Releases: IdentityPython/SATOSA

v3.3.1

07 Oct 11:17

Fixes:

  • Too greedy regular expression for path routing, which led to requests being routed to the wrong plugin if one plugin's name was a substring of another's (e.g. frontend named Saml and backend named SamlIDP).
  • Corrected documentation for SAML<->Social login use case.
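
An added illustration of the routing fix above, not SATOSA's own code: a hypothetical first-match router (`build_routes`, `route`, `ambiguous_names`, the faulty pattern and the request paths are all assumptions) showing how an unanchored name pattern sends a `SamlIDP` request to `Saml`, and how anchoring the name to a whole path segment avoids it.

```python
import re

# Plugin names come from the release note; kinds and request paths are constructed.
PLUGINS = [("Saml", "frontend"), ("SamlIDP", "backend")]


def build_routes(plugins, anchored):
    """Return (compiled_regex, name, kind) tuples in registration order."""
    routes = []
    for name, kind in plugins:
        if anchored:
            # Name must be the complete first path segment:
            # start of path, literal name, then "/" or end of path.
            pattern = "^" + re.escape(name) + "(/|$)"
        else:
            # Assumed faulty form: the bare name, matched anywhere in the path,
            # so "Saml" also matches a path that starts with "SamlIDP".
            pattern = name
        routes.append((re.compile(pattern), name, kind))
    return routes


def route(path, routes):
    """First matching route wins; returns (name, kind) or None."""
    path = path.lstrip("/")
    for regex, name, kind in routes:
        if regex.search(path):
            return name, kind
    return None


def ambiguous_names(plugins):
    """Startup check: pairs (a, b) where name a is a substring of name b."""
    names = [name for name, _ in plugins]
    return sorted((a, b) for a in names for b in names if a != b and a in b)


if __name__ == "__main__":
    request = "/SamlIDP/acs/post"  # constructed path meant for the backend
    print("unanchored:", route(request, build_routes(PLUGINS, anchored=False)))
    print("anchored:  ", route(request, build_routes(PLUGINS, anchored=True)))
    print("overlapping names:", ambiguous_names(PLUGINS))
```

A check like `ambiguous_names` is useful in a deployment review even after the fix, since overlapping plugin names are the condition under which a routing regression would go unnoticed.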

v3.3.0

07 Oct 06:34

News:

  • SATOSA, through upgraded pysaml2, now supports an MDQ server as metadata source.
  • The publish_metadata SAML plugin configuration parameter has been removed due to incorrect functionality.

Fixes:

  • OpenIDConnectFrontend now specifies which attributes it will release for a request. This allows the consent micro service to filter the incoming attributes before displaying only the relevant attributes to the user for approval.
  • The metadata generation script will not write empty frontend SAML metadata.
  • SAMLFrontend will respect the NameID format from the NameID policy in SP's metadata if the authentication request does not contain a NameID policy.

Improvements:

  • OpenIDConnectFrontend has been refactored to allow for easier subclassing.
  • SATOSA will fail on startup if any plugin configuration file can't be loaded.
  • Minor updates in the documentation for clarity.

v3.2.1

23 Sep 08:38

Fixes bug in handling of attribute mapping parameter user_id_to_attr.

v3.2.0

22 Sep 08:42

News:

  • Micro services can implement callbacks in the same way as front-/backends. See a demo for a micro service using this new functionality to display a UI for 2-factor authentication here. Note the changed requirements for MicroService.process() (subclasses have to call process() in the super class).
  • Account linking and consent are micro services of SATOSA instead of special cases. This will require configuration upgrades, see the examples here and here respectively.
  • OpenIDConnectFrontend supports multiple configured backends. It just requires a request micro service to do the custom routing to specific backends based on something in the request (perhaps the OpenID Connect 'scope' parameter?).

Fixes:

  • SAMLMirrorFrontend registers a much more restrictive regular expression for matching requests.
  • Pass the incoming request to request micro services, instead of clearing it before it's passed on.
  • Update the consent micro service to work with the updated API of the external service.
  • Include jwks_uri in the provider configuration information published by OpenIDConnectFrontend.

Improvements:

  • Added tests for account linking and consent micro services.
  • Make --split-{frontend,backend} option of the satosa-saml-metadata script proper flags (so they don't require an extra argument).
  • Simplified config for account linking and consent now that they're micro services.
  • Upgraded pyop dependency to get a fix for token error at userinfo endpoint in OpenIDConnectFrontend.

v3.1.0

08 Sep 06:42

News:

  • Possible to configure lifetimes for tokens issued by the OpenID Connect frontend.
  • Metadata generation script (satosa-saml-metadata) has two flags: --split-frontend and --split-backend for producing metadata files with just one EntityDescriptor per file instead of one file with all entities nested in an EntitiesDescriptor.

Fixes:

  • Correctly handle UI Info in mirrored target IdPs with logos that don't specify the (optional) language attribute.

v3.0.0

06 Sep 11:58

News:

Fixes:

  • Don't copy contact information from target provider to frontend metadata when using SAMLMirrorFrontend (see #12).
  • Test improvements.
  • Updated docs.

v2.1.1

19 Aug 11:07

Fix non-WSGI-compliant Response class.

Also improves test coverage and logging.

v2.1.0

19 Aug 06:31

Critical fix for SAMLFrontend to handle authentication requests with a NameIDPolicy not containing a format, e.g.: <urn:oasis:names:tc:SAML:2.0:protocol:NameIDPolicy AllowCreate="1" />.

v2.0.0

18 Aug 15:22

Massive refactor of the code base that improves maintainability and fixes a number of bugs.

Changes affecting upgrade from v1.0.4->v2.0.0:

v1.0.4

26 Apr 04:53

Updated OIDCFrontend with pyoidc v0.8.4.0.