Versions Compared

Old Version 196

changes.mady.by.user Scott Cantor

Saved on

compared with

New Version 197

changes.mady.by.user Scott Cantor

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • https://shibboleth.atlassian.net/browse/IDP-1820

    • This is a change required to web.xml for systems that have been upgraded from prior to V3.2 and have been maintaining their own copy of web.xml since then. The fix needed for this is documented below under V4.1.0 under Breaking Changes → Deployment Descriptor Issue.

  • https://shibboleth.atlassian.net/browse/IDP-1625

    • This issue breaks the Cancel option in the Duo login flow when the CSRF feature is enabled. The fix is documented in the issue and can be applied directly to the duo.vm template. Since it involves a template, the fix is manual.

...

hideshow-if
userGroupsconfluence-usersspecialUsername@anonymousshibboleth-project
matchUsingany

4.2.0 (Unreleased)

System JIRAfilter=10035 truef52c7d31-6eab-3f0e-93c3-231b5754d506

Logout Changes

This release contains a few new options and optimizations to improve logout behavior and quiet noise in the logs, and are worth a review if you operate an IdP with a lot of SPs that do not support logout.

It includes an automatic behavioral change that tracks the endpoint used to deliver an assertion when starting a session, and uses that URL when selecting a logout endpoint to use if there are multiple endpoints spanning different virtual hosts or paths. The endpoint selected will contain the longest matching sequence of characters starting from the beginning of the URL(s). This approach is notably more compatible with Shibboleth SPs that are virtually hosted with a single entityID.

Another automatic change eliminates attempts to issue logout requests to SAML 2.0 SPs whose metadata contains no logout endpoints. This should reduce the extra noise of EndpointResolutionFailed events in the log and improve performance.

A new property named idp.logout.assumeAsync can be enabled to handle SPs that can issue logout requests but do not properly handle inbound logout requests or responses. Enabling the option allows an IdP administrator who controls the SP's metadata to remove the broken logout endpoints from the metadata without preventing the handling of logout requests because of "unable to respond" failures.

A new property named idp.logout.propagationHidden can be enabled to hide the list of services and logout status during logout propagation. Enabling this will require other template changes to properly report the logout to the user but allows the logout propagation to be hidden without editing style sheets or changing system files.

Miscellaneous Changes

Display name and descriptive information associated with attributes used on the consent view is now determined in a just-in-time fashion. This reduces the processing needed for those flows and attributes which do not require consent. This change should be irrelevant unless you are using an externally-developed feature using the old (and now deprecated) APIs. Legacy behavior can be re-estabished by using the idp.service.attribute.resolver.suppressDisplayInfo property.

New Properties

  • idp.logout.assumeAsync

  • idp.logout.propagationHidden

  • idp.service.attribute.resolver.suppressDisplayInfo

New Beans

  • shibboleth.PlaintextNameIDFormats

New Messages

  • idp.logout.hidden

...