Releases: SAML-Toolkits/java-saml
OneLogin's SAML Java Toolkit v2.9.0
- #352 Add factories as an extension mechanism for Auth
- #367 Improve SP contacts
- #370 Update parseXML to use XMLErrorAccumulatorHandler
- #376 docs: update dependency version used in README and add TOC
Full Changelog: v2.8.0...v2.9.0
OneLogin's SAML Java Toolkit v2.8.0
- Updated xmlsec to 2.2.3 which fixes CVE-2021-40690
- #359 Allow controlling the NameIDPolicy.AllowCreate attribute on AuthnRequest
- #356 Validate assertion version as well in SAML response validation
- #351 Support more complex response statuses in LogoutResponse generation
- #350 Improve authentication and logout request input params API
- #321 Allow for extension classes to post-process generated XML
- #340 Trim values obtained with getTextContent() on any XML node
- #327 Ensure local resolution of schemas (and DTDs)
- #315 Properly escape text to produce valid XML
OneLogin's SAML Java Toolkit v2.7.0
- Support sending extra GET parameters on login and logout
- #331 Made the SamlResponse returned attribute map preserve attribute order
- #333 Fix extraction of the response issuer
- #320 Add Auth.getLastMessageIssueInstant and Auth.getLastRequestIssueInstant
- #341 Made LogoutRequest and LogoutResponse more extensible
- #318 Made SamlResponse more extensible
- #308 Made constants real constants
- #300 Support for SingleLogoutService ResponseLocation in IdPMetadataParser
- #295 Support Alg Deprecated rejection
- #296 Improve SettingsBuilder build method in order to fix an issue at injectIntoSettings method
- #290 Support for unwrapping key via an HSM when decrypting the SAML assertion
- #293 Support digest algorithm at settings
- #337 Remove useless XMLEntityException declaration in logout throws clause
- #339 Remove the useless Exception throws declaration in LogoutRequest.isValid
- Improved documentation
- Update dependencies due to security warnings.
- Migrate from Travis to GitHub Actions
OneLogin's SAML Java Toolkit v2.6.0
- Check that the certificate of the XML matches the value registered (cert/fingerprint) before validating the signature, to be able to identify such an issue.
- 218 Exposing statuscode and substatuscode through toolkit.
- 233 When checking IdP Settings, verify with multiple possible IdP certs.
- 240 Support KeyStore file for SP. Also 243
- 244 Add StatusCode support for logout response
- 232 Make Fingerprint check case insensitive
- Allow duplicated names in AttributeStatement by configuration.
- 253 Expose validation exception in Saml classes
- Support NameID Encryption with MultiCert
- 276 Fix signature validation issue when using fingerprint and sha256 alg
- 272 Fix format time issues
- 284 fix nameidNameQualifier typo on logout example
- 283 Expose a constructor for SamlResponse class which doesn't require HttpRequest
- 250 Add a stay parameter to Auth processSlo
- Make ProtocolBinding in the AuthnRequest configurable
- The Metadata constructor no longer sets a validUntilTime/cacheDuration when a null parameter is passed; if no parameter is provided, it takes constant values.
- Update dependencies
- Update the .java-version file to 1.8
OneLogin's SAML Java Toolkit v2.4.1
This version uses an old version of xmlsec which is vulnerable: CVE-2019-12400
- Set true as default value for 'strict' setting parameter
- Add support for Subjects on AuthNRequests by the new parameter nameIdValueReq
- Update dependencies
OneLogin's SAML Java Toolkit v2.5.0
- Drop support for Java 7 (due to the xmlsec dependency being updated to 2.1.4 because of CVE-2019-12400)
- Set true as default value for 'strict' setting parameter
- Add support for Subjects on AuthNRequests by the new parameter nameIdValueReq
- Add NVD vulnerability checker Maven plugin to improve CI
- Update dependencies
OneLogin's SAML Java Toolkit v2.4.0
- #159 Adjusted acs.jsp to extract NameQualifier and SPNameQualifier from SAMLResponse. Adjusted dologout to provide NameQualifier and SPNameQualifier to logout method. Add getNameIdNameQualifier to Auth and SamlResponse. Extend logout method from Auth and LogoutRequest constructor to support SPNameQualifier parameter
- #167 Fix RelayState processing
- #165 Add support for second-level status code. Refactor getStatus method (moved to Utils and used at SAMLResponse and LogoutResponse classes).
- Improve addSign method. Support DigestMethod. On decrypt method, verify that there is encrypted data
- Add a property for unique ID prefix
- Update scope of the dependencies at poms
- #166 Fix example page attrs.jsp. Right comparison of parameters.
- #186 Fix example page dologin.jsp. Fix: gather context path via Java
- Changed code to use specific XPathFactoryImpl
- Refactor code: Make SamlResponse slightly more extendable
- Add warning on Readme: Discourage the use of fingerprint on production environments
- Removed deprecated HttpRequest calls
- Bump the Jacoco plugin to latest version to allow building project with Jdk 11
- Fix documentation of some setting parameters
OneLogin's SAML Java Toolkit v2.3.0
- Fix Exclusive Canonicalization transform used on addSign method.
- Fix issue with LogoutRequest rejected by ADFS due to NameID with unspecified format instead of no format attribute
- #137 Fix invalid value on onelogin.saml2.security.requested_authncontext of example settings file
- Be able to register multiple Identity Provider x509cert
- Support the ability to parse IdP XML metadata (remote url or file) and be able to inject the data obtained on the settings.
- Refactor multi cert support signature validation
- Adding test that checks VU-475445
- Add extra protection to whitelist algorithm used on Signature
OneLogin's SAML Java Toolkit v2.2.0
OneLogin's SAML Java Toolkit v2.1.0
- Validate serial number as string to work around libxml2 limitation
- Make the Issuer on the Response Optional
- #98 Be able to provide a NameIDFormat to LogoutRequest. Fix getNameIdData method.
- #104 Compatibility with older versions of xerces sax parser
- Add onelogin.saml2.organization.lang attribute
- #105 Throw a more descriptive exception on invalid issuer to ease debugging
- #108 Fix typo in HttpRequest.equals()
- #110 Fix base64decodedInflated method, but set a decompress limit