simplesamlphp-changelog.md 71.45 KiB

SimpleSAMLphp changelog

This document lists the changes between versions of SimpleSAMLphp. See the upgrade notes for specific information about upgrading.

Version 1.16.0

Released TBD

Changes

  • Default signature algorithm is now RSA-SHA256.
  • Renamed class SimpleSAML_Error_BadUserInnput to SimpleSAML_Error_BadUserInput
  • PHP 7.2 compatibility, including removing deprecated use of assert with string.
  • Avoid logging database credentials in backtraces.
  • Fix edge case in getServerPort.
  • Updated Spanish translation.
  • Improvements to documentation, testsuite, code quality and coding style.

New features

  • Added support for SAML "Enhanced Client or Proxy" (ECP) protocol, IdP side with HTTP Basic Authentication as authentication method. See the ECP IdP documentation for details.
  • New option sendmail_from, the from address for email sent by SSP.
  • New option options for PDO database connections, e.g. for TLS setup.
  • New option search.scope for LDAP authsources.
  • Add support for the DiscoHints IPHint metadata property.
  • Add support for specifying metadata XML in config with the xml parameter, next to the existing file and url options.
  • Also support CGI/RewriteRule setups that set the REDIRECT_SIMPLESAMLPHP_CONFIG_DIR environment variable next to regular SIMPLESAMLPHP_CONFIG_DIR.
  • Support creating an AuthSource via factory, for example useful in tests.
  • Support preloading of a virtual config file via SimpleSAML_Configuration::setPreLoadedConfig to allow for dynamic population of authsources.php.
  • Add basic documentation on Nginx configuration.
  • Test authentication: optionally show AuthData array.
  • Improve performance of PDO Metadata Storage handler entity lookup.

adfs

  • Make signature algorithm configurable with signature.algorithm.
  • Use configuration assertion lifetime when available.
  • Use adfs:wreply parameter when available.

authmyspace

  • Module removed because service is no longer available.

cas

  • Respect all LDAP options in LDAP call.

casserver

  • Module removed; superseded by externally hosted module.

consent

  • Sort attribute values for consent.
  • Fix table layout for MySQL > 5.6.
  • Rename noconsentattributes to attributes.exclude; the former is now considered deprecated.

consentAdmin

  • Work better with TargetedIDs when operating as a proxy.
  • Add attributes.exclude option to correspond to the same option in the Consent module.

core

  • StatisticsWithAttribute: add passive- prefix when logging passive requests, set new option skipPassive to skip logging these altogether.
  • Replace deprecated create_function with an anonymous function.
  • New authproc filter Cardinality to enforce attribute cardinality.
  • SQLPermanentStorage: proper expiration of stored values.
  • AttributeLimit: new options regex and ignoreCase.
  • AttributeMap: prevent possible infinite loop with some PHP versions.

ldap

  • AttributeAddUsersGroups: if attribute.groupname is set, use the configured attribute as the group name rather than the DN.
  • Also base64-encode the ms-ds-consistencyguid attribute.

metarefresh

  • Return XML parser error for better debugging of problems.
  • Only actually parse metadata types that have been enabled.
  • Fix missing translation.

oauth

  • Make module HTTP proxy-aware.
  • Remove unused demo app.

saml

  • AttributeConsumingService: allow setting the isDefault and index options.
  • Encrypted attributes in an assertion are now decrypted correctly.
  • Prefer the HTTP-Redirect binding for AuthnRequests if available.

smartattributes

  • Fix to make the add_authority option work.

sqlauth

  • The module is now disabled by default.

statistics

  • Show a decent error message when no data is available.

Version 1.15.4

Released 2018-03-02

  • Resolved a security issue related to signature validation in the SAML2 library. See SSPSA 201803-01.

Version 1.15.3

Released 2018-02-27

  • Resolved a security issue related to signature validation in the SAML2 library. See SSPSA 201802-01.
  • Fixed an edge case where an application defines a class with the same name as one of the known logging handlers.
  • Fixed issue #793 in the PHP logging handler.

Version 1.15.2

Released 2018-01-31

  • Resolved a Denial of Service security issue when validating timestamps in the SAML2 library. See SSPSA 201801-01.
  • Resolved a security issue with the open redirect protection mechanism. See SSPSA 201801-02.
  • Fix undefined method error when using memcacheD.

authfacebook

  • Fix compatibility with Facebook strict URI match.

consent

  • Fix statistics not being gathered.

sqlauth

  • Prevented a security issue with the connection charset used for MySQL backends. See SSPSA 201801-03.

Version 1.15.1

Released 2018-01-12

Bug fixes

  • AuthX509 error messages were broken.
  • Properly calculate supported protocols based on config.
  • NameIDAttribute filter: update to use SAML2\XML\saml\NameID.
  • Replace remaining uses of SimpleSAML_Logger with namespace version.
  • Statistics: prevent mixed content errors.
  • Add 'no-store' to the cache-control header to avoid Chrome caching redirects.

Version 1.15.0

Released 2017-11-20

New features

  • Added support for authenticated web proxies with the proxy.auth setting.
  • Added new AttributeValueMap authproc filter.
  • Added attributemaps for OIDs from SIS (Swedish Standards Institute) and for eduPersonUniqueId, eduPersonOrcid and sshPublicKey.
  • Added an option to specify metadata signing and digest algorithm metadata.sign.algorithm.
  • Added an option for regular expression matching of trusted.url.domains via new trusted.url.regex setting.
  • The debug option is more fine-grained and allows one to specify separately whether to log full SAML messages, backtraces or schema validations.
  • Added a check for the latest SimpleSAMLphp version on the front page. It can be disabled via the new setting admin.checkforupdates.
  • Added a warning when there's a probable misconfiguration of PHP sessions.
  • Added ability to define additional attributes on ContactPerson elements in metadata, e.g. for use in Sirtfi contacts.
  • Added option to set a secure flag also on the language cookie.
  • Added option to specify the base URL for the application protected.
  • Added support for PHP Memcached extension next to Memcache extension.
  • Added Redis as possible session storage mechanism.
  • Added support to specify custom metadata storage handlers.
  • Invalidate opcache after writing a file, so SimpleSAMLphp works when opcache.validate_timestamps is disabled.
  • Metadata converter will deal properly with XML with leading whitespace.
  • Update ldapwhoami() call for PHP 7.3.
  • Made response POST page compatible with strict Content Security Policy on calling webpage.
  • Updated Greek, Polish, Traditional Chinese and Spanish translations and added Afrikaans.

Bug fixes

  • The deprecated OpenIdP has been removed from the metadata template.
  • Trailing slash is no longer required in baseurlpath.
  • Make redirections more resilient.
  • Fixed empty protocolSupportEnumeration in AttributeAuthorityDescriptor.
  • Other bug fixes and numerous documentation enhancements.
  • Fixed a bug in the Redis store that could lead to incorrect duplicate assertion errors.

API and user interface

  • Updated to Xmlseclibs 3.0. Minimum PHP version is now 5.4, mcrypt requirement dropped.
  • Added a PSR-4 autoloader for modules. Now modules can declare their classes under the SimpleSAML\Module namespace.
  • Added new hook for module loader exception handling exception_handler.
  • Expose RegistrationInfo in parsed SAML metadata.
  • The AuthnInstant is now available in the state array.
  • Introduced Twig templating for user interface.
  • Lots of refactoring, code cleanup and added many unit tests.

adfs

  • Fixed POST response form parameter encoding.

authYubiKey

  • Fixed PHP 7 support.

authfacebook

  • Updated to work with latest Facebook API.

authlinkedin

  • Added the attributes setting to specify which attributes to request from LinkedIn.

authtwitter

  • Added support for fetching the user's email address as attribute.

consent

  • Added support for regular expressions in consent.disable.

core

  • Added logging of REMOTE_ADDR on successful login.
  • AttributeMap: allow fetching mapping files from modules.
  • ScopeAttribute: added option onlyIfEmpty to add a scope only if none was present.
  • AttributeCopy: added option to copy to multiple destination attributes.

cron

  • Allow invocation via PHP command line interface.

discopower

  • Added South Africa tab.

ldap

  • Added search.filter setting to limit LDAP queries to a custom search filter.
  • Added OpenLDAP support in AttributeAddUsersGroups.
  • Fixed use of non-standard LDAP port numbers.
  • Fixed configuration option of whether to follow LDAP referrals.

memcacheMonitor

  • Fixed several missing strings.

metarefresh

  • Fixed several spurious PHP notices.

multiauth

  • Fixed selected source timeout.

negotiate

  • Fixed authentication failure on empty attributes-array.
  • Fixed PHP notices concerning missing arguments.

oauth

  • Updated library to improve support for OAuth 1.0 Revision A.

radius

  • Improved error messages.
  • Added parameter realm that will be suffixed to the username entered.

saml

  • Handle, rather than reject, assertions that do not contain a NameID.
  • Added options to configure AllowCreate and SPNameQualifier.
  • Added option saml:NameID to set the Subject NameID in a SAML AuthnRequest.
  • Added filter FilterScopes to remove values which are not properly scoped.
  • Make sure we log the user out before reauthenticating.
  • More robust handling of IDPList support in proxy mode.
  • Increased _authSource field length in Logout Store.

smartattributes

  • Fix SmartName authproc that failed to load.

sqlauth

  • Fixed SQL schema for usergroups table.

Version 1.14.17

Released 2017-10-25

  • Resolved a security issue with the SAML 1.1 Service Provider. See SSPSA 201710-01.

Version 1.14.16

Released 2017-09-04

  • Resolved a security issue in the consentAdmin module. See SSPSA 201709-01.

Version 1.14.15

Released 2017-08-08

  • Resolved a security issue with the creation and validation of time-limited tokens. See SSPSA 201708-01.
  • Fixed an issue with session handling that could lead to crashes after upgrading from earlier 1.14.x versions.
  • Fixed issue #557 with instances of SimpleSAMLphp installed from the repository as well as custom modules.
  • Fixed issue #648 to properly handle multiple SAML responses replying to the same request but using different response IDs.
  • Fixed issues #612 and #618 with the mobile view of the web interface.
  • Fixed issue #639 related to IdP names containing special characters not being properly displayed by discopower.
  • Fixed issue #571 causing timeouts when using Active Directory as a backend.
  • Other minor fixes.

Version 1.14.14

Released 2017-05-05

  • Resolved a security issue in the authcrypt module (Htpasswd authentication source) and in SimpleSAMLphp's session validation. See SSPSA 201705-01.
  • Resolved a security issue in the multiauth module. See SSPSA 201704-02.

Version 1.14.13

Released 2017-04-27

  • Resolved a security issue with unauthenticated encryption in the SimpleSAML\Utils\Crypto class. See SSPSA 201704-01.
  • Added requirement for the Multibyte String PHP extension and the corresponding checks.
  • Set a default name for SimpleSAMLphp sessions in the configuration template for the PHP session handler.

Version 1.14.12

Released 2017-03-30

  • Resolved a security issue in the authcrypt module (Htpasswd authentication source) and in SimpleSAMLphp's session validation. See SSPSA 201703-01.
  • Resolved a security issue with IV generation in the SimpleSAML\Utils\Crypto::_aesEncrypt() method. See SSPSA 201703-02.
  • Fixed an issue with the authfacebook module, broken after a change in Facebook's API.
  • Fixed an issue in the discopower module that ignored the hide.from.discovery metadata option.
  • Fixed an issue with trusted URLs validation that prevented a URL from being accepted if a standard port was explicitly included but not specified in the configuration.
  • Fixed an issue that prevented detecting a Memcache server being down when fetching Memcache statistics.
  • Fixed an issue with operating system detection that made SimpleSAMLphp identify OSX as Windows.

Version 1.14.11

Released 2016-12-12

  • Resolved a security issue involving signature validation of SAML 1.1 messages. See SSPSA 201612-02.
  • Fixed an issue when the user identifier used to generate a persistent NameID was missing due to a misconfiguration, causing SimpleSAMLphp to generate the nameID based on the null data type.
  • Fixed an issue when persistent NameIDs were generated out of attributes with empty strings or multiple values.
  • Fixed issue #530. An empty SubjectConfirmation element was causing SimpleSAMLphp to crash. On the other hand, invalid SubjectConfirmation elements were ignored in PHP 7.0.

Version 1.14.10

Released 2016-12-02

  • Resolved a security issue involving signature validation. See SSPSA 201612-01.
  • Fixed issue #517. A misconfigured session when acting as a service provider was leading to a PHP fatal error.
  • Fixed issue #519. Prevent persistent NameIDs from being generated from empty strings.
  • Fixed issue #520. It was impossible to verify Apache's custom MD5 passwords when using the Htpasswd authentication source.
  • Fixed issue #523. Avoid problems caused by different line-ending strategies in the project files.
  • Other minor fixes and enhancements.

Version 1.14.9

Released 2016-11-10

  • Fixed an issue that resulted in PHP 7 errors being masked.
  • Fixed the smartattributes:SmartName authentication processing filter.
  • Fixed issue #500. When parsing metadata, two 'attributes.required' options were generated.
  • Fixed the list of requirements in composer, the documentation, and the configuration page.
  • Fixed issue #479. There were several minor issues with XHTML compliance.
  • Other minor fixes.

Version 1.14.8

Released 2016-08-23

  • Fixed an issue in AuthMemCookie causing it to crash when an attribute received contains XML as its value.
  • Fixed an issue in AuthMemCookie that made it impossible to set its own cookie.
  • Fixed an issue when acting as a proxy and receiving attributes that contain XML as their values.
  • Fixed an issue that led to incorrect URL guessing when a script is invoked with a URI that doesn't include its name.

Version 1.14.7

Released 2016-08-01

  • Fixed issue #424. Attributes containing XML as their values (like eduPersonTargetedID) were empty.

Version 1.14.6

Released 2016-07-18

  • Fixed issue #418. SimpleSAMLphp was unable to obtain the current URL correctly when invoked from third-party applications.

Version 1.14.5

Released 2016-07-12

  • Fixed several issues with session handling when cookies couldn't be set for some reason.
  • Fixed an issue that caused wrong URLs to be generated in the web interface under certain circumstances.
  • Fixed the exception handler to be compatible with PHP 7.
  • Fixed an issue in the dropdown IdP selection page that prevented it from working with PHP 5.3.
  • Fixed compatibility with Windows machines.
  • Fixed an issue with the PDO and Serialize metadata storage handlers.
  • Fixed the authwindowslive module. It stopped working after the former API was discontinued.
  • Other minor issues and fixes.

Version 1.14.4

Released 2016-06-08

  • Fixed two minor security issues that allowed malicious URLs to be presented to the user in a link. Reported by John Page.
  • Fixed issue #366. The LDAP class was trying to authenticate even when no password was provided (using the CAS module).
  • Fixed issue #401. The authenticate.php script was printing exceptions instead of throwing them for the exception handler to capture them.
  • Fixed issue #399. The size limitation of the TEXT type in MySQL was creating problems in certain setups.
  • Fixed issue #5. Incoherent population of the $_SERVER variable was creating broken links when running PHP with FastCGI.
  • Other typos and minor bugs: #389, #392.

Version 1.14.3

Released 2016-04-19

  • Fixed a bug in the login form that prevented the login button from being displayed on mobile devices.
  • Resolved an issue in the PHP session handler that made it impossible to use PHP sessions simultaneously with other applications.

Version 1.14.2

Released 2016-03-11

  • Use stable versions of the externalized modules to prevent possible issues when further developing them.

Version 1.14.1

Released 2016-03-08

  • Resolved an information leakage security issue in the sanitycheck module. See SSPSA 201603-01.

Version 1.14.0

Released 2016-02-15

Security

  • Resolved a security issue with multiple modules that were not validating the URLs they were redirecting to.
  • Added a security check to disable loading external entities in XML documents.
  • Enforced admin access to the metadata converter tool.
  • Changed xmlseclibs dependency to point to robrichards/xmlseclibs version 1.4.1.

New features

  • Allow setting the location of the configuration directory with an environment variable.
  • Added support for the Metadata Query Protocol by means of the new MDX metadata storage handler.
  • Added support for the Sender-Vouches method.
  • Added support for WantAssertionsSigned and AuthnRequestsSigned in SAML 2.0 SP metadata.
  • Added support for file uploads in the metadata converter.
  • Added support for setting the prefix for Memcache keys.
  • Added support for the Hide From Discovery REFEDS Entity Category.
  • Added support for the eduPersonAssurance attribute.
  • Added support for the full SCHAC 1.5.0 schema.
  • Added support for UNIX sockets when configuring memcache servers.
  • Added the SAML NameID to the attributes status page, when available.
  • Added attribute definitions for schacGender (schac), sisSchoolGrade and sisLegalGuardianFor (skolfederation.se).
  • Attributes required in metadata are now taken into account when parsing.

Bug fixes

  • Fixed an issue with friendly names in the attributes released.
  • Fixed an issue with memcache that would result in a push for every fetch when several servers are configured.
  • Fixed an issue with memcache that would result in an endless loop if all servers are down.
  • Fixed an issue with HTML escaping in error reports.
  • Fixed an issue with the 'admin.protectmetadata' option not being enforced for SP metadata.
  • Fixed an issue with SAML 1.X SSO authentications that removed the NameID of the subject from available data.
  • Fixed an issue with the login form that resulted in a NOSTATE error if the user clicked the login button twice.
  • Fixed an issue with replay detection in IdP-initiated flows.
  • Fixed an issue with SessionNotOnOrAfter that kept moving forward in the future with every SSO authentication.
  • Fixed an issue with the session cookie being set twice for the first time.
  • Fixed an issue with the XXE attack prevention mechanism conflicting with other applications running in the same server.
  • Fixed an issue that prevented the SAML 1.X IdP from restarting when the session is lost.
  • Fixed an issue that prevented classes using namespaces from being loaded automatically.
  • Fixed an issue that prevented certain metadata signatures from being verified (fixed upstream in xmlseclibs).
  • Other bug fixes and numerous documentation enhancements.