September Update

The main highlight for this month is that we're going to be issuing an IdP patch, V3.4.5, probably next week. The bug isn't a major one but is an opportunity to ship a few fixes before V4, the most significant being IDP-1491, which allows binary LDAP attributes to work again on newer Java versions where the UnboundID code has to be used. I think we will also include some optional support for addressing the SameSite cookie issue for those deploying without Apache or other software that can more easily address the problem. We have an in-depth testing analysis here.

This should, once again, be the final V3 release barring any additional security issues.

I have completed work, more or less, on the revamped password validation support I described last month along with most of the basic documentation updates. We probably will be opening up the draft V4 documentation soon so people can see better what's coming, but we have more work to do on the release notes before that's going to be too helpful.

Support for a handful of new audit fields has been added, such as logging signed requests, encrypted assertions, and requested authentication context information. The default audit format for V4 is not decided at this point; I think we're open to suggestions there, but obviously it doesn't matter much for people upgrading.

An area of current study is making sure the "fail-fast" and connector validation behavior is more consistent across the various services and the attribute resolver, with regard to both the defaults and the settings themselves. This includes fixing the misleading errors that appear when services fail to start properly but are falsely attributed to the metrics support.

Most of the deprecated APIs and features have been removed from the master branches as we get closer to a release. I think the only real area of further revamp right now is probably the installer; everything else left is more around new features that we can more easily include or exclude based on the desired schedule.

We're still waiting on CentOS 8, but we're not going to spend much time on the SP again until that drops.