...

4.2.0 (Unreleased)

Logout Changes

This release contains a few new options and optimizations that improve logout behavior and quiet noise in the logs; they are worth a review if you operate an IdP with a lot of SPs that do not support logout.

It includes an automatic behavioral change that tracks the endpoint used to deliver an assertion when starting a session, and uses that URL when selecting a logout endpoint to use if there are multiple endpoints spanning different virtual hosts or paths. The endpoint selected will contain the longest matching sequence of characters starting from the beginning of the URL(s). This approach is notably more compatible with Shibboleth SPs that are virtually hosted with a single entityID.
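The selection rule described above, sketched as an added example; this is not Shibboleth code. The function name, the literal character-by-character comparison, the tie-break by metadata order, and the sample URLs are all assumptions made for illustration.

```python
# Added illustration (not Shibboleth source): pick the logout endpoint that
# shares the longest leading run of characters with the URL the assertion
# was delivered to when the session started.
from os.path import commonprefix


def select_logout_endpoint(acs_url, logout_endpoints):
    """Return the logout endpoint with the longest common prefix, or None.

    An empty list models an SP whose metadata has no logout endpoints;
    per the release notes, no logout request is attempted in that case.
    Comparison is literal, and ties keep the first endpoint in metadata
    order (both are assumptions of this sketch).
    """
    best, best_len = None, -1
    for url in logout_endpoints:
        # commonprefix compares the strings character by character
        n = len(commonprefix([acs_url, url]))
        if n > best_len:
            best, best_len = url, n
    return best


# Constructed sample: one entityID spanning two virtual hosts.
VHOST_ENDPOINTS = [
    "https://app1.example.org/Shibboleth.sso/SLO/Redirect",
    "https://app2.example.org/Shibboleth.sso/SLO/Redirect",
]
VHOST_ACS = "https://app2.example.org/Shibboleth.sso/SAML2/POST"

# Constructed sample: one host, handlers under different paths.
PATH_ENDPOINTS = [
    "https://sp.example.org/Shibboleth.sso/SLO/SOAP",
    "https://sp.example.org/secure/Shibboleth.sso/SLO/SOAP",
]
PATH_ACS = "https://sp.example.org/secure/Shibboleth.sso/SAML2/POST"

if __name__ == "__main__":
    print(select_logout_endpoint(VHOST_ACS, VHOST_ENDPOINTS))
    print(select_logout_endpoint(PATH_ACS, PATH_ENDPOINTS))
```

With a single entityID spread over several virtual hosts, this keeps the logout request on the host where the session was actually established.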

Another automatic change eliminates attempts to issue logout requests to SAML 2.0 SPs whose metadata contains no logout endpoints. This should reduce the extra noise of EndpointResolutionFailed events in the log and improve performance.

A new property named idp.logout.assumeAsync can be enabled to handle SPs that can issue logout requests but do not properly handle inbound logout requests or responses. Enabling the option allows an IdP administrator who controls the SP's metadata to remove the broken logout endpoints from the metadata without preventing the handling of logout requests because of "unable to respond" failures.

A new property named idp.logout.propagationHidden can be enabled to hide the list of services and logout status during logout propagation. Enabling this will require other template changes to properly report the logout to the user but allows the logout propagation to be hidden without editing style sheets or changing system files.

Miscellaneous Changes

Display name and descriptive information associated with attributes used on the consent view is now determined in a just-in-time fashion. This reduces the processing needed for those flows and attributes which do not require consent. This change should be irrelevant unless you are using an externally-developed feature using the old (and now deprecated) APIs. Legacy behavior can be re-established by using the idp.service.attribute.resolver.suppressDisplayInfo property.

New Properties

  • idp.logout.assumeAsync

  • idp.logout.propagationHidden

  • idp.service.attribute.resolver.suppressDisplayInfo

New Beans

  • shibboleth.PlaintextNameIDFormats

New Messages

  • idp.logout.hidden

...

4.1.4 (July 27, 2021)

This is a patch release that supersedes V4.1.3 and fixes a regression introduced into that version.

4.1.3 (July 23, 2021)

...

Unfortunately it contains a regression that breaks the SAML proxying support, so please refer to the V4.1.4 release for the Duo fix, now available.

4.1.2 (May 27, 2021)

...