164 lines
5.0 KiB
Plaintext
164 lines
5.0 KiB
Plaintext
Version 0.5.0
|
|
---------------------------------------------------------------------------
|
|
|
|
* Honour MellonProbeDiscoveryIdP order when sending probes.
|
|
|
|
* MellonAuthnContextClassRef configuration directive, to limit
|
|
authentication to specific authentication methods.
|
|
|
|
* Support for the HTTP-POST binding when sending authentication
|
|
requests to the IdP.
|
|
|
|
* MellonSubjectConfirmationDataAddressCheck option to disable received
|
|
address checking.
|
|
|
|
* Various cleanups and bugfixes:
|
|
|
|
* Support for older versions of GLib and APR.
|
|
|
|
* Send the correct SP entityID to the discovery service.
|
|
|
|
* Do not set response headers twice.
|
|
|
|
* Several cleanups in the code that starts authentication.
|
|
|
|
Version 0.4.0
|
|
---------------------------------------------------------------------------
|
|
|
|
* Allow MellonUser variable to be translated through MellonSetEnv
|
|
|
|
* A /mellon/probeDisco endpoint replaces the builtin:get-metadata
|
|
IdP dicovery URL scheme
|
|
|
|
* New MellonCond directive to enable attribute filtering beyond
|
|
MellonRequire functionalities.
|
|
|
|
* New MellonIdPMetadataGlob directive to load mulitple IdP metadata
|
|
using a glob(3) pattern.
|
|
|
|
* Support for running behind reverse proxy.
|
|
|
|
* MellonCookieDomain and MellonCookiePath options to configure cookie
|
|
settings.
|
|
|
|
* Support for loading federation metadata files.
|
|
|
|
* Several bugfixes.
|
|
|
|
Version 0.3.0
|
|
---------------------------------------------------------------------------
|
|
|
|
* New login-endpoint, which allows easier manual initiation of login
|
|
requests, and specifying parameters such as IsPassive.
|
|
|
|
* Validation of Conditions and SubjectConfirmation data in the assertion
|
|
we receive from the IdP.
|
|
|
|
* Various bugfixes.
|
|
|
|
Version 0.2.7
|
|
---------------------------------------------------------------------------
|
|
|
|
* Optionaly save the remote IdP entityId in the environment
|
|
|
|
* Shibboleth 2 interoperability
|
|
|
|
Version 0.2.6
|
|
---------------------------------------------------------------------------
|
|
|
|
* Fix XSS/DOS vulnerability in repost handler.
|
|
|
|
Version 0.2.5
|
|
---------------------------------------------------------------------------
|
|
|
|
* Replay POST requests after been sent to the IdP
|
|
|
|
* Fix HTTP response splitting vulnerability.
|
|
|
|
Version 0.2.4
|
|
---------------------------------------------------------------------------
|
|
|
|
* Fix for downloads of files with Internet Explorer with SSL enabled.
|
|
|
|
* Mark session as disabled as soon as logout starts, in case the IdP
|
|
doesn't respond.
|
|
|
|
Version 0.2.3
|
|
---------------------------------------------------------------------------
|
|
|
|
* Bugfix for session lifetime. Take the session lifetime from the
|
|
SessionNotOnOrAfter attribute if it is present.
|
|
|
|
Version 0.2.2
|
|
---------------------------------------------------------------------------
|
|
|
|
* Improve metadata autogeneration: cleanup certificate, allow Organizarion
|
|
element data to be supplied from Apache configuration
|
|
|
|
Version 0.2.1
|
|
---------------------------------------------------------------------------
|
|
|
|
* Make SAML authentication assertion and Lasso session available in the
|
|
environement.
|
|
|
|
Version 0.2.0
|
|
---------------------------------------------------------------------------
|
|
|
|
* Autogeneration of SP metadata. (Requires Lasso 2.2.2 or newer.)
|
|
|
|
* Multiple IdP support, with discovery service.
|
|
|
|
* Built in discovery service which tests the availability of each IdP,
|
|
and uses the first available IdP.
|
|
|
|
* Fix a mutex leak.
|
|
|
|
|
|
Version 0.1.1
|
|
---------------------------------------------------------------------------
|
|
|
|
* MellonSecureCookie option, which enables Secure + HttpOnly flags on
|
|
session cookies.
|
|
|
|
* Better handling of logout request when the user is already logged out.
|
|
|
|
|
|
Version 0.1.0
|
|
---------------------------------------------------------------------------
|
|
|
|
* Better support for BSD.
|
|
|
|
* Support for setting a IdP CA certificate and SP certificate.
|
|
|
|
* Support for loading the private key during web server initialization.
|
|
With this, the private key only needs to be readable by root. This
|
|
requires a recent version of Lasso to work.
|
|
|
|
* Better DOS resistance, by only allocating a session when the user has
|
|
authenticated with the IdP.
|
|
|
|
* Support for IdP initiated login. The MellonDefaultLoginPath option can
|
|
be to configure which page the user should land on after authentication.
|
|
|
|
|
|
Version 0.0.7
|
|
---------------------------------------------------------------------------
|
|
|
|
* Renamed the logout endpoint from "logoutRequest" to "logout".
|
|
"logoutRequest" is now an alias for "logout", and may be removed in the
|
|
future.
|
|
|
|
* Added SP initiated logout. To initiate a logout from the web site, link
|
|
the user to the logout endpoint, with a ReturnTo parameter with the url
|
|
the user should be redirected to after being logged out. Example url:
|
|
"https://www.example.com/secret/endpoint/logout
|
|
?ReturnTo=http://www.example.com/". (Note that this should be on a
|
|
single line.)
|
|
|
|
* Fixed a memory leak on login.
|
|
|
|
* Increased maximum Lasso session size to 8192 from 3074. This allows us to
|
|
handle users with more attributes.
|
|
|
|
* Fixed handling of multiple AttributeValue elements in response.
|