Release notes

• Add warning for NTLM when using incorrect Java 11, Java 17 runtime configuration
• Reload kerberos config after properties have changed
• Update dependencies
• Remove Test SSO button from SAML admin page

Release notes

• Add warning for NTLM when using incorrect Java 11, Java 17 runtime configuration
• Reload kerberos config after properties have changed
• Update dependencies
• Remove Test SSO button from SAML admin page

• Add warning for Kerberos when using incorrect Java 11, Java 17 runtime configuration

• Add warning for Kerberos when using incorrect Java 11, Java 17 runtime configuration

• Add SAML support for SessionNotOnOrAfter attribute
• Add SAML request signing on login for redirect binding
• Add SAML request signing on logout for redirect binding
• Add SAML support for redirect binding Single Log Out (SLO)

• Add SAML support for SessionNotOnOrAfter attribute
• Add SAML request signing on login for redirect binding
• Add SAML request signing on logout for redirect binding
• Add SAML support for redirect binding Single Log Out (SLO)

• Add logging for session info not sent on logout
• Fix metadata for SLO based on admin binding type
• Fix mismatched SPNameQualifier on login and logout
• Fix jespa upload problem with debug enabled

• Add logging for session info not sent on logout
• Fix metadata for SLO based on admin binding type
• Fix mismatched SPNameQualifier on login and logout
• Fix jespa upload problem with debug enabled

• Signed Requests for SAML Login POST bindings
• Signed Requests for SAML Logout POST bindings
• Update security dependencies
• Bug fixes

• Signed Requests for SAML Login POST bindings
• Signed Requests for SAML Logout POST bindings
• Update security dependencies
• Bug fixes

• Update outdated dependencies
• Improve error messages for SAML Signature validation

• Update outdated dependencies
• Improve error messages for SAML Signature validation

• Improved error handling
• Improved Jespa IOPLEX v2 compatibility

• Improved error handling
• Improved Jespa IOPLEX v2 compatibility

• UI changes for "blocklist" and "allowlist"
• IOPLEX Jespa library version displayed in EasySSO/NTLM/About dialog (if re-uploaded)

• UI changes for "blocklist" and "allowlist"
• IOPLEX Jespa library version displayed in EasySSO/NTLM/About dialog (if re-uploaded)

• Improve error messages for NTLM configuration
• Update dependencies

• Improve error messages for NTLM configuration
• Update dependencies

• EasySSO for Confluence had an unused dependency on org.apache.commons:commons-text library – now removed
• for details see CVE-2022-42889 our apps are not affected on our StatusPage

• EasySSO for Confluence had an unused dependency on org.apache.commons:commons-text library – now removed
• for details see CVE-2022-42889 our apps are not affected on our StatusPage

• Update dependencies

• Update dependencies

• Update dependencies

• Update dependencies

IOPLEX Jespa library 1.2.11 introduced some incompatible changes. This fix addresses this incompatibility and makes EasySSO support both old and new versions of Jespa.

IOPLEX Jespa library 1.2.11 introduced some incompatible changes. This fix addresses this incompatibility and makes EasySSO support both old and new versions of Jespa.

• Added support for NameID formats(transient, persistent … ) when performing SAML Single Log Out (SLO)
• Fixed a bug in how logout binding types and URLs were identified from the UI settings (Redirect vs. POST)
• Removed session check from metadata URL
• Added a message in UI to indicate that the SAML metadata is only available to IP addresses not filtered out by the IP filtering
• Updated the license warning message

• Added support for NameID formats(transient, persistent … ) when performing SAML Single Log Out (SLO)
• Fixed a bug in how logout binding types and URLs were identified from the UI settings (Redirect vs. POST)
• Removed session check from metadata URL
• Added a message in UI to indicate that the SAML metadata is only available to IP addresses not filtered out by the IP filtering
• Updated the license warning message

• Fix a bug where incorrect SAML binding type is selected on logout

• Fix a bug where incorrect SAML binding type is selected on logout

• Improve performance for SAML login in the case where large numbers of Global Permissions present
• Improve performance for SAML login when no group update operations are required

• Improve performance for SAML login in the case where large numbers of Global Permissions present
• Improve performance for SAML login when no group update operations are required

• Improved screen reader support on NTLM/Kerberos, SAML, X509 & Headers configuration pages
• Success and error messages are now announced to screen reader when displayed
• All configuration links now accessible by keyboard navigation
• Improved description and help messages

Bugfixes:

• Added a log warning when a non-admin user attempts to update groups for system-admin groups.

• Improved screen reader support on NTLM/Kerberos, SAML, X509 & Headers configuration pages
• Success and error messages are now announced to screen reader when displayed
• All configuration links now accessible by keyboard navigation
• Improved description and help messages

Bugfixes:

• Added a log warning when a non-admin user attempts to update groups for system-admin groups.

• Fix for bug where SAML SLO will not complete with certain configurations
• Fix for bug where incorrectly cased computer account name used for Kerberos - causing Message Stream Modified error

• Fix for bug where SAML SLO will not complete with certain configurations
• Fix for bug where incorrectly cased computer account name used for Kerberos - causing Message Stream Modified errors

• Fix for an issue where the computer account name is entered in the format username$@domain.com results in "message stream modified" exception.

• Fix for an issue where the computer account name is entered in the format username$@domain.com results in "message stream modified" exception.

Fix for SAML button misalignment

Fix for SAML button misalignment

New Features:

• Support Kerberos with Strong Encryption Types
• JIT User Provisioning and syncing from SAML IdP
• Full support for read-only mode (Jira, Confluence, Bitbucket)

Bugfixes:

• Fix for popup when leaving admin form
• Fix for SAML failure page rendering variable name
• Fix for Computer account screen text-overflow
• Fix for SAML failing on internal forwards
• Fix for session invalidation error when response committed early

New Features:

• Support Kerberos with Strong Encryption Types
• JIT User Provisioning and syncing from SAML IdP
• Full support for read-only mode (Jira, Confluence, Bitbucket)

Bugfixes:

• Fix for popup when leaving admin form
• Fix for SAML failure page rendering variable name
• Fix for Computer account screen text-overflow
• Fix for SAML failing on internal forwards
• Fix for session invalidation error when response committed early

• Fix for a bug where raw Kerberos tokens not parsed correctly
• Fix for a bug in SAML where email is not parsed correctly on subsequent logins.
• Fix for a bug where the SAML login button is not displayed in some scenarios in JSD

• Fix for a bug where raw Kerberos tokens not parsed correctly
• Fix for a bug in SAML where email is not parsed correctly on subsequent logins.
• Fix for a bug where the SAML login button is not displayed in some scenarios in JSD

• We added a consistent footer across all screens with links to How to Get Logs article, FAQ and a button to email our 24x7 support
• Map group names send by the SAML IdP to the pre-existing application groups, to add the user provisioned on successful login added to these automatically
• Where available use whitelist to control the ability for the SAML IdP to redirect to URLs other than the baseURL
• EasySSO for Bitbucket adds a configuration option in EasySSO/NTLM/Advanced Configuration screen to display the HTTP(S) clone URLs before SSH ones in the default "clone" dialog
• Updates to EasySSO SAML with Azure AD documentation
• Listed in Azure AD Enterprise Applications gallery: EasySSO for Jira, EasySSO for Confluence, EasySSO for Bitbucket, EasySSO for Bamboo
• Improved Jira Mobile app compatibility
• HTTP Headers authenticator can be applied to all URLs now
• Extended logging for the SAML Management endpoint
• Fixes for the SAML IdP metadata import from a URL
• Small usability fixes
• Bugfixes

• We added a consistent footer across all screens with links to How to Get Logs article, FAQ and a button to email our 24x7 support
• Map group names send by the SAML IdP to the pre-existing application groups, to add the user provisioned on successful login added to these automatically
• Where available use whitelist to control the ability for the SAML IdP to redirect to URLs other than the baseURL
• EasySSO for Bitbucket adds a configuration option in EasySSO/NTLM/Advanced Configuration screen to display the HTTP(S) clone URLs before SSH ones in the default "clone" dialog
• Updates to EasySSO SAML with Azure AD documentation
• Listed in Azure AD Enterprise Applications gallery: EasySSO for Jira, EasySSO for Confluence, EasySSO for Bitbucket, EasySSO for Bamboo
• Improved Jira Mobile app compatibility
• HTTP Headers authenticator can be applied to all URLs now
• Extended logging for the SAML Management endpoint
• Fixes for the SAML IdP metadata import from a URL
• Small usability fixes
• Bugfixes

• Added regex parse and replace capability to X.509 authenticator to handle complex conversions. See updated EASYSSO WITH X.509 - CONFIGURATION page for details.
• Restored regex parse and replace capability in SAML. See PARSING USERNAMES FUNCTIONALITY WHEN USING SAML page for details.
• Updated HOW TO CONFIGURE EASYSSO WITH NTLM/KERERBOS instructions
• Updated I HAVE NTLM WORKING, HOW DO I ENABLE KERBEROS SUPPORT? page

• Added regex parse and replace capability to X.509 authenticator to handle complex conversions. See updated EASYSSO WITH X.509 - CONFIGURATION page for details.
• Restored regex parse and replace capability in SAML. See PARSING USERNAMES FUNCTIONALITY WHEN USING SAML page for details.
• Updated HOW TO CONFIGURE EASYSSO WITH NTLM/KERERBOS instructions
• Updated I HAVE NTLM WORKING, HOW DO I ENABLE KERBEROS SUPPORT? page

• Fixed XSRF vulnerability in admin screens of EasySSO
• Fixed After upgrade to Confluence 7.3 and/or Java 11, EasySSO stops working. It's no longer necessary to do ADDITIONAL CONFIGURATION FOR JAVA 11
• Fixed intermittent failures on upgrade of EasySSO due to incorrect implementation of cluster locking
• Added forgotten password and captcha URLs to the default excludes for SAML
• Included REST URLs previously ignored by NTLM/Kerberos/X.509/HTTP Headers authenticators that a human likely to trigger (e.g. search) to perform SSO if a session previously established has expired.

• Fixed XSRF vulnerability in admin screens of EasySSO
• Fixed After upgrade to Confluence 7.3 and/or Java 11, EasySSO stops working. It's no longer necessary to do ADDITIONAL CONFIGURATION FOR JAVA 11
• Fixed intermittent failures on upgrade of EasySSO due to incorrect implementation of cluster locking
• Added forgotten password and captcha URLs to the default excludes for SAML
• Included REST URLs previously ignored by NTLM/Kerberos/X.509/HTTP Headers authenticators that a human likely to trigger (e.g. search) to perform SSO if a session previously established has expired.

FOR Confluence 7.3+ installations with Java 11 please read: Additional Configuration for Java 11

• Fixed SAML Single Log-out (SLO) doesn't work with Keycloak
• Fixed SAML exclusions do not allow to exclude /plugins/*

FOR Confluence 7.3+ installations with Java 11 please read: Additional Configuration for Java 11

• Fixed SAML Single Log-out (SLO) doesn't work with Keycloak
• Fixed SAML exclusions do not allow to exclude /plugins/*

• Fixed IPv6 parsing issue in IP Filter component ("an IPv6 address should contain 8 shorts")
• Fixed logout behaviour with forced SAML - now all applications arrive to the "default page" e.g. "dashboard"
• Fixed logout behaviour with SAML Single Logout (SLO) going to the fail page - now all applications go to the login page after successful SLO logout.

• Fixed IPv6 parsing issue in IP Filter component ("an IPv6 address should contain 8 shorts")
• Fixed logout behaviour with forced SAML - now all applications arrive to the "default page" e.g. "dashboard"
• Fixed logout behaviour with SAML Single Logout (SLO) going to the fail page - now all applications go to the login page after successful SLO logout.

second part of the "fail page" fix - if we do arrive to the fail page while already logged in (e.g. from the default login page) we will immediately redirect to the the application root/dashboard.

• second part of the "fail page" fix - if we do arrive to the fail page while already logged in (e.g. from the default login page) we will immediately redirect to the the application root/dashboard.

• Fixed issue with the "failed to log you in" page ("fail page") being displayed again when the user after landing on the page initially is subsequently successful with authentication either via SAML SSO or via direct login
• Fixed SAML configuration UI issues with Redirect binding URL being displayed as the default option after upgrade from 4.1.x or earlier and overwriting the previously configured and functional POST binding URL on save

• Fixed issue with the "failed to log you in" page ("fail page") being displayed again when the user after landing on the page initially is subsequently successful with authentication either via SAML SSO or via direct login
• Fixed SAML configuration UI issues with Redirect binding URL being displayed as the default option after upgrade from 4.1.x or earlier and overwriting the previously configured and functional POST binding URL on save

• improved security in HTTP Headers authenticator.
• increased maximum waiting time for a response to a SAML request
• fix for possible infinite loop on logout with SAML authenticator
• changes to some internal UI element

• improved security in HTTP Headers authenticator.
• increased maximum waiting time for a response to a SAML request
• fix for possible infinite loop on logout with SAML authenticator
• changes to some internal UI element

• fixed issues with some IdPs not sending Destination for unsigned responses
• fixed logic with SAML vs application username checks for mixed-case usernames

• fixed issues with some IdPs not sending Destination for unsigned responses
• fixed logic with SAML vs application username checks for mixed-case usernames

Changes in shared code due to issues with Jira 7.13 when uploading IOPLEX Jespa license before IOPLEX Jespa library .zip

Changes in shared code due to issues with Jira 7.13 when uploading IOPLEX Jespa license before IOPLEX Jespa library .zip

• Fixed a bug where after logging in via SAML users would not be redirecting the previous page they were trying to access.
• Changed the default SAML configuration slightly.

• Fixed a bug where after logging in via SAML users would not be redirecting the previous page they were trying to access.
• Changed the default SAML configuration slightly.

• Fix for redirects to URLs with anchors/fragments/hashtags after successful SAML login.
• Fix for sending password back to client in NTLM/Kerberos computer account dialog
• Fix for IOPLEX Jespa license corruption - CR/LF insertion on some Windows systems
• Support for Keycloak metadata containing multiple entities
• Time Skew parameter value in SAML configuration now defaults to 5 seconds

• previous release enabled SAML Login Button in WebSudo (Secure Administrator Session) mode - we removed it again for now

• 2FA support with SecureLogin 2FA for Bitbucket
• OAuth-related excludes for SAML when building Application Links
• Troubleshooting screen "Delete EasySSO folder" dialog bug fixes
• Re-applied additional default excludes for SAML from 4.1.12.4
• Re-applied NPE fixes in SAML from 4.1.12.4
• Re-applied fix from 4.1.12.4 for forced SAML endless loop in Bitbucket when "SAML on login/logout" was unchecked

• Allow clients authenticating via OAuth to not be blocked by SAML.
• Fixed bug with SAML RelayState parameter.

• Fixed UTF-8 encoding bug with the SAML configuration
• Fixed javascript initialization error

• Fixed an issue where users would fail to be automatically created during a login attempt via SAML even when copy user on login was enabled.
• Fixed an issue where an admin could not save the advanced filtering screen (individual opt out via cookie)
• Fixed a bug where the user SSO preferences screen would not render.

• bot-killer fix: for products that have Atlassian Bot Killer plugin this will prevent session established via EasySSO from being invalidated every hour
• correct redirect after SAML re-authentication when session expires e.g. overnight
• correct redirect to the original URL after several SAML re-authentications e.g. unsuccessful ones followed by a successful one

• a common release to bring numbering in line with version that introduces SAML, X.509 and headers-based authenticators to EasySSO for Bitbucket
• fixed an issue in the EasySSO common library: after un-install and re-install the app wouldn't enable until restart of the application node
• fixed an issue with logging introduced in 4.1.5

• Username manipulations/parsing for SAML - ability to parse a username acceptable to the application from the attribute/claim value passed by the IdP using regular expressions e.g. extract the local-name from the full local-name@domain email address.
• Added explicit excludes URIs for SAML to allow Application Links building when in forced SAML mode
• XSRF tokens fix in SAML Config screen in Confluence

• Fixed an issue affecting Data Center instances where the SAML configuration was serialising objects in a non cluster-safe fashion.

• Fixed a bug where after redirecting to a SAML identity provider the query parameters in the URL to the Jira page would be lost, potentially resulting in landing on unexpected or broken pages in Confluence.

• SAML Attributes tab: configurable attribute/claim names - you can configure mapping completely on EasySSO side
• SAML Admin tab: Ability to disable stopsso/runsso request parameters
• SAML Admin tab: REST endpoint to disable/enable SAML, protected by a dedicated IP Filter
• SAML Look and Feel tab: ability protect login and logout pages with SAML SSO
• fix for SAML Login Button display conditions
• saving SAML config in encoded form in the database to accomodate runtime localization of SAML Login button and redirect screens and non-UTF8 database collations

It is now possible to configure different authentication protocols (NTLM vs SAML, etc) completely independently of one another. You are no longer required to complete parts of the NTLM configuration just to get to SAML. This goes for all supported authentication types: NTLM/Kerberos, SAML, Headers and X.509 certificates.

• fixed redirect in SAML for absolute URLs, as was happening with expired sessions in some applink related modes

• Fixed logical error in SAML clock skew

• Troubleshooting screen improvements: log file sizes, delete and truncate file ability
• SAML clock skew setting has been added
• SAML redirect text localizations settings has been enhanced - you can configure different messages in multiple languages
• SAML configuration dialog bug fixes for "provision user on successful login"
• SAML exclude URIs setting added
• Bug fixed for /download/* URIs default exclusion - attachments started triggering NTLM/Kerberos authentication since version 3.2.2

SAML

• Login button L&F and redirect screen text are configurable
• Login button available on Jira Service Desk login screen
• metadata link exposed in the GUI for easier copy/paste
• New configuration interface - a dedicated button is now available from the main EasySSO screen.
• Support for multiple signing certificates
• Proper handling of the original URL with SAML, go to specific page after authentication
• Use RelayState with IdP initiated SAML SSO (page relative to the application context)
• Specify none or multiple groups for the auto-provisioned users
• Correct choosing of an active admin user when auto-provisioning of users from SAML

Troubleshooting

• Jespa.log rotation from GUI
• Ability to invalidate the current session by clicking /plugins/servlet/easysso/invalidate

General

• Support for proxies that set x-forwarded-port & x-forwarded-for (e.g. AWS ELB) to calculate jespa-connection-id automatic.

• Added support for PingID in EasySSO SAML authenticator

• A critical vulnerability was internally identified in SAML response processing. The issue has been fixed and verified by an independent Information Security testing party.
• Kerberos, NTLM, X.509, custom-headers authenticators were not affected.
• SAML Login button (i.e. optional SAML login)
• SAML RelayState fixes for ADFS support
• fixes in how redirect to form login is performed at various SAML processing points
• support for Azure-AD
• support for IdP selected authentication method (e.g. IWA in ADFS if available)
• Stop Watching Page link when clicked in the email notification from Confluence used to cause an error - fixed now.
• Internationalisation fixes
• Improved logging

• EasySSO now more transparently supports running in parallel with Atlassian Crowd SSO, without the need for special configuration.
• We have changed the default user agent filtering to make it easier to set up application links without having to do any special configuration in EasySSO.
• User session will no longer time out after a long period of inactivity

• Fixed a bug where some URL paths which should be excluded from SSO were not being ignored as intended.

• Fixed a bug where uploading a new Jespa trial license on top of an existing expired could be result in EasySSO still reporting that the license was expired.

• Fixed a bug where IP filtering would not properly work when a specific port of an IP address was specified in the request header.

IOPLEX Jespa library 1.2.x introduced some incompatible changes to code and encryption of licenses. This fix addresses this incompatibility and makes EasySSO support both old and new versions of Jespa

This release contains no new features, but it includes some core changes to request filtering.

• We've fixed a problem that could cause the add-on to fail to enable if the jespa.log location was set incorrectly.
• Made some changes to the IP address filter to properly support several fringe use-cases.

• Multi-factor authentication via "2-Factor Auth Secure Login" by Syracom Consulting AG (see their blogpost from AtlasCamp 2016)
• OpenID (Twitter, Facebook, Google Apps) as fallback to Kerberos/NTLM via OpenID authentication by Pawel Niewiadomski
• Native support for X.509 client certificate authentication
• Support for external authentication (e.g. in front-facing reverse proxies) via header-based integration
• Support for custom authenticator add-ons via attribute-based integration
• Bug in computer account name validation fixed

• EasySSO Configuration UI has been completely redesigned to be less busy: the main screen now contains the minimum required fields, a progress tracker has been introduced, any values that could have reasonable defaults have them now
• Parameter values validation has been added - less chances to make mistakes
• Additional configuration parameters, IP Filtering, User-Agent Filtering and Advanced Filtering have been moved under "Advanced" button
• "Test Connection" button has been added to enable testing the connection to the domain controller
• SetComputerPassword.vbs script is now available for download directly from the UI
• “Troubleshooting” button allows you to download the logs and inspect them to check if anything has gone wrong
• “About” button opens a dialog that allows you to review the status of your licenses, including the IOPLEX Jespa one, as well as the mode in which EasySSO is operating
• Offline installation instructions have been added - for installing without no internet connection

• User-Agent Filtering: config screen now supports parsing arbitrary UA strings on demand
• UserAgentUtils library has been updated to version 1.20
• Cookie Opt-Out: Admins can enable SSO opt-out via cookie in Advanced Filtering tab, users can opt-out in their User Profile settings, anonymous users can opt-out if enabled (to support regular non-domain users)
• new IP Filtering tab in EasySSO config
• ability to specify client IP addresses whitelist and blacklist as single IP, IP ranges, in CIDR, and host-based notation
• ability to specify regex-based whitelist and blacklist for client IP addresses
• the old "Included IP Addresses" regex client IP address filter configuration will be migrated to the new "IP Regex Whitelist" automatically
• Support for reverse proxies, local, remote, and multiple chained reverse proxies
• Reduced log chattiness when EasySSO trial license or evaluation license has expired
• Fix for uploading fresh ioplex.zip over already expired trial one
• bug fixes and improvement

• now works correctly with "unlicensed" users access used by Jira Service Desk to display KB articles in Confluence spaces

• User-Agent Filtering screen now supports parsing arbitrary UA strings - to simplify writing filtering rules
• Admins can enable SSO opt-out in Advanced Filtering tab
• Users can opt-out from SSO in their User Profile settings
• Fix for uploading fresh ioplex .zip over already expired trial one
• bringing version in-sync with Jira/Bamboo one

• compatibility with Data Center
• new IP Filtering tab
• added ability to specify client IP addresses whitelist and blocklist, supports single IP, ranges, CIDR and host-based notation
• added ability to specify client IP addresses Regex-based whitelist and blocklist
• "Included IP Addresses" field, a client IP address filter based on Regular Expression has been migrated to the new "IP Filtering" tab as "IP Regex Whitelist" and enhanced to support a list of expressions, one per line. The new field is backward compatible with the old field and will make the old pre-existing value to appear in the new field and continue to work after upgrade.
• Support for local reverse proxies in IP filtering

• Correct handling of users without USE privileges - now they stay anonymous and are able to access public spaces e.g. Jira Service Desk End-Users accessing public KB on Confluence (via Service Desk interface)
• better SocketException/ClientAbortException squashing

• compatibility with Data Center
• new IP Filtering tab
• added ability to specify client IP addresses whitelist and blocklist, supports single IP, ranges, CIDR and host-based notation
• added ability to specify client IP addresses Regex-based whitelist and blocklist
• "Included IP Addresses" field, a client IP address filter based on Regular Expression has been migrated to the new "IP Filtering" tab as "IP Regex Whitelist" and enhanced to support a list of expressions, one per line. The new field is backward compatible with the old field and will make the old pre-existing value to appear in the new field and continue to work after upgrade.
• Support for local reverse proxies in IP filtering

• Correct handling of users without USE privileges - now they stay anonymous and are able to access public spaces e.g. Jira Service Desk End-Users accessing public KB on Confluence (via Service Desk interface)
• better SocketException/ClientAbortException squashing

• fixed issue with excessive Jespa library re-initialisation on startup when big number of other add-ons is present
• fixed issue with Kerberos pre-auth and timing out of credentials

• Support for Kerberos authentication has been added
• now works on Mac OS X and Linux (if joined to a domain)
• as always works on Windows - but better than ever!

Addressed an issue that may occur during startup if a big number of other add-ons (including system ones) is present.

This used to result in excessive re-initialization of IOPLEX Jespa library on startup and has been identified as the root cause for "jcifs.smb.SmbException: All pipe instances are busy" exception observed in the logs later during operation.

• Added ability to direct IOPLEX Jespa log into the regular Confluence log via Log4J, using category "jespa" and level "DEBUG"
• "Get Started" now leads to "How to Install?" documentation page on the website
• Added anti-caching parameters in add-on config screens
• Added fade-outs for messages in config screens

Fix for state transition on expired EasySSO license Additional excludes supported via "excludes" in additional parameters

As reported by users some hardware loadbalancers react badly to NTLM challenges on certain type of requests (HTTP HEAD). This version lets such requests pass through without doing NTLM challenge to be handled by the core application.

Microsoft patch MS15-027/KB3002657 breaks "localhost.netbios.name" feature of IOPlex Jespa. In EasySSO this was set via instance identifier parameter in UI, which now has been removed.

With this functionality it was previously possible to use the same computer account in different web applications - this is no longer supported, please create distinct computer accounts for your applications.

Please also review the note on the IOPlex website.

• Fixed an issue affecting configurations with delegated authentication directories but no Copy on Login enabled - all user information would get overwritten with only a username
• Added "AD site" parameter to be able to restrict Domain Controllers based on the information in DNS
• Added additional parameters to pass extra config options to Jespa library (as per Jespa Operators Manual)
• Introduced an extra step before Fully Configured - users have encountered that authentication would be attempted before all Jespa-related parameters have been set by the admin

When used with other plugins, internal forwards from deep inside web-stack may occur. In these cases previous versions of EasySSO despite working would log a long stacktrace. The new version correctly identifies such forwards and handles them gracefully.

This version fixes issues with the dynamically loaded Jespa library jar being locked under Windows, which prevents updating IOPlex zip distribution and uploading license files.

• Some older versions of Internet Explorer submit upload file names differently than newer versions and other browsers - this prevented upload of IOPlex Jespa .zip distribution from working correctly
• When Jira is deployed on Windows OS server-side, with some versions of Windows unpacking of trial license from IOPlex Jespa .zip distribution didn't work correctly - resulted in "Jespa License has expired" messages
• A small bugfix for production Jespa licenses upload

- Fixed issue on Windows systems when uploading jespa ZIP

- Fixed issue with windows paths in setting log location.