218 lines
6.7 KiB
Plaintext
218 lines
6.7 KiB
Plaintext
Version 0.6.0
|
|
---------------------------------------------------------------------------
|
|
|
|
Backwards-incompatible changes:
|
|
|
|
* The POST replay functionality has been disabled by default, and the
|
|
automatic creation of the MellonPostDirectory target directory has been
|
|
removed. If you want to use the POST replay functionality, take a
|
|
look at the README file for instructions for how to enable this.
|
|
|
|
* Start discovery service when accessing the login endpoint. We used
|
|
to bypass the discovery service in this case, and just pick the first
|
|
IdP. This has been changed to send a request to the discovery service
|
|
instead, if one is configured.
|
|
|
|
* The MellonLockFile default path has been changed to:
|
|
/var/run/mod_auth_mellon.lock
|
|
This only affects platforms where a lock file is required and
|
|
where Apache doesn't have write access to that directory during
|
|
startup. (Apache can normally create files in that directory
|
|
during startup.)
|
|
|
|
Other changes:
|
|
|
|
* Fix support for SOAP logout.
|
|
|
|
* Local logout when IdP does not support SAML 2.0 Single Logout.
|
|
|
|
* MellonDoNotVerifyLogoutSignature option to disable logout signature
|
|
validation.
|
|
|
|
* Support for relative file paths in configuration.
|
|
|
|
* The debian build-directory has been removed from the repository.
|
|
|
|
* Various cleanups and bugfixes:
|
|
|
|
* Fix cookie parsing header parsing for some HTTP libraries.
|
|
|
|
* Fix inheritance of MellonAuthnContextClassRef option.
|
|
|
|
* Use ap_set_content_type() instead of accessing request->content_type.
|
|
|
|
* README indentation cleanups.
|
|
|
|
* Support for even older versions of GLib.
|
|
|
|
* Fixes for error handling during session initialization.
|
|
|
|
* Directly link with GLib rather than relying on the Lasso library
|
|
linking to it for us.
|
|
|
|
* Some code cleanups.
|
|
|
|
Version 0.5.0
|
|
---------------------------------------------------------------------------
|
|
|
|
* Honour MellonProbeDiscoveryIdP order when sending probes.
|
|
|
|
* MellonAuthnContextClassRef configuration directive, to limit
|
|
authentication to specific authentication methods.
|
|
|
|
* Support for the HTTP-POST binding when sending authentication
|
|
requests to the IdP.
|
|
|
|
* MellonSubjectConfirmationDataAddressCheck option to disable received
|
|
address checking.
|
|
|
|
* Various cleanups and bugfixes:
|
|
|
|
* Support for older versions of GLib and APR.
|
|
|
|
* Send the correct SP entityID to the discovery service.
|
|
|
|
* Do not set response headers twice.
|
|
|
|
* Several cleanups in the code that starts authentication.
|
|
|
|
Version 0.4.0
|
|
---------------------------------------------------------------------------
|
|
|
|
* Allow MellonUser variable to be translated through MellonSetEnv
|
|
|
|
* A /mellon/probeDisco endpoint replaces the builtin:get-metadata
|
|
IdP dicovery URL scheme
|
|
|
|
* New MellonCond directive to enable attribute filtering beyond
|
|
MellonRequire functionalities.
|
|
|
|
* New MellonIdPMetadataGlob directive to load mulitple IdP metadata
|
|
using a glob(3) pattern.
|
|
|
|
* Support for running behind reverse proxy.
|
|
|
|
* MellonCookieDomain and MellonCookiePath options to configure cookie
|
|
settings.
|
|
|
|
* Support for loading federation metadata files.
|
|
|
|
* Several bugfixes.
|
|
|
|
Version 0.3.0
|
|
---------------------------------------------------------------------------
|
|
|
|
* New login-endpoint, which allows easier manual initiation of login
|
|
requests, and specifying parameters such as IsPassive.
|
|
|
|
* Validation of Conditions and SubjectConfirmation data in the assertion
|
|
we receive from the IdP.
|
|
|
|
* Various bugfixes.
|
|
|
|
Version 0.2.7
|
|
---------------------------------------------------------------------------
|
|
|
|
* Optionaly save the remote IdP entityId in the environment
|
|
|
|
* Shibboleth 2 interoperability
|
|
|
|
Version 0.2.6
|
|
---------------------------------------------------------------------------
|
|
|
|
* Fix XSS/DOS vulnerability in repost handler.
|
|
|
|
Version 0.2.5
|
|
---------------------------------------------------------------------------
|
|
|
|
* Replay POST requests after been sent to the IdP
|
|
|
|
* Fix HTTP response splitting vulnerability.
|
|
|
|
Version 0.2.4
|
|
---------------------------------------------------------------------------
|
|
|
|
* Fix for downloads of files with Internet Explorer with SSL enabled.
|
|
|
|
* Mark session as disabled as soon as logout starts, in case the IdP
|
|
doesn't respond.
|
|
|
|
Version 0.2.3
|
|
---------------------------------------------------------------------------
|
|
|
|
* Bugfix for session lifetime. Take the session lifetime from the
|
|
SessionNotOnOrAfter attribute if it is present.
|
|
|
|
Version 0.2.2
|
|
---------------------------------------------------------------------------
|
|
|
|
* Improve metadata autogeneration: cleanup certificate, allow Organizarion
|
|
element data to be supplied from Apache configuration
|
|
|
|
Version 0.2.1
|
|
---------------------------------------------------------------------------
|
|
|
|
* Make SAML authentication assertion and Lasso session available in the
|
|
environement.
|
|
|
|
Version 0.2.0
|
|
---------------------------------------------------------------------------
|
|
|
|
* Autogeneration of SP metadata. (Requires Lasso 2.2.2 or newer.)
|
|
|
|
* Multiple IdP support, with discovery service.
|
|
|
|
* Built in discovery service which tests the availability of each IdP,
|
|
and uses the first available IdP.
|
|
|
|
* Fix a mutex leak.
|
|
|
|
|
|
Version 0.1.1
|
|
---------------------------------------------------------------------------
|
|
|
|
* MellonSecureCookie option, which enables Secure + HttpOnly flags on
|
|
session cookies.
|
|
|
|
* Better handling of logout request when the user is already logged out.
|
|
|
|
|
|
Version 0.1.0
|
|
---------------------------------------------------------------------------
|
|
|
|
* Better support for BSD.
|
|
|
|
* Support for setting a IdP CA certificate and SP certificate.
|
|
|
|
* Support for loading the private key during web server initialization.
|
|
With this, the private key only needs to be readable by root. This
|
|
requires a recent version of Lasso to work.
|
|
|
|
* Better DOS resistance, by only allocating a session when the user has
|
|
authenticated with the IdP.
|
|
|
|
* Support for IdP initiated login. The MellonDefaultLoginPath option can
|
|
be to configure which page the user should land on after authentication.
|
|
|
|
|
|
Version 0.0.7
|
|
---------------------------------------------------------------------------
|
|
|
|
* Renamed the logout endpoint from "logoutRequest" to "logout".
|
|
"logoutRequest" is now an alias for "logout", and may be removed in the
|
|
future.
|
|
|
|
* Added SP initiated logout. To initiate a logout from the web site, link
|
|
the user to the logout endpoint, with a ReturnTo parameter with the url
|
|
the user should be redirected to after being logged out. Example url:
|
|
"https://www.example.com/secret/endpoint/logout
|
|
?ReturnTo=http://www.example.com/". (Note that this should be on a
|
|
single line.)
|
|
|
|
* Fixed a memory leak on login.
|
|
|
|
* Increased maximum Lasso session size to 8192 from 3074. This allows us to
|
|
handle users with more attributes.
|
|
|
|
* Fixed handling of multiple AttributeValue elements in response.
|