
Releases: snok/django-auth-adfs

1.1.2

11 Dec 09:21

Added

  • Added views to selectively disable SSO for login links

Fixed

  • Existing users with an empty password raised an exception

1.1.1

07 Dec 21:59

Added

  • Add a setting to force a login screen and disable SSO on ADFS.
  • Documentation about how to enable SSO for browsers other than IE & Edge.

Fixed

  • Prevent username field from being overwritten by a claim mapping.
  • Prevent traceback upon logout when ADFS config is not yet loaded.
  • Fix fields in log messages being swapped.

Security

  • Don't allow the audience claim to be ignored. This prevents access token reuse.
  • Set an unusable password on newly created users instead of leaving it empty.

1.1.0

07 Dec 21:44

1.0.0

05 Dec 20:45

This version contains backwards incompatible changes. Make sure to read the entire release notes.

Added

  • Windows 2016 (a.k.a. ADFS 4.0) Support
  • AzureAD support (check the setting TENANT_ID)
  • Django Rest Framework support.
  • Add a RETRIES and TIMEOUT setting for requests towards the ADFS server.
  • Add the CLIENT_SECRET setting to support client secrets in the OAuth2 Flow.
  • Users are now redirected back to the page that triggered the login instead of the main page.
  • Groups a user belongs to can now be automatically created in Django (check the MIRROR_GROUPS setting)

Changed

  • Django 2.1 support
  • All settings that can be determined automatically are now set automatically
  • When a claim mapped to a non-required field in the user model is missing,
    a warning is logged instead of an exception raised

Incompatible changes

  • Because of the login and logout views that were added, the redirect URI back from ADFS should
    now point to /oauth2/callback. Keeping it at /oauth2/login would have caused a potential redirect loop.

Deprecated

  • These settings are now loaded from ADFS metadata automatically and have been deprecated:

    • AUTHORIZE_PATH
    • LOGIN_REDIRECT_URL
    • ISSUER
    • REDIR_URI
    • SIGNING_CERT
    • TOKEN_PATH