Version 0.3.1
---------------------------------------------------------------------------

* Allow MellonUser variable to be translated through MellonSetEnv

* A /mellon/probeDisco endpoint replaces the builtin:get-metadata
  IdP discovery URL scheme.

* New MellonCond directive to enable attribute filtering beyond the
  MellonRequire functionality.

Version 0.3.0
---------------------------------------------------------------------------

* New login-endpoint, which allows easier manual initiation of login
  requests, and specifying parameters such as IsPassive.

* Validation of Conditions and SubjectConfirmation data in the assertion
  we receive from the IdP.

* Various bugfixes.
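The Conditions and SubjectConfirmation validation introduced in 0.3.0 is the check an SP must run on every assertion before trusting it. Below is an added, stand-alone illustration of those checks in Python; it is not mod_auth_mellon code, and the entity ID, ACS URL, sample assertion and one-minute clock skew are constructed for the example (signature verification is a separate step, not shown).

```python
# Added example, not mod_auth_mellon code: validate <Conditions> and
# <SubjectConfirmationData> on a received SAML 2.0 assertion.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://sp.example.com/metadata"   # constructed value
ACS_URL = "https://sp.example.com/acs"             # constructed value
SKEW = timedelta(minutes=1)                        # tolerated clock drift

def parse_saml_time(s):
    # SAML timestamps are UTC ISO 8601 with a trailing Z.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, sp_entity_id, acs_url, now):
    """Return a list of errors; an empty list means the checks passed."""
    errors = []
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        errors.append("missing Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + SKEW < parse_saml_time(nb):
            errors.append("assertion not yet valid (NotBefore)")
        if noa and now - SKEW >= parse_saml_time(noa):
            errors.append("assertion expired (NotOnOrAfter)")
        # The assertion must be addressed to this SP, not to some other audience.
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and sp_entity_id not in audiences:
            errors.append("audience mismatch")
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        errors.append("missing SubjectConfirmationData")
    else:
        # Bearer confirmation: Recipient must be our ACS endpoint and still be in its window.
        if scd.get("Recipient") != acs_url:
            errors.append("Recipient does not match our ACS URL")
        noa = scd.get("NotOnOrAfter")
        if noa and now - SKEW >= parse_saml_time(noa):
            errors.append("subject confirmation expired")
    return errors

# Constructed sample assertion (unsigned, for illustration only).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://sp.example.com/acs"
      NotOnOrAfter="2024-01-01T12:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com/metadata</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""
```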

Version 0.2.7
---------------------------------------------------------------------------

* Optionally save the remote IdP entityId in the environment.

* Shibboleth 2 interoperability

Version 0.2.6
---------------------------------------------------------------------------

* Fix XSS/DOS vulnerability in repost handler.

Version 0.2.5
---------------------------------------------------------------------------

* Replay POST requests after the user has been sent to the IdP.

* Fix HTTP response splitting vulnerability.

Version 0.2.4
---------------------------------------------------------------------------

* Fix for downloads of files with Internet Explorer with SSL enabled.

* Mark session as disabled as soon as logout starts, in case the IdP
  doesn't respond.

Version 0.2.3
---------------------------------------------------------------------------

* Bugfix for session lifetime. Take the session lifetime from the
  SessionNotOnOrAfter attribute if it is present.

Version 0.2.2
---------------------------------------------------------------------------

* Improve metadata autogeneration: clean up the certificate, allow Organization
  element data to be supplied from the Apache configuration.

Version 0.2.1
---------------------------------------------------------------------------

* Make the SAML authentication assertion and Lasso session available in the
  environment.

Version 0.2.0
---------------------------------------------------------------------------

* Autogeneration of SP metadata. (Requires Lasso 2.2.2 or newer.)

* Multiple IdP support, with discovery service.

* Built-in discovery service which tests the availability of each IdP
  and uses the first available IdP.

* Fix a mutex leak.


Version 0.1.1
---------------------------------------------------------------------------

* MellonSecureCookie option, which enables Secure + HttpOnly flags on
  session cookies.

* Better handling of logout request when the user is already logged out.


Version 0.1.0
---------------------------------------------------------------------------

* Better support for BSD.

* Support for setting an IdP CA certificate and SP certificate.

* Support for loading the private key during web server initialization.
  With this, the private key only needs to be readable by root. This
  requires a recent version of Lasso to work.

* Better DOS resistance, by only allocating a session when the user has
  authenticated with the IdP.

* Support for IdP initiated login. The MellonDefaultLoginPath option can
  be used to configure which page the user should land on after authentication.


Version 0.0.7
---------------------------------------------------------------------------

* Renamed the logout endpoint from "logoutRequest" to "logout".
  "logoutRequest" is now an alias for "logout", and may be removed in the
  future.

* Added SP initiated logout. To initiate a logout from the web site, link
  the user to the logout endpoint with a ReturnTo parameter giving the URL
  the user should be redirected to after being logged out. Example URL:
  "https://www.example.com/secret/endpoint/logout
   ?ReturnTo=http://www.example.com/". (Note that this should be on a
  single line.)

* Fixed a memory leak on login.

* Increased maximum Lasso session size to 8192 from 3074. This allows us to
  handle users with more attributes.

* Fixed handling of multiple AttributeValue elements in response.