lasso/NEWS

353 lines
14 KiB
Plaintext
Raw Normal View History

2004-09-07 13:43:47 +02:00
NEWS
====
2010-09-07 16:39:01 +02:00
2.3.1 - September 9th 2010
--------------------------
31 commits, 23 files changed, 523 insertions, 356 deletions
* An ABI breakage was introduced in 2.3.0 with change of value for enumeration
values LASSO_PROVIDER_ROLE_SP and LASSO_PROVIDER_ROLE_IDP, it breaked code
compiled with previous version and dumps of server objects. This release fix
it.
* SAMLv2 handling of the artifact binding for the WebSSO profile is now
simpler, no more dumping of the response nodes and signing at the artifact
building time, the final response is signed when the artifact is generated
and when unserialized later it is only manipulated as XML for not breaking
the signature. It fixes usage of ciphered private keys with the
HTTP-Artifact binding.
* SAMLv2 internal storage of endpoints was modified to better keep the
ordering between endpoints, which is espacially important for
AssertionConsumerService endpoints and difficult to implement well.
2.3.0 - July 21th 2010
2010-09-07 16:39:01 +02:00
----------------------
391 commits, 332 files changed, 13919 insertions, 7137 deletions
So what's new ?
* Misc:
- a public key is no more mandatory for building a LassoProvider
- date parsing now conforms to XSD and ISO8601 specification,
especially with respect to milliseconds (they are just ignored, but
parsing do not fails now).
- the encryption private key can be loaded with a password (SAMLv2
support only)
- keep on replacing direct glib data structure manipulation function by
safer lasso macros.
- remove useless verbosity when there is already some error reporting
through method return value.
- add a signature_verify_hint parameter to all profiles, which can be
used to specify the policy for verifying signatures. The choices are:
- maybe, i.e. let Lasso decides,
- force, i.e. always verify, even when it is not needed by the spec,
- ignore, i.e. verify, but do not block processing on signature
verifications error.
- add a new snippet type: SNIPPET_COLLECT_NAMESPACES, to collect all
declared namespaces in the context of a node. It is needed for
interpreting a string value which depend on the locally declared
namespaces (like XPath queries).
- support full syntax for query strings (lasso missed support for
semi-colon separator between query string key-value pairs).
- make LassoServer load its public key like LassoProvider
- lasso_build_unique_id is now part of the public API
- add lasso_profile_sso_role_with to decide on the role we have toward
another provider (depending on the Identity, the Session or the
Server object in this order).
- add a lasso_node_debug method wich output a human friendly dump (i.e.
indented) of a serialized LassoNode, contrary to dump which returns a
computer friendly one (dump will conserve signature values, not
debug).
* SAMLv2:
- constraint on the number of SessionIndex value in a LogoutRequest was
worked-around (see
lasso_samlp2_logout_request_get/set_session_indexes)
- full support for encrypted signing key (ID-FFv1.2 is coming in next
release)
- The treatment of assertions consumer endpoints metadata was improved to be
what the specification says, i.e find the best default.
- lasso_assertion_query_build_request_msg now properly initialize the Subject
of the query from all possibles sources (first profile->nameIdentifier, then
from the identity dump and finally from the session).
- when a parsed Assertion contains a signature, we return the
original_xmlnode instead of serializing the LassoNode content when
calling lasso_node_get_xmlNode. This is in order to keep canonical
representation of signed assertions. The result is that parsed and
signed assertions should be considered read-only with respect to
serialization.
- lasso_login_build_assertion no longer initialize sessionNotOnOrAfter,
it must be done explicitely by the IdP implementation. Only the
assertion lifetime is set by the arguments.
- when loading metadata for a provider, we verify that a role
descriptor exists for the prescribed role: i.e if you do
server.addProvider(lasso.PROVIDER_ROLE_SP, "metadata.xml"), lasso
checks that the metadata contain a descriptor for the role "SPSSO".
- new helper methods to manipulate and check conditions on
SAMLv2 assertions.
- move strings to their own header (but keep retro-compatibility
through inclusion in xml/strings.h).
* Bindings:
- improve general use of bindings/utils.py module inside the bindings
to share type matching logic.
* Python binding:
- Glib warning are tunneled through python logging API
- camelcasing of uppercase starting fields for python and java bindings has
been fixed, old orthograph has been also kept for compatibility. The problem
could be seen on LassoAssertion object where the field ID was renamed iD
which was difficult to guess.
- node class now supports pickling by leveraging existing XML
serialization. It posseses the same limitations as the existing XML
serialization, for example serializing a LassProfile is not an
idempotent operation, it will miss the server, identity and session
fields.
- empty GList now return an empty tuple, not None (it fixes a lot
list traversal codes)
- do not forget to emit 'pass' in declaration of class without any
content (no method, no field, no constructor)
- the code to emit 'freeing' code for values was factorized and improved.
- for empty lists returns an empty pyhon list, not None.
* Perl binding:
- support for out parameters was added.
- better memory freeing
* Java binding:
- finished exception support for error returning methods.
- optimize the makefile for file listing generation
- for NULL GList returns an empty ArrayList object, not null.
* Documentation:
- add examples to LassoLogout documentation
- fix missing or deprecated methods in lasso-sections.txt
- document LassoIdWsf2Profile methods
- document runtime flags
* Tests:
- new macros to help in testing (see tests/tests.h), they also make
better error reporting (when comparing values, they show the expected
and the obtained value).
- SAMLv2 AuthnRequest through HTTP-Artifact binding is tested
- SAMLv2 LogoutRequest with multiple SessionIndex is tested
- force C locale for integration test (we match UI strings, so it is
needed).
- SAMLv2, test websso with encrypted private keys (idp and sp side)
- SAMLv2, add a python test for attribute authority
* ID-WSF 2.0:
- constant strings were moved to their own header
(lasso/xml/id-wsf-2.0/idwsf2_strings.h)
- add helper method to retrieve the bootstrap EPR from an assertion and
to mint assertion to use as WS-Security tokens.
- add method lasso_idwsf2_data_service_get_query_item_result_content to
retrieve DST query result as text
- sign SAMLv2 assertion used as WS-Security tokens
And many minor bug-fixes...
2010-01-29 17:42:29 +01:00
2.2.91 - January 26th 2010
--------------------------
A new Perl binding, fix for backward compatibility with old versions of glib,
LassoLogout API is more robust since it does not need anymore for all SP logout
to finish to work, new macro lasso_list_add_new_xml_node, add support for
WS-Security UsernameToken (equivalent of poor man HTTP Digest Authentication),
make public internal APIs: lasso_session_add_assertion,
lasso_session_get_assertion and lasso_session_remove_assertion.
2010-01-18 11:04:01 +01:00
2.2.90 - January 18th 2010
2010-01-14 17:18:38 +01:00
--------------------------
Lots of internal changes and some external one too.
There is a new api to force, forbid or let Lasso sign messages, it is called
lasso_profile_set_signature_hint.
Big overhaul of the ID-WSF 1 and 2 codes, and of the SAML 2.0 profiles. Now all
SAML 2.0 profile use common internal functions from the lasso_saml20_profile_
namespace to handle bindings (SOAP,Redirect,POST,Artifact,PAOS). New internal
API to load SSL keys from many more formats from the public API.
In ID-WSF 2.0, Data Service Template has been simplified, we no more try to
apply queries, it is the responsability of the using code to handle them.
In bindings land, the file bindings/utils.py has been stuffed with utility
function to manipulate 'type' tuple, with are now used to transfer argument and
type description, their schema is (name, C-type, { dictionary of options } ),
they are now used everywhere in the different bindings. We support output
argument in PHP5, Python and Java, i.e. pointer of pointer arguments with are
written to in order to return multiple values. For language where the binding
convert error codes to exceptions (all of them now), the ouput value is
returned as the normal return value of the method, so only one output argument
is handled for now.
We now use GObject-introspection annotations in the documentation to transfer
to the binding generator the necessary metadata about the API (content of
lists, hashtables, wheter pointer are caller/callee owned, can be NULL or if
argument have a default value). The file bindings/override.xml is now
deprecated.
In documentation land, the main reference documentation was reorganizaed and
more symbols have been added to it. Many more functions are documented.
There is now tools to control the evolution of the ABI/API of Lasso.
2009-03-23 14:21:48 +01:00
2.2.2 - March 24th 2009
-----------------------
Many fixes and improvements to the ID-WSF 1 support, new API to load SSL keys
off memory, documentation for ID-WSF methods, general robustness and memory
leak fixes.
2008-07-22 14:45:52 +02:00
2.2.1 - July 22nd 2008
----------------------
Fixed problems with signed SAML 2.0 URL strings and checks against existing
assertions to tell if authentication was required.
2008-05-28 12:35:45 +02:00
2.2.0 - May 28th 2008
2008-05-27 18:00:19 +02:00
---------------------
Added support for encrypted NameIdentifier in ID-FF 1.2, fixed various minor
issues with ID-WSF support and several bugs and memory management issues; also
replaced bindings for Java, PHP 5 and Python with new ones, created by a custom
code generator.
2007-08-21 13:21:44 +02:00
2.1.1 - August 21st 2007
------------------------
Added support for LassoSignatureType to bindings (support was already but
implicitely present for Python), fixed references to Node and String lists
in all bindings.
2007-08-13 13:34:48 +02:00
2.1.0 - August 13rd 2007
------------------------
Added preliminary support for ID-WSF 2, Discovery and Data Service Template,
added missing accessors for class elements in SAML 2 language bindings, fixed
potential DoS in message parsing.
2.0.0 - January 16th 2007
2007-01-16 10:14:39 +01:00
-------------------------
Completed SAMLv2 support, passed conformance event organized by the Liberty
Alliance from December 4th to 8th 2006. Gratuitous giant version bump to
mark this step. Fixed memory leaks and potential segmentation faults.
1.9.9 - December 19th 2006
--------------------------
[Test version, news copied over to 2.0.0]
0.6.6 - October 16th 2006
-----------------------
Fixed issues in ID-WSF Data and Interaction services support, fixed a few
robustness issues in corner cases.
[This version was finally not released due to decision to first finish
SAMLv2 support and pass the conformance tests.]
2006-03-21 10:03:37 +01:00
0.6.5 - March 21st 2006
-----------------------
2007-01-16 10:14:39 +01:00
Fixed support for SWIG 1.3.28 (now required), fixed a win32 build issue, fixed
2006-03-21 10:05:37 +01:00
documentation.
2006-03-21 10:03:37 +01:00
2006-03-08 10:14:13 +01:00
0.6.4 - March 8th 2006
2006-03-08 13:13:11 +01:00
----------------------
2006-03-08 10:14:13 +01:00
Added first draft of ID-WSF Interaction Service support, added message
signatures to ID-WSF messages, added first draft of SAML 2 support (only
Web-SSO and part of Single Logout for the moment), fixed some corner cases,
improved error detection in different places, upgraded SWIG support to 1.3.28
and generally improved the bindings.
0.6.3 - September 30th 2005
---------------------------
Improved behaviour when confronted to other Liberty providers that do not
implement all the mandatory Liberty requirements, improved error status code
reporting, completed support for public keys embedded in metadata files, fixed
a few corner case bugs. Also continued work on ID-WSF support, implementing
Discovery and DST services but still considered experimental and disabled by
default.
2005-05-26 11:28:39 +02:00
0.6.2 - May 26th 2005
2005-05-17 19:58:53 +02:00
---------------------
Fixed usage of NameIdentifiers after calls to Register Name Identifier profile,
2005-05-26 11:28:39 +02:00
improved robustness against other Liberty implementations, improved loading of
metadata, fixed minor bugs and memory leaks. Continued work on ID-WSF support,
still partial and disabled by default.
2005-05-17 19:58:53 +02:00
2005-02-22 12:20:17 +01:00
0.6.1 - February 22nd 2005
--------------------------
Completed <lib:Extension> support, added full bidirectional query string support
for AuthnContextStatementRef, AuthnContextClassRef and AuthnContextComparison,
fixed a crasher-bug in a rare case of single sign on profile, tested and
shipped with Microsoft Visual Studio project files.
2005-01-26 23:20:42 +01:00
0.6.0 - January 27th 2005
-------------------------
Rewrote library internals to use standard structures instead of libxml2 nodes;
this allows faster processing, more flexibility and better support for language
bindings. Documented all the API functions. Fixed and improved the rest.
0.5.0 - November 9th 2004
-------------------------
All features of SP Basic, SP, IDP, and LECP profiles for Liberty IDFF 1.2
Static Conformance are now implemented, except for "Backward Compatibility".
Extended features are also supported, except for "Affiliations". Compatible
with the demo application of the last Beta version of SourceID Liberty 2.0.
Improved metadata support, a lot of new feature and bugfixes.
API, ABI, and dump format of messages have changed, so this release is not
compatible with previous versions.
2005-01-26 23:20:42 +01:00
0.4.1 - September 7th 2004
--------------------------
Small bug fixes. Windows DLL are now linked with standard call aliases.
2005-01-26 23:20:42 +01:00
2004-09-07 13:43:47 +02:00
0.4.0 - September 6th 2004
--------------------------
Complete support for the main profiles of Liberty Alliance IF-FF 1.2 (Single
Sign On, Single Logout, and Federation Termination). Revamped language
bindings to use SWIG (supported languages are noew Python, PHP, Java and C#).
More unit tests. Bugs fixed.
2005-01-26 23:20:42 +01:00
2004-09-07 13:43:47 +02:00
0.3.0 - July 27th 2004
----------------------
Improved support for Single Sign On and Single Logout profiles. Python and
Java bindings. Unit tests. Bugs fixed.
0.2.0 - June 1st 2004
---------------------
First release as a C library.