Please review these release notes before upgrading your system. You should review all the versions subsequent to the one you're running prior to upgrade.

3.2.3.1 (August 2, 2021)

A new version of the Windows installer was released to patch a couple of minor issues and regressions within the IIS module.

3.2.3 (July 6, 2021)

This is a patch update that fixes a regression in the RequestMap implementation introduced in V3.2.0. Earlier versions are not impacted by this bug but are, of course, subject to critical vulnerabilities, so this is now the only safe version to use.

3.2.2.2 (June 22, 2021)

A new version of the Windows installer was released updating the IIS module to correct a critical security vulnerability.

All Windows deployers on IIS should review the advisory and should update to this release at the earliest opportunity.

3.2.2.1 (May 26, 2021)

A new version of the Windows installer was released updating libcurl to the latest releases to address a security advisory fixed in curl 7.77.0.

3.2.2 (April 25, 2021)

This is a patch update that fixes a couple of bugs and addresses the security vulnerability described in this advisory.

3.2.1.1 (April 6, 2021)

A new version of the Windows installer was released updating OpenSSL and libcurl to the latest releases to address non-impactful security advisories associated with those updates.

3.2.1 (March 16, 2021)

This is a patch update that fixes a couple of bugs and addresses the security vulnerability described in this advisory.

3.2.0 (December 14, 2020)

This is a minor update that includes some minimal new functionality and addresses some bugs.

...

A few configuration settings have been renamed as part of the project's broader push to eliminate insensitive language from the code and some new deprecation warnings may be observed.

3.1.0.2 (August 31, 2020)

A new version of the Windows installer was released containing a Windows-only fix to the IIS module to address a security issue.

3.1.0.1 (April 14, 2020)

The version of the Windows installer was bumped to 3.1.0.1 to correct an issue with the initial installer and matches the code in the 3.1.0 release.

3.1.0 (April 13, 2020)

...

Additional changes have been applied to the default configuration (NOT upgrades) to harden the redirection behavior of the system to limit the use of the SP as an open redirector. A redirectLimit setting of exact has been added to the <Sessions> element.

Attribute Filtering Changes

...

The XML Schema for the core configuration was tightened to properly reject content such as empty XML Attributes. This was leading to crashes in some cases instead of being caught properly at startup. Some invalid configurations may have accidentally loaded successfully in prior versions but will be properly caught as invalid now.

3.0.4 (March 11, 2019)

A patch has been released to fix a number of minor issues and to address a security issue.

3.0.3 (December 19, 2018)

A patch has been released to fix a few more minor issues and to address a security issue.

3.0.2 (August 2, 2018)

...

Finally, the Windows installer includes an update to the xml-security-c library to 2.0.1.

3.0.1 (July 18, 2018)

A patch has been released to address a couple of serious regressions and a few minor nits. The xmltooling library was also updated to 3.0.1 as part of this release, and subsequently to 3.0.2 to correct a linking issue in the makefiles on non-Windows platforms.

3.0.0 (July 17, 2018)

...

SAML 1.1 support is not enabled by default; add back the string "SAML1" inside the <SSO> element to enable it.

Support for Attribute Queries is not enabled by default to eliminate a common source of confusion. This will impact behavior when interacting with out of date Shibboleth IdPs relying on SAML 1.1 without pushed attributes. Such systems should be migrated to SAML 2.0, but query support can be re-enabled if necessary by adding <AttributeResolver type="Query" subjectMatch="true"/> to the <ApplicationDefaults> element.

The default <TrustEngine> configuration (when nothing is specified, as in most cases) is now ExplicitKey-only and does not enable PKIX support.

...

In addition to these changes, some settings have different default settings based on whether the configuration file is an upgraded V2 file or a newly installed V3 file, based on the XML namespace of the file (further explained below).

Configuration Format and Compatibility

...

Thus, it is a relatively simple matter to "upgrade" one's configuration:

  1. With the original configuration, verify a working system, and check the log(s) for any DEPRECATED warnings.

  2. Fix any settings causing those warnings until they're gone.

  3. Update the namespace at the top of the file.

  4. Restart, test, and fix any straggling errors.

Most of the changed defaults noted above will not apply to such a migrated system since they depend on actual changes to the configuration, and the vast majority of deployments can simply do a bit of testing, make the bump, and be good to go.
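
A pre-upgrade check for the procedure above, as an added example that is not part of the release notes or the project's code: it lists DEPRECATED log lines and reports which configuration format a file uses and whether it explicitly sets the security-relevant options discussed in these notes (SAML1, query-based attribute resolution, redirectLimit, an explicit TrustEngine). The namespace URNs are not quoted on this page and are assumed from the SP configuration schema; the function names, sample configuration and log lines are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Configuration namespaces (assumed from the SP schema; not quoted on this page).
V2_NS = "urn:mace:shibboleth:2.0:native:sp:config"
V3_NS = "urn:mace:shibboleth:3.0:native:sp:config"

def deprecated_warnings(log_text):
    """Step 1: return the log lines that carry a DEPRECATED warning."""
    return [ln for ln in log_text.splitlines() if "DEPRECATED" in ln]

def audit_config(xml_text):
    """Report the file format and the settings whose V3 defaults changed.

    Only what is written in the file is reported; effective defaults still
    depend on whether the file is in the V2 or V3 namespace.
    """
    root = ET.fromstring(xml_text)
    ns = root.tag[1:].partition("}")[0] if root.tag.startswith("{") else ""
    tag = lambda name: f"{{{ns}}}{name}" if ns else name
    sso = root.find(f".//{tag('SSO')}")
    sessions = root.find(f".//{tag('Sessions')}")
    protocols = (sso.text or "").split() if sso is not None else []
    return {
        "format": {V2_NS: "V2", V3_NS: "V3"}.get(ns, "unknown"),
        "saml1_enabled": "SAML1" in protocols,
        "attribute_query": any(r.get("type") == "Query"
                               for r in root.iter(tag("AttributeResolver"))),
        "redirect_limit": sessions.get("redirectLimit") if sessions is not None else None,
        "explicit_trust_engine": root.find(f".//{tag('TrustEngine')}") is not None,
    }

# Constructed sample input: an upgraded V2-style file and three log lines.
SAMPLE_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions lifetime="28800" timeout="3600">
      <SSO entityID="https://idp.example.org/idp/shibboleth">SAML2 SAML1</SSO>
    </Sessions>
    <AttributeResolver type="Query" subjectMatch="true"/>
  </ApplicationDefaults>
</SPConfig>"""
SAMPLE_LOG = """2021-07-06 10:00:01 INFO Shibboleth.Config : sample startup line
2021-07-06 10:00:01 WARN Shibboleth.Config : DEPRECATED: sample legacy setting
2021-07-06 10:00:02 INFO Shibboleth.Listener : sample listener line"""

if __name__ == "__main__":
    print(len(deprecated_warnings(SAMPLE_LOG)), "DEPRECATED warning(s)")
    print(audit_config(SAMPLE_CONFIG))
```

A file that still reports SAML1 or query resolution as enabled, or no redirectLimit, after the namespace bump is worth a deliberate decision rather than an inherited one.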

...

Some syntax has been deprecated in V3. As a rule of thumb, if something is documented in this SP3 wiki space, then it is not deprecated. Otherwise a warning will usually be found in the log when the original configuration is used, and an error may occur if the configuration namespace is bumped.

Time permitting, a summary of deprecated options will be provided here.

  • Various plugins relying on external XML files or resources used to support a number of equivalent settings (e.g., fileuri) for specifying the local or remote resource, and these have been eliminated, with only path and url remaining. Sometimes the error messages can be obscure if you don't fix these up, but the warnings are clear when the V2 namespace is used, so always review those first.

Significant New Functionality

...

A new IIS plugin is available for recent (IIS7+) versions of IIS. This is a significant improvement on the older module:

  • It supports Server Variables rather than relying on HTTP Headers for the presentation of attributes, which eliminates a range of concerns and preventative overhead regarding header spoofing/smuggling.

  • It is significantly easier and less error prone to integrate into IIS.

  • It supports the optional preservation of post data.

  • It supports REMOTE_USER properly, and can be configured to support native IIS Role-based Authorization.

Stateless Clustering

A form of session recovery across clustered SP nodes using encrypted cookies is available. While making clustering much simpler, it does affect the behavior of logout in some cases, but it offers more flexibility for deployers willing to make trade-offs.

...