Releases: Sustainsys/Saml2
v0.22.0
- ASP.NET Core 2 Handler
- StubIdp renamed/updated to Sustainsys layout.
- Improved error messages
- Validate federation metadata signature
- Preserve state across discovery service call
See milestone for details.
v0.21.2 - SECURITY UPDATE
This is a security update, fixing three issues:
- XML External Entity Injection (affecting .NET 4.5 only)
- Malicious IdP can cause write to arbitrary file
- Flawed ReturnUrl validation leads to Open Redirect
v0.21.1
- Bug Fix: Local logout broken in v0.21.0
- Bug Fixes: Various error conditions now produce better messages instead of hard-to-understand null reference exceptions.
v0.21.0
- Added Logging
- Fixed GlobalEnableSha256XmlSignatures that was broken in v0.20.0
v0.20.0
- Security Fix: Open redirect issue with ReturnUrl
- Improved active/passive handling for Owin middleware
- SHA256/384/512 support
- More Notifications for custom behaviour
And more... see issue list in milestone for details.
v0.19.0
- Fix: SP-initiated logout uses configured binding.
- Fix: Removed buggy expansion of relative ReturnUrls
- Fix: Enabling SHA256 signatures no longer breaks IdentityServer3.
- Support for SessionNotOnOrAfter
- And some more, see https://github.com/KentorIT/authservices/milestones/v0.19.0 for details.
v0.18.1
- Bug Fix: Use AuthenticationRequest event in HttpModule.
- Don't use ClaimsPrincipal.Current in Logout Command.
- Bug Fix: Logout over HTTP POST.
- Bug Fix: Handle NameIdFormat on Logout.
This release contains breaking changes related to logout handling; please see
https://coding.abel.nu/2016/06/kentor-authservices-0-18-1-breaking-changes/
v0.18.0
- Support for Scoping
- Notifications/callbacks
- Bug fixes, see GitHub milestone for complete list.
- ADFS compatible metadata
v0.17.2
- Bug fix of incorrect URL expansions in 0.17.1.
v0.17.1
Bug fixes, see milestone on GitHub for complete list:
- Validation works with load balancing without session affinity
- Correct callback URL with IdSrv3 + PublicOrigin setting.
- More resilient to spooky metadata.
- Correct casing of AuthnContextComparision
This release contains breaking changes to the public API of the core Kentor.AuthServices package. This only concerns anyone using the core library directly. The HttpModule/Mvc/Owin packages have no API changes.