Please review these release notes before upgrading your system. You should review all the versions subsequent to the one you're running prior to upgrade.
Also be aware of the following issues regarding container or Java compatibility:
| Table of Contents |
|---|
4.0.0 and Later
See ReleaseNotes for information on the new major branch of releases.
...
The changes would only impact deployers in these cases:
Anybody copying one of the impacted login flows for private use, either directly or via adaptation into a substantially similar flow.
This is something we expect somebody might have done but is explicitly not supported because doing so would also involve references to non-API classes that are subject to change at any time so is already known to be unsafe across upgrades.
Anybody inheriting from the ExternalAuthentication class to provide an alternate concrete implementation of that class for use in a custom login flow.
This would be necessary if one were to build an alternate version of an external login flow without using non-public classes. We consider it unlikely because of the first bullet: people are taking the easy way out and copying the flows without regard for the correctness of that approach.
Anybody directly instantiating/adding an instance of the ExternalAuthenticationContext class to the profile request context tree.
This is also not something we would expect anybody to have done unless they had also duplicated other implementation classes or were, again, using implementation classes directly in an unsupported manner, so it's more likely to be a consequence of one of the first two.
Note that various third party login flow extensions are known to be impacted by this change and deployers will need to test those. Those flows generally have violated the API contract as mentioned above and will need to be modified in some cases to work with this patch release, contrary to normal assumptions about patch releases.
...
This is a patch update containing a number of bug fixes, primarily motivated by two issues in particular:
Changes to the HTTP Client code to correct an issue with client certificate authentication during TLS renegotiation.
A fix to the JPA StorageService to fail properly in the event that a case-insensitive database is used by mistake.
It also includes additional Java libraries that allow use of the UnboundID LDAP provider in place of JNDI, to work around a bug that occurs in newer Java versions. This change is not automatic, but switching providers can be accomplished with the use of a single property:
...
This property defaults to any pre-existing Ldaptive system property setting the provider class, or failing that, defaults to the JNDI provider for compatibility with current behavior.
3.4.3 (January 9, 2019)
| Jira Legacy | ||||||||
|---|---|---|---|---|---|---|---|---|
|
This is a patch update containing a fix for a regression in the TemplateAttributeDefinition caused by a late decision to deprecate the <SourceAttribute> construct and a regression in the "renew" feature for CAS.
3.4.2 (December 19, 2018)
| Jira Legacy | ||||||||
|---|---|---|---|---|---|---|---|---|
|
...
There's also a regression involving this particular deprecated feature that is fixed in V3.4.3. In the meantime, upgraded systems may need to update and replace the deprecated <Dependency> elements in any TemplateAttributeDefinition constructs to avoid running into
| Jira Legacy | ||||||||
|---|---|---|---|---|---|---|---|---|
|
3.4.1 (November 1, 2018)
| Jira Legacy | ||||||||
|---|---|---|---|---|---|---|---|---|
|
...
Several spurious or outright incorrect warnings have been suppressed, and a pair of regressions impacting upgrades have been corrected. Some warning-related issues remain and are documented under the V3.4.0 release.
3.4.0 (October 10, 2018)
| Jira Legacy | ||||||||
|---|---|---|---|---|---|---|---|---|
|
...
A regression exists in V3.3.0 that impacts deployers who are relying on the "condition" flow error/warning feature of the Password login flow to handle an expiring password condition. To ensure correct behavior, the patch that fixes
| Jira Legacy | ||||||||
|---|---|---|---|---|---|---|---|---|
|
...
In addition to the lists below, a variety of beans and properties have been added in support of these features:
The following new beans (or at least support/placeholders for them) have been added in this release:
shibboleth.HTTPResource
shibboleth.ResponseHeaderFilter
shibboleth.DefaultResponseHeaderMap
shibboleth.ResponseHeaderMap
shibboleth.ResponseHeaderCallbacks
shibboleth.X509TrustManager
shibboleth.DefaultParserPool
The following new properties have been added in this release (defaults in parentheses):
idp.hsts (max-age=0)
idp.frameoptions (DENY)
idp.csp (frame-ancestors 'none';)
idp.entityID.metadataFile (%{idp.home}/metadata/idp-metadata.xml)
idp.encryption.config (shibboleth.EncryptionConfiguration.CBC)
Don't change this without testing, you likely have lots of SPs that don't support AES-GCM.
idp.consent.attribute-release.userStorageKey (shibboleth.consent.PrincipalConsentStorageKey)
idp.consent.terms-of-use.userStorageKey (shibboleth.consent.PrincipalConsentStorageKey)
idp.replayCache.strict (true)
idp.xml.parserPool (shibboleth.ParserPool)
idp.audit.shortenBindings (false)
New Features
There are a large number but some of the most significant worth reviewing include:
HTTPConnector for web services integration in the attribute resolver (and all the various features that can be controlled via attributes)
Extensive customization of behavior through new metadata "tag" conventions
Non-browser Duo AuthAPI support for ECP clients
Improvements for embedding inline scriptlets in a variety of configuration scenarios, reducing the need for custom Spring beans
A new "attended startup" mode that prevents on-disk access to an unlocked or trivially encrypted private key
The ability to provision CAS services using SAML metadata for consistency and to support the new metadata-driven configuration mechanisms
Greatly enhanced context-check interceptor that can address multiple authorization scenarios at the same time
A new impersonation interceptor that supports advanced debugging or testing scenarios
Support for configurable trust for remotely accessed TLS-protected configuration resources and other HTTP client scenarios
Support for key pinning of LDAP connections (i.e., verifying only the LDAP server key, not certificate)
Support for inbound SAML 2 protocol requests for the SSO and logout profiles conveyed via the SAML 2 artifact binding.
An ldaptive system property, org.ldaptive.response.encodeCntrlChars, can be set to prevent unruly characters from appearing in the IdP's log files due to Active Directory.
Deprecation Warnings in Preparation for V4
...
This is a service release of the 3.3.1 Windows Installer that fixes an issue with new installs.(
| Jira Legacy | ||||||||
|---|---|---|---|---|---|---|---|---|
|
There is no other change, so users running 3.3.1 do not need to apply this update.
...
A regression exists in V3.3.0 that impacts deployers who are relying on the "condition" flow error/warning feature of the Password login flow to handle an expiring password condition. To ensure correct behavior, the patch that fixes IDP-1101
| Jira Legacy | ||||||||
|---|---|---|---|---|---|---|---|---|
|
3.3.0 (November 10, 2016)
| Jira Legacy | ||||||||
|---|---|---|---|---|---|---|---|---|
|
...
A regression exists in this release that impacts deployers who are relying on the "condition" flow error/warning feature of the Password login flow to handle an expiring password condition. To ensure correct behavior, the patch that fixes
| Jira Legacy | ||||||||
|---|---|---|---|---|---|---|---|---|
|
...
A bug in the ComputedIDDataConnector meant that salts containg leading or trailing spaces, and provided inline in the attribute resolver would have them stripped (which was incompatible with V2). If you want to keep generating values based on a trimmed salt, you need to change the salt appropriately and trim it yourself.
A weird issue bug that caused responses to be issued with missing signatures was corrected. If you encounter sporadic problems in older versions with SPs complaining about missing signatures, the issue will be corrected once you update.
...
The following new user-space configuration files have been added in this release. They will be installed in their default form when you upgrade.
The following new beans have been added in this release:
shibboleth.ParentFlowRegistry
shibboleth.FlowMap
shibboleth.DefaultFlowMap
shibboleth.FlowPatterns
shibboleth.DefaultFlowPatterns
shibboleth.DefaultRESTFlows
shibboleth.RESTFlows
shibboleth.StaticExplicitTrustEngine
shibboleth.StaticPKIXTrustEngine
The following new properties have been added in this release (defaults in parentheses):
idp.authn.rpui (true)
idp.storage.clientSessionStorageName (shib_idp_session_ss)
idp.storage.clientPersistentStorageName (shib_idp_persistent_ss)
New Features
- IDP-962 : A
A new framework for multi-factor authentication workflows is available, see MultiFactorAuthnConfiguration.
- IDP-1013 :
Official support for Duo iframe-based authentication, see DuoAuthnConfiguration.
- IDP-156 :
Account lockout and a simple REST interface to remove lockout records
- IDP-961 :
A new mechanism for enabling authentication to the IdP's own administrative functions.
- IDP-981 :
Ability to support multiple protected paths when using External login methods
- IDP-887 :
The Scripted Attribute Definition, DataConnector and Attribute Filters all gain a new script variable, "subject", with the Java Subject produced during authentication.
- IDP-926 :
The ContextDerivedAttributeAttributeDefinition allows arbitrary user attributes to be derived from the IdP's environment and the SubjectDerivedAttributeAttributeDefinition allows user atttributes to be derived from the Principals associated with an authenticated subject.
- IDP-966 :
Supported mechanism for overriding built-in webflow locations and registering flows automatically from a plugin library
- IDP-813 : Remove
Removed the need for separate 'dc:', 'enc:', and 'ad:' namespaces in the attribute-resolver file. Additionally, the ordering requirements on sub-elements has been removed.
Significant enhancements to the caching capability of the Dynamic metadata resolver, including caching across restarts
Support for local file-based dynamic resolution of metadata
3.2.1.1 (June 23, 2016) (Windows Only)
...
The upgrade process should maintain any customizations made to the Jetty environment via the supported property files. As always, if you need significant customizations you should be using a container you install and maintain separately.
3.2.1 (December 19, 2015)
| Jira Legacy | ||||||||
|---|---|---|---|---|---|---|---|---|
|
...
The following new beans have been added in this release:
3.2.0 (November 18, 2015)
| Jira Legacy | ||||||||
|---|---|---|---|---|---|---|---|---|
|
...
A new environment variable, IDP_BASE_URL, can be set to globally override the URL used to call the administrative flows from the command line tools. The default value has also been slightly adjusted to include the servlet context path, so it now defaults to "http://localhost/idp". If you have scripts that set the -u parameter to control this URL now, they may need to be adjusted (or may well no longer be needed). Note that using anything but localhost will generally require modifying conf/access-control.xml.
...
The following new user-space configuration files have been added in this release. They will be installed in their default form when you upgrade.
conf/mvc-beans.xml
The following new properties have been added in this release (defaults in parentheses):
idp.service.failFast (false)
idp.storage.htmlLocalStorage (false)
idp.consent.expandedMaxStoredRecords (0)
idp.consent.expandedStorageThreshold (1048576)
idp.entityID.metadataFile (%{idp.home}/metadata/idp-metadata.xml)
idp.webflow.timeout (30)
idp.webflow.maxConversations (5)
idp.authn.spnego.externalAuthnPath (/Authn/SPNEGO)
idp.fticks.algorithm (SHA-2)
The following new beans have been added in this release:
shibboleth.CustomViewContext (added in comment to conf/global.xml)
shibboleth.ClientStorageServices (added to conf/session-manager.xml)
shibboleth.IgnoredContexts (added to conf/authn/authn-comparison.xml)
shibboleth.authn.Krb5.ServicePrincipal (added to conf/authn/krb5-authn-config.xml)
shibboleth.authn.Krb5.Keytab (added to conf/authn/krb5-authn-config.xml)
shibboleth.authn.Password.RetainAsPrivateCredential (added to conf/authn/password-authn-config.xml)
shibboleth.authn.Password.ExtendedFlows (added to conf/authn/password-authn-config.xml)
shibboleth.authn.Password.PrincipalOverride (added to conf/authn/password-authn-config.xml)
shibboleth.authn.SPNEGO.EnforceRun (added to conf/authn/spnego-authn-config.xml)
shibboleth.authn.SPNEGO.Krb5.RefreshConfig (added to conf/authn/spnego-authn-config.xml)
shibboleth.authn.SPNEGO.Krb5.Realms (added to conf/authn/spnego-authn-config.xml)
shibboleth.KerberosRealmSettings (added to system/flows/authn/spnego-authn-beans.xml)
shibboleth.authn.X509.ClassifiedMessageMap (added to conf/authn/spnego-authn-config.xml)
shibboleth.JDBCPersistentIdStore (added to system/conf/saml-nameid-system.xml)
shibboleth.LogoutRequestAuditExtractors (added to conf/audit.xml)
shibboleth.DefaultLogoutRequestAuditExtractors (added to system/conf/audit-system.xml)
New Features
IDP-594: A new implementation of client-side data storage has been swapped in that is compatible with the prevous use of cookies, and allows a deployer to optionally enable new support for HTML local storage, which greatly expands the size of data that can be stored. In combination with that feature, it's possible to enable the session tracking properties related to logout while still avoiding the use of server-side state.
IDP-224: Our first true single logout implementation is now available, covering front-channel mixed SAML and CAS logout. Documentation on this feature will be developed subsequent to this release.
IDP-111: A new login flow supporting SPNEGO authentication with Kerberos has been added, thanks to a contribution by SWITCH.
IDP-114: The Kerberos login flow has been enhanced to support KDC verification using a service principal and keytab. New beans must be uncommented and configured to use this feature (see KerberosAuthnConfiguration).
IDP-624: The The order in which attributes are displayed to the user during attribute release consent is now configurable.
A new velocity context "attributeDisplayDescriptionFunction" is available to the attribute release consent screens. This is the language browser sensitive content of the <DisplayDescription> declared for the attribute in attribute-resolver.xml. See VelocityVariables for more details.
IDP-661: Two new MDC keys are added in support for logging. See the documentation.
IDP-808: The Filtering language has been simplified, allowing all parts to be specified in the same namespace thus obviating the need for afp: basic: and saml: (although the old syntax is still supported). In some cases the name for the Matcher of PolicyRule has been simplified. The complete mapping is given in AttributeFilterLegacyNameSpaceMapping.
IDP-774: All Velocity views gain a new context "custom" which is whatever is defined as the bean "shibboleth.CustomViewContext". Similarly, scripting subsystems gain a new injectable bean named "customObject" which is made available to scripts as the variable "custom". The custom syntax for the Scripted Attribute Definition, Scripted Data Connector and Scripted Matcher and Policy Rule are all extended to allow a new attribute "customObjectRef".
IDP-715: Plugins can add configuration by placing a Spring configuration file at /META-INF/net.shibboleth.idp/config.xml on the classpath for their jar. All copies of this file which are discovered will be loaded into the root context.
IDP-821: The Password login flow has been enhanced with support for sending the user into other login flows instead of returning its own result, allowing the offer of stronger methods at the same time the password prompt is available. See the documentation on this "Extended Flow" feature.
IDP-840: F-TICKS logging is now explicitly supported.
IDP-852: The default logging configuration has been redesigned to make use of property variables. These changes will not be installed during upgrades but may be reviewed afterwards in case they're of interest.
The LDAP and RDBMS data connectors have been enhanced to avoid repeated attempts to connect to failed data sources for a configurable period of time to improve failover performance. The new noRetryDelay setting enables this feature.
Miscellaneous Fixes
IDP-666: To To enable internationalization of messages displayed to users, the charset used when parsing message source property files has been changed to UTF-8.
IDP-685: The onlyIfRequired attribute as supplied to the MappedAttributeInMetadata and AttributeInMetadata filters was wrongly defaulting to false. This has been changed and it now defaults to true.
IDP-729: The restriction on sourcing persistent NameID values from a released attribute has been fixed and now defaults to allowing unreleased attribute sources since the value is not exposed directly.
IDP-780: A regression was corrected so that SP requests for the "unspecified" AuthnContext class are ignored, consistent with V2 behavior. A bean was added to allow the set of ignored values to be configured for advanced cases or to override this change.
IDP-782: In attribute filter construction, AND and OR Matchers and PolicyRules can have a single child Matcher (or Rule)
IDP-785: A regression was corrected so that attributes with more than one compatible AttributeEncoder attached appear once for each encoder in the resulting SAML AttributeStatement.
JSE-15: The preferred way of specifying the backing file to the FileBackedHTTPResource is via the backingFile constructor parameter. The resource parameter still works but has been deprecated. See the documentation.
...
Notable bugs which have been addressed are:
IDP-703: In previous releases, Failover data connectors did not work. This is fixed.
IDP-666: Allow non Iso-Latin-1 characters in message files
IDP-682: The ProfileRequestContext is now available to scripts as profileContext
3.1.1.2 (Mar 31, 2015) (Windows Only)
This is a service release of the 3.1.1 Windows Installer that fixes a bug (IDP-668) that was preventing proper upgrades of the installer. It is not a change to any of the supplied software, and is only relevant for new upgrades, or for anybody having problems with the upgrade process.
As part of this fix, it's important to note that any changes made directly to the webapp folder's contents after installation do not survive across upgrades. Any such changes must be made to the edit-webapp tree designed for that purpose.
3.1.1 (Mar 26, 2015)
| Jira Legacy | ||||||||
|---|---|---|---|---|---|---|---|---|
|
...
This release contains a fix for the issue described in the security advisory issued on March 26, 2015. Apart from upgrading, no other actions are required to address the issue.
A bug (IDP-646) was fixed where the maxValidityInterval of the RequiredValidUntil metadata filter was incorrectly interpreted in milliseconds rather than seconds if a duration was specified as a number rather than a duration string.
A bug (IDP-642) was fixed that prevented use of the schema validation metadata filter.
A bug (IDP-635) was fixed that ignored languages preferred by the browser when displaying attributes during consent to attribute release.
A bug (IDP-651) was fixed that prevented the idp.session.consistentAddress property from being turned off.
A bug (IDP-654) was fixed that prevented the use of configuration properties to set return attributes in the LDAP data connector configuration.
Several bugs in CAS protocol support were fixed: IDP-614 (integration), IDP-658 (error handling), IDP-659 (concurrency).
An improvement to the messages/error-messages.properties file was made in the way that runtime exception messages are rendered, so updating to the most recent version of this file is suggested, or alternatively just copying over the updated runtime-error.message property.
3.1.0 (Mar 10, 2015)
| Jira Legacy | ||||||||
|---|---|---|---|---|---|---|---|---|
|
...
The following new properties have been added in this release (defaults in parentheses):
idp.replayCache.StorageService (shibboleth.StorageService)
idp.artifact.StorageService (shibboleth.StorageService)
idp.attribute.resolver.LDAP.searchFilter ("(uid=$requestContext.principalName)")
The following new beans have been added in this release:
shibboleth.AuthenticationPrincipalWeightMap (added to conf/authn/general-authn.xml)
Miscellaneous Fixes
This is a bug fix release addressing IDP-573 which corrected release corrects a serious bug in the attribute resolver required the addition of new public APIs, necessitating a minor version change, but this is not a significant feature upgrade. A few new properties and Spring beans have been added, and these are denoted in the documentation with the superscript 3.1 to distinguish them. Anything so denoted will be ignored or fail if used with an earlier version. (This convention will be used going forward to denote anything introduced with new releases.)
...
A new "map" bean was added to conf/authn/general-authn.xml to address
| Jira Legacy | ||||||||
|---|---|---|---|---|---|---|---|---|
|
Per IDP-580, a A syntax introduced in V3.0 to declare <security:TrustEngine> elements inside <metadata:MetadataProvider> elements has been deprecated in favor of declaring the trust engine element directly within a metadata:SignatureValidation MetadataFilter, which is the only current filter plugin that supports such an object. The deprecated syntax will likely be removed promptly due to its limited usefulness and very recent introduction.
A bug (IDP-585) was fixed that prevented the use of caching in the attribute resolver. In conjunction with this fix, the deprecated cacheResults LDAP/RDBMS data connector attribute is no longer honored (and a warning emitted). The <dc:ResultCache> and <dc:ResultCacheBean> elements are now the only supported mechanism for configuring caching.
Several bugs (IDP-588) were fixed to support using server-side storage such as MySQL or other databases for storage of consent decisions.
Per IDP-560, the The default/example view templates include a few improvements, so you may wish to review those changes if you have a previous install, as the original files will not be overwritten.
...
As noted on the WindowsInstallation page, service releases (represented by the fourth version number) do not indicate an actual update to the Shibboleth software, only to third party components we support.
3.0.0 (Dec 22, 2014)
This is the first release of the third-generation Identity Provider software. The key documentation links are located on the IDP30 space Home page, such as SystemRequirements, Installation, and UpgradingFromV2 material.
...
Significant changes in behavior from previous releases:
The default signing/digest algorithms in this version have changed from SHA-1 to SHA-256. This can be adjusted per-SP or globally, see SecurityConfiguration.
This version restores the original V2 defaults as pertains signing behavior, and defaults to signing responses and not assertions. This is now best practice with SAML, but later versions of V2 contain altered defaults that match what was (at the time) the best practice of signing the assertion instead. Signing the response mitigates attacks against XML Encryption, though in practice these mitigations are of little use unless SPs actually require signed responses, and few if any do so. Use what works for the SPs you have to interoperate with.
A change was made to the process of selecting the format of NameIdentifier included in assertions. A
<NameIDFormat>element in an SP's metadata containing "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" is no longer evaluated when selecting the format to use. Selecting that format requires supplying anameIDFormatPrecedenceproperty in the RelyingPartyConfiguration (both the legacy and current formats allow this).