Newer
Older
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
* Fix state information being unavailable to UserPassOrgBase authentication templates.
* Make it possible to send POST-messages to http-endpoints without triggering a warning when the IdP supports both http and https.
* Add IPv6-support to the SimpleSAML_Utilities::ipCIDRcheck()-function.
* Do not allow users to switch to a language that is not enabled.
* iframe logout: Add a per-SP timeout option.
* SimpleSAML_Auth_LDAP: Better logging of the cause of exceptions.
* SimpleSAML_Auth_State: Add $allowMissing-parameter to loadState().
* module.php: More strict URL parsing.
* Add support for hashed admin passwords.
* Use openssl_random_pseudo_bytes() for better cross-platform random number generation.
* Add the current hostname to the error reports.
* Make the lifetime of SimpleSAML_Auth_State "state-arrays" configurable (via the `session.state.timeout`-option).
* SimpleSAML_Auth_State: Add cloneState()-function.
* Fix log levels used on Windows.
* SimpleSAML_Auth_LDAP: Clean up some unused code.
* core:UserPassOrgBase: Add selected organization to the authentication data that is stored in the session.
* Do not warn about missing Radius and LDAP PHP extensions unless those modules are enabled.
* Support for overriding the logic to determine the language.
* Avoid crashes due to deprecation-warnings issued by PHP.
* Use case-insensitive matching of language codes.
* Add X-Frame-Options to prevent other sites from loading the SSP-pages in an iframe.
* Add SimpleSAML_Utilities::isWindowsOS()-helper function.
* chmod() generated files to only be accessible to the owner of the files.
* Fix "re-posting" of POST data containing a key named "submit".
* Do not attempt to read new sessions from the session handler.
* Fix some pass-by-reference uses. (Support removed in PHP 5.4.)
* Warn the user if the secretsalt-option isn't set.
* A prototype for a new statistics logging core. Provides more structured logging of events, and support for multiple storage backends.
* Support for arbitrary namespace-prefixed attributes in md:EndpointType-elements.
* Fix invalid HTML for login pages where username is set.
* Remove unecessary check for PHP version >= 5.2 when setting cookies.
* Better error message when a module is missing a default-enable or default-disable file.
* Fixes for session exipration handling.
### `aselect`
* New module that replaces the previous module.
* Better error handling.
* Support for request signing.
* Loses support for A-Select Cross.
* `authcrypt:Hash`: New authentication source for checking username & password against a list of usernames and hashed passwords.
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
* `authcrypt:Htpasswd`: New authentication source for checking username & password against a `.htpasswd`-file.
### `authfacebook`
* Update to latest Facebook PHP SDK.
### `authorize`
* `authorize:Authorize`: Add flag to change the behaviour from default-deny to default-allow.
* `authorize:Authorize`: Add flag to do simple string matching instead of regex-matching.
### `authtwitter`
* Update to use the correct API endpoint.
* Propagate "user aborted" errors back to the caller.
* Changes to error handling, throw more relevant exceptions.
* Store state information directly in the state array, instead of the session.
### `authYubiKey`
* Remove deprecated uses of split().
### `cas`
* Make it possible for subclasses to override finalState().
### `core`
* `core:AttributeCopy`: New filter to copy attributes.
### `consent`
* Add a timeout option for the database connection.
* Fix disabling of consent when the data store is down.
* Simpler configuration for disabling consent for one SP or one IdP.
* Do not connect to the database when consent is disabled for the current SP/IdP.
### `consentAdmin`
* Fix for bridged IdP setup with `userid.attribute` set in `saml20-idp-hosted` metadata.
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
### `cron`
* Set the From-address to be the technical contact email address.
### `expirycheck`
* `expirycheck:ExpiryDate`: New module to check account expiration.
### `ldap`
* Add a base class for authentication processing filters which fetch data from LDAP.
* `ldap:AttributeAddUsersGroups`: Authentication processing filter that adds group information from LDAP.
### `metarefresh`
* Support for blacklisting and whitelisting entities.
* Support for conditional GET of metadata files.
* Reuse old metadata when fetching metadata fails.
### `multiauth`
* Add `multiauth:preselect`-parameter, to skip the page to select authentication source.
* Make it possible to configure the names of the authentication sources.
* Remember the last selected authentication source.
### `negotiate`
* New module implementing "negotiate" authentication, which can be used for Kerberos authentication (including Windows SSO).
### `oauth`
* Update to latest version of the OAuth library.
* Remove support for older versions of OAuth than OAuth Rev A.
### `openid`
* Separate linkback URL from page displaying OpenID URL field.
* Throw more relevant exceptions.
* Update to latest version of the OpenID library.
* Support for sending authentication requests via GET requests (with the prefer_http_redirect option).
* Prevent deprecation warnings from the OpenID library from causing deadlocks in the class loader.
### `openidProvider`
* Prevent deprecation warnings from the OpenID library from causing deadlocks in the class loader.
### `radius`
* Support for setting the "NAS-Identifier" attribute.
### `saml`
* Preserve ID-attributes on elements during signing. (Makes it possible to change the binding for some messages.)
* Allow SAML artifacts to be received through a POST request.
* Log more debug information when we are unable to determine the binding a message was sent with.
* Require HTTP-POST messages to be sent as POST data and HTTP-Redirect messages to be sent as query parameters.
* Link to download certificates from metadata pages.
* Fix canonicalization of <md:EntityDescriptor> and <md:EntitiesDescriptor>.
* Support for receiving and sending extension in authentication request messages.
* Reuse SimpleSAML_Utilities::postRedirect() to send HTTP-POST messages.
* Allow ISO8601 durations with subsecond precision.
* Add support for parsing and serializing the <mdrpi:PublicationInfo> metadata extension.
* Ignore cacheDuration when validating metadata.
* Add support for the Holder-of-Key profile, on both the [SP](./simplesamlphp-hok-sp) and [IdP](./simplesamlphp-hok-idp).
* Better error handling when receiving a SAML 2.0 artifact from an unknown entity.
* Fix parsing of <md:AssertionIDRequestService> metadata elements.
* IdP: Do not always trigger reauthentication when the authentication request contains a IdPList-element.
* IdP: Add `saml:AllowCreate` to the state array. This makes it possible to access this parameter from authentication processing filters.
* IdP: Sign the artifact response message.
* IdP: Allow the "host" metadata option to include more than one path element.
* IdP: Support for generating metadata with MDUI extension elements.
* SP: Use the discojuice-module as a discovery service if it is enabled.
* SP: Add `saml:idp`-parameter to trigger login to a specific IdP to as_login.php.
* SP: Do not display error on duplicate response when we have a valid session.
* SP: Fix for logout after IdP initiated authentication.
* SP: Fix handling of authentication response without a saml:Issuer element.
* SP: Support for specifying required attributes in metadata.
* SP: Support for limiting the AssertionConsumerService endpoints listed in metadata.
* SP: Fix session expiration when the IdP limits the session lifetime.
* `saml:PersistentNameID`: Fail when the user has more than one value in the user ID attribute.
* `saml:SQLPersistentNameID`: Persistent NameID stored in a SQL database.
* `saml:AuthnContextClassRef`: New filter to set the AuthnContextClassRef in responses.
* `saml:ExpectedAuthnContextClassRef`: New filter to verify that the SP received the correct authentication class from the IdP.
## Version 1.8.2
Released 2012-01-10.
* Fix for user-assisted cross site scripting on a couple of pages.
## Version 1.8.1
Released 2011-10-27.
* Fix for key oracle attack against XML encryption on SP.
* Fix for IdP initiated logout with IdP-initiated SSO.
* Fix a PHP notice if we are unable to open /dev/urandom.
* Fix a PHP notice during SAML 1.1 authentication.
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
## Version 1.8
* New authentication modules:
* [`authmyspace`](./authmyspace:oauthmyspace)
* [`authlinkedin`](./authlinkedin:oauthlinkedin)
* [`authwindowslive`](./authwindowslive:windowsliveid)
* Support for custom error handler, replacing the default display function.
* Allow error codes to be defined in modules.
* Better control of logout what we do after logout request.
* This makes it possible for the SP to display a warning when receiving a PartialLogout response from the IdP.
* New `cdc` module, for setting and reading common domain cookies.
### `consent`
* Support for disabling consent for some attributes.
### `ldap`
* `ldap:AttributeAddFromLDAP`: Extract values from multiple matching entries.
### `oauth`
* Added support for:
* RSASHA1 signatures
* consent
* callbackurl
* verifier code
* request parameters
### `openid`
* Support for sending custom extension arguments (e.g. UI extensions).
### `saml`
* Extract Extensions from AuthnRequest for use by custom modules when authenticating.
* Allow signing of SP metadata.
* Better control over NameIDPolicy when sending AuthnRequest.
* Support encrypting/decrypting NameID in LogoutRequest.
* Option to disable client certificate in SOAP client.
* Better selection of AssertionConsumerService endpoint based on parameters in AuthnRequest.
* Set NotOnOrAfter in IdP LogoutRequest.
* Only return PartialLogout from the IdP.
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
* New authentication modules:
* `aselect`
* `authX509`
* Unified cookie configuration settings.
* Added protection against session fixation attacks.
* Error logging when failing to initialize the Session class.
* New session storage framework.
* Add and use generic key/value store.
* Support for storing sessions in SQL databases (MySQL, PostgreSQL & SQLite).
* Support for implementing custom session storage handlers.
* Allow loading of multiple sessions simultaneously.
* Set headers allowing caching of static files.
* More descriptive error pages:
* Unable to load $state array because the session was lost.
* Unable to find metadata for the given entityID.
* Support for multiple keys in metadata.
* Allow verification with any of the public keys in metadata.
* Allow key rollower by defining new and old certificate in configuration.
* Verify with signing keys, encrypt with encryption keys.
* Change `debug`-option to log messages instead of displaying them in the browser.
* Also logs data before encryption and after decryption.
* Support for custom attribute dictionaries.
* Add support for several authentication sessions within a single session.
* Allows several SPs on a single host.
* Allows for combining an SP and an IdP on a single host.
* HTTP proxy support.
### Internal API changes & features removed
* The `saml2` module has been removed.
* The `saml2:SP` authsource has been removed.
* The `sspmod_saml2_Error` class has been renamed to `sspmod_saml_Error`.
* The `sspmod_saml2_Message` class has been renamed to `sspmod_saml_Message`.
* Moved IdP functions from `sspmod_saml_Message` to `sspmod_saml_IdP_SAML2`.
* Removed several functions and classes that are unused:
* `SimpleSAML_Utilities::strleft`
* `SimpleSAML_Utilities::array_values_equal`
* `SimpleSAML_Utilities::getRequestURI`
* `SimpleSAML_Utilities::getScriptName`
* `SimpleSAML_Utilities::getSelfProtocol`
* `SimpleSAML_Utilities::cert_fingerprint`
* `SimpleSAML_Utilities::generateTrackID`
* `SimpleSAML_Utilities::buildBacktrace`
* `SimpleSAML_Utilities::formatBacktrace`
* `SimpleSAML_Metadata_MetaDataStorageHandlerSAML2Meta`
* Moved function from Utilities-class to more appropriate locations.
* `getAuthority` to `SimpleSAML_IdP`
* `generateUserId` to `sspmod_saml_IdP_SAML2`.
* Replaced calls to with throwing an `SimpleSAML_Error_Error` exception.
* Removed metadata send functionality from old SP code.
* Removed bin/test.php and www/admin/test.php.
* Removed metashare.
* Removed optional parameters from `SimpleSAML_XHTML_Template::getLanguage()`.
* Removed functions from `SAML2_Assertion`: `get/setDestination`, `get/setInResponseTo`.
Replaced with `setSubjectConfirmation`.
* Removed several unused files & templates.
### SAML 2 IdP
* Support for generation of NameID values via [processing filters](./saml:nameid)
* Obey the NameIDPolicy Format in authentication request.
* Allow AuthnContextClassRef to be set by processing filters.
* Rework iframe logout page to not rely on cookies.
### SAML 2 SP
* Support SOAP logout.
* Various fixes to adhere more closely to the specification.
* Allow multiple SessionIndex-elements in LogoutRequest.
* Handle multiple Assertion-elements in Response.
* Reject duplicate assertions.
* Support for encrypted NameID in LogoutRequest.
* Verify Destination-attribute in LogoutRequest messages.
* Add specific options for signing and verifying authentication request and logout messages.
* `saml:NameIDAttribute` filter for extracting NameID from authentication response.
### SAML 1 IdP
* Add `urn:mace:shibboleth:1.0` as supported protocol in generated metadata.
### SAML 1 SP
* Support for IdP initiated authentication.
### `aggregator`
* Allow metadata generation from command line.
### `authfacebook`
* Change attribute names.
### `casserver`
* Support for proxying.
* Add ttl for tickets.
### `core`
* `core:AttributeLimit`: Make it possible to specify a default set of attributes.
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
* Make the SP metadata available on the login pages.
### `discoPower`
* Sort IdPs without a name (where we only have an entityID) last in the list.
* CDC cookie support.
### `exampleAuth`
* Add example of integration with external authentication page.
### `ldap`
* Add `ldap:AttributeAddFromLDAP` filter for adding attributes from a LDAP directory.
### `metarefresh`
* Don't stop updates on the first exception.
### `openid`
* Don't require access to the PHP session.
* Remove OpenID test page. (May as well use the normal test pages.)
* Support for attribute exchange.
* Add `target` option, for directing authentication to a specific OpenID provider.
* Add `realm` option, for specifying the realm we should send to the OpenID provider.
### `portal`
* Make it possible to register pages from modules, and not only from configuration.
### `statistics`
* New y-axis scaling algorithm
### `twitter`
* Change attribute names returned from twitter.
## Version 1.6.3
Released 2010-12-17.
* Fix for cross site scripting in redirect page.
## Version 1.6.2
Released 2010-07-29.
* Various security fixes.
* saml:SP: Fix SingleLogoutService endpoint in SSP-format metadata array.
* Shib13:IdP: Add urn:mace:shibboleth:1.0 to supported protocols.
* Fix SAMLParser::parseElement().
* SAML2:IdP: Fix persistent NameID generation.
* Fix scoping on IdP discovery page.
* metaedit: Fix endpoints parsed from XML.
* Dictionary update.
* Documentation fixes.
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
[Upgrade notes](./simplesamlphp-upgrade-notes-1.6)
* Detection of cookies disabled on the IdP.
* New IdP core, which makes it simpler to share code between different IdPs, e.g. between SAML 1.1 and SAML 2.0.
* Dictionaries moved to JSON format.
* New authentication module: [`cas:CAS`](./cas:cas).
* All images that doesn't permit non-commercial use have been replaced.
* Better support for OrganizationName, OrganizationDisplayName and OrganizationURL in metadata.
* Cookie secure flag no longer automatically set.
* Cross-protocol logout between ADFS and SAML 2.
* New experimental module for aggregating metadata: [`aggregator2`](./aggregator2:aggregator2)
* Metadata support for multiple endpoints with [multiple bindings](./simplesamlphp-metadata-endpoints).
* The metadata generation is using a new set of classes.
As a result, all generated metadata elements now have a `md:`-prefix.
* The deprecated functions `init(...)` and `setAuthenticated(...) in the `SimpleSAML_Session` class have been removed.
* Configuration check and metadata check was removed, as they were often wrong.
### SAML 2 SP
* SAML 2.0 HTTP-Artifact support on the [SP](./simplesamlphp-artifact-sp).
### SAML 2 IdP
* SAML 2.0 HTTP-Artifact support on the [IdP](./simplesamlphp-artifact-idp).
* Support for sending PartialLogout status code in logout response.
* Set AuthnInstant to the timestamp for authentication.
* Combine normal and iframe versions of the logout handlers into a single endpoint.
* The SessionIndex is now unique per SP.
* Statistics for logout failures.
* Better generation of persistent NameID when `nameid.attribute` isn't specified.
### The SP API
* Support for handling errors from the IdP.
* Support for passing parameters to the authentication module.
This can be used to specify SAML 2 parameters, such as isPassive and ForceAuthn.
### `adfs`
* Move to new IdP core.
### `casserver`
* Collect all endpoints in a single file.
* Fix prefix on the tickets.
### `consent`
* Support for deactivating consent for specific services.
### `consentAdmin`
* Support for the SAML SP module.
### `core`
* New filter: [`core:PHP`](./core:authproc_php), which allows processing of attributes with arbitrary PHP code.
* Support for multiple target attributes in [`core:AttributeMap`](./core:authproc_attributemap).
* New filter: [`core:ScopeFromAttribute`](./core:authproc_scopefromattribute), which allows the creation an attribute based on the scope of another attribute.
* Support for a target attribute in [`core:AttributeAlter`](./core:authproc_attributealter).
### `discoPower`
* Support for new scoring algorithm.
### `ldap`
* SASL support in LDAPMulti
### `ldapstatus`
* This module was removed, as it was very specific for Feide.
### `multiauth`
* Support for specifying the target authentication source through a request parameter.
### `oauth`
* Configurable which authentication source should be used.
### `openidProvider`
* OpenID 2.0 support.
* XRDS generation support.
### `saml`
* Support for specifying parameters for authentication request.
* Add AttributeConsumingService to generated metadata.
* The two SPSSODescriptor elements in the metadata has been merged.
## Version 1.5.1
Released 2010-01-08.
* Fix security vulnerability due to insecure temp file creation:
* statistics: The logcleaner script outputs to a file in /tmp.
* InfoCard: Saves state directly in /tmp. Changed to the SimpleSAMLphp temp directory.
* openidProvider: Default configuration saves state information in /tmp.
Changed to '/var/lib/simplesamlphp-openid-provider'.
* SAML 1 artifact support: Saves certificates temporarily in '/tmp/simplesaml', but directory creation was insecure.
* statistics: Handle new year wraparound.
* Dictionary updates.
* Fix bridged logout.
* Some documentation updates.
* Fix all metadata to use assignments to arrays.
* Fix $session->getIdP().
* Support AuthnContextClassRef in saml-module.
* Do not attempt to send logout request to an IdP that does not support logout.
* LDAP: Disallow bind with empty password.
* LDAP: Assume that LDAP_NO_SUCH_OBJECT is an error due to invalid username/password.
* statistics: Fix configuration template.
* Handle missing authority in idp-hosted metadata better.
Released 2009-11-05. Revision 1937.
* New API for SP authentication.
* Make use of the portal module on the frontpage.
* SQL datastore.
* Support for setting timezone in config (instead of php.ini).
* Logging of PHP errors and notices to SimpleSAMLphp log file.
* Improve handling of unhandled errors and exceptions.
* Admin authentication through authentication sources.
* Various bugfixes & cleanups.
* Translation updates.
* Set the dropdown list as default for built in disco service.
### New modules:
* `adfs`
Andreas Åkre Solberg
committed
* [`authorize`](./authorize:authorize)
Andreas Åkre Solberg
committed
* [`autotest`](./autotest:test)
Andreas Åkre Solberg
committed
* [`multiauth`](./multiauth:multiauth)
Andreas Åkre Solberg
committed
* [`openidProvider`](./openidProvider:provider)
* [`radius`](./radius:radius)
* [`saml`](./saml:sp)
* Add ARP + ARP signing functionality to the aggregator.
* Improvements to the aggregator module. Added documentation, and re-written more OO-oriented.
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
* Add support for reconstructing XML where XML for an entity is already cached.
* Add support for excluding tags in metadata aggregator.
### `AuthMemCookie`:
* Delete the session cookie when deleting the session.
* Support for authentication sources.
* Set expiry time of session data when saving to memcache.
* Support multiple memcache servers.
### `cas`:
* Added support for attributes in <cas:serviceResponse>.
### `consent`:
* Support for hiding some attribute values.
### `consentAdmin`:
* Added config option to display description.
### `core`:
* New WarnShortSSOInterval filter.
### `discopower`:
* Live search in discopower-module.
### `ldap`:
* Support for proxy authentication.
* Add 'debug' and 'timeout' options.
* Privilege separation for LDAP attribute retrieval.
* Allow search.base to be an array.
* (LDAPMulti) Add support for including the organization as part of the username.
### `ldapstatus`:
* Do a connect-test to all ip-addresses for a hostname.
* Check wheter hostname exists before attempting to connect.
* hobbit output.
* Check schema version.
* Add command line tab to single LDAP status page for easier debugging.
### `logpeek`:
* Blockwise reading of logfile for faster execution.
### `metarefresh`:
* Adding support for generating Shibboleth ARP files.
* Add 'serialize' metadata format.
### `preprodwarning`:
* Don't show warning in passive request.
* Focus on continue-button.
### SAML:
* Support for multiple AssertionConsumerService endpoints.
* SAML 1 artifact support on the SP side.
* New SAML authentication module.
* Deprecation of www/saml2/sp & www/shib13/sp.
* Support for encrypted NameID.
* NameIDPolicy replaces NameIDFormat.
* Better support for IdP initiated SSO and bookmarked login pages.
* Improvements to iframe logout page.
* Scoping support.
* New library for SAML 2 messages.
* Support for transporting errors from the IdP to the SP.
* Sign both the assertion and the response element by default.
* Support for sending XML attribute values from the IdP.
### `statistics`:
* Extended Google chart encoding... Add option of alternative compare plot in graph...
* Added support for Ratio type reports in the statistics module..
* Changed default rule to sso.
* Added incremental aggregation, independent time resolution from rule def, combined coldefs and more.
* Add DST support in date handler. Added summary columns per delimiter. Added pie chart. +++
* Log first SSO to a service during a session.
## Version 1.4
Released 2009-03-12. Revision 1405.
Updates to `config.php`. Please check for updates in your local modified configuration.
* Language updates
* Documentation update. New authencation source API now default and documented.
* New authentication source (new API):
* LDAP
* LDAPMulti
* YubiKey authentication source. (Separate module)
* Facebook authentication source. (Separate module)
* New Authentication Processing Filter:
* AttributeAlter
* AttributeFilter
* AttributeMap
* Smartname. does it best to guess the full name of the user based on several attributes.
* Language adaptor: allow adopting UI by preferredLanguage SAML 2.0 Attribute both on the IdP and the SP. And if the user selects a lanauge, this can be sent to the SP as an attribute.
* New module: portal, allows you to created tabbed interface for custom pages within SimpleSAMLphp. In example user consent management and attribute viewer.
* New module: ldapstatus. Used by Feide to monitor connections to a large list of LDAP connections. Contact Feide on details on how to use.
* ldapstatus also got certificate check capabilities.
* New module: MemcacheMonitor: Show statistics for memcache servers.
* New module: DiscoPower. A tabbed discovery service module with alot of functionality.
* New module: SAML 2.0 Debugginer. An improved version of the one found on rnd.feide.no earlier is not included in SimpleSAMLphp allowing you to run it locally.
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
* New module: Simple Consent Amdin module that have one button to remove all consent for one user.
* New module: Consent Administration. Contribution from Wayf.
* We also have a consent adminstration module that we use in Feide that is not checked in to subversion.
* New module: logpeek. Lets administrator lookup loglines matching a TRackID.
* New module: PreprodWarning: Adding a warning to users that access a preprod system.
* New module: CAS Server
* New module: Aggregator: Aggregates metadata. Used in Kalmar Union.
* New module: Metarefresh, download, parses and consumes metadata.
* New module: SanityCheck. Checks if things looks good and reports bad configuration etc.
* New module: Cron. Will perform tasks regularly.
* Module: SAML2.0. SAML 2.0 SP implemented as an module. Yet not documented how to use, but all SAML 2.0 SP functionality may be moved out to this module for better modularization.
* New module: statistics. Parses STAT log files, and aggregates based on a generic rule system. Output is stored in aggregated text files, and a frontend is included to present statistics with tables and graphs. Used sanitycheck and cron.
* Added support for IdP initiated SSO.
* Added support for IdP-initiated SLO with iFrame type logout.
* Major updates to iFrame AJAX SLO. Improved user experience.
* iFrame AJAX SLO is not safe against simulanous update of the session.
* Added support for bookmarking login pages. By adding enough information in the URL to be able to bootstrap a new IdP-initiated SSO and sending.
* Major updates to the infocard module.
* Added some handling of isPassive with authentication processing filters.
* More localized UI.
* New login as administrator link on frontpage.
* Tabbed frontpage. Restructured.
* Simplifications to the theming and updated documentation on theming SimpleSAMLphp.
* Attribute presentation hook allows you to tweak attributes before presentation in the attribute viewers. Used by Feide to group orgUnit information in a hieararchy.
* Verification of the Receipient attribute in the response. Will improve security if for some reason an IdP is not includeding sufficient Audience restrictions.
* Added hook to let modules tell about themself moduleinfo hook.
* Improved cron mails
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
* Preserver line breaks in stack trace UI
* Improvements to WS-Federation support: dynamic realms, logout etc.
* Better handling of presentation of JPEG photos as attributes.
* Support limiting size of attribute retrieved from LDAP.
* Added notes about how to aggregate and consume metadata. Just a start.
* Large improvements to Configuration class, and config helper functions.
* STAT logging is moved into separate authenticaion processing filter.
* Fix for NoPassive responses to Google Apps with alternative NameIDFormats.
* LDAP module allows to search multiple searchbases.
* All documentation is converted from docbook to markdown format.
* Added headers to not allow google to index pages.
* Added check on frontpage for magic quotes
* Added statistic loggging to Consent class.
* Improvements to Exception handler in LDAP class, and better logging.
* LDAP class supports turning on LDAP-debug logging.
* Much improvements to SAML 2.0 Metadata generation and parsing.
* Adding more recent jquery library.
* Generic interface for including jquery dependencies in template headers.
* Improved UI on default theme
* Fix for session duration in the Conditions element in the Assertion (SAML 2.0).
* Updated with new Feide IdP metadata in metadata-templates
Released 2008-11-04. Revision 973.
Configuration file `config.php` should not include significant changes, except one language added.
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
* Documentation update
* Added new language. Now there are two different portugese
dialects.
* Consent "module" modified. Now added support for preselecting the
checkbox by a configuration parameter. Consent module supports
including attributs values (possible to configure).
* CSS and look changed. Removed transparency to fix problem for some
browsers.
* The login-admin authentication module does not ask for username any
more.
* Added support for persistent NameID Format. (Added by Hans
ZAndbelt)
* Added experimental SAML 2.0 SP AuthSource module.
* More readable XML output formatting. In example metadata.
* Better support for choosing whether or not to sign authnrequest.
Possible to specify both at SP hosted and IdP remote.
* Adding more example metadata in metadata-templates.
* Improved e-mails sent from SimpleSAMLphp. Now both plain text and
html.
* Configuration class may return information about what version.
* iFrame AJAX SLO improved. Now with non-javascript failback
handling.
* Fixed warning with XML validator.
* Improved loading of private/public keys in XML/Signer.
* Improvements to CAS module.
* Fixed memcache stats.
Released 2008-09-26. Revision 899.
There are some changes in the configuration files from version 1.1 to 1.2. `/simplesaml/admin/config.php` should be used to check what options have changed.
When you upgrade from an previous version you should copy `authsources.php` from `config-templates` into `config` directory.
There are also some changes to the templates. If you have any custom templates, they should be updated to match the ones included. Of notable changes is that the `t(...)`-functtes, they should be updated to match the ones included. Of notable changes is that the `t(...)`-function has been simplified, and takes far fewer parameters. It is backwardscompatible, but will write a warning to the log until updated. The backwards compatibility will be removed in a future version.
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
* Experimental support for modules. Currently modules can contain
custom authentication sources, authentication processing filters
and themes.
* An generic SQL autentication module added for those who store their
users in an SQL database.
* Limited support for validating against a CA root certificate. The
current implementation only supports cases where the certificate is
directly signed by the CA.
* Allow an IdP to have multiple valid certificate fingerprints, to
allow for easier updating of certificates.
* Shibboleth 1.3 authentication for Auth MemCookie.
* Support for link to privacy policy on consent-pages.
* Customizable initial focus on consent-page.
* Almost all pages should be translateable.
* Allow SAML 2.0 SP to handle error replies from IdP.
* PostgreSQL support for consent storage.
* Add support for encrypted private keys.
* Proof-of-concept MetaShare service, for easy publishing and sharing
of metadata.
* Fixed generated SAML 2.0 metadata to be correct.
* Fixed logout for Auth MemCookie.
* Sign SAML 2.0 authentication response on failure (such as
NoPassive).
* Fixes for IsPassive in the SAML 2.0 IdP.
* Fix default syslog configuration on Windows.
* Fix order of signing and encryption of SAML 2.0 responses
* Fix generated metadata for Shib 1.3
* Fix order of elements in encrypted assertions to be schema
compliant.
* Fix session index sent to SAML 2.0 SPs.
* Remember SAML 2.0 NameID sent to SPs, and include it in logout
requests.
Released 2008-06-19. Revision 673.
When upgrading to version 1.1 from version 1.0, you should update the configuration files. Many options have been added, and some have moved or removed. The new configuration check page: `/simplesaml/admin/config.php` may be useful for determining what should be updated. Also note that the `language.available` option in `config.php` should be updated to reflect the new languages which have been added.
There are also several changes to the template files. If you have done any customizations to these, you should test them to make sure that they still work. Some changes, such as allowing the users to save the IdP choice they make in the discovery service, will not work without updating the templates.
New localizations in version 1.1: Sami, Svenska (swedish), Suomeksi (finnish), Nederlands, Luxembourgish, Slovenian, Hrvatski (Croatian), Magyar (Hungarian).
* Add support for saving the users choice of IdP in the IdP discovery
service.
* Add a config option for whether the Response element or the
Assertion element in the response should be signed.
* Make it easier to add attribute alteration functions.
* Added support for multiple languages in metadata name and
description (for IdP discovery service).
* Added configuration checker for checking if configuration files
should be updated.
* Add support for icons in IdP discovery service.
* Add support for external IdP discovery services.
* Support password encrypted private keys.
* Added PHP autoloading as the preferred way of loading the
SimpleSAMLphp library.
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
* New error report script which will report errors to the
`technicalcontact_email` address.
* Support lookup of the DN of the user who is logging in by searching
for an attribute when using the LDAP authentication module.
* Add support for fetching name and description of entities from XML
metadata files.
* Support for setting custom AttributeNameFormats.
* Support for signing generated metadata.
* Support for signature validation of metadata.
* Added consent support for Shib 1.3 logging.
* Added errorlog logging handler for logging to the default Apache
error log.
* Added support for WS-Federation single signon.
* Allow `session_save_path` to be overridden by setting the
`session.phpsession.savepath` option in `config.php`.
* Add support for overriding autogenerated metadata values, such as
the `AssertionConsumerService` address.
* Added IsPassive support in the SAML 2.0 IdP.
* Add attribute filter for generating eduPersonTargetedID attribute.
* Add support for validation of sent and received messages and
metadata.
* Add support for dynamic metadata loading with cache.
* Add support for dynamic generation of entityid and metadata.
* Added wayf.dk login module.
* Add support for encrypting and decrypting assertions.
* CAS authentication module: Add support for serviceValidate.
* CAS authentication module: Add support for getting attributes from
response by specifying XPath mappings.
* Add support for specifying a certificate in the `saml20-idp-remote`
metadata instead of a fingerprint.
* Add an attribute alter function for dynamic group generation.
* Add support for attribute processing in SAML 2 SP.
* Added tlsclient authentication module.
* Allow the templates to override the header and footer of pages.
* Major improvements to the Feide authentication module.
* Add support for ForceAuthn in the SAML 2.0 IdP.
* Choose language based on the languages the user has selected in the
web browser.
* Added fallback to base language if translation isn't found.
* Modified IdP discovery service to support Shibboleth 2.0 SP.
* Fix setcookie warning for PHP version \< 5.2.
* Fix logout not being performed for Auth MemCache sometimes.
* Preserve case of attribute names during LDAP attribute retrival.
* Fix IdP-initiated logout.
* Ensure that changed sessions with changed SP associations are
written to memcache.
* Prevent infinite recursion during logging.
* Don't send the relaystate from the SP which initiated the logout to
other SPs during logout.
* Prevent consent module from revealing DB password when an error
occurs.
* Fix logout with memcache session handler.
* Allow new session to be created in login modules.
* Removed the strict parameter from base64\_decode for PHP 5.1
compatibility.
Released 2008-03-28. Revision 470.
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
Released 2007-10-15. Revision 28.
### Warning
Both `config.php` and metadata format are changed. Look at the
templates to understand the new format.
* Documentation is updated!
* Metadata files made tidier. Unused entries removed. Look at the new
templates on how to change your existing metadata.
* Support for sending metadata by mail to Feide. Automatically
detecting whether you have configured Feide as the default IdP or
not.
* Improved SAML 2.0 Metadata generation
* Added support for Shibboleth 1.3 IdP functionality (beta, contact
me if any problems)
* Added RADIUS authentication backend
* Added support for HTTP-Redirect debugging when enable `debug=true`
* SAML 2.0 SP example now contains a logout page.
* Added new authentication backend with support for multiple LDAP
based on which organization the user selects.
* Added SAML 2.0 Discovery Service
* Initial 'proof of concept' implementation of "User consent on
attribute release"
* Fixed some minor bugs.
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
Released 2007-09-14. Revision X.
* Improved documentation
* Authentication plugin API. Only LDAP authenticaiton plugin is
included, but it is now easier to implement your own plugin.
* Added support for SAML 2.0 IdP to work with Google Apps for
Education. Tested.
* Initial implementation of SAML 2.0 Single Log Out functionality
both for SP and IdP. Seems to work, but not yet well-tested.
* Added support for bridging SAML 2.0 to SAML 2.0.
* Added some time skew offset to the NotBefore timestamp on the
assertion, to allow some time skew between the SP and IdP.
* Fixed Browser/POST page to automaticly submit, and have fall back
functionality for user agents with no javascript support.
* Fixed some bug with warning traversing Shibboleth 1.3 Assertions.
* Fixed tabindex on the login page of the LDAP authentication module
to allow you to tab from username, to password and then to submit.
* Fixed bug on autodiscovering hostname in multihost environments.
* Cleaned out some debug messages, and added a debug option in the
configuration file. This debug option let's you turn on the
possibility of showing all SAML messages to users in the web
browser, and manually submit them.
* Several minor bugfixes.