- remove uri double encoding thanks to @DiaanEngelbrecht
- fix esaml initialization thanks to @bopm
- check and enforce session expiration (CVE-2024-25718) thanks to @idyll
- Added dialyzer checks
- Changed internal function layout to report errors more granularly
- Verified with updates to esaml dependency
- Client can refresh the runtime provider config without restarting the app from bernardd
- Metadata can be specified directly in the IdP config rather than requiring a file
- Bumps dependencies
- Updated minor version due to dependency updates requiring potential language version bumps
- Removed Inch CI
- Updated dependencies for project
- Removed strict required dependency on `sweet_xml`
- Use updated version of `esaml` to reduce strict requirements on `cowboy`
- Updated license copyright
- `target_url` query parameter for the sign-in/sign-out requests must be x-www-form-urlencoded.
- Redirect URLs are properly encoded.
- Switched to `report-to` in content security policy.
- `cache-control` header value updated.
- Issue: #33 - Content Security Policy Enabled. `Content-Security-Policy` in the HTTP response.
- PR: #41 - Config support for nameid format. `Samly` uses the nameid format from the IdP metadata XML file. It is now possible to override this using the `nameid_format` config setting. If this format information is not present in the IdP metadata XML and not specified in the config setting, it defaults to `:transient`. Thanks to calvinb for the PR.
- Uptake `esaml 4.2`, bringing in support for encrypted assertions. Check Assertion Encryption for supported encryption algorithms. Use this information to enable assertion encryption on the IdP. Thanks to tcrossland for the `esaml` PR.
- Issues: #39, #40 - Downcase response header names (PR from calvinb)
- Issue: #31 - Support for Cowboy 2.x. Uptake `esaml` v4.0.0, which includes support for Cowboy 2.x. If support for Cowboy 1.x is needed, you need an override with `esaml` v3.6.x in your application `mix.exs` file.
- Issue: #32 - Support for custom State Storage. Includes support for ETS and Plug Sessions based authenticated SAML assertion storage. It is possible to create custom stores by implementing `Samly.State.Store`.
- Issue: #34 - Included filename in error messages. Include metadata/cert/key filenames when there is an error relevant to those files.
- Uptake `esaml` v3.6.0, which includes fixes for schema validation errors.
- PR merged fixing reopened Issue #16 (from @peterox)
- Remove the need for supplying certificate and key files if the requests are not signed (Issue #16). Useful during development when the corresponding Identity Provider is setup for unsigned requests/responses. Use signing for production deployments. The defaults expect signed requests/responses.
- Issue: #12. Support for IDP initiated SSO flow.
- Original auth request ID, when returned in the auth response, is made available in the assertion subject (SP initiated SSO flows). For IDP initiated SSO flows, this will be an empty string.
- Issue: #14. Remove built-in referer check. Not specific to `Samly`. It is better handled by the consuming application.
- Shibboleth Single Logout session match related fix. Uptake `esaml` v3.3.0.
- Generates SP metadata XML that passes XSD validation
- Handle namespaces in Identity Provider Metadata XML file
- Added support for multiple Identity Providers. Check issue: #4. Instructions for migrating from v0.7.x available in github project wiki.
- Added `use_redirect_for_idp_req` config parameter. By default `Samly` uses HTTP POST when sending requests to the IdP. Set this config parameter to `true` if HTTP redirection should be used instead.
- Added config option (`entity_id`). OOTB uses the metadata URI as entity ID. Can be specified (a `urn` entity ID, for example) to override the default.
- Added config options to control if requests and/or responses are signed or not
- Added Inch CI
- Corresponding doc updates
- Doc updates
- Config handling changes and corresponding tests
- `target_url` query parameter form url encoded
- Plug Pipeline config `:pre_session_create_pipeline`
- Computed attributes available in `Samly.Assertion`
- Updates to `Samly.Provider` `base_url` config handling
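The session expiration entry above (CVE-2024-25718) concerns the kind of check an SP must make: an assertion is only acceptable inside its `Conditions` window, and the local session must not outlive the IdP's `SessionNotOnOrAfter`. The following is an added, illustrative Python example of that check; it is not Samly's or esaml's Elixir code, the clock-skew allowance and the sample assertion are constructed here, and the `.invalid` hostnames are placeholders.

```python
"""Added example (not Samly's or esaml's code): enforce the validity window and
the IdP-imposed session lifetime carried in a SAML 2.0 assertion."""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def parse_saml_time(value):
    """xs:dateTime in UTC ('2024-01-01T12:00:00Z') -> timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def accept_assertion(assertion_xml, now, skew=timedelta(seconds=60)):
    """Check Conditions/NotBefore and NotOnOrAfter against `now` (allowing `skew`
    of clock drift) and return the instant at which the SP must end its local
    session (AuthnStatement/SessionNotOnOrAfter), or None if the IdP set none.
    Raises ValueError when the assertion must be rejected."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + skew < parse_saml_time(nb):
        raise ValueError("assertion not yet valid")
    if noa and now - skew >= parse_saml_time(noa):
        raise ValueError("assertion validity period has ended")
    stmt = root.find("saml:AuthnStatement", SAML_NS)
    session_end = stmt.get("SessionNotOnOrAfter") if stmt is not None else None
    return parse_saml_time(session_end) if session_end else None


def session_active(session_end, now):
    """Run on every request: a stored session past the IdP deadline is dead."""
    return session_end is None or now < session_end


# Constructed sample assertion (not captured from any real IdP).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_example" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.invalid/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.invalid</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z"
    SessionNotOnOrAfter="2024-01-01T20:00:00Z"/>
</saml:Assertion>"""

if __name__ == "__main__":
    deadline = accept_assertion(SAMPLE_ASSERTION, parse_saml_time("2024-01-01T12:02:00Z"))
    print("local session must end at:", deadline)
    print("active at 19:59Z:", session_active(deadline, parse_saml_time("2024-01-01T19:59:00Z")))
    print("active at 20:00Z:", session_active(deadline, parse_saml_time("2024-01-01T20:00:00Z")))
```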