwt-9.24.4.jar
  • oauth2-oidc-sdk-9.43.3.jar
  • spring-aop-5.3.33.jar
  • spring-beans-5.3.33.jar
  • spring-context-5.3.33.jar
  • spring-core-5.3.33.jar
  • spring-expression-5.3.33.jar
  • spring-jcl-5.3.33.jar
  • spring-security-config-5.8.10.jar
  • spring-security-core-5.8.10.jar
  • spring-security-crypto-5.8.10.jar
  • spring-security-oauth2-client-5.8.10.jar
  • spring-security-oauth2-core-5.8.10.jar
  • spring-security-oauth2-jose-5.8.10.jar
  • spring-security-oauth2-resource-server-5.8.10.jar
  • spring-security-web-5.8.10.jar
  • spring-web-5.3.33.jar
  • spring-webmvc-5.3.33.jar
  • stax2-api-4.2.2.jar
  • tomcat-embed-core-9.0.86.jar
  • tomcat-embed-el-9.0.86.jar
  • tomcat-embed-websocket-9.0.86.jar
  • woodstox-core-6.6.1.jar

v1.14.15 (and v1.15.2 for Stemcell: Ubuntu Jammy)

Release Date: January 17, 2024

Maintenance Changes

Support changes:

  • None

Dependency upgrades in this release:

  • accessors-smart-2.5.0.jar
  • annotations-24.1.0.jar
  • checker-qual-3.37.0.jar
  • commons-io-2.15.1.jar
  • commons-logging-1.3.0.jar
  • commons-validator-1.8.0.jar
  • error_prone_annotations-2.21.1.jar
  • guava-32.1.3-jre.jar
  • jackson-annotations-2.16.1.jar
  • jackson-core-2.16.1.jar
  • jackson-databind-2.16.1.jar
  • jackson-dataformat-xml-2.16.1.jar
  • jackson-datatype-jdk8-2.16.1.jar
  • jackson-datatype-jsr310-2.16.1.jar
  • jackson-module-kotlin-2.16.1.jar
  • jackson-module-parameter-names-2.16.1.jar
  • jakarta.activation-1.2.2.jar
  • jakarta.activation-api-1.2.2.jar
  • jakarta.xml.bind-api-2.3.3.jar
  • jaxb-runtime-2.3.9.jar
  • json-path-2.8.0.jar
  • json-smart-2.5.0.jar
  • log4j-api-2.17.2.jar
  • log4j-to-slf4j-2.17.2.jar
  • logback-classic-1.2.13.jar
  • logback-core-1.2.13.jar
  • lombok-1.18.30.jar
  • micrometer-core-1.9.17.jar
  • prettytime-5.0.7.Final.jar
  • snakeyaml-2.2.jar
  • spring-aop-5.3.31.jar
  • spring-beans-5.3.31.jar
  • spring-boot-2.7.18.jar
  • spring-boot-actuator-2.7.18.jar
  • spring-boot-autoconfigure-2.7.18.jar
  • spring-boot-jarmode-layertools-2.7.18.jar
  • spring-context-5.3.31.jar
  • spring-core-5.3.31.jar
  • spring-expression-5.3.31.jar
  • spring-jcl-5.3.31.jar
  • spring-web-5.3.31.jar
  • spring-webmvc-5.3.31.jar
  • tomcat-embed-core-9.0.83.jar
  • tomcat-embed-el-9.0.83.jar
  • tomcat-embed-websocket-9.0.83.jar

v1.14.14 (and v1.15.1 for Stemcell: Ubuntu Jammy)

Release Date: November 06, 2023

Maintenance Changes

Support changes:

  • None

Dependency upgrades in this release:

  • bcprov-jdk18on-1.74.jar
  • jackson-annotations-2.15.3.jar
  • jackson-core-2.15.3.jar
  • jackson-databind-2.15.3.jar
  • jackson-dataformat-xml-2.15.3.jar
  • jackson-datatype-jdk8-2.15.3.jar
  • jackson-datatype-jsr310-2.15.3.jar
  • jackson-module-kotlin-2.15.3.jar
  • jackson-module-parameter-names-2.15.3.jar
  • lombok-1.18.30.jar
  • micrometer-core-1.9.16.jar
  • spring-aop-5.3.30.jar
  • spring-beans-5.3.30.jar
  • spring-boot-2.7.17.jar
  • spring-boot-actuator-2.7.17.jar
  • spring-boot-actuator-autoconfigure-2.7.17.jar
  • spring-boot-autoconfigure-2.7.17.jar
  • spring-boot-jarmode-layertools-2.7.17.jar
  • spring-context-5.3.30.jar
  • spring-core-5.3.30.jar
  • spring-expression-5.3.30.jar
  • spring-jcl-5.3.30.jar
  • spring-security-config-5.7.11.jar
  • spring-security-core-5.7.11.jar
  • spring-security-crypto-5.7.11.jar
  • spring-security-oauth2-client-5.7.11.jar
  • spring-security-oauth2-core-5.7.11.jar
  • spring-security-oauth2-jose-5.7.11.jar
  • spring-security-oauth2-resource-server-5.7.11.jar
  • spring-security-rsa-1.1.1.jar
  • spring-security-web-5.7.11.jar
  • spring-web-5.3.30.jar
  • spring-webmvc-5.3.30.jar
  • tomcat-embed-core-9.0.82.jar
  • tomcat-embed-el-9.0.82.jar
  • tomcat-embed-websocket-9.0.82.jar
  • woodstox-core-6.5.1.jar

v1.14.13

Release Date: August 24, 2023

Maintenance Changes

Support changes:

  • None

Dependency upgrades in this release:

  • spring-aop-5.3.29
  • spring-beans-5.3.29
  • spring-boot-2.7.14
  • spring-boot-actuator-2.7.14
  • spring-boot-actuator-autoconfigure-2.7.14
  • spring-boot-autoconfigure-2.7.14
  • spring-boot-jarmode-layertools-2.7.14
  • spring-context-5.3.29
  • spring-core-5.3.29
  • spring-expression-5.3.29
  • spring-jcl-5.3.29
  • spring-security-config-5.7.10
  • spring-security-core-5.7.10
  • spring-security-crypto-5.7.10
  • spring-security-oauth2-client-5.7.10
  • spring-security-oauth2-core-5.7.10
  • spring-security-oauth2-jose-5.7.10
  • spring-security-oauth2-resource-server-5.7.10
  • spring-security-rsa-1.0.12.RELEASE
  • spring-security-web-5.7.10
  • spring-web-5.3.29
  • spring-webmvc-5.3.29
  • bcpkix-jdk18on-1.73
  • bcprov-jdk18on-1.73
  • bcutil-jdk18on-1.73
  • micrometer-core-1.9.13
  • tomcat-embed-core-9.0.78
  • tomcat-embed-el-9.0.78
  • tomcat-embed-websocket-9.0.78

v1.14.12

Release Date: July 28, 2023

Maintenance Changes

Support changes:

  • By default, the Identity Service Broker deploys with the cflinuxfs4 stack. If that stack is not available, it deploys with cflinuxfs3.
  • cflinuxfs2 is no longer supported.

Dependency upgrades in this release:

  • None

v1.14.11

Release Date: July 14, 2023

Maintenance Changes

Dependency upgrades in this release:

  • Spring Boot is updated to v2.7.13.

v1.14.10

Release Date: March 29, 2023

New features

New features and changes in this release:

  • UAA Issuer URI exposed in the app’s VCAP_SERVICES environment variable: The identity service broker can now expose the UAA Issuer URI in the app’s VCAP_SERVICES environment variable. This feature is deactivated by default for backwards compatibility. You can enable it as part of the installation. For more information, see Install Single Sign‑On Using Tanzu Operations Manager.

Resolved Issues

This release has the following fix:

  • Configuring the clientAuthInBody attribute: You can now configure the clientAuthInBody attribute using the UI when configuring an OIDC identity provider. The checkbox in the UI is labeled Client Credentials in Request Body, and indicates that during a token request to the external identity provider, the client secret is sent in the body of the request. For more information, see client_secret_post in OpenID Connect Core 1.0, Section 9.
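The difference the Client Credentials in Request Body checkbox makes to a token request, shown as an added example (not UAA or Single Sign‑On code). It builds the same authorization-code token request with `client_secret_basic` and with `client_secret_post`; the client ID, secret, code and redirect URI are constructed sample values, and `build_token_request` and `redact_for_logging` are hypothetical helper names.

```python
import base64
from urllib.parse import parse_qsl, quote_plus, urlencode


def build_token_request(client_id, client_secret, code, redirect_uri, client_auth_in_body):
    """Return (headers, body) for an authorization-code token request."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = [("grant_type", "authorization_code"), ("code", code), ("redirect_uri", redirect_uri)]
    if client_auth_in_body:
        # client_secret_post: the credentials travel as form fields in the body.
        form += [("client_id", client_id), ("client_secret", client_secret)]
    else:
        # client_secret_basic: form-urlencode each value, join with ":",
        # then Base64-encode into the Authorization header (RFC 6749, 2.3.1).
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    return headers, urlencode(form)


def redact_for_logging(headers, body):
    """Mask the secret and the one-time code wherever they sit before logging."""
    safe_headers = {
        name: ("Basic REDACTED" if name.lower() == "authorization" else value)
        for name, value in headers.items()
    }
    fields = [
        (name, "REDACTED" if name in ("client_secret", "code") else value)
        for name, value in parse_qsl(body, keep_blank_values=True)
    ]
    return safe_headers, urlencode(fields)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    args = ("sso-demo-client", "s3cr:et/+", "sample-code", "https://app.example.com/cb")
    for in_body in (False, True):
        headers, body = build_token_request(*args, client_auth_in_body=in_body)
        print(in_body, redact_for_logging(headers, body))
```

With the checkbox enabled the secret is part of the request body, so request-body logging on anything between the two parties needs the same masking that header logging already gets.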

Maintenance Changes

No changes in this release.

Known Issues

This release has the following issue:

  • Authorization for Okta OpenID Connect (OIDC): When using an Okta OIDC provider, the roles claim in the ID token does not get populated with external identity provider (IdP) groups. This impacts the mapping of external IdP groups to scopes. Despite this limitation, you can still use Okta OIDC provider for authentication.

v1.14.9

Release Date: February 24, 2023

Resolved Issues

This release has the following fix:

  • The clientAuthInBody attribute now remains persistent during client updates through the UI.

Maintenance Changes

Changes in this release:

  • Non-breaking changes to comply with VMware’s inclusive language effort.

Dependency upgrades in this release:

  • Spring Boot is updated to v2.7.8.

Known Issues

This release has the following issue:

  • Authorization for Okta OpenID Connect (OIDC): When using an Okta OIDC provider, the roles claim in the ID token does not get populated with external identity provider (IdP) groups. This impacts the mapping of external IdP groups to scopes. Despite this limitation, you can still use Okta OIDC provider for authentication.

v1.14.8

Release Date: April 14, 2022

Maintenance Changes

Changes in this release:

Note: This does not mean prior versions were vulnerable. The Single Sign‑On tile uses Java 8, which is not vulnerable to this CVE, so this update is not necessary for secure operation. However, VMware has produced this maintenance release in order to:

  • Avoid false positives in security tools
  • Enable maximum customer confidence
  • Update the affected Spring libraries to alleviate concerns

Dependency upgrades in this release:

  • Spring Boot to 2.5.12

Known Issues

This release has the following issue:

  • Authorization for Okta OpenID Connect (OIDC): When using an Okta OIDC provider, the roles claim in the ID token does not get populated with external identity provider (IdP) groups. This impacts the mapping of external IdP groups to scopes. Despite this limitation, you can still use Okta OIDC provider for authentication.

v1.14.7

Release Date: January 14, 2022

Security fixes

Addresses log4j CVEs. The tile does not include log4j-core in supported versions, and all other log4j-related dependencies have been updated.

Dependency upgrades in this release:

  • Apache log4j-api to 2.17.1
  • Apache log4j-to-slf4j to 2.17.1
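One way to check a deployed archive against the statement above, as an added example that is not part of the product or these release notes: it lists the log4j jars nested in an archive, flags any `log4j-core`, and reports `log4j-api` or `log4j-to-slf4j` versions older than the 2.17.1 listed here. The `BOOT-INF/lib/` layout is the Spring Boot executable-jar convention and is assumed; the sample archive is constructed in memory, and the function names are hypothetical.

```python
import io
import re
import zipfile

# Matches nested jars such as BOOT-INF/lib/log4j-api-2.17.1.jar
LOG4J_JAR = re.compile(r"(?:^|/)(log4j-[a-z0-9-]+?)-(\d+(?:\.\d+)*)\.jar$")
PATCHED = (2, 17, 1)  # version the v1.14.7 entry upgrades to


def log4j_inventory(archive_bytes):
    """Map each log4j artifact nested in a jar/war to its version string."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as archive:
        for name in archive.namelist():
            match = LOG4J_JAR.search(name)
            if match:
                found[match.group(1)] = match.group(2)
    return found


def assess(inventory):
    """Return findings: log4j-core present, or API/bridge jars below PATCHED."""
    findings = []
    for artifact, version in sorted(inventory.items()):
        parsed = tuple(int(part) for part in version.split("."))
        if artifact == "log4j-core":
            findings.append(f"{artifact}-{version}: implementation jar present, review against log4j CVEs")
        elif parsed < PATCHED:
            findings.append(f"{artifact}-{version}: below 2.17.1, scanners may flag it")
    return findings


def build_sample(jar_names):
    """Constructed sample: an in-memory archive holding empty nested jars."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name in jar_names:
            archive.writestr(f"BOOT-INF/lib/{name}", b"")
    return buffer.getvalue()


if __name__ == "__main__":
    sample = build_sample(["log4j-api-2.16.jar", "log4j-to-slf4j-2.16.jar", "spring-core-5.3.31.jar"])
    for finding in assess(log4j_inventory(sample)):
        print(finding)
```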

Known Issues

This release has the following issue:

  • Authorization for Okta OpenID Connect (OIDC): When using an Okta OIDC provider, the roles claim in the ID token does not get populated with external identity provider (IdP) groups. This impacts the mapping of external IdP groups to scopes. Despite this limitation, you can still use Okta OIDC provider for authentication.

v1.14.6

Release Date: December 16, 2021

Security fixes

Addresses CVE-2021-44228. The tile does not include log4j-core in supported versions, and all other log4j-related dependencies have been updated.

Dependency upgrades in this release:

  • Apache log4j-api to 2.16
  • Apache log4j-to-slf4j to 2.16

Known Issues

This release has the following issue:

  • Authorization for Okta OpenID Connect (OIDC): When using an Okta OIDC provider, the roles claim in the ID token does not get populated with external identity provider (IdP) groups. This impacts the mapping of external IdP groups to scopes. Despite this limitation, you can still use Okta OIDC provider for authentication.

v1.14.4

Release Date: November 8, 2021

Maintenance Changes

Dependency upgrades in this release:

  • Spring Boot

Known Issues

This release has the following issue:

  • Authorization for Okta OpenID Connect (OIDC): When using an Okta OIDC provider, the roles claim in the ID token does not get populated with external identity provider (IdP) groups. This impacts the mapping of external IdP groups to scopes. Despite this limitation, you can still use Okta OIDC provider for authentication.

Resolved Issues

This release has the following fix:

  • The SSO service broker can handle apps without any environment variables in the Cloud Controller request payload.

v1.14.3

Release Date: July 13, 2021

Maintenance Changes

Dependency upgrades in this release:

  • Spring Boot
  • Apache Tomcat

Known Issues

This release has the following issues:

  • Authorization for Okta OpenID Connect (OIDC): When using an Okta OIDC provider, the roles claim in the ID token does not get populated with external identity provider (IdP) groups. This impacts the mapping of external IdP groups to scopes. Despite this limitation, you can still use Okta OIDC provider for authentication.

  • The SSO service broker can crash if apps do not have any environment variables in the Cloud Controller request payload: The workaround is to give the app a dummy value in its app manifest file to prevent null values.

v1.14.2

Release Date: February 11, 2021

Resolved Issues

This release has the following fix:

  • The number of external group mappings that you can manage through the UI has increased from 100 to 500.

Known Issues

This release has the following issues:

  • Authorization for Okta OpenID Connect (OIDC): When using an Okta OIDC provider, the roles claim in the ID token does not get populated with external identity provider (IdP) groups. This impacts the mapping of external IdP groups to scopes. Despite this limitation, you can still use Okta OIDC provider for authentication.

  • The SSO service broker can crash if apps do not have any environment variables in the Cloud Controller request payload: The workaround is to give the app a dummy value in its app manifest file to prevent null values.

v1.14.1

Release Date: December 23, 2020

Resolved Issues

This release has the following fix:

  • In Apps Manager, the Manage link for SSO service instances now links to the correct page for all instances. Previously, this link did not work for SSO service instances created with Single Sign‑On v1.8 or earlier.

    For an example of how the Manage link is used, see Monitor App Events.

Known Issues

This release has the following issues:

  • Authorization for Okta OpenID Connect (OIDC): When using an Okta OIDC provider, the roles claim in the ID token does not get populated with external identity provider (IdP) groups. This impacts the mapping of external IdP groups to scopes. Despite this limitation, you can still use Okta OIDC provider for authentication.

  • The SSO service broker can crash if apps do not have any environment variables in the Cloud Controller request payload: The workaround is to give the app a dummy value in its app manifest file to prevent null values.

v1.14.0

Release Date: December 4, 2020

Features

New features and changes in this release:

  • Removes the following from the SSO Operator Dashboard:

    • The internal user store is no longer configurable from the SSO Operator Dashboard. However, you can manage internal users using the UAA Command Line Client (UAAC). For more information, see Configuring Internal User Store.
    • The toggle to the legacy SSO Operator Dashboard is no longer available.
  • Ability to specify buildpack: Adds the ability to specify the buildpack that Single Sign‑On uses when it pushes its component apps.

    For more information, see Install Single Sign‑On Using Tanzu Operations Manager in Installing Single Sign‑On for VMware Tanzu Application Service.

Known Issues

This release has the following issues:

  • Authorization for Okta OpenID Connect (OIDC): When using an Okta OIDC provider, the roles claim in the ID token does not get populated with external identity provider (IdP) groups. This impacts the mapping of external IdP groups to scopes. Despite this limitation, you can still use Okta OIDC provider for authentication.

  • The SSO service broker can crash if apps do not have any environment variables in the Cloud Controller request payload: The workaround is to give the app a dummy value in its app manifest file to prevent null values.
