
  OpenID/SAML Changelog

File: Changelog_openid.txt
Size: 10 KBytes
MD5: 1E23D20D4AD6DDED5911672F4671A013

1.3.2-1
    - Fixed settings' Reset actions not working.
    - Added RCDevsMFA claim to support Azure OpenID-Connect.

1.3.2
    - This update is required for WebADM version >= 1.7.6.
    - Added support for client-policy-based access restrictions.
    - Added optional Content Security Policy header protection with SAML POST redirect.
    - Fixed issues with AWS and the generated Content Security Policy header.
    - Fixed Zimbra login in IdP-initiated mode (appsso).
    - Fixed several wrong file permissions.
    
1.3.1
    - Added support for WebADM v1.7 (it does not work with previous versions).
    - Added per-client-policy (i.e. per SAML SP) optional configurations for
      'Assertion Consumer Service URL' and 'Logout Consumer Service URL'.
    - Added a setting to reject SAML requests not matching a client policy.
    - Added a setting to enable/disable the PKI login feature.
    - Added a Content Security Policy header for SAML redirections.
    - OpenID-Connect client secrets and redirect URLs must now be configured
      with client policies (the global 'OpenID Clients' setting is removed).
      > Multiple redirect URLs can be configured per client.
    - Added optional AWS session duration.
    - Added support for public and pairwise subject types for OpenID-Connect.
    - Added German translations.
    
1.3.0
    - Added SAML per-client configurations with client policies.
      > Returned attributes, NameID and attribute mappings can be set per client.
      > The client policy must be created with the SAML SP issuer name/URL as alias.
      > You MUST adjust your configuration if you used 'Client Name Identifiers'
        (i.e. per-client NameID) in the previous version (use client policies instead)!
    - Added support for SAML assertion encryption.
    - Added support for SAML 'holder-of-key' assertion confirmation method.
    - Fixed issues with combined OTP and FIDO2 authentication challenges.

1.2.6
    - Added support for FIDO2 with TPM chips (e.g. Apple MacBooks).
      > This option requires OpenOTP v1.4.2.
    - Added support for Single Logout responses with SAML sessions.
    - Fixed other Single Logout issues.
    - Fixed OpenID 'groups' scope not returning group names.
    - Added a list of open SSO sessions under the IdP home page.
    - Fixed returned attributes not being added to profile claims.
    
1.2.5
    - Added support for FIDO2 (CTAP and WebAuthn enrollments).
      > You need OpenOTP v1.5 with this version of the OpenID/SAML.
    - Fixed OpenID-Connect not returning user claims.

1.2.4
    - Added support for OpenID implicit flow mode.
    - Fixed OpenID-Connect claims issues and added support for extra claims.
      > Additional claims are configured via the ReturnAttributes setting.
    - Added more debug information when client is not configured.
    - Fixed IdP-initiated login without a SAML/OpenID request failing.
    - Fixed incorrect subject_types_supported value for OpenID-Connect.
    - Added OpenID-Connect .well-known to the WebADM public endpoints.
    - Added support for inline self-registration URLs with OpenOTP v1.3.11-2.
    - Removed OpenOTP and TiQR custom address settings.
    - Added the 'UserID' name identifier format (returns the user login name only).
      > For security reasons, this option does not work when more than one WebADM
        Domain is configured.
      
1.2.3
    - Added an option to auto-validate login when an SSO session is already started.
      > This disables the confirmation page and redirects the user transparently.
    - Added support for ActiveDirectory displayname attribute.
    - Added support for SAML requests encoded with deflate RFC1951.
    - Added support for WebADM v1.6 (this version does not run on previous WebADM).
    - Added support for access restrictions based on client policies.
    - Fixed group attribute return not working with WebADM >= 1.5.x.
    - Fixed SAML being broken with SAML requests without a relay state.
    - Fixed Gsuite redirect URL missing the user's mail domain value.
    - Fixed OAuth2 error in OAuth2\GrantType\AuthorizationCode::__construct().
    - Replaced the 'Email Clients' setting with 'Email NameID Clients'.
      > You can now configure custom NameId formats per SAML SP source URL.
      > You need to adjust your configuration after upgrade!
    - The SSO Portal's Access Group setting is removed; SSO applications can
      instead be adjusted per user or group in LDAP.
    - Added support for Google G Suite (Google apps for business).
    - Added support for multiple AWS accounts.
    - Added support for SAML HTTP-POST requests in the SAML metadata.
    
1.2.2
    - Added multilingual support (French translation for now and more to come).
    - Added support for Amazon Web Services under Application SSO.
    - The Application SSO portal can be accessed from the self-service desk.
    - Added the SAML configuration metadata under WebADM endpoints in '/ws/saml/'.
    - Added support for upcoming U2F on Firefox and Opera browsers.
      > You need OpenOTP v1.3.2 with this version of SelfDesk.
    - Added the jwks_uri information to the OpenID configuration endpoint.
    - Changed response_type_supported to response_types_supported in OpenID config.
    - Added the LDAP access groups feature for IdP-initiated SSO applications.
    - Added support for the new OpenOTP Push Login methods.
    - The device ID context now uses an HTTP cookie instead of a browser fingerprint.
    - Always use 'OpenID' as client ID (dropped the SP hostname as client ID).
      > Per-SP client policy is not very relevant with SSO authentication...
      > You may need to adjust your WebADM client policies.
    - SAML Return attributes can be set in the form name1=attr1,name2=attr2...
      where nameX is the SAML attribute name and attrX the LDAP attribute it is
      mapped from. E.g. email=mail,lang=preferredLanguage.
    - Added a configuration to use different NameID formats. The supported formats
      are Persistent (default), Transient, emailAddress, X509SubjectName and
      WindowsDomainQualifiedName.
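The name1=attr1,name2=attr2 return-attribute mapping described above, as an added illustration (not RCDevs code): a parser for the setting and a builder for the resulting SAML 2.0 AttributeStatement, run over a constructed LDAP entry. Rejecting malformed entries, expanding multi-valued attributes such as memberOf into several AttributeValue children and omitting attributes absent from the entry are my assumptions about sensible behaviour, not documented WebADM behaviour.

```python
"""Parse a 'name1=attr1,name2=attr2' SAML return-attribute mapping and build the
matching <saml:AttributeStatement>. Added illustration, not RCDevs' own code."""
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def parse_return_attributes(mapping: str) -> dict:
    """'email=mail,lang=preferredLanguage' -> {'email': 'mail', 'lang': 'preferredLanguage'}.
    A malformed entry is rejected loudly rather than silently dropped (assumption)."""
    result = {}
    for entry in filter(None, (e.strip() for e in mapping.split(","))):
        saml_name, sep, ldap_attr = entry.partition("=")
        if not sep or not saml_name.strip() or not ldap_attr.strip():
            raise ValueError(f"malformed return-attribute entry: {entry!r}")
        result[saml_name.strip()] = ldap_attr.strip()
    return result


def build_attribute_statement(mapping: dict, ldap_entry: dict) -> ET.Element:
    """Emit one <saml:Attribute Name=nameX> per mapped entry present in ldap_entry.
    Multi-valued LDAP attributes become several <saml:AttributeValue> children;
    LDAP attributes missing from the entry are omitted instead of sent empty."""
    ET.register_namespace("saml", SAML_ASSERTION_NS)
    stmt = ET.Element(f"{{{SAML_ASSERTION_NS}}}AttributeStatement")
    for saml_name, ldap_attr in mapping.items():
        values = ldap_entry.get(ldap_attr)
        if not values:
            continue
        if isinstance(values, str):
            values = [values]
        attr = ET.SubElement(stmt, f"{{{SAML_ASSERTION_NS}}}Attribute", Name=saml_name)
        for value in values:
            ET.SubElement(attr, f"{{{SAML_ASSERTION_NS}}}AttributeValue").text = value
    return stmt


# Constructed sample LDAP entry for the demonstration (not real data).
SAMPLE_ENTRY = {
    "mail": "jdoe@example.com",
    "preferredLanguage": "fr",
    "memberOf": ["cn=staff,dc=example,dc=com", "cn=vpn,dc=example,dc=com"],
}

if __name__ == "__main__":
    # 'phone=mobile' is mapped but 'mobile' is absent from the entry, so it is skipped.
    m = parse_return_attributes("email=mail,lang=preferredLanguage,groups=memberOf,phone=mobile")
    print(ET.tostring(build_attribute_statement(m, SAMPLE_ENTRY), encoding="unicode"))
```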
    
1.2.0
    - Added support for OpenID-Connect.
    - Removed support for OpenID 1.1 & 2.0 (deprecated).
    - Changed the SAML signature digest algorithm from SHA1 to SHA256.
    - Changed the SAML nameId to a hash value instead of username.
      > The hashed nameId is designed to be unique even with users having
        the same login name on multiple domains.
      > Note that the nameId change might break your SAML SP account mappings.

1.1.6
    - Uses the new WAPI framework from WebADM v1.5.0.
    - Added product categorization for WebADM v1.4.5.
    - Complete facelift with new design and login workflows.
    - Added brute-force attack protection with source IP address blacklisting.

1.1.5
    - Added a configuration for SAML service providers requiring the user email
      address as login ID (fixed).
    - OpenID temporary storage uses Redis backend in WebADM 1.4.x.
    - Added support for WebADM user_level configurations in webadm.conf.

1.1.4
    - This version is designed for WebADM v1.4.
    - Added SSO login for Citrix online applications: GoToMeeting, GoToWebinar,
      GoToTraining and GotoAssist.
    - Added support for OpenOTP contextual authentication with trusted contexts.

1.1.3
    - Added support for cloud services based on customizable templates.
    - The first templates are available for SalesForce, SugarCRM and Zimbra SSO login.

1.1.2
    - Added support for OpenOTP v1.2 and FIDO U2F authentication.

1.1.1
    - Fixed SAML issues with POST requests binding.
    - Fixed the session being closed with the trusted login form (session already started).
    - The Subject NameID in the SAML response contains the user ID (required by some SAML SPs).
    - OpenID/SAML request sources are now used as OpenOTP or TiQR Client IDs.
      It is also possible to use client policies in WebADM with OpenID and SAML SP.
    - OTP inputs do not display the OTP password (required for protecting OTP PIN).
    - Added support for TiQR 1.0.7-2 with re-designed TiQR+LDAP workflow.
    - Added a PKI login mode which bypasses OTP and TiQR authentication.
    - Added a setting to optionally sign the entire SAML responses.

1.1.0
    - SAML2 identity provider (IdP) is now included.
      > AuthnRequest and LogoutRequest are supported.
      > Both HTTP-POST and HTTP-Redirect protocol bindings are supported.
      > Option to return a configurable list of user LDAP attributes.
    - Better support of OpenID Simple Registration.
    - Minor enhancements.

1.0.5
     - New application architecture designed for WebADM v1.2.6.
     - Added a DisplayMode setting to switch between Normal and Simple OpenOTP Login.
       > In Normal mode: username, password and OTP inputs are displayed.
       > In Simple mode: only username and password inputs are displayed. This mode uses
         the OpenOTP SimpleLogin method, where the semantics of the password input are handled
         by the OpenOTP server based on the user login policy.
     - Adapted HTML for WebADM 1.2.5-1 rendering.
     - OpenOTP and TiQR settings are disabled when the application is not present.
     - Added some help to the Manager interface methods (accessible under WebADM Infos menu).
     - Added support for WebApp authentication requiring user certificates.
     
1.0.4
     - Added support for OpenOTP v1.0.17 and TiQR v1.0.3 APIs.
     - Added support for WebADM 1.2.x Manager interface.
     - Fixed TiQR Poll Interval setting not working.

1.0.3
     - Compliance with TiQR Server 1.0.1.
     - Added support for TiQR offline mode.
     - Logging enhancements.
     - Display enhancements.

1.0.2
     - Added support for TiQR.
     - Added support for OpenOTP 1.0.11-1.
     - Dropped per-user OpenOTP settings.
     - Added a setting to set OpenOTP URL if not local.
     - Added OpenOTP Password List support.
     - Fixed button display with Google Chrome.

1.0.1
     - Added OpenID checkid_immediate support.
     - Added MIXED OpenID URL format.
     - Fixed a problem with check_authentication requests.

1.0.0
     Initial OpenID release.