Skip to content

Latest commit

 

History

History
160 lines (132 loc) · 8.3 KB

changelog.md

File metadata and controls

160 lines (132 loc) · 8.3 KB
Raw

python-saml changelog

2.2.4 (unreleased)

  • Get NameID when element decrypted twice

2.2.3 (Jun 15, 2017)

  • Replace some etree.tostring calls, that were introduced recfently, by the sanitized call provided by defusedxml
  • Update dm.xmlsec.binding requirement to 1.3.3 version

2.2.2 (May 18, 2017)

  • Be able to relax SSL Certificate verification when retrieving idp metadata
  • #195 Be able to register future SP x509cert on the settings and publish it on SP metadata
  • #195 Be able to register more than 1 Identity Provider x509cert, linked with an specific use (signing or encryption
  • #195 Allow metadata to be retrieved from source containing data of multiple entities
  • #195 Adapt IdP XML metadata parser to take care of multiple IdP certtificates and be able to inject the data obtained on the settings.
  • #194 Publish KeyDescriptor[use=encryption] only when required
  • #190 Checking the status of response before assertion count
  • Add Pyramid demo example
  • Allows underscores in URL hosts
  • NameID Format improvements
  • #184 Be able to provide a NameIDFormat to LogoutRequest
  • #180 Add DigestMethod support. (Add sign_algorithm and digest_algorithm parameters to sign_metadata and add_sign)
  • Validate serial number as string to work around libxml2 limitation
  • Make the Issuer on the Response Optional

2.2.1 (Jan 11, 2017)

  • #175 Optionally raise detailed exceptions vs. returning False. Implement a more specific exception class for handling some validation errors. Improve/Fix tests
  • #171 Add hooks to retrieve last-sent and last-received requests and responses
  • Improved inResponse validation on Responses
  • #173 Fix attributeConsumingService serviceName format in README

2.2.0 (Oct 14, 2016)

  • Several security improvements:
    • Conditions element required and unique.
    • AuthnStatement element required and unique.
    • SPNameQualifier must math the SP EntityID
    • Reject saml:Attribute element with same “Name” attribute
    • Reject empty nameID
    • Require Issuer element. (Must match IdP EntityID).
    • Destination value can't be blank (if present must match ACS URL).
    • Check that the EncryptedAssertion element only contains 1 Assertion element.
  • Improve Signature validation process
  • #149 Work-around for xmlsec.initialize
  • #151 Fix flask demo error handling and improve documentation
  • #152 Update LICENSE to include MIT rather than BSD license
  • #155 Fix typographical errors in docstring
  • Fix RequestedAttribute Issue
  • Fix __build_signature method. If relay_state is null not be part of the SignQuery
  • #164 Add support for non-ascii fields in settings

2.1.9 (Jun 27, 2016)

  • Change the decrypt assertion process.
  • Add 2 extra validations to prevent Signature wrapping attacks.

2.1.8 (Jun 02, 2016)

  • Fix Metadata XML (RequestedAttribute)
  • Fix Windows specific Unix date formatting bug.
  • Docs for OSx instlltion of libsecxml1
  • Fix SHA384 Constant URI
  • #142 Refactor of settings.py to make it a little more readable.
  • Bugfix for ADFS lowercase signatures
  • READMEs suggested wrong cert name

2.1.7 (May 14, 2016)

  • #117 AttributeConsumingService support
  • #114 Compare Assertion InResponseTo if not None
  • Return empty list when there are no audience values
  • Passing NameQualifier through to logout request
  • Make deflate process when retrieving built SAML messages optional
  • Add debug parameter to decrypt method
  • Fix Idp Metadata parser
  • Add documentation related to the new IdP metadata parser methods
  • Extract the already encoded value directly from get_data
  • #133 Fix typo and add extra assertions in util decrypt test
  • Fix Signature with empty URI support
  • Allow AuthnRequest with no NameIDPolicy
  • Remove requirement of NameID on SAML responses

2.1.6 (Feb 15, 2016)

  • Prevent signature wrapping attack!!
  • #111 Add support for nested NameID children inside AttributeValues
  • ALOWED Misspell
  • Improve how we obtain the settings path.
  • Update docs adding reference to test depencence installation
  • Fix Organization element on SP metadata.
  • #100 Support Responses that don't have AttributeStatements.

2.1.5 (Nov 3, 2015)

  • #86 Make idp settings optional (Usefull when validating SP metadata)
  • #79 Remove unnecesary dependence. M2crypto is not used.
  • #77 Fix server_port can be None
  • Fix bug on settings constructor related to sp_validation_only
  • Make SPNameQualifier optional on the generateNameId method. Avoid the use of SPNameQualifier when generating the NameID on the LogoutRequest builder.
  • Allows the RequestedAuthnContext Comparison attribute to be set via settings
  • Be able to retrieve Session Timeout after processResponse
  • Update documentation. Clarify the use of the certFingerprint

2.1.4 (Jul 17, 2015)

  • Now the SP is able to select the algorithm to be used on signatures (DSA_SHA1, RSA_SHA1, RSA_SHA256, RSA_SHA384, RSA_SHA512).
  • Support sign validation of different kinds of algorithm
  • Add demo example of the Bottle framework.
  • #73 Improve decrypt method
  • Handle valid but uncommon dsig block with no URI in the reference
  • Split the setting check methods. Now 1 method for IdP settings and other for SP settings
  • Let the setting object to avoid the IdP setting check. required if we want to publish SP * SAML Metadata when the IdP data is still not provided.

2.1.3 (Jun 25, 2015)

  • Do accesible the ID of the object Logout Request (id attribute)
  • Add SAMLServiceProviderBackend reference to the README.md
  • Solve HTTPs issue on demos
  • Fix PHP-style array element in settings json
  • Add fingerprint algorithm support. Previously the toolkit assumed SHA-1 algorithm
  • Fix creation of metadata with no SLS, when using settings.get_sp_metadata()
  • Allow configuration of metadata caching/expiry via settings
  • Allow metadata signing with SP key specified as config value, not file
  • Set NAMEID_UNSPECIFIED as default NameIDFormat to prevent conflicts
  • Improve validUntil/cacheDuration metadata settings

2.1.2 (Feb 26, 2015)

  • Fix wrong element order in generated metadata (SLS before NameID). metadata xsd updated
  • Added SLO with nameID and SessionIndex in the demos
  • Fix Exception message on Destination validation of the Logout_request

2.1.0 (Jan 14, 2015)

  • Update the dm.xmlsec.binding library to 1.3.2 (Improved transform support, Workaround for buildout problem)
  • Fix flask demo settings example.
  • Add nameID & sessionIndex support on Logout Request
  • Reject SAML Response if not signed and strict = false
  • Add ForceAuh and IsPassive support on AuthN Request

2.0.2 (Dec 5, 2014)

  • Adding AuthnContextClassRef support
  • Process nested StatusCode
  • Fix settings bug

2.0.1 (Nov 13, 2014)

  • SSO and SLO (SP-Initiated and IdP-Initiated).
  • Assertion and nameId encryption.
  • Assertion signature.
  • Message signature: AuthNRequest, LogoutRequest, LogoutResponses.
  • Enable an Assertion Consumer Service endpoint.
  • Enable a Single Logout Service endpoint.
  • Publish the SP metadata (which can be signed).

1.1.0 (Sep 4, 2014)

  • Security improved, added more checks at the SAMLResponse validation

1.0.0 (Jun 26, 2014)

  • OneLogin's SAML Python Toolkit v1.0.0