JOSSO EE 2.4
TIP
Downloads portal: https://josso-resources.atricore.com
v.2.4.4
Changelog
v.2.4.4 Update #58
UPD: Add kid attribute to JWT Headers when using RSA signature
NEW: Disable appliance build upon JOSSO startup using a configuration property
FIX: SLO issue when triggering SLO from an SP that uses an IDP that overrides the SP channel settings
FIX: Virtual Providers do not require an identity source
FIX: Error when using constants in attribute mapping. Constant value last character is truncated.
FIX: Error after login-logout-login on some JOSSO agents
NEW: form_post support in OpenID
FIX: Reported port in HTTP Content security headers when using HTTPS for OpenID URLs.
FIX: When using IDP initiated, and IDP requires signing authn request, signature is now properly validated.
UPD: Prefer configured encryption method for assertion when SP supports it.
v.2.4.4 Update #54
FIX: OIDC slo post logout URL must not be also listed in client URIs.
UPD: OIDC Attribute profiles for non-overridden channels
v.2.4.4 Update #53
- NEW: OIDC Support for CORS pre-flight requests using OPTIONS
v.2.4.4 Update #52
FIX: OIDC nonce missing in ID token
NEW: OIDC support for attribute mapping profiles
FIX: new JOSSO 2.5 branding adjustments
FIX: OIDC front-channel logout NPE when id token hint was not provided.
v.2.4.4 Update #50
NEW: JOSSO 2.5 Branding
NEW: Processing UI
NEW: OIDC Support for iframe session check
NEW: OIDC CORS support for back channel endpoints
UPD: OIDC Fixes
v.2.4.4 Update #47
NEW: JDBC Identity store connection pooling added
UPD: Improvements to account link emitters. SP/VP user ip address now available while emitting.
NEW: Identity mapping extension points allow custom user keys to be used to load users based on context information (only when using an SP/VP identity store).
FIX: OIDC OP Metadata improvements
v.2.4.4 Update #45
FIX: Custom authenticator / LDAP Store using OSGi services
FIX: XML Parsing security (update #44-ebf)
v.2.4.4 Update #44-ebf
- FIX: XML Parsing security
v.2.4.4 Update #42
- NEW: Virtual Provider support for OIDC
v.2.4.4 Update #31
- UPD: OIDC fix for token refresh
v.2.4.4 Update #39
UPD: OIDC Improvements, including JWT token claims and SLO
NEW: Passwordless authentication using OAuth2
UPD: OAuth2 .Net client support for passwordless authentication
v.2.4.4 Update #33
NEW: Attribute profile allows for expressions to map values
NEW: OIDC UserInfo endpoint
v.2.4.4 Update #31
FIX: Serialization error when enabling copyOnRead property on EH-Cache stores.
UPD: SLO requests use requested name identifier instead of unspecified.
NEW: OIDC Tokens TTL configurable
UPD: OIDC Signature / Encryption improvements
FIX: Signature validation only for bindings that support it
v.2.4.4 Update #28
FIX: Weblogic agent does not report an error when the authentication is not targeted to JOSSO, but to other provider.
FIX: Weblogic provider version updated to match JOSSO agent version
UPD: OpenID Connect improvements: Implicit flow, Metadata endpoint, JSON Web Key Set (JWKS) endpoint.
FIX: SAML Signature validation only to supporting bindings
FIX: User entity selector issue after SLO
v.2.4.4 Update #25
- FIX: Signature NPE error when signing SAML query strings introduced in update #24.
v.2.4.4 Update #24
- FIX: Default to a valid hash algorithm for appliances imported from older version.
v.2.4.4 Update #23
- FIX: Added missing bcrypt artifact for systems without internet access.
v.2.4.4 Update #22
- NEW: BCrypt hashing support for basic authentication
v.2.4.4 Update #21
- FIX: Error when using upper case names in Virtual Providers and Encrypted assertions
v.2.4.4 Update #20
- FIX: Authentication Service Priority
v.2.4.4 Update #19
- FIX: OpenID Connect SLO support
v.2.4.4 Update #18
- FIX: OpenID Connect authentication failure
v.2.4.4 Update #17
FIX: Error when building appliance that uses external properties (due to spring upgrade).
NEW: Custom token support for pre-authentication. JOSSO can collect a custom token from a header/cookie/request parameter.
NEW: Weblogic execution environment supports customizing location element.
UPD: Improved SSO policies report upon authentication failure (failed attempts/remaining attempts, account locked/expired, etc.).
FIX: KeyInfo element may be present without a key.
FIX: KeyInfo element may not be present.
FIX: SAML Response using HTTP-Redirect binding honors configured SAML Signature options.
v.2.4.4 Update #11
- UPD: Improved Authentication policy reporting
v.2.4.4 Update #10
- NEW: Custom pre-authentication support, includes custom HTTP headers and parameters
v.2.4.4 Update #09
- FIX: Workaround for JDK deflater reporting invalid state. This caused some threads to get into an infinite loop.
v.2.4.4 Update #08
UPD: Configurable email attribute name for User identifier
UPD: User columns alias when defining properties in DB identity store
UPD: Improved SLO error when no SLO endpoint is available for an SP
v.2.4.4 Update #07
UPD: SAML 2 Signature/Encryption improvements
NEW: Jasper Server support
v.2.4.4 Update #06
- NEW: Custom Authenticator / 2FA Authenticator improvements
v.2.4.4 Update #02
- UPD: Merged 2.4.3 #27
v.2.4.3
Changelog
v.2.4.3 Update #32
- FIX: Weblogic 12 agent failed to resolve roles/groups
v.2.4.3 Update #31
- FIX: Workaround for JDK deflater reporting invalid state. This caused some threads to get into an infinite loop.
v.2.4.3 Update #30
FIX: SLO Issuer when using Virtual Providers is now correctly set.
FIX: SLO Signature (HTTP-Redirect) is now included when using VP.
v.2.4.3 Update #29
- UPD: Cross Scripting / clickjack prevention support
v.2.4.3 Update #27
UPD: SAML 2.0 XML Signature verification does not require KeyInfo element.
FIX: OpenID Connect exp claim validation fixes
UPD: OpenID Connect exp claim validation tolerance
NEW: CSA authentication extension point
UPD: CSA CRL verification improved with new CRL configuration options
v.2.4.3 Update #25
UPD: Client Certificate authentication improvements, including CRL support
FIX: SSL Support for trusted certificate store configuration
FIX: SAML Certificate date verification issues for JOSSO managed SPs
UPD: Improved logging, including OIDC wire logging
UPD: Social services token resolution retries to avoid network issues
v.2.4.3 Update #22
UPD: WebLogic agent improvements
UPD: Wire logging format
FIX: SLO fix when using overridden IDP channel between VP and IDP
v.2.4.3 Update #16
NEW: WeChat improvements for account linkage
FIX: Updating Liferay elements fixes
UPD: Spring framework
v.2.4.3 Update #09
- FIX: HA / EHCache integration (memory leaks fixed)
v.2.4.3 Update #07
UPD: WeChat improvements
UPD: JIT-SCIM Support for non-integer error codes
NEW: User-Agent propagated to mediation components
NEW: HTTP Follow redirect improvements (aliases and multi-domains supported)
NEW: ERROR Binding using HTTP GET
UPD: Proxy error propagation improvements
UPD: WeChat login
FIX: Some OSGi bundle configurations
UPD: Removed default setup, plugin-bundles should create specific instances.
UPD: Improved the documentation and logging
NEW: SCIM Connector
UPD: New windows authn ctx class support
UPD: Account Expiration date enabled
UPD: Do not add empty claims to a token (reduces token size).
FIX: Default IDs to be XML friendly
UPD: Transaction management for batch operations
UPD: New update/remove batch operations
UPD: Modify total number of sessions stats
UPD: Support for backslash (\) in the username
NEW: External attribute permission
NEW: Support for different credential types during basic authentication (email, username, etc.)
NEW: More built-in user attributes
FIX: Pre-authentication URL may contain request parameters
v.2.4.2
Changelog
v.2.4.2 Update #35
- FIX: XML Parsing security
v.2.4.2 Update #34
NEW: Cross Scripting / clickjack prevention support
UPD: Scala version
v.2.4.2 Update #33
- FIX: HA / EHCache integration (memory leaks fixed)
v.2.4.2 Update #31
- FIX: Oauth2 token generation in HA environments
v.2.4.2 Update #30
FIX: Appliance export command
FIX: Oauth2 token generation
v.2.4.2 Update #29
UPD: Total number of sessions statistics calculation changes
FIX: ID generation compliant with XML standard
NEW: Support Windows authentication context class reported by ADFS
FIX: OAuth2 authentication support now creates services even if no pre-authentication URL is configured.
v.2.4.2 Update #27
NEW: Last authentication timestamp on built-in users support
FIX: Force UTF-8 support in OAuth2 clients
NEW: Async email sending support
UPD: Default Artifact Queue Manager builder configuration for HA environments
FIX: Removing all groups from a user
FIX: Transaction rollback management when operations fail to better error logging.
v.2.4.2 Update #25
NEW: Virtual SP OpenID Connect support
UPD: Fixes to default UI skin
NEW: X-IdBus-Node HTTP header, useful for HTTP loadbalancers
UPD: OpenID Connect examples
v.2.4.2 Update #24
UPD: OpenID Connect improvements
NEW: EHCache Message Queue Manager configuration support
v.2.4.2 Update #23
NEW: Atricore Web console footer branding
UPD: User search improvements (paging, search options)
UPD: SPML Protocol improvements
NEW: EHCache transaction store for self-services, useful in HA environments.
NEW: Oracle Wallet v11R2 support
NEW: SSO UI Locale and i18n improvements
NEW: EHCache Message Queue Manager support, useful in HA environments.
NEW: Inform SSO Session count as user property when using pre-authentication.
NEW: systemd service file for Unix systems
NEW: SSO Session Manager extension point, including SSOSessionContext with subject and context information to use during session creation (i.e. establish timeout, etc.)
v.2.4.2 Update #20
NEW: OAuth2 client reports authentication failure errors as policy statements.
NEW: Option to disable debug information for Jetty errors (hides stack trace)
NEW: Support for configurable password policies (length, reg-exp, etc.)
UPD: ISAPI Agent configuration is case insensitive for application IDs.
FIX: ISAPI Agent error when no application ID is detected
v.2.4.2 Update #19
FIX: PHP Agent SOAP warning message
FIX: Servlet Agent keeps track of original requested resource when starting login process.
NEW: Command line user management can now disable accounts with user modify command (new command option).
NEW: SSO Session Manager extension point (see atricore idbus examples)
NEW: Subject Authentication Policy extension point to allow users to create custom authentication verification policies (see atricore idbus examples).
FIX: SQLServer support as external database for product persistence (System Settings, Persistence)
NEW: Disable admin account creation option
NEW: Auditing information in user management operations
NEW: Spring boot partner application example
NEW: Oracle Webcenter Sites agent
v.2.4.2 Update #18
NEW: Support for custom JOSSO 1 Agents using WWW Execution environment definition
Requires Update #11 or above installed
v.2.4.2 Update #17
FIX: Oracle JDBC Driver support for system persistence
FIX: Multiple OAuth2 bindings, to work with JavaScript and standard HTTP redirects
Requires Update #11 or above installed
v.2.4.2 Update #16
FIX: Concurrency error when using SAML Providers metadata service
FIX: Minor UI issues
Requires Update #11 or above installed
v.2.4.2 Update #15
FIX: Reported Service Provider alias to pre-authentication applications when using Virtual Provider.
Requires Update #11 or above installed
v.2.4.2 Update #14
New clustering discovery mechanisms for when multicast is not an option.
Improved SAML2 Assertion encryption support
Requires Update #11 or above installed
v.2.4.2 Update #13
Updated built-in certificate/key pair used during development
Improved JOSSO Agent protocols, force_authn and authn_ctx_class now supported
LDAP Support improved, special characters in usernames now properly escaped
Fixed Maximum number of logins per user when using Virtual Providers
Requires Update #11 or above installed
v.2.4.2 Update #12
FIX: Reported Authentication Context Class when using Remember Me (OAuth2)
FIX: Passive Authentication support when none is specified by Service Providers
Requires Update #11 or above installed
v.2.4.2 Update #11
FIX: Issue with remember me token persistence using new IDs
Improved default session cookies length
New dynamic peer discovery option for clustered environments
New command to remove social IdPs from the command line
FIX: reported authnCtxClass when using Virtual Providers
*Recommended fresh install
TIP
Make sure to export all your identity appliances, back up and delete the folder $JOSSO2_HOME/data/derby and restart JOSSO. You can import your appliances after that.
v.2.4.2 Update #10
Bugfixes
OpenID Connect new features
Improved ID generation for critical artifacts
v.2.4.2 Update #09
Identity Appliance commands improvements
Requires Update #8 or above installed
v.2.4.2 Update #08
Improved Unix scripts
Do not delete the OSGi cache when restarting (unix)
Upgraded to JOSSO 1.8.11 agents
Support for JOSSO 1.8.11 agents using force authentication options
New identity appliance command line management tools
Improved LDAP Password Policy extensions support
Include simple password reset support (LDAP only)
Virtual Provider fixes when overriding federated connections
New built-in attributes available when defining custom attribute profiles: idp alias, authentication context.
Tool to create ID Vault extension projects
TIP
If you have made changes to startup scripts located in the $JOSSO_HOME/bin folder, please make sure to back up those files and reapply the changes to the new set of scripts.
v.2.4.2 Update #06
SAML 2.0 Assertion Encryption Options
User Identifier configuration support for IDPs
Improved auditing properties, added federated provider information
Adds 2.4.1 general availability version
*Requires a fresh install, appliances must be re-created manually.
v.2.4.2 Update #05
Adds 2.4.1 Update #25 to #31
*This update requires 2.4.2 Update #1 already installed
v.2.4.2 Update #04
SAML 2.0 Assertion Encryption Options
Password Management Improvements
*This update requires 2.4.2 Update #1 already installed
v.2.4.2 Update #03
SPs locale selection when requesting authentication: The locale is propagated to the UI (wicket), and to SPs. When using custom attributes, the "userLocale" property must be mapped.
Password Policy Enforcement UI fixes: A new page object was added.
Protocol Pages Title branding: Property: idbus.protocol.page.title, you can add it to $JOSSO2_HOME/etc/org.atricore.idbus.kernel.main.cfg
*This update requires 2.4.2 Update #1 already installed
v.2.4.2 Update #02
LDAP Policy Management options
*This update requires 2.4.2 Update #1 already installed
v.2.4.2 Update #01
Includes 2.4.1 Update #24
SAML 2.0 Custom Attribute Profiles Management
Twitter Sign-In improvements
JIRA 6.x Support
Latest JOSSO 1.8.10-SNAPSHOT
v.2.4.2 Initial
Twitter Sign-In support
SAML 2.0 Attributes Profile improvements
Certus Ultra Sonic Authentication
v.2.4.1
Changelog
v.2.4.1 Update #37
- NEW: Cross Scripting / clickjack prevention support
v.2.4.1 Update #36
- FIX: IdP selection strategy
If you haven’t applied update #35, follow the instructions for that update.
v.2.4.1 Update #35
- FIX: JDK8 Support for Atricore Console launcher (avoids JSP error)
In case you are updating an older 2.4.1 version (Update #24 or below) you need to apply this update:
Properties you may also want to set:
Basic Authentication (Identity Provider): Reported SAML 2.0 Authentication Context
Directory Bind Authentication: Reported SAML 2.0 Authentication Context
Directory Bind Authentication: Referral
LDAP Identity Source: Referral
v.2.4.1 Update #33
Includes latest 1.8.10 improvements
Fixed invalidate exceeding SSO when using Virtual Providers
Fixed NPE error when SSO session expires using Virtual Providers
Includes 2.4.1 general availability version
*Requires Update #25 or above installed
v.2.4.1 Update #32
External error/warning dashboard support (JSON)
FIX: Basic Authentication salt prefix support
*Requires Update #25 or above installed
v.2.4.1 Update #31
Pre-Authentication Fixes
New identity store monitoring metrics
Session Heart-Beat support for proxied IdPs
Requires Update #25 or above installed
v.2.4.1 Update #30
New Salt prefix/suffix support for Basic Authentication
Ws-Federation STS fixes
ISAPI Agent support for IIS 8.x
ISAPI Agent includes latest OpenSSL version 1.0.2d, with new SSL/TLS protocol support, security improvements and bug-fixes.
ISAPI Agent support for multiple virtual hosts
*Requires Update #25 or above installed
v.2.4.1 Update #29
Basic Authentication SHA-512 Support
Remember Me support for Internet Explorer 11
Requires Update #25 or above installed
v.2.4.1 Update #28
SLO Fixes
Remember Me improvements
Requires Update #25 or above installed
v.2.4.1 Update #27
Facebook for Business Support
Facebook 2.4 API support
OAuth2.0 Pre-Authenticated request proxy support
OAuth2.0 Remember Me improvements
Requires Update #25 or above installed
v.2.4.1 Update #26
OpenID 1.0 Configuration Improvements
Requires Update #25 installed
v.2.4.1 Update #24
JIRA 6.x Support
Latest JOSSO 1.8.10-SNAPSHOT
v.2.4.1 Update #24
SAML 2.0 Front Channel SLO Support
OpenID Connect 1.0 Provider
OAuth 2.0 Tokens Lifetime Configuration
Updated Facebook API to v2.3
v.2.4.1 Update #23
Fix NPE issue on some SAML 2.0 configurations with SOAP
Weblogic 11, 12 JOSSO Agents
v.2.4.1 Update #22
Remember Me working when Pre-Authentication is configured
SAML 2.0 Metadata Service support
HTTP timeout settings for internally proxied requests
LDAP (JNDI) referrals configuration option in Directory components (store and authentication)
New custom features file descriptor for customers extensions
Update Instructions
JOSSO Administrators must edit current identity appliances, and verify LDAP component setups. Save, rebuild, redeploy and restart Identity Appliance.
v.2.4.1 Update #19
IdP SSO Session provided as attribute to applications
Disabled redirects generated by Apache Wicket that caused problems when reverse proxies are used.
IdP/SP proxy support improvements
Cross Origin Resource Sharing support
Improved logger configuration
Ws-Federation SLO Improvements (wreply support)
SLO Location for agent based applications (redirect the user to that URL upon logout)
Identity Appliance Import options to update locations automatically (facilitates promoting appliances from one environment to another)
v.2.4.1 Initial
Google Sign-In support
Facebook Sign-In support
OpenID Connect support, as relying party
JDK 7, JDK 8 support
Dot Net OAuth 2.0 APIs
Auditing Module
Virtual Provider Support (VSP)
External Authentication UI (pre-authentication) support
Tomcat 8 JOSSO Agent
Agents use JAXWS when possible
SAML 2.0 Improvements
Performance improvements