...
A regression in all 4.x releases was identified in the way the Attribute-Based Subject C14N feature handles scoped attribute values such that only the value portion would be returned and used, ignoring the scope. For example, an eduPersonPrincipalName of “foo@example.org” would be returned as “foo”. This was easily fixed, but MAY impact existing behavior if the “broken” behavior were relied on. This can be remedied by adjusting the configuration to transform the scoped value back into an unscoped one but is something that could alter behavior following an upgrade until it’s addressed.
The support for auto-loading files that end in “.properties” was apparently broken in such a manner that the V4.1 releases may have excluded any file also named idp.properties regardless of location. The new version was fixed to properly handle all paths as unique regardless of filename and load such files, so you should NOT store any “backup” files or copies of your property files inside the conf tree. Note that the new release also logs any duplicate properties it detects for debugging. This will normally be sent to the container’s logging sink because it happens before the IdP is “started” enough to log things itself.
A long-standing design flaw was fixed so that deployers can configure inbound SAML profile interceptor flows without having to “repeat” a built-in interceptor flow that implements some of the inbound security handling logic. We are unaware of widespread (or any?) use of the inbound profile interceptor hook, but if it’s in use, there are possibly unneeded duplicate references to a flow ID such as “security/saml2-sso” or similarly-named flows that need to be removed. The duplicate reference will cause message replay failures because the flow will be run twice.
...