• Fix: URL decoding of links not working when Forced SSO URLs is enabled
• Fix: AD FS does not allow ~ sign in URL

• Fix: URL decoding of links not working when Forced SSO URLs is enabled
• Fix: AD FS does not allow ~ sign in URL

• Feat: Show warning when conflicting redirect rules are configured.
• Fix: First regex transformation was always applied event though multiple regular expression rules are configured.
• Fix: Wrong redirect URL after session timeout on pull request pages.

• Feat: Show warning when conflicting redirect rules are configured.
• Fix: First regex transformation was always applied event though multiple regular expression rules are configured.
• Fix: Wrong redirect URL after session timeout on pull request pages.

• Improvement: Login from root page in Bitbucket with anonymous projects goes to dashboard instead of the public repository page

• Improvement: Login from root page in Bitbucket with anonymous projects goes to dashboard instead of the public repository page

• SAML: Fix test page incorrectly showing managed groups to be removed
• OIDC: Integration with Github working with a better guide

• SAML: Fix test page incorrectly showing managed groups to be removed
• OIDC: Integration with Github working with a better guide

• API tokens: new switch to enable/disable
• API tokens bugfix: Delete token not working when using PostgreSQL database
• OIDC improvment: User lookup via sub now working
• Cloud user provisioning: Switch to enable/disable sync of security enabled groups from Azure AD
• General improvements and bugfixes

• API tokens: new switch to enable/disable
• API tokens bugfix: Delete token not working when using PostgreSQL database
• OIDC improvment: User lookup via sub now working
• Cloud user provisioning: Switch to enable/disable sync of security enabled groups from Azure AD
• General improvements and bugfixes

• Feature: User synchronization with SCIM - https://kantega-sso.atlassian.net/l/c/UBv0hhC6
• Feature: Authenticate clients with API tokens - https://kantega-sso.atlassian.net/l/c/J01QdQLU
• Fix: Broken links in SAML/OIDC configuration pages
• Fix: Cloud user provisioning allowing &-character in group names
• Fix: Bamboo Git SSH connections failing with PEMException after generating IDP signing certificates in KSSO: https://confluence.atlassian.com/bamkb/bamboo-git-ssh-connections-failing-with-pemexception-968679809.html

• Feature: User synchronization with SCIM - https://kantega-sso.atlassian.net/l/c/UBv0hhC6
• Feature: Authenticate clients with API tokens - https://kantega-sso.atlassian.net/l/c/J01QdQLU
• Fix: Broken links in SAML/OIDC configuration pages
• Fix: Cloud user provisioning allowing &-character in group names
• Fix: Bamboo Git SSH connections failing with PEMException after generating IDP signing certificates in KSSO: https://confluence.atlassian.com/bamkb/bamboo-git-ssh-connections-failing-with-pemexception-968679809.html

• Fix: SAML Single Logout (SLO) does not work without an explicit return URL.

• Fix: SAML Single Logout (SLO) does not work without an explicit return URL.

Kerberos, SAML and OpenID Connect (OIDC) are the most widely used protocols for single sign-on. Now, Kantega SSO Enterprise supports all three.

OpenID Connect (OIDC) is an authentication protocol and an identity layer built on top of OAuth 2.0. It does everything OAuth does plus authentication. It based on modern communication protocols, such as JSON and REST, and it uses JSON Web Tokens (JWT), called an ID token, to provide authentication information.Our documentation describes more about the differences between OpenID Connect and SAML.Users that are familiar with how to configure SAML identity providers in Kantega SSO Enterprise will see that the setup and configuration of OIDC is very similar.

Kerberos, SAML and OpenID Connect (OIDC) are the most widely used protocols for single sign-on. Now, Kantega SSO Enterprise supports all three.

OpenID Connect (OIDC) is an authentication protocol and an identity layer built on top of OAuth 2.0. It does everything OAuth does plus authentication. It based on modern communication protocols, such as JSON and REST, and it uses JSON Web Tokens (JWT), called an ID token, to provide authentication information.

Our documentation describes more about the differences between OpenID Connect and SAML.

Users that are familiar with how to configure SAML identity providers in Kantega SSO Enterprise will see that the setup and configuration of OIDC is very similar.

• Fix:Allow SAML test to be run without incognito mode
• Fix: Eliminate log warnings related to Crowd updates / notifications being run on LDAP directories

• Fix:Allow SAML test to be run without incognito mode
• Fix: Eliminate log warnings related to Crowd updates / notifications being run on LDAP directories

- Fix Batch pagination regression for Cloud User sync with Azure AD, introduced in 3.7.0. Memberships for large groups were not properly retrieved. The bug only affects 3.7.0 with the Azure AD connector.

- Fix Batch pagination regression for Cloud User sync with Azure AD, introduced in 3.7.0. Memberships for large groups were not properly retrieved. The bug only affects 3.7.0 with the Azure AD connector.

• Cloud User Sync: Performance and robustness enhancements.
• Cloud User Sync configuration change: "Include members of the following groups (discard other groups)" option has been removed. It should be remapped to the new group inclusion filter automatically.
• SAML: Configure custom landing page for Single logout.
• Fix: Cloud User Sync for GSuite now correctly syncs memberships assigned using the user's non-primary e-mail. Previously, affected users would fail to show up the respective groups.

• Cloud User Sync: Performance and robustness enhancements.
• Cloud User Sync configuration change: "Include members of the following groups (discard other groups)" option has been removed. It should be remapped to the new group inclusion filter automatically.
• SAML: Configure custom landing page for Single logout.
• Fix: Cloud User Sync for GSuite now correctly syncs memberships assigned using the user's non-primary e-mail. Previously, affected users would fail to show up the respective groups.

• Cloud User Sync: Support for specific group and membership selection added
• Cloud User Sync: Added regular expression support for specific user, group and membership selection
• Cloud User Sync fix: Warning when JSON file has not been uploaded
• Fix SAML/Kerberos: Update memberships on every login not working for Crowd remote directory

• Cloud User Sync: Support for specific group and membership selection added
• Cloud User Sync: Added regular expression support for specific user, group and membership selection
• Cloud User Sync fix: Warning when JSON file has not been uploaded
• Fix SAML/Kerberos: Update memberships on every login not working for Crowd remote directory

• More robust disabling of username/password fields when "Disable Traditional login" is turned on.
• Username/password login is now disallowed when "Disable Traditional login" is turned on, even though BasicAuth login is allowed.

• More robust disabling of username/password fields when "Disable Traditional login" is turned on.
• Username/password login is now disallowed when "Disable Traditional login" is turned on, even though BasicAuth login is allowed.

• Feat: Allow wildcard (*) in user sync group filters
• Fix: Various UI improvements

• Feat: Allow wildcard (*) in user sync group filters
• Fix: Various UI improvements

• Kerberos: introduced ?nokerberosSession URL parameter to avoid Kerberos for the whole web session, and ?kerberosSession to again do Kerberos challenge
• SAML: Manual redirect is enabled when creating new Identity Provider
• SAML: Minor changes to setup wizards

• Kerberos: introduced ?nokerberosSession URL parameter to avoid Kerberos for the whole web session, and ?kerberosSession to again do Kerberos challenge
• SAML: Manual redirect is enabled when creating new Identity Provider
• SAML: Minor changes to setup wizards

• Feat: Show requested url as link on SAML error pages
• Feat: Show more setup details on SAML test result page
• Misc UI improvements.

• Feat: Show requested url as link on SAML error pages
• Feat: Show more setup details on SAML test result page
• Misc UI improvements.

• Fix: First time login for user in AD with local groups and default group memberships

• Fix: First time login for user in AD with local groups and default group memberships

• SAML: add ability to configure username placeholder text in SAML login form
• Cloud User Synchronization: Add ability to filter on guests users only

• SAML: add ability to configure username placeholder text in SAML login form
• Cloud User Synchronization: Add ability to filter on guests users only

• SAML Fix: URLs with '+' symbol not working in newer Bitbucket versions
• SAML Fix: Avoid group sync issues during login when user is found in user directory of type Jira Crowd
• Kerberos: Expose SPN details in ticket client failures page

• Kerberos: Support for enabling logging of client failures to log, details about this: https://docs.kantega.no/display/KantegaSSOEnterprise/Audit+and+Diagnostics+logging

• Kerberos: Better test page feedback when SPN differs in letter casing from keytab to ticket
• Kerberos: Better error handling and reporting on Active Directory test page

• SAML Fix: URLs with '+' symbol not working in newer Bitbucket versions
• SAML Fix: Avoid group sync issues during login when user is found in user directory of type Jira Crowd
• Kerberos: Expose SPN details in ticket client failures page

• Kerberos: Support for enabling logging of client failures to log, details about this: https://docs.kantega.no/display/KantegaSSOEnterprise/Audit+and+Diagnostics+logging

• Kerberos: Better test page feedback when SPN differs in letter casing from keytab to ticket
• Kerberos: Better error handling and reporting on Active Directory test page

• Feature: Allow users to be created / updated into crowd user directories when they log in with SAML
• Fix: Just-in-time provisioning must be able to handle setups where no writable user directory exist.
• Fix: Forced SSO Urls does not work with instant redirection mode
• Fix: Exception occurring when Fallback redirect mode is removed
• Fix: Kerberos challenge sent and fails when no user agent information is available. This has caused noise in application logs.

• Feature: Allow users to be created / updated into crowd user directories when they log in with SAML
• Fix: Just-in-time provisioning must be able to handle setups where no writable user directory exist.
• Fix: Forced SSO Urls does not work with instant redirection mode
• Fix: Exception occurring when Fallback redirect mode is removed
• Fix: Kerberos challenge sent and fails when no user agent information is available. This has caused noise in application logs.

• Cloud user provisioning: Fix incorrect password notification for a non-sso user when Cloud User Directory was ordered higher and the user was not in this directory

• Cloud user provisioning: Fix incorrect password notification for a non-sso user when Cloud User Directory was ordered higher and the user was not in this directory

• SAML: Let Just-in-time provisioning write to any writable, internal directory
• Cloud user provisioning: Avoid that password from the Internal directory could be used when the same username was found in Cloud directory and this had higher priority.
• New onboarding flow for SAML & Kerberos.

• SAML: Let Just-in-time provisioning write to any writable, internal directory
• Cloud user provisioning: Avoid that password from the Internal directory could be used when the same username was found in Cloud directory and this had higher priority.
• New onboarding flow for SAML & Kerberos

• SAML: New group based redirect to IDP rule.
• SAML: Improved GUI for setting up redirect rules page.
• User provisioning: New user filter keeping all group memberships

• SAML: New group based redirect to IDP rule.
• SAML: Improved GUI for setting up redirect rules page.
• User provisioning: New user filter keeping all group memberships

Feature: Support for HTTP header authentication.

Fix: Expose a human readable error message when just-in-time user creation fails because of missing data attributes.

Fix: Catch and handle exceptions when unexpected user data and JSON elements are sent from GSuite.

Feature: Support for HTTP header authentication.

Fix: Expose a human readable error message when just-in-time user creation fails because of missing data attributes.

Fix: Catch and handle exceptions when unexpected user data and JSON elements are sent from GSuite.

• Bugfix: Kerberos test page would in some cases claim an IP was blacklisted when it wasn't.
• Revert change related to user lookup, to once more allow fallback. Needed in envs where users are in an LDAP directory with a baseDN that doesn't match Kerberos REALM.
• Switched to spring-scanner internally.

• Bugfix: Kerberos test page would in some cases claim an IP was blacklisted when it wasn't.
• Revert change related to user lookup, to once more allow fallback. Needed in envs where users are in an LDAP directory with a baseDN that doesn't match Kerberos REALM.
• Switched to spring-scanner internally.

• Feature: Default Groups from LDAP/AD on each login (for both SAML & Kerberos)
• Feature: Better AzureAD managed groups support. Recognizing http://schemas.microsoft.com/ws/2008/06/identity/claims/groups as SAML group claims.
• Refactoring: More robust username lookup in LDAP/AD
• Fix: Not landing on Dashboard after Kerberos login when ForcedSSO is enabled
• Fix: Avoid Kerberos login for excluded Rest endpoints

• Feature: Default Groups from LDAP/AD on each login (for both SAML & Kerberos)
• Feature: Better AzureAD managed groups support. Recognizing http://schemas.microsoft.com/ws/2008/06/identity/claims/groups as SAML group claims.
• Refactoring: More robust username lookup in LDAP/AD
• Fix: Not landing on Dashboard after Kerberos login when ForcedSSO is enabled
• Fix: Avoid Kerberos login for excluded Rest endpoints

Regression fix: Fix for kerberos for rest with user agent exclusion

Update documentation links: We have restructured our documentation pages and all of the setup guide links are now given new and persistent urls

Regression fix: Fix for kerberos for rest with user agent exclusion

Update documentation links: We have restructured our documentation pages and all of the setup guide links are now given new and persistent urls

• Feat: Extend Just-in-time provisioning to also activate and update user records
• Fix: Compatibility with Java 11

• Feat: Extend Just-in-time provisioning to also activate and update user records
• Fix: Compatibility with Java 11

• Fixed regression introduced by the 3.5.16 fix for AD FS / destination URLs containing the tilde character.
• Misc internal code changes.

• Fixed regression introduced by the 3.5.16 fix for AD FS / destination URLs containing the tilde character.
• Misc internal code changes.

• Fixed Forced SSO support for all defined URLs in Bitbucket
• Fix support for ~ (tilde) symbol in return URLs for ADFS SAML
• Improved GSuite User Provisioning guide
• Cursor focus on username field when manually cancelling SAML login

• Fixed Forced SSO support for all defined URLs in Bitbucket
• Fix support for ~ (tilde) symbol in return URLs for ADFS SAML
• Improved GSuite User Provisioning guide
• Cursor focus on username field when manually cancelling SAML login

• Feature: Ability to configure exclusion for Kerberos on rest paths

• Feature: Ability to auditlog successful and failed logins using built-in log frameworks.

• Feature: Ability to configure exclusion for Kerberos on rest paths

• Feature: Ability to auditlog successful and failed logins using built-in log frameworks.

Multiple BouncyCastle dependencies with different versions caused NoSuchFieldError when setting up SAML idps. This version fix these dependency problems.

Multiple BouncyCastle dependencies with different versions caused NoSuchFieldError when setting up SAML idps. This version fix these dependency problems.

• Fixed a regression introduced in 3.5.11. SAML JIT provisioning would ignore the configured SAML username attribute, causing users being created in the Internal Directory with username "Firstname Lastname" on first login.
• Resolved a SAML redirection issue when target destination was Dashboard.jspa.

• Fixed a regression introduced in 3.5.11. SAML JIT provisioning would ignore the configured SAML username attribute, causing users being created in the Internal Directory with username "Firstname Lastname" on first login.
• Resolved a SAML redirection issue when target destination was Dashboard.jspa.

• Bugfix related to group sync using Delegated LDAPs
• Updated OneLogin SAML integration manual
• Minor UI improvments for JIT provisioning

• Bugfix related to group sync using Delegated LDAPs
• Updated OneLogin SAML integration manual
• Minor UI improvments for JIT provisioning

• Feat: Configuration option to require SAML group claims for Just-in-time user creation.
• Feat: Configurable option for allowing BasicAuth requests to pass when traditional username / password login is disabled
• Fix: Repair failing back-links from test result page

• Feat: Configuration option to require SAML group claims for Just-in-time user creation.
• Feat: Configurable option for allowing BasicAuth requests to pass when traditional username / password login is disabled
• Fix: Repair failing back-links from test result page

• Feature: Editable list of user agent strings where Kerberos should not trigger
• Improvement: Invalidate old css and javascript resources on new releases
• Improvement: Better usability in navigating menus and links in application
• Improvement: Redesign of SAML redirect modes page

• Feature: Editable list of user agent strings where Kerberos should not trigger
• Improvement: Invalidate old css and javascript resources on new releases
• Improvement: Better usability in navigating menus and links in application
• Improvement: Redesign of SAML redirect modes page

• Feat: Customize text shown to users when SAML authentication fails.
• Feat: Ability to set up cloud user provisioning to only synchronize users (not groups and memberships).
• Update: AzureAD and GSuite setup guidesFix: Kerberos for REST does not work with GoEdit
• Fix: LDAP err 49 in user lookup with AD LDS with non-standard username attribute
• Fix: Nullpointer exception in Active Directory test page
• Fix: Kerberos and required groups do not work in Bitbucket

• Feat: Customize text shown to users when SAML authentication fails.
• Feat: Ability to set up cloud user provisioning to only synchronize users (not groups and memberships).
• Update: AzureAD and GSuite setup guidesFix: Kerberos for REST does not work with GoEdit
• Fix: LDAP err 49 in user lookup with AD LDS with non-standard username attribute
• Fix: Nullpointer exception in Active Directory test page
• Fix: Kerberos and required groups do not work in Bitbucket

• Feat: Ability to disable BasicAuth server-side
• Feat: SAML - Import metadata by url
• Feat: Extract users through the AzureAD batch API
• Fix: When setting up Okta cloud user provisioning, the input field for domains are restricted with a too limited value range (only allowing domains ending with okta.com and okta-preview.com)

• Feat: Ability to disable BasicAuth server-side
• Feat: SAML - Import metadata by url
• Feat: Extract users through the AzureAD batch API
• Fix: When setting up Okta cloud user provisioning, the input field for domains are restricted with a too limited value range (only allowing domains ending with okta.com and okta-preview.com)

• Fix support for managed groups also for encrypted SAML assertions
• Fix potential error during login on certain configurations
• Support for full DNS names for Bitbucket in login redirects

• Fix support for managed groups also for encrypted SAML assertions
• Fix potential error during login on certain configurations
• Support for full DNS names for Bitbucket in login redirects

• Feat: Ability to disable traditional username / password login and enforce SSO as primary authentication.
• Fix: Adding cloud users to local groups fails.
• UI: Improve handling of custom SAML group and user attributes.

• Feat: Ability to disable traditional username / password login and enforce SSO as primary authentication.
• Fix: Adding cloud users to local groups fails.
• UI: Improve handling of custom SAML group and user attributes.

• Feat: Allow usernames from SAML response to be transformed with regex before lookup
• Ref: Refactor user directory, username attribute selection and transformation configuration pages
• Fix: Make file upload form fields compliant with Jira 8 and Bitbucket 6.1

• Feat: Allow usernames from SAML response to be transformed with regex before lookup
• Ref: Refactor user directory, username attribute selection and transformation configuration pages
• Fix: Make file upload form fields compliant with Jira 8 and Bitbucket 6.1

The cloud user provisioning feature for username transformations (introduced in v.3.5.0) failed when applied together with group filters.

The cloud user provisioning feature for username transformations (introduced in v.3.5.0) failed when applied together with group filters.

• Feat: Support for SAML Single Logout (SLO).

• Feat: Username transformation for Cloud user provisioning: Ability to strip off domain part from username attribute.
• Fix: “Synchronize now” status/counter not incrementing in Bitbucket 6.

• Feat: Support for SAML Single Logout (SLO).

• Feat: Username transformation for Cloud user provisioning: Ability to strip off domain part from username attribute.

• Fix: “Synchronize now” status/counter not incrementing in Bitbucket 6.

• Improved LDAP user lookup performance by obeying User Directory flag for "Update group memberships when logging in"

• Improved LDAP user lookup performance by obeying User Directory flag for "Update group memberships when logging in"

• Fix: Update Azure AD user provisioning guide with Directory.read.all as necessary permission
• Fix: Missing login links in Jira Service Desk
• Fix: Avoid SSO redirects to Jira login pages

• Fix: Update Azure AD user provisioning guide with Directory.read.all as necessary permission
• Fix: Missing login links in Jira Service Desk
• Fix: Avoid SSO redirects to Jira login pages

• Feat: Configurable auto redirect for relogins
• Fix: Correct user extractions from Azure AD. Replair error introduced in v. 3.4.18.

• Feat: Configurable auto redirect for relogins
• Fix: Correct user extractions from Azure AD. Replair error introduced in v. 3.4.18.

• Feat: Cloud user provisioning with custom group and user type filters.
• Fix: Improved kerberos for git support
• Fix: Double URL prefixing when opening attachments

• Feat: Cloud user provisioning with custom group and user type filters.
• Fix: Improved kerberos for git support
• Fix: Double URL prefixing when opening attachments