1.6.3 (December 13 2023)
    - Added a 'PasswordLess' setting which hides the LDAP password input
      and force OpenOTP logins without LDAP password.
      > This means only OTP/U2F/MFA login is enforced whether or not policy
        has LDAP factor enabled.
1.6.2 (October 18 2023)
    - Added a setting to filter returned groups based on regular expression.
      > This workaround is because OpenID-Connect response may fails when
        there are too many groups for a user.
    - Removed 'groups' from the default list when no scope is requested.
    - Updated the Oauth2/OpenID-Connect framework to the latest version.
1.6.1 (June 26 2023)
    - Domain list is hidden when only one domain is configured.
      > Note that you can use the domain's allowed application setting
        to limit the domain list per application and hide the domain input.

1.6.0 (March 20 2023)
    - Added support for WebADM v2.3 (this version requires WebADM v2.3).
    - Removed Default Backend and Allow PKI login options.
    - Added Require Certificate setting (use Require Certificate with LDAP
      only OpenOTP policy to implement PKI only login).
    - Removed Normal / Simple OpenOTP login options (Simple Login is used).
1.5.0 (January 19 2023)
    - Added compatibility with WebADM 2.2.
    - Removed FIDO U2F (deprecated in flavor of FIDO2).
    - Updated the application icons.
    - Fixed OpenID-Connnect 'expires_in' being returned as JSON string.
1.4.22 (November 1 2022)
    - Fixed an issue with returned attributes containing unicode characters.
    - Added automatic language switching based on LDAP user language.

1.4.21 (September 2 2022)
     - Added SQL audit log event types (requires WebADM >= 2.1.15).
     - Added Error SQL logs for all failed actions.
1.4.20 (August 19 2022)
    - OpenID JWT and AccessToken expiration now honours the Session Timeout.

1.4.19 (August 5 2022)
    - Fixed missing response scopes when AllowedScopes if configured.
    - Removed Returned Attributes from claims in openid-configuration.
    - Added 'groups' the claims list in the openid-configuration.
    - Upgraded OpenID-Connect framework the latest version.
1.4.18 (July 18 2022)
    - Added supports for group name mappings containing ':' characters.
    - Fixed SAML issues with Zoom.
1.4.17 (July 12 2022)
    - Fixed RedirectionURLs not working in OpenID-Connect client policies.
1.4.16 (May 4 2022)
    - Added PrincipalName (ie. ActiveDirectory UPN) nameID format for both
      SAML and OpenID-Connect requests.

1.4.15 (January 5 2022)
    - Fixed SAML requests' decoding issues introduced in v1.4.14.

1.4.14 (December 5 2021)
    - Added support for PKI login with external certificates (ex. eIDAS).
      > Requires WebADM version >= 2.1.0.
    - Added support for FIDO2 Web login with U2F-registered FIDO devices.
    - Fixed broken FIDO2 login with Apple Safari browser.
    - Fixed SAML issues with POST SAMLRequests.
1.4.13 (Septempber 13 2021)
    - Fixed AppSSO page not displayed when only custom apps are beeing used.

1.4.12 (July 5 2021)
    - Fixed QuickSight AppSSO sending AWS role attributes.
    - Create a logfile event for every user operation.
1.4.11 (April 21 2021)
    - Fixed OpenID-Connect requests failing with 'Application Invalid' message.
    - Updated OpenID-Connect/OAuth2 libraries.
1.4.10 (April 20 2021)
    - Added Amazon QuickSight to the IdP-initiated application list (AppSSO).
    - Added the mandatory GSuiteDomain setting for Google for Business.
    - Fixed broken OwnCloud / NextCloud redirection URL.
1.4.9 (April 7 2021)
    - Added Client ID chaining with underlying OpenOTP calls. The SAML/OpenID
      Client ID is now forwarded to OpenOTP during user authentication.
      > Service Provider client policies can also encompass OpenOTP authentication
      > The IdP will enforce SP EntityID-based client ID and will fallback to the
        previous 'OpenID' client ID if not found.
      > During an SSO session, if the session was already authenticated with fewer
        factors than the policy requirements in the current request then a new
        login process is triggered.
    - Fixed wrong client ID with idP-initiated requests.
1.4.7 (March 19 2021)
    - ActiveDirectory objectGUID and objectSID binary attributes can be returned
      in the SAML response attributes in their text formats.
    - Fixed unconfigured AppSSO applications not displayed in grey.
    - With ActiveDirectory backends, ImmutableID NameID now returns the AD user's
      ImmutableID for use with Azure (ie. base64-encoded objectGUID).
1.4.6 (March 9 2021)
    - Added FIDO2 PIN / Biometric user verification policies.
    - Fixed Entire Response Signature not appended at the right place in XML.
    - Removed all TiQR functionalities.
      > Your application configuration may be incorrect after upgrade if you
        enabled any TiQR setting. In this case, just edit and re-apply the
        configuration under the 'Application' menu in WebADM.
    - Fixed OpenID-Connect with nameid 'email' not working.
    - Customizations to the apps/ application definitions are no longer lost
      after an upgrade.
    - Added compatifility with WebADM 2.0.11.
    - Added a Email Mapping setting.
    - Added a setting to set a list of trusted Consumer URLs when URL Protection
      is enabled and the Issuer URL does not match the Consumer URL.
    - Consumer URL Protection is now enabled by default!
    - Added a SAML setting to verify that the SAML assertion consumer and cancel
      URLs are matching the requests' issuer URL hostname.
      > The setting is enabled by default! Disable if you are not using URL-based
      issuer names or if you use SAML IdP cascading.
    - Added NetxCloud in the IdP-initiated SSO applications.
    - Added support for client policies options with custom IdP-initialed SAML
      applications (SSO portal).
    - AWS access via command line tools is now support with PKI login.
    - AWS account selection now works with PKI and TiQR login methods.
    - Fixed AWS SessionDuration not enforced.
    - Name Identifier is configurable for OpenID-Connect.
    - Added support for OpenOTP Voice Biometrics.
    - Fixed issues with AWS AppSSO when only the AWS application is enabled.
    - Removed the AWS account selector (handled on AWS side).
    - Added comatibility with WebADM v2.0.0.
    - Re-introduced AWS account selector.
    - Added OpenSSO Cookie support for custom IdP-initiated applications.
    - OpenSSO cookie is not time-limited and destroyed when closing the browser.
    - OpenID-Connect configuration URL now works without the trailing slash.
    - Added support for Amazon command-line tools with 'spentityid' GET parameter.
    - Added support for AWS roles with SAML redirect and 'spentityid'.
    - Fixed 'Reset' actions not working under the home page.
    - Added mfa-policy claim to support Azure OpenID-Connect.
    - Fixed SAML requests failing when AssertionConsumerURL is not provided.
    - Added support for user ActiveDirectory principal names (UPN).
      > The 'Show Domains List' setting must be disabled to use UPNs.
      > Warning: When 'Show Domains List' is disabled, the domain input is now
        removed! Users must login with domain\username to force a domain name.
    - SAML response's Recipent uses the LoginResponseURL if set in a client policy.
    - Added support for RCDevs OpenSSO shared session management.
      > OpenSSO can be used with micro-service applications as a session server.
    - This update is required for WebADM version >= 1.7.6.
    - Added support for Client policy -based access restrictions.
    - Added optional Content Security Header protection with SAML POST redirect.
    - Fixed issues with AWS and generated Content Security Header.
    - Fixed Zimbra login in IdP-initiated mode (appsso).
    - Fixed several wrong file permissions.
    - Added support for WebADM v1.7 (it does not work with previous versions).
    - Added per client policy (ie. per SAML SP) optional configurations for
      'Assertion Consumer Service URL' and 'Logout Consumer Service URL'.
    - Added a setting to reject SAML requests not matching a client policy.
    - Added a setting to enable/disable the PKI login feature.
    - Added a Security Content Policy header for SAML redirections.
    - OpenID-Connect client secrets and redirect URLs must now be configured
      with client plicies (the global 'OpenID Clients' setting is removed).
      > Multiple redirect URLs can be configured per client.
    - Added optional AWS session duration.
    - Added support for public and pairwize subject types for OpenID-Connect.
    - Added German translations.
    - Added SAML per-client configurations with client policies.
      > Retuned attributes nameid and attributes mappings can be set per client.
      > The client policy must be create with the SAML SP issuer name/URL as alias.
      > You MUST adjust your configuration if you used 'Client Name Identifiers'
        (ie. per-client nameid) in the previous version (use client policy instead)!
    - Added support for SAML assertion encryption.
    - Added support for SAML 'holder-of-key' assertion confirmation method.
    - Fixed issues with combined OTP and FIDO2 authentication challenges.

    - Added support for FIDO2 with TPM chips (ex. Apple MacBooks).
      > This option requires OpenOTP v1.4.2.
    - Added support for Single Logout responses with SAML sessions.
    - Fixed other Single Logout issues.
    - Fixed OpenID 'groups' scope not returning groups names.
    - Added opened SSO sessions list under the IdP home page.
    - Fixed returned attributes not added to profile claims.
    - Added support for FIDO2 (CTAP and WebAuthn enrollemnts).
      > You need OpenOTP v1.5 with this version of the OpenID/SAML.
    - Fixed OpenID-Connect not return user claims.

    - Added support for OpenID implicit flow mode.
    - Fixed OpenID-Connect claims issues and added support for extra claims.
      > Addtional claims are confirgured via the ReturnAttributes setting.
    - Added more debug information when client is not configured.
    - Fixed IdP-initialted login without a SAML/OpenID request failing.
    - Fixed incorrect subject_types_supported value for OpenID-Connect.
    - Added OpenID-Connect .well-known to the WebADM public endpoints.
    - Added support for inline self-registration URLs with OpenOTP v1.3.11-2.
    - Removed OpenOTP and TiQR custom address settings.
    - Added the 'UserID' name identifier format (returns the user login name only).
      > For security reasons, this option does not work when more than one WebADM
      Domain is configured.
    - Added an option to auto-validate login when an SSO session is already started.
      > This disables the confirmation page and redirects the user transparently.
    - Added support for ActiveDirectory displayname attribute.
    - Added support for SAML requests encoded with deflate RFC1951.
    - Added support for WebADM v1.6 (this version does not run on previous WebADM).
    - Added support for access restrictions based on a client policies.
    - Fixed group attribute return not working with WebADM => 1.5.x.
    - Fixed SAML broken with SAML requests without a relay state.
    - Fixed Gsuite redirect URL missing the user's mail domain value.
    - Fixed OAUTH2 error in OAuth2\\GrantType\\AuthorizationCode::__construct().
    - Replaced the 'Email Clients' setting by 'Email NameID Clients'.
      > You can now configure custom NameId formats per SAML SP source URL.
      > You need to adjust you configuration after upgarde!
    - SSO Portal's Access Group setting is removed and replaced by the fact that
      SSO applications can be ajusted per user or group in LDAP.
    - Added support for Google G Suite (Google apps for business).
    - Added support for multiple AWS accounts.
    - Added support for SAML HTTP-POST requests in the SAML metadata.
    - Added multilingual support (French translation for now and more to come).
    - Added support for Amazon Web Services under Application SSO.
    - The Application SSO portal can be accessed from the self-service desk.
    - Added the SAML configuration metadata under WebADM enpoints in '/ws/saml/'.
    - Added support for upcoming U2F on Firefox and Orpera browsers.
      > You need OpenOTP v1.3.2 with this version of SelfDesk.
    - Added the jwks_uri information to the OpenID configuration endpoint.
    - Changed response_type_supported to response_types_supported in OpenID config.
    - Added the LDAP access groups feature for Idp-initiated SSO applications.
    - Added support for the new OpenOTP Push Login methods.
    - Device Id context uses HTTP Cookie instead of Browser fingerprint.
    - Always use 'OpenID' as client Id (dropped the SP hostname as client Id).
      > Per-SP client policy is not very relevant with SSO authentication...
      > You may need to adjust your WebADM client policies.
    - SAML Return attributes can be set in the form name1=attr1,name2=attr2...
      where namex is the SAML attribute name mapping for the attribute.
      Ex. email=mail,lang=preferedLanguage.
    - Added a configuration to use different NameID formats. The supported formats
      are Persistent (default), Transient, emailAddress, X509SubjectName and
    - Added support for OpenID-Connect.
    - Removed support for OpenID 1.1 & 2.0 (deprecated).
    - Changed the SAML signature digest algorithm from SHA1 to SHA256.
    - Changed the SAML nameId to a hash value instead of username.
      > The hashed nameId is designed to be unique even with users having
      the same login name on mutiple domains.
      > Note that rthe nameId change might break your SAML SP account mappings.

    - Uses the new WAPI framework from WebADM v1.5.0.
    - Added product categorization for WebADM v1.4.5.
    - Complete facelift with new design and login workflows.
    - Added brute-force attack protection with source IP address blacklisting.

    - Added a configuration for SAML service providers requiring the user email
      address as login ID (fixed).
    - OpenID temporary storage uses Redis backend in WebADM 1.4.x.
    - Added support for WebADM user_level configurations in webadm.conf.

    - This version is designed for WebADM v1.4.
    - Added SSO login for Citrix online applications: GoToMeeting, GoToWebinar,
      GoToTraining and GotoAssist.
    - Added support for OpenOTP contextual authentication with trusted contexts.

    - Added support for cloud services based on customizable templates.
    - First template are available for SalesForce, SugarCRM and Zimbra SSO login.

    - Added support for OpenOTP v1.2 and FIDO U2F authentication.

    - Fixed SAML issues with POST requests binding.
    - Fixes session closed with trusted login form (session already started).
    - Subject NameID in SAML response contain the user ID (required by some SAML SP).
    - OpenID/SAML request sources are now used as OpenOTP or TiQR Client IDs.
      It is also possible to use client policies in WebADM with OpenID and SAML SP.
    - OTP inputs do not display the OTP password (required for protecting OTP PIN).
    - Added support for TiQR 1.0.7-2 with re-designed TiQR+LDAP workflow.
    - Added a PKI login mode which bypasses OTP and TiQR authentication.
    - Added a setting to optioanally sign the entire SAML responses.

    - SAML2 identity provider (IdP) is now included.
      > AuthnRequest and LogoutRequest are supported.
      > Both HTTP-POST and HTTP-Redirect protocol bindings are supported.
      > Options to return a list of configurable user LDAP attributes.
    - Better support of OpenID Simple Registration.
    - Minor enhancements.

     - New aplication architecture designed for WebADM v1.2.6.
     - Added a DisplayMode setting to switch between Normal and Simple OpenOTP Login.
       > In Normal mode: username, password and OTP inputs are displayed.
       > In Simple mode: only username and password inputs are displayed. This mode uses
         the OpenOTP SimpleLogin method where the semantic of the password input is handled
         by the OpenOTP server and based in the user login policy.
     - Adapated HTML for WebADM 1.2.5-1 rendering.
     - OpenOTP and TiQR settings are disabled when application is not present.
     - Added some help to the Manager interface methods (accessible under WebADM Infos menu).
     - Added support for WebApp authentication requiring user certificates.
     - Added support for OpenOTP v1.0.17 and TiQR v1.0.3 APIs.
     - Added support for WebADM 1.2.x Manager interface.
     - Fixed TiQR Poll Interval setting not working.

     - Compliance with TiQR Server 1.0.1.
     - Added support for TiQR offline mode.
     - Logging enhancements.
     - Display enhancements.

     - Added support for TiQR.
     - Added support for OpenOTP 1.0.11-1.
     - Dropped per-user OpenOTP settings.
     - Added a setting to set OpenOTP URL if not local.
     - Added OpenOTP Password List support.
     - Fixed button display with Google Chrome.

     - Added OpenID checkid_immediate support.
     - Added MIXED OpenID URL format.
     - Fixed a problem with check_authentication requests.

     Initial OpenID release.