simplesamlphp-changelog.md

SimpleSAMLphp changelog
=======================

[TOC]

This document lists the changes between versions of SimpleSAMLphp.
See the upgrade notes for specific information about upgrading.

## Version 2.0.0

Released 1-7-2022

  * Support for certificate fingerprints was removed
  * Support for SAML 1.1 was removed
  * Old-style PHP templates were removed
  * Old-style dictionaries were removed
  * The default value for attrname-format was changed to 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
    to comply with SAML2INT
  * core:PairwiseID and core:SubjectID authprocs no longer support the 'scope' config-setting.
    Use 'scopeAttribute' instead to identify the attribute holding the scope.
  * Accepting unsolicited responses can be disabled by setting `enable_unsolicited` to `false` in the SP authsource.
  * Certificates and private keys can now be retrieved from a database

## Version 1.19.6

Released 1-7-2022

  * Fix several translations (#1572, #1573, #1577, #1578, #1603)
  * Fix HTTP status code for error pages (#1585)
  * \SimpleSAML\Utils\HTTP::getFirstPathElement() was marked deprecated
  * Bumped twig and minimist dependencies due to known vulnerabilities (CVE-2022-23614 and CVE-2021-44906)
  * Minor fixes to the old UI (#1632)
  * Fix several translations (#1572, #1573, #1577, #1578)

### saml2 library
  * A mis-use of a constant was fixed (#249) that caused an error with HTTP-Artifact binding.

### metarefresh
  * Added regex-template config keyword to apply a template to entityIDs matching a pattern. (v0.10)

## Version 1.19.5

Released 24-01-2021

  * Fix composer-file to prevent warnings
  * Fix database persistence (#1555)
  * Dropped dependency on jquery-ui and selectize

### adfs
  * Bump the module version to the 1.0.x branch;  the 0.9 branch only works with versions before 1.19

### saml2 library
  * Fix an issue with PHP 7.x support that was introduced in 1.19.4 (#1559)

## Version 1.19.4

Released 13-12-2021

### core
  * Fix translations for included templates (i.e. metadata not found error)

### ldap
  * Added the possibility to escape the additional search filters that were introduced in 1.19.2

### saml2 library
  * The library has been quick-fixed to support PHP 8.1 (#1545)

### metarefresh
  * Reverted an unintended update of the module. The v1,0-branch is intended for use with SSP 2.0 (dev-master) only

## Version 1.19.3

Released 2021-10-28

  * Fixed a wrong variable name introduced in v1.19.2 (#1480) that rendered the PHP session handler useless.

## Version 1.19.2

Released 2021-10-27

  * Restored PHP 8.0 compatibility (#1461), also on the saml2 library (v4.2.3)
  * Revert #1435; should not have ended up in a bugfix release. If you need the authproc-filters, please install the
    simplesamlphp-module-subjectidattrs module.
  * Fixed a bug in the logger that would break encoded urls in the message
  * Return a proper HTTP/405 code when incorrect method is used (#1400)
  * Fixed the 'rememberenabled' config setting of the built-in IdP discovery.
  * Fixed a bug where code from external modules would run even though the module is explicitly enabled (#1463)
  * Fix unsolicited response with no RelayState (#1473)
  * Fix statistics being logged despite a configured loglevel that excludes statistics.
  * Fixed an issue with the PHP session handler (#1480, #1350, #1478) causing superfluous log messages.
  * Fixed the MetaDataStorageHandlerPdo for MySQL backends (#1392)
  * Use getVersion instead of getStats to determine whether a memcache-server is up (#1528)

### adfs
  * Fixed several issues that rendered the old UI useless for this module (v0.9.8)

### admin
  * Fix warning in FederationController (#1475)
  * Fix displayed metadata for hosted entities differing from actual metadata.

### consent
  * Add possibility to set the sameSite flag on cookies set by this module (v0.9.7)

### discopower
  * Fixed a dependency issue that caused the module to not install under some PHP-versions (v0.10.0)

### ldap
  * Added search-filters to AttributeAddUserGroups and made the return-attribute configurable (v0.9.11)

### negotiate
  * Fixed a regression that rendered the new UI useless for this module (v0.9.11)

### sqlauth
  * Fixed a bug that rendered the module useless due to missing use-statements.

## Version 1.19.1

Released 2021-04-29

  * Added authproc-filters for generating the subject-id and pairwise-id (#1435)
  * Restore support for custom error messages (#1326)
  * Fixed a bug in the Artifact Resolution Service (#1428)
  * Fixed compatibility with Composer pre 1.8.5 (Debian 10) (#1427)
  * Updated npm dependencies up to April 23, 2021
  * Fixed a bug where it was impossible to set WantAssertionsSigned=true on SP-metadata (#1433)
  * Make inResponseTo available in state array (#1447)

### admin
  * Fixed a bug in the metadata-coverter where the converted metadata would contain newline-characters

### authorize
  * Fix a bug in the Twig-template that causes an exception in Twig strict vars mode

### memcacheMonitor
  * Fix a bug in the Twig-template that causes an exception on newer Twig-versions

### negotiate
  * Fix a bug that was breaking the module when using the old UI

### oauth
  * Fixed a namespace bug that was breaking the module

### statistics
  * Fix a bug in the Twig-template that causes an exception on newer Twig-versions

### sqlauth
  * Fix a security bug where in rare cases the database user credentials would be printed in exception messages

## Version 1.19.0

Released 2021-01-21

  * This version will be the last of the 1.x branch and will provide a migration path to our new
    templating system, routing system and translation system.
  * SAML 1 / Shib 1.3 support is now marked deprecated and will be removed in SimpleSAMLphp 2.0.
  * Raised minimum PHP version to 7.1
  * Dropped support for Symfony 3.x
  * Update the SAML2 library dependency to 4.1.9
  * Fix a bug where SSP wouldn't write to the tmp-directory if it didn't own it, but could write to it (#1314)
  * Fixed several bugs in saml:NameIDAttribute (#1245)
  * Fix artifact resolution (#1343)
  * Allow additional audiences to be specified (#1345)
  * Allow configurable ProviderName (#1348)
  * Support saml:Extensions in saml:SP authsources (#1349)
  * The `attributename`-setting in the core:TargetedID authproc-filter has been deprecated in
    favour of the `identifyingAttribute`-setting.
  * Filter multiauth authentication sources from SP using AuthnContextClassRef (#1362)
  * Allow easy enabling of SameSite = 'None' (#1382)
  * Do not accept the hashed admin password for authentication (#1418)

## Version 1.18.8

Released 2020-09-02

  * Fixed Artifact Resolution due to incorrect use of Issuer objects (#1343).
  * Fixed some of the German translations (#1331). Thanks @htto!
  * Harden against CVE-2020-13625;  this package is not affected, but 3rd party modules may (#1333).
  * Harden against several JS issues (npm update & npm audit fix)
  * Fixed inconsistent configuration of backtraces logging
  * Support for Symfony 3.x is now deprecated
  * Support for Twig 1.x is now deprecated

### authcrypt
  * The dependency for whitehat101/apr1-md5 was moved from the base repository to the module (v0.9.2)

### authx509
  * Restore PHP 5.6 compatibility (v0.9.5)

### cron
  * Fixed old-ui (#1248)

### ldap
  * Moved array with binary attributes to authsource config (v0.9.9)
    Instead of having to edit code, you can now set 'attributes.binary' in the authsource configuration.

### metarefresh
  * Add attributewhitelist to support e.g. R&S+Sirtfi (v0.9.5)
  * Restore PHP 5.6 compatibility (v0.9.6)

### negotiate ###
  * Restore PHP 5.6 compatibility (v0.9.8)
  * Fixed a link (v0.9.9)

### saml2 library
  * Fixed a bug in the AuthnRequest-class that would raise an InvalidArgumentException when setting
      the AssertionConsumerServiceIndex as an integer on an saml:SP authsource.
      Thanks to Andrea @ Oracle for reporting this.

## Version 1.18.7

Released 2020-05-12

  * Fix spurious warnings when session_create_id() fails to create ID (#1291)
  * Fix inconsistency in the way PATH_INFO is being used (#1227).
  * Fix a potential security issue [CVE-2020-11022](https://nvd.nist.gov/vuln/detail/CVE-2020-11022) by updating jQuery. If any of your custom modules rely on jQuery,
      make sure you read the following [update notes](https://jquery.com/upgrade-guide/3.5/), since jQuery has solved this in a non-BC way (#1321).
  * Fix incorrect Polish translations (#1311).
  * Fix a broken migration query in the LogoutStore (#1324).
  * Fix an issue with the SameSite cookie parameter when running on PHP versions older than 7.3 (#1320).

### adfs
  * Fixed a broken link to one of the assets (v0.9.6).

### ldap
  * Handle binary attributes in a generic way (v0.9.5).

### oauth
  * Fix PHP 7.4 incompatibility (v0.9.2).

### preprodwarning
  * Fix Dutch translations (v0.9.2).

### sanitycheck
  * Fix broken HTML (v0.9.1).

### saml
  * Fix several issues in the saml:NameIDAttribute authproc filter (#1325).

### saml2 library
  * fixed a standards compliance issue regarding ContactPerson EMail addresses (v3.4.4).
  * fixed an issue parsing very large metadata files (v3.4.3).

## Version 1.18.6

Released 2020-04-17

  * Fix source code disclosure on case-insensitive file systems. See
    [SSPSA 202004-01](https://simplesamlphp.org/security/202004-01).
  * Fix spurious error in logs when using a custom theme (#1312).
  * Fix broken metadata converter (#1305).

## Version 1.18.5

Released 2020-03-19

  * Make the URLs for the cron module work again (#1248).
  * Email error reports now include metadata again (#1269).
  * Fix exampleauth module when using the legacy UI (#1275).
  * Fix authorize module when using custom reject message.
  * Documentation improvements.
  * Fix connection persistence for deployments that switched to memcached.

## Version 1.18.4

Released 2020-01-24

  * Resolved a security issue in email reports. See
    [SSPSA 202001-01](https://simplesamlphp.org/security/202001-01).
  * Resolved a security issue with the logging system. See
    [SSPSA 202001-02](https://simplesamlphp.org/security/202001-02).
  * Fixed SQL store index creation for PostgreSQL.
  * Handle case where cookie 'domain' parameter was not set.
  * Update versions of included JavaScript dependencies.

## Version 1.18.3

Released 2019-12-09

  * Fixed an issue with several modules being enabled by default (#1257).
  * Fixed an issue with metadata generation for trusted entities (#1247, #1251).

### ldap
  * Fixed an issue affecting the installation in case-insensitive file systems (#1253).

## Version 1.18.2

Released 2019-11-26

  * Fixed an issue with the `ldap` module that prevented installing SimpleSAMLphp from the repository (#1241).

## Version 1.18.1

Released 2019-11-26

   * Fixed an issue that prevented custom themes from working (#1240).
   * Fixed an issue with translations in the discovery service (#1244).
   * Fixed an issue with schema validation.

## Version 1.18.0

Released 2019-11-19

  * Fixed an issue with warnings being logged when using PHP 7.2 or newer (#1168).
  * Fixed an issue with web server aliases or rewritten URLs not working (#1023, #1093).
  * Fixed an issue that prevented errors to be logged if the log file was not writeable (#1194).
  * Fixed an issue with old-style NameIDPolicy configurations that disallowed creating new NameIDs (#1230).
  * Resolved a security issue that exposed host information to unauthenticated users. See
    [SSPSA 201911-02](https://simplesamlphp.org/security/201911-02).
  * Replaced custom Email class with the phpmailer library.
  * Allow logging to STDERR in the `logging.handler` option by setting it to `stderr`.
  * Allow use of stream wrappers (e.g. s3://) in paths.
  * Improved 'update or insert' handling for different SQL drivers.
  * The default algorithm within the TimeLimitedToken class has been bumped from SHA-1 to SHA-256
    as announced by deprecation notice in 1.15-RC1.
  * Most modules have been externalized. They will not be included in our future releases by default,
    but will be easily installable using Composer. For now, they are still included in the package.
  * Many minor fixes to code, css, documentation

### metarefresh
  * The algorithm to compute the fingerprint of the certificate that signed
    metadata can be specified with the new `validateFingerprintAlgorithm`
    configuration option.

### saml
  * Make the id of the generated signed metadata only change when metadata content changes.
  * New SP metadata configuration options `AssertionConsumerService` and `SingleLogoutServiceLocation`
    to allow overriding the default URL paths.
  * Added support for per-IDP configurable `AuthnContextClassRef`/`AuthnContextComparison`.

## Version 1.17.8

Released 2019-11-20

  * Resolved a security issue that exposed host information to unauthenticated users. See
    [SSPSA 201911-02](https://simplesamlphp.org/security/201911-02).

### consentAdmin

  * Fixed an issue with CSS and JavaScript not loading for the module in the new user
    interface.

## Version 1.17.7

Released 2019-11-06

  * Resolved a security issue that allows to bypass signature validation. See
    [SSPSA 201911-01](https://simplesamlphp.org/security/201911-01).

## Version 1.17.6

Released 2019-08-29

  * Fixed a regression with logout database initialization when using MySQL (#1177).
  * Fixed an issue with logout when using iframes (#1191).
  * Fixed an issue causing log entries to be logged with incorrect relative order (#1107).

## Version 1.17.5

Released 2019-08-02

  * Fixed a bug in the SP API where NameID objects weren't taken care of (introduced in 1.17.0).
  * Fixed a regression where MetaDataStorageHandlerPdo::getMetaData() would not return a value (#1165).
  * Fixed an issue with table indexes (#1089).
  * Fixed an issue with table migrations on SQlite (#1169).
  * Fixed an issue with generated eduPersonTargetedID lacking a format specified (#1135).
  * Updated composer dependencies.

## Version 1.17.4

Released 2019-07-11

  * Fix an issue introduced in 1.17.3 with `enable.http_post`.
  
## Version 1.17.3

Released 2019-07-10

  * Resolved a security issue that could lead to a reflected XSS.  See
    [SSPSA 201907-01](https://simplesamlphp.org/security/201907-01).
  * Add new options `session.cookie.samesite` and `language.cookie.samesite` that can be
    used to set a specific value for the cookies' SameSite attribute. The default it not
    to set it.
  * Upgraded jQuery to version 3.4.
  * HHVM is no longer supported.
  * Fixed a bug (#926) where dynamic metadata records where not loaded from a database.
  * Fixed an issue when an error occurs during a passive authentication request.
  * Handle duplicate insertions for SQL Server.
  * Fix a bug in Short SSO Interval warning filter.
  * Apply a workaround for SIGSEGVs during session creation with PHP-FPM 7.3.

### adfs
  * Fixed a missing option to supply a passphrase for the ADFS IDP signing certificate.

### authlinkedin
  * This module has been removed now that LinkedIn no longer supports OAuth1.
    If you relied on this module, you may consider migrating to the
    [authoauth2 module](https://github.com/cirrusidentity/simplesamlphp-module-authoauth2).
    A migration guide for LinkedIn authentication is included in their README.

## Version 1.17.2

Released 2019-04-02

  * Fixed that generated metadata was missing some information
    when PHP's zend.assertions option is set to < 1.
  * Fixed that MDUI Keywords and Logo were not parsed from metadata.
  * Fixed DiscoPower module tab display.
  * Fixed use group name in Attribute Add Users Groups filter.
  * Add metadatadir setting to the default config template.
  * Fixed exception processing in loadExceptionState().
  * Fixed preferredidp in built-in 'links'-style discovery.

## Version 1.17.1

Released 2019-03-07

  * Fixed an issue with composer that made it impossible to install modules
    if SimpleSAMLphp was installed itself with the provided package (tar.gz file).

## Version 1.17.0

Released 2019-03-07

  * Introduce a new experimental user interface based on Twig templates.
    The new Twig templates co-exist next to the old ones and come
    with a new look-and-feel for SimpleSAMLphp and independent interfaces for
    users and administrators. This new interface uses also a new build system
    to generate bundled assets.
  * Introduce Symfony-style routing and dependency injection(#966).
  * Generate session IDs complying with PHP config settings when using the PHP
    session handler (#569).
  * Update OpenSSL RSA bit length in docs (#993).
  * Update all code, configuration templates and documentation to PHP
    short array syntax.
  * All classes moved to namespaces and code reformatted to PSR-2.
  * Use bcrypt for new password hashes, old ones will remain working (#996).
  * Many code cleanups.
  * Update the SAML2 library dependency to 3.2.5.
  * Update the Clipboard.JS library dependency to 2.0.4.
  * Translated to Zulu and Xhosa.
  * Multiple bug fixes and corrections.

### Interoperability
  * The minimum PHP version required is now 5.5.
  * Fixed compatibility with PHP 7.3 and HVVM.
  * SimpleSAMLphp can now be used with applications that use Twig 2 and/or Symfony 4.
  * The SAML2 library now uses getters/setters to manipulate objects properties.

### authfacebook
  * Fix Facebook compatibility (query parameters).

### authorize
  * Add the possibility to configure a custom rejection message.

### consent
  * The module is now disabled by default.

### core
  * Allow `core:PHP` to manipulate the entire state array.
  * IdP initiated login: add compatibility with Shibboleth parameters.

### multiauth
  * Added a `preselect` configuration option to skip authsource selection (#1005).

### negotiate
  * The `keytab` setting now allows for relative paths too.

### preprodwarning
  * This module is now deprecated. Use the `production` configuration
    option instead; set it to `false` to show a pre-production warning
    before authentication.

### saml
  * Add initial support for SAML Subject ID Attributes.
  * Allow to specify multiple supported NameIdFormats in IdP hosted and SP
    remote metadata.
  * Allow to specify NameIDPolicy Format and AllowCreate in hosted SP
    and remote IdP configuration. Restore the possibility to omit it from
    AuthnRequests entirely (#984).
  * Add a `assertion.allowed_clock_skew` setting to influence how lenient
    we should be with the timestamps in received SAML messages.
  * If the Issuer of a SAML response does not match the entity we sent the
    request to, log a warning instead of bailing out with an exception.
  * Allow setting the AudienceRestriction in SAML2 requests (#998).
  * Allow disabling the Scoping element in SP and remote IdP configuration with
    the `disable_scoping` option, for compatibility with ADFS which does not
    accept the element (#985).
  * Receiving an eduPersonTargetedID in string form will no longer break
    parsing of the assertion.

### sanitycheck
  * Translated into several languages.

## Version 1.16.3

Released 2018-12-20

  * Resolved a security issue that could expose the user's credentials locally.  See
    [SSPSA 201812-01](https://simplesamlphp.org/security/201812-01).
  * Downgraded the level of log messages regarding the `userid.attribute` configuration option
    from _warning_ to _debug_.
  * Make the `attr` configuration option of the _negotiate_ allow both a string and an array.
  * Look for the _keytab_ file used by the _negotiate_ module in the `cert` directory, accepting
    both absolute and relative paths.
  * Fixed some broken links.
  * Other minor bugfixes.

## Version 1.16.2

Released 2018-09-28

  * Fixed an issue with PHP sessions in PHP 7.2.
  * Fixed a bug in the OAuth module.
  * Make schema validation work again.
  * Properly document the `saml:AuthnContextClassRef` authentication processing filter.
  * Fixed an issue that made it impossible to install the software with composer using the
    "stable" minimum-stability setting.
  * Changed the default authentication context class to "PasswordProtectedTransport" by default
    when authentication happened on an HTTPS exchange.

## Version 1.16.1

Released 2018-09-07

  * Fix a bug preventing the consent page from showing.
  * Add Catalan to the list of available languages.

## Version 1.16.0

Released 2018-09-06

### Changes
  * Default signature algorithm is now RSA-SHA256.
  * Renamed class `SimpleSAML_Error_BadUserInnput` to `SimpleSAML_Error_BadUserInput`
  * PHP 7.2 compatibility, including removing deprecated use of assert with string.
  * Avoid logging database credentials in backtraces.
  * Fix edge case in getServerPort.
  * Updated Spanish translation.
  * Improvements to documentation, testsuite, code quality and coding style.

### New features
  * Added support for SAML "Enhanced Client or Proxy" (ECP) protocol,
    IdP side with HTTP Basic Authentication as authentication method.
    See the [ECP IdP documentation](./simplesamlphp-ecp-idp) for details.
  * New option `sendmail_from`, the from address for email sent by SSP.
  * New option `options` for PDO database connections, e.g. for TLS setup.
  * New option `search.scope` for LDAP authsources.
  * Add support for the DiscoHints IPHint metadata property.
  * Add support to specify metadata XML in config with the `xml` parameter,
    next to the existing `file` and `url` options.
  * Also support CGI/RewriteRule setups that set the `REDIRECT_SIMPLESAMLPHP_CONFIG_DIR`
    environment variable next to regular `SIMPLESAMLPHP_CONFIG_DIR`.
  * Support creating an AuthSource via factory, for example useful in tests.
  * Support preloading of a virtual config file via `SimpleSAML_Configuration::setPreLoadedConfig`
    to allow for dynamic population of authsources.php.
  * Add basic documentation on Nginx configuration.
  * Test authentication: optionally show AuthData array.
  * Improve performance of PDO Metadata Storage handler entity lookup.

### adfs
  * Make signature algorithm configurable with `signature.algorithm`.
  * Use configuration assertion lifetime when available.
  * Use `adfs:wreply` parameter when available.

### authmyspace
  * Module removed because service is no longer available.

### cas
  * Respect all LDAP options in LDAP call.

### casserver
  * Module removed; superseded by externally hosted module.

### consent
  * Sort attribute values for consent.
  * Fix table layout for MySQL > 5.6.
  * Rename `noconsentattributes` to `attributes.exclude`; the former
    is now considered deprecated.

### consentAdmin
  * Work better with TargetedIDs when operating as a proxy.
  * Add `attributes.exclude` option to correspond to the same option
    in the Consent module.

### core
  * StatisticsWithAttribute: add `passive-` prefix when logging passive
    requests, set new option `skipPassive` to skip logging these altogether.
  * Replace deprecated `create_function` with an anonymous function.
  * New authproc filter Cardinality to enforce attribute cardinality.
  * SQLPermanentStorage: proper expiration of stored values.
  * AttributeLimit: new options `regex` and `ignoreCase`.
  * AttributeMap: prevent possible infinite loop with some PHP versions.

### ldap
  * AttributeAddUsersGroups: if `attribute.groupname` is set, use the
    configured attribute as the group name rather than the DN.
  * Also base64encode the `ms-ds-consistencyguid` attribute.

### metarefresh
  * Return XML parser error for better debugging of problems.
  * Only actually parse metadata types that have been enabled.
  * Fix missing translation.

### Oauth
  * Make module HTTP proxy-aware.
  * Remove unused demo app.

### saml
  * AttributeConsumingService: allow to set isDefault and index options.
  * Encrypted attributes in an assertion are now decrypted correctly.
  * Prefer the HTTP-Redirect binding for AuthnRequests if available.

### smartattributes
  * Fix to make the `add_authority` option work.

### sqlauth
  * The module is now disabled by default.

### statistics
  * Show a decent error message when no data is available.

## Version 1.15.4

Released 2018-03-02

  * Resolved a security issue related to signature validation in the SAML2 library. See [SSPSA 201803-01](https://simplesamlphp.org/security/201803-01).

## Version 1.15.3

Released 2018-02-27

  * Resolved a security issue related to signature validation in the SAML2 library. See [SSPSA 201802-01](https://simplesamlphp.org/security/201802-01).
  * Fixed edge-case scenario where an application uses one of the known LoggingHandlers' name as a defined class
  * Fixed issue #793 in the PHP logging handler.

## Version 1.15.2

Released 2018-01-31

  * Resolved a Denial of Service security issue when validating timestamps in the SAML2 library. See [SSPSA 201801-01](https://simplesamlphp.org/security/201801-01).
  * Resolved a security issue with the open redirect protection mechanism. See [SSPSA 201801-02](https://simplesamlphp.org/security/201801-02).
  * Fix _undefined method_ error when using memcacheD.

### `authfacebook`
  * Fix compatibility with Facebook strict URI match.

### `consent`
  * Fix statistics not being gathered.

### `sqlauth`
  * Prevented a security issue with the connection charset used for MySQL backends. See [SSPSA 201801-03](https://simplesamlphp.org/security/201801-03).

## Version 1.15.1

Released 2018-01-12

### Bug fixes
  * AuthX509 error messages were broken.
  * Properly calculate supported protocols based on config.
  * NameIDAttribute filter: update to use SAML2\XML\saml\NameID.
  * Replace remaining uses of SimpleSAML_Logger with namespace version.
  * Statistics: prevent mixed content errors.
  * Add 'no-store' to the cache-control header to avoid Chrome
    caching redirects.

## Version 1.15.0

Released 2017-11-20

### New features
  * Added support for authenticated web proxies with the `proxy.auth` setting.
  * Added new `AttributeValueMap` authproc filter.
  * Added attributemaps for OIDs from SIS (Swedish Standards Institute) and
    for eduPersonUniqueId, eduPersonOrcid and sshPublicKey.
  * Added an option to specify metadata signing and digest algorithm
    `metadata.sign.algorithm`.
  * Added an option for regular expression matching of trusted.url.domains via new
    `trusted.url.regex` setting.
  * The `debug` option is more finegrained and allows one to specify whether
    to log full SAML messages, backtraces or schema validations separately.
  * Added a check for the latest SimpleSAMLphp version on the front page.
    It can be disabled via the new setting `admin.checkforupdates`.
  * Added a warning when there's a probable misconfiguration of PHP sessions.
  * Added ability to define additional attributes on ContactPerson elements
    in metadata, e.g. for use in Sirtfi contacts.
  * Added option to set a secure flag also on the language cookie.
  * Added option to specify the base URL for the application protected.
  * Added support for PHP Memcached extension next to Memcache extension.
  * Added Redis as possible session storage mechanism.
  * Added support to specify custom metadata storage handlers.
  * Invalidate opcache after writing a file, so simpleSAMLphp works when
    `opcache.validate_timestamps` is disabled.
  * Metadata converter will deal properly with XML with leading whitespace.
  * Update `ldapwhoami()` call for PHP 7.3.
  * Made response POST page compatible with strict Content Security Policy on
    calling webpage.
  * Updated Greek, Polish, Traditional Chinese and Spanish translations and
    added Afrikaans.

### Bug fixes
  * The deprecated OpenIdP has been removed from the metadata template.
  * Trailing slash is no longer required in `baseurlpath`.
  * Make redirections more resilient.
  * Fixed empty protocolSupportEnumeration in AttributeAuthorityDescriptor.
  * Other bug fixes and numerous documentation enhancements.
  * Fixed a bug in the Redis store that could lead to incorrect
    _duplicate assertion_ errors.

### API and user interface
  * Updated to Xmlseclibs 3.0.
    Minimum PHP version is now 5.4, mcrypt requirement dropped.
  * Added a PSR-4 autoloader for modules. Now modules can declare their
    classes under the SimpleSAML\Module namespace.
  * Added new hook for module loader exception handling `exception_handler`.
  * Expose RegistrationInfo in parsed SAML metadata.
  * The AuthnInstant is now available in the state array.
  * Introduced Twig templating for user interface.
  * Lots of refactoring, code cleanup and added many unit tests.

### `adfs`
  * Fixed POST response form parameter encoding.

### `authYubiKey`
  * Fixed PHP 7 support.

### `authfacebook`
  * Updated to work with latest Facebook API.

### `authlinkedin`
  * Added setting `attributes` to specify which attributes to request
    from LinkedIn.

### `authtwitter`
  * Added support for fetching the user's email address as attribute.

### `consent`
  * Added support for regular expressions in `consent.disable`.

### `core`
  * Added logging of `REMOTE_ADDR` on successful login.
  * `AttributeMap`: allow fetching mapping files from modules.
  * `ScopeAttribute`: added option `onlyIfEmpty` to add a scope only if
     none was present.
  * `AttributeCopy`: added option to copy to multiple destination attributes.

### `cron`
  * Allow invocation via PHP command line interface.

### `discopower`
  * Added South Africa tab.

### `ldap`
  * Added `search.filter` setting to limit LDAP queries to a custom search
    filter.
  * Added OpenLDAP support in AttributeAddUsersGroups.
  * Fixed for using non standard LDAP port numbers.
  * Fixed configuration option of whether to follow LDAP referrals.

### `memcacheMonitor`
  * Fixed several missing strings.

### `metarefresh`
  * Fixed several spurious PHP notices.

### `multiauth`
  * Fixed selected source timeout.

### `negotiate`
  * Fixed authentication failure on empty attributes-array.
  * Fixed PHP notices concerning missing arguments.

### `oauth`
  * Updated library to improve support for OAuth 1.0 Revision A.

### `radius`
  * Improved error messages.
  * Added parameter `realm` that will be suffixed to the username entered.

### `saml`
  * Handle instead of reject assertions that do not contain a NameID.
  * Added options to configure `AllowCreate` and `SPNameQualifier`.
  * Added option `saml:NameID` to set the Subject NameID in a SAML AuthnRequest.
  * Added filter `FilterScopes` to remove values which are not properly scoped.
  * Make sure we log the user out before reauthenticating.
  * More robust handling of IDPList support in proxy mode.
  * Increased `_authSource` field length in Logout Store.
  * We now send the eduPersonTargetedID attribute in the correct
    NameID XML form, instead of the incorrect simple string. We will also
    refuse to parse an assertion with an eduPersonTargetedID in 'string' format.

### `smartattributes`
  * Fix SmartName authproc that failed to load.

### `sqlauth`
  * Fixed SQL schema for usergroups table.

## Version 1.14.17

Released 2017-10-25

  * Resolved a security issue with the SAML 1.1 Service Provider. See [SSPSA 201710-01](https://simplesamlphp.org/security/201710-01).

## Version 1.14.16

Released 2017-09-04

  * Resolved a security issue in the consentAdmin module. See [SSPSA 201709-01](https://simplesamlphp.org/security/201709-01).

## Version 1.14.15

Released 2017-08-08

  * Resolved a security issue with the creation and validation of time-limited tokens. See [SSPSA 201708-01](https://simplesamlphp.org/security/201708-01).
  * Fixed an issue with session handling that could lead to crashes after upgrading from earlier 1.14.x versions.
  * Fixed issue #557 with instances of SimpleSAMLphp installed from the repository as well as custom modules.
  * Fixed issue #648 to properly handle SAML responses being sent to reply the same request, but using different response IDs.
  * Fixed issues #612 and #618 with the mobile view of the web interface.
  * Fixed issue #639 related to IdP names containing special characters not being properly displayed by discopower.
  * Fixed issue #571 causing timeouts when using Active Directory as a backend.
  * Other minor fixes.

## Version 1.14.14

Released 2017-05-05

  * Resolved a security issue with in the authcrypt module (Htpasswd authentication source) and in SimpleSAMLphp's session validation. See [SSPSA 201705-01](https://simplesamlphp.org/security/201705-01).
  * Resolved a security issue with in the multiauth module. See [SSPSA 201704-02](https://simplesamlphp.org/security/201704-02).

## Version 1.14.13

Released 2017-04-27

  * Resolved a security issue with unauthenticated encryption in the SimpleSAML\Utils\Crypto class. See [SSPSA 201704-01](https://simplesamlphp.org/security/201704-01).
  * Added requirement for the Multibyte String PHP extension and the corresponding checks.
  * Set a default name for SimpleSAMLphp sessions in the configuration template for the PHP session handler.
  
## Version 1.14.12

Released 2017-03-30

  * Resolved a security issue in the authcrypt module (Htpasswd authentication source) and in SimpleSAMLphp's session validation. See [SSPSA 201703-01](https://simplesamlphp.org/security/201703-01).
  * Resolved a security issue with IV generation in the  `SimpleSAML\Utils\Crypto::_aesEncrypt()` method. See [SSPSA 201703-02](https://simplesamlphp.org/security/201703-02).
  * Fixed an issue with the authfacebook module, broken after a change in Facebook's API.
  * Fixed an issue in the discopower module that ignored the `hide.from.discovery` metadata option.
  * Fixed an issue with trusted URLs validation that prevented a URL from being accepted if a standard port was explicitly included but not specified in the configuration.
  * Fixed an issue that prevented detecting a Memcache server being down when fetching Memcache statistics.
  * Fixed an issue with operating system detection that made SimpleSAMLphp identify OSX as Windows.

## Version 1.14.11

Released 2016-12-12

  * Resolved a security issue involving signature validation of SAML 1.1 messages. See [SSPSA 201612-02](https://simplesamlphp.org/security/201612-02).
  * Fixed an issue when the user identifier used to generate a persistent NameID was missing due to a misconfiguration, causing SimpleSAMLphp to generate the nameID based on the null data type.
  * Fixed an issue when persistent NameIDs were generated out of attributes with empty strings or multiple values.
  * Fixed issue #530. An empty SubjectConfirmation element was causing SimpleSAMLphp to crash. On the other hand, invalid SubjectConfirmation elements were ignored in PHP 7.0.

## Version 1.14.10

Released 2016-12-02

  * Resolved a security issue involving signature validation. See [SSPSA 201612-01](https://simplesamlphp.org/security/201612-01).
  * Fixed issue #517. A misconfigured session when acting as a service provider was leading to a PHP fatal error.
  * Fixed issue #519. Prevent persistent NameIDs from being generated from empty strings.
  * Fixed issue #520. It was impossible to verify Apache's custom MD5 passwords when using the Htpasswd authentication source.
  * Fixed issue #523. Avoid problems caused by different line-ending strategies in the project files.
  * Other minor fixes and enhancements.

## Version 1.14.9

Released 2016-11-10

  * Fixed an issue that resulted in PHP 7 errors being masked.
  * Fixed the smartattributes:SmartName authentication processing filter.
  * Fixed issue #500. When parsing metadata, two 'attributes.required' options were generated.
  * Fixed the list of requirements in composer, the documentation, and the configuration page.
  * Fixed issue #479. There were several minor issues with XHTML compliance.
  * Other minor fixes.

## Version 1.14.8

Released 2016-08-23

  * Fixed an issue in AuthMemCookie causing it to crash when an attribute received contains XML as its value.
  * Fixed an issue in AuthMemCookie that made it impossible to set its own cookie.
  * Fixed an issue when acting as a proxy and receiving attributes that contain XML as their values.
  * Fixed an issue that led to incorrect URL guessing when a script is invoked with a URI that doesn't include its name.

## Version 1.14.7

Released 2016-08-01

  * Fixed issue #424. Attributes containing XML as their values (like eduPersonTargetedID) were empty.

## Version 1.14.6

Released 2016-07-18

  * Fixed issue #418. SimpleSAMLphp was unable to obtain the current URL correctly when invoked from third-party applications.

## Version 1.14.5

Released 2016-07-12

  * Fixed several issues with session handling when cookies couldn't be set for some reason.
  * Fixed an issue that caused wrong URLs to be generated in the web interface under certain circumstances.
  * Fixed the exception handler to be compatible with PHP 7.
  * Fixed an issue in the dropdown IdP selection page that prevented it to work with PHP 5.3.
  * Fixed compatibility with Windows machines.
  * Fixed an issue with the PDO and Serialize metadata storage handlers.
  * Fixed the authwindowslive module. It stopped working after the former API was discontinued.
  * Other minor issues and fixes.

## Version 1.14.4

Released 2016-06-08

  * Fixed two minor security issues that allowed malicious URLs to be presented to the user in a link. Reported by John Page.
  * Fixed issue #366. The LDAP class was trying to authenticate even when no password was provided (using the CAS module).
  * Fixed issue #401. The authenticate.php script was printing exceptions instead of throwing them for the exception handler to capture them.
  * Fixed issue #399. The size limitation of the TEXT type in MySQL was creating problems in certain setups.
  * Fixed issue #5. Incoherent population of the $_SERVER variable was creating broken links when running PHP with FastCGI.
  * Other typos and minor bugs: #389, #392.

## Version 1.14.3

Released 2016-04-19

  * Fixed a bug in the login form that prevented the login button to be displayed in mobile devices.
  * Resolved an issue in the PHP session handler that made it impossible to use PHP sessions simultaneously with other applications.

## Version 1.14.2

Released 2016-03-11

  * Use stable versions of the externalized modules to prevent possible issues when further developing them.

## Version 1.14.1

Released 2016-03-08

  * Resolved an information leakage security issue in the sanitycheck module. See [SSPSA 201603-01](/security/201603-01).

## Version 1.14.0

Released 2016-02-15

### Security

  * Resolved a security issue with multiple modules that were not validating the URLs they were redirecting to.
  * Added a security check to disable loading external entities in XML documents.
  * Enforced admin access to the metadata converter tool.
  * Changed `xmlseclibs` dependency to point to `robrichards/xmlseclibs` version 1.4.1.

### New features

  * Allow setting the location of the configuration directory with an environment variable.
  * Added support for the Metadata Query Protocol by means of the new MDX metadata storage handler.
  * Added support for the Sender-Vouches method.
  * Added support for WantAssertionsSigned and AuthnRequestsSigned in SAML 2.0 SP metadata.
  * Added support for file uploads in the metadata converter.
  * Added support for setting the prefix for Memcache keys.
  * Added support for the Hide From Discovery REFEDS Entity Category.
  * Added support for the eduPersonAssurance attribute.
  * Added support for the full SCHAC 1.5.0 schema.
  * Added support for UNIX sockets when configuring memcache servers.
  * Added the SAML NameID to the attributes status page, when available.
  * Added attribute definitions for schacGender (schac), sisSchoolGrade and sisLegalGuardianFor (skolfederation.se).
  * Attributes required in metadata are now taken into account when parsing.

### Bug fixes

  * Fixed an issue with friendly names in the attributes released.
  * Fixed an issue with memcache that would result in a push for every fetch, when several servers configured.
  * Fixed an issue with memcache that would result in an endless loop if all servers are down.
  * Fixed an issue with HTML escaping in error reports.
  * Fixed an issue with the 'admin.protectmetadata' option not being enforced for SP metadata.
  * Fixed an issue with SAML 1.X SSO authentications that removed the NameID of the subject from available data.
  * Fixed an issue with the login form that resulted in a `NOSTATE` error if the user clicked the login button twice.
  * Fixed an issue with replay detection in IdP-initiated flows.
  * Fixed an issue with SessionNotOnOrAfter that kept moving forward in the future with every SSO authentication.
  * Fixed an issue with the session cookie being set twice for the first time.
  * Fixed an issue with the XXE attack prevention mechanism conflicting with other applications running in the same server.
  * Fixed an issue that prevented the SAML 1.X IdP to restart when the session is lost.
  * Fixed an issue that prevented classes using namespaces to be loaded automatically.
  * Fixed an issue that prevented certain metadata signatures to be verified (fixed upstream in `xmlseclibs`).
  * Other bug fixes and numerous documentation enhancements.

### API and user interface

  * Added a new and simple database class to serve as PDO interface for all the database needs.
  * Added the possibility to copy metadata and other elements by clicking a button in the web interface.
  * Removed the old, unused `pack` installer tool.
  * Improved usability by telling users the endpoints are not to be accessed directly.
  * Moved the hostname, port and protocol diagnostics tool to the admin directory.
  * Several classes and functions deprecated.
  * Changed the signature of several functions.
  * Deleted old and deprecated code, interfaces and endpoints.
  * Deleted old jQuery remnants.
  * Deleted the undocumented dynamic XML metadata storage handler.