1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
|
Version 0.5.0
---------------------------------------------------------------------------
* Honour MellonProbeDiscoveryIdP order when sending probes.
* MellonAuthnContextClassRef configuration directive, to limit
authentication to specific authentication methods.
* Support for the HTTP-POST binding when sending authentication
requests to the IdP.
* MellonSubjectConfirmationDataAddressCheck option to disable received
address checking.
* Various cleanups and bugfixes:
* Support for older versions of GLib and APR.
* Send the correct SP entityID to the discovery service.
* Do not set response headers twice.
* Several cleanups in the code that starts authentication.
Version 0.4.0
---------------------------------------------------------------------------
* Allow MellonUser variable to be translated through MellonSetEnv
* A /mellon/probeDisco endpoint replaces the builtin:get-metadata
IdP dicovery URL scheme
* New MellonCond directive to enable attribute filtering beyond
MellonRequire functionalities.
* New MellonIdPMetadataGlob directive to load mulitple IdP metadata
using a glob(3) pattern.
* Support for running behind reverse proxy.
* MellonCookieDomain and MellonCookiePath options to configure cookie
settings.
* Support for loading federation metadata files.
* Several bugfixes.
Version 0.3.0
---------------------------------------------------------------------------
* New login-endpoint, which allows easier manual initiation of login
requests, and specifying parameters such as IsPassive.
* Validation of Conditions and SubjectConfirmation data in the assertion
we receive from the IdP.
* Various bugfixes.
Version 0.2.7
---------------------------------------------------------------------------
* Optionaly save the remote IdP entityId in the environment
* Shibboleth 2 interoperability
Version 0.2.6
---------------------------------------------------------------------------
* Fix XSS/DOS vulnerability in repost handler.
Version 0.2.5
---------------------------------------------------------------------------
* Replay POST requests after been sent to the IdP
* Fix HTTP response splitting vulnerability.
Version 0.2.4
---------------------------------------------------------------------------
* Fix for downloads of files with Internet Explorer with SSL enabled.
* Mark session as disabled as soon as logout starts, in case the IdP
doesn't respond.
Version 0.2.3
---------------------------------------------------------------------------
* Bugfix for session lifetime. Take the session lifetime from the
SessionNotOnOrAfter attribute if it is present.
Version 0.2.2
---------------------------------------------------------------------------
* Improve metadata autogeneration: cleanup certificate, allow Organizarion
element data to be supplied from Apache configuration
Version 0.2.1
---------------------------------------------------------------------------
* Make SAML authentication assertion and Lasso session available in the
environement.
Version 0.2.0
---------------------------------------------------------------------------
* Autogeneration of SP metadata. (Requires Lasso 2.2.2 or newer.)
* Multiple IdP support, with discovery service.
* Built in discovery service which tests the availability of each IdP,
and uses the first available IdP.
* Fix a mutex leak.
Version 0.1.1
---------------------------------------------------------------------------
* MellonSecureCookie option, which enables Secure + HttpOnly flags on
session cookies.
* Better handling of logout request when the user is already logged out.
Version 0.1.0
---------------------------------------------------------------------------
* Better support for BSD.
* Support for setting a IdP CA certificate and SP certificate.
* Support for loading the private key during web server initialization.
With this, the private key only needs to be readable by root. This
requires a recent version of Lasso to work.
* Better DOS resistance, by only allocating a session when the user has
authenticated with the IdP.
* Support for IdP initiated login. The MellonDefaultLoginPath option can
be to configure which page the user should land on after authentication.
Version 0.0.7
---------------------------------------------------------------------------
* Renamed the logout endpoint from "logoutRequest" to "logout".
"logoutRequest" is now an alias for "logout", and may be removed in the
future.
* Added SP initiated logout. To initiate a logout from the web site, link
the user to the logout endpoint, with a ReturnTo parameter with the url
the user should be redirected to after being logged out. Example url:
"https://www.example.com/secret/endpoint/logout
?ReturnTo=http://www.example.com/". (Note that this should be on a
single line.)
* Fixed a memory leak on login.
* Increased maximum Lasso session size to 8192 from 3074. This allows us to
handle users with more attributes.
* Fixed handling of multiple AttributeValue elements in response.
|