The Shibboleth IdP V4 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP5 wiki space for current documentation on the supported version.
ReleaseNotes
- 1 Upgrades MUST be done in place!
- 2 Upgrade Plugins First
- 3 Known Bugs
- 4 4.3.3 (April 15th, 2024)
- 5 4.3.2 (March 21, 2024)
- 6 4.3.1.4 (Windows only) (November 3, 2023)
- 7 4.3.1.3 (Windows only) (October 11, 2023)
- 8 4.3.1.2 (Windows only) (September 15, 2023)
- 9 4.3.1.1 (Windows only) (April 19, 2023)
- 10 4.3.1 (March 30, 2023)
- 11 4.3.0 (January 18, 2023)
- 12 4.2.1.1 (July 6, 2022)
- 13 4.2.1 (April 18, 2022)
- 14 4.2.0 (April 15, 2022)
- 15 4.1.7 (April 18, 2022)
- 16 4.1.6 (March 31, 2022)
- 17 4.1.5 (January 19, 2022)
- 18 4.1.4 (July 27, 2021)
- 19 4.1.3 (July 23, 2021)
- 20 4.1.2 (May 27, 2021)
- 21 4.1.0.1 (Windows only) (April 5, 2021)
- 22 4.1.0 (March 24, 2021)
- 23 4.0.1.2 (February 2, 2021)
- 24 4.0.1.1 (July 22, 2020)
- 25 4.0.1 (June 3, 2020)
- 26 4.0.0 (March 11, 2020)
Upgrades MUST be done in place!
If you are upgrading, PLEASE follow the directions on the Upgrading page and do NOT install the new version separately and then attempt to apply your old configuration files. You MUST upgrade "in place" by using an installation directory that contains a copy of the previously working configuration.
Failure to do so will result in a non-working system in the majority of cases because there are absolutely essential differences between the output of the installer in the two cases to prevent your configuration from being altered in unexpected ways.
This problem is exacerbated by the extent of the internal changes made to V4.1, and the results of combining old and new files without an extreme amount of effort will be unpleasant. It is urgent that people heed this warning and attempt to modernize settings (if at all) only after upgrading and verifying the behavior of the system.
Upgrade Plugins First
Less critically than the above warning, it’s advisable to upgrade any plugins you may have installed (meaning official plugins using the machinery introduced with V4.1 of the IdP) before upgrading the IdP itself, as this may prevent some extra warning noise in the log (or outright incompatibility issues noted by the installer). Upgrade and test those plugin features, and once those are validated, you can proceed to upgrade the IdP itself.
Please review these release notes before upgrading your system. You should review the notes for all the versions subsequent to the one you're running prior to upgrade, including referring back to older V3 notes.
Also be aware of the following issues regarding container or Java compatibility:
Known Bugs
These are known issues in the code that are likely to affect deployers and have yet to be fixed or that require some intervention because of how upgrades work.
IDP-1820: After Upgrading 4.0.1 to 4.1.0 on Tomcat 9, IDP won't deploy, global.xml not found (Closed)
This is a change required to web.xml for systems that have been upgraded from prior to V3.2 and have been maintaining their own copy of web.xml since then. The fix needed for this is documented below under V4.1.0 under Breaking Changes → Deployment Descriptor Issue.
IDP-1625: CSRF token missing in Duo cancel request hyperlink (Closed)
4.3.3 (April 15th, 2024)
This is a patch release to address a Spring Framework advisory: a repeat (actually the third occurrence) of the same URL parsing bug that resulted in the previous update. The bug impacts the CAS protocol support feature.
4.3.2 (March 21, 2024)
This is a patch release to roll up bug fixes and update dependencies on the old branch of the software, and is intended to be the final V4 release barring additional security issues requiring further releases. It addresses the Spring Framework bug noted in an advisory.
4.3.1.4 (Windows only) (November 3, 2023)
This is a service release of the Windows installation package which updates Jetty to 10.0.18, addressing a potential memory leak that might impact some deployers.
4.3.1.3 (Windows only) (October 11, 2023)
This is a service release of the Windows installation package which updates Jetty to 10.0.17, addressing security advisories issued by the Jetty Project. These vulnerabilities only impact use of HTTP/2, which is not supported by our delivered Jetty installation, but we are updating out of caution.
4.3.1.2 (Windows only) (September 15, 2023)
This is a service release of the Windows installation package which updates Jetty to 10.0.16, addressing security advisories issued by the Jetty Project.
4.3.1.1 (Windows only) (April 19, 2023)
This is a service release of the Windows installation package which updates Jetty to 10.0.15, addressing a pair of security advisories issued by the Jetty Project.
4.3.1 (March 30, 2023)
This is a patch release to address a pair of regressions (one serious).
https://shibboleth.atlassian.net/browse/IDP-2084
IDP-1685: Logout page does not auto-redirect to default action (Closed)
There are no other changes in this release.
4.3.0 (January 18, 2023)
This is a small(ish) feature release expected to wrap up work on the V4 branch. It contains some additional deprecation and at-risk warnings for features either scheduled for removal in V5 or being considered for removal in a future version. Please check your warning log regularly for these warnings to ensure that you aren’t caught off guard and that you have the opportunity to express any concerns regarding any at-risk features.
Changes to Existing Behavior
When proxying (i.e., using the SAML login flow feature), the IdP will now include a <Scoping> element in the request containing the original requesting SP's entityID. This is a requirement of the standard and was a bug by omission. In the event that you wish to suppress this behavior either out of concern for privacy or due to bugs on the part of other actors in the system, the ignoreScoping profile setting will suppress the generation of (and the evaluation of) the element altogether, though this is contrary to the standard.
A change was made to the feature allowing the IdP to auto-search for property files to load at startup. Prior to this version, if any directories under the search tree were unreadable due to access control, IdP startup would fail. With this release, the code is now trapping that error and startup continues, allowing this to be done deliberately to hide content from the IdP. Since this error can only be logged to the container’s log (it happens prior to the IdP starting up), it may be less obvious that it’s happening if it’s by mistake.
Deployers should ensure their containers are logging appropriately in some way (this is outside the scope of the IdP itself, though our Jetty examples do include it) and be aware there could be helpful information there.
Miscellaneous Changes
The most impactful change is a harbinger of a necessary adjustment that will be coming with V5.0 impacting any scripts or components that require injection of the HttpServletRequest or HttpServletResponse via the shibboleth.HttpServletRequest and shibboleth.HttpServletResponse beans, which are now deprecated in favor of a new pair of beans, shibboleth.HttpServletRequestSupplier and shibboleth.HttpServletResponseSupplier.
For the time being, uses of those beans will produce deprecation warnings, but they will be removed in V5.0. Remediating the warning requires adding the “Supplier” suffix to the end of the bean names at the point of injection, and then adding a call to get() in between the original reference to the bean and the servlet method called.
For example, this script line relying on the “custom” extension point to access the user agent string:
var ua = custom.getHeader("User-Agent");
becomes this (the only change is the additional indirection through the get() method):
var ua = custom.get().getHeader("User-Agent");
The quickest way to remediate the issue is to grep for the old bean names, adjust them wherever they’re spotted, and then track back to where they’re used (usually via scripts as in the above example) and add the indirection method.
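The grep pass described above can be scripted as follows. This is an added example, not part of the original release notes or the Shibboleth distribution: the function names and the sample files are constructed for illustration, and the second function assumes scripts reach the servlet object through the "custom" variable, as in the example line above.

```shell
#!/bin/sh
# Added example: locate uses of the deprecated servlet beans before V5.0
# removes them. The old names must not be followed by another name
# character, so the replacement "...Supplier" beans are not reported.
OLD_BEANS='shibboleth\.HttpServlet(Request|Response)([^A-Za-z0-9_]|$)'

# Print file:line:text for each reference to a deprecated bean under $1.
find_deprecated_servlet_beans() {
    grep -rnE "$OLD_BEANS" "$1" || true
}

# Heuristic for the follow-up step: script lines that call a method on
# "custom" directly instead of through get(). Review each hit by hand,
# since "custom" may hold an unrelated object.
find_direct_custom_calls() {
    grep -rnE 'custom\.[A-Za-z_]+\(' "$1" | grep -vE 'custom\.get\(\)' || true
}

# Constructed sample tree (not real IdP files) so the example runs offline.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/conf"
    cat > "$d/conf/old.xml" <<'EOF'
<bean id="Example.Old" p:customObject-ref="shibboleth.HttpServletRequest">
  <![CDATA[ var ua = custom.getHeader("User-Agent"); ]]>
</bean>
EOF
    cat > "$d/conf/new.xml" <<'EOF'
<bean id="Example.New" p:customObject-ref="shibboleth.HttpServletRequestSupplier">
  <![CDATA[ var ua = custom.get().getHeader("User-Agent"); ]]>
</bean>
EOF
    echo "$d"
}

# Demo run: only old.xml should be reported by either check.
tree=$(make_sample_tree)
find_deprecated_servlet_beans "$tree"
find_direct_custom_calls "$tree"
rm -rf "$tree"
```

Point both functions at the IdP installation directory instead of the sample tree to audit a real deployment; an empty result from the first function means no deprecated bean references remain.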
See also Moving to Suppliers for accessing HttpServlet Objects
New Features
Explicit support for Date/Time-valued Attributes (see