Release notes

• Add warning for NTLM when using incorrect Java 11, Java 17 runtime configuration
• Reload kerberos config after properties have changed
• Update dependencies
• Remove Test SSO button from SAML admin page

• Add warning for Kerberos when using incorrect Java 11, Java 17 runtime configuration

• Add SAML support for SessionNotOnOrAfter attribute
• Add SAML request signing on login for redirect binding
• Add SAML request signing on logout for redirect binding
• Add SAML support for redirect binding Single Log Out (SLO)

• Add logging for session info not sent on logout
• Fix metadata for SLO based on admin binding type
• Fix mismatched SPNameQualifier on login and logout
• Fix jespa upload problem with debug enabled

• Update outdated dependencies
• Improve error messages for SAML Signature validation

• Improved error handling
• Improved Jespa IOPLEX v2 compatibility

• UI changes for "blocklist" and "allowlist"
• IOPLEX Jespa library version displayed in EasySSO/NTLM/About dialog (if re-uploaded)

• Improve error messages for NTLM configuration
• Update dependencies

IOPLEX Jespa library 1.2.11 introduced some incompatible changes. This fix addresses this incompatibility and makes EasySSO support both old and new versions of Jespa.

• Removed session check from metadata URL
• Added a message in UI to indicate that the SAML metadata is only available to IP addresses not filtered out by the IP filtering
• Updated the license warning message

• Added support for NameID formats(transient, persistent … ) when performing Single Log Out (SLO)
• Fixed a bug in how logout binding types and URLs were identified from the UI settings (Redirect vs. POST)

• Fix a bug where incorrect SAML binding type is selected on logout

• Improved screen reader support on NTLM/Kerberos, SAML, X509 & Headers configuration pages
• Success and error message now announced to screen reader when displayed
• All configuration links now accessible by keyboard navigation
• Improved description and help messages

Bugfixes:

• Added a log warning when a non-admin user attempts to update groups for system-admin groups.

• Fix for bug where SAML SLO will not complete with certain configurations
• Fix for bug where incorrectly cased computer account name used for Kerberos - causing Message Stream Modified errors

Major update to bring up to date with all other EasySSO products:

- SAML Authenticator support, including groups and JIT user provisioning

- Support for headers and X.509 based authenticators

- Compatibility with Java 11

- Footer for easy access to support and documentation

• fixed issue preventing IOPLEX Jespa library upload

• Fixed XSRF vulnerability in admin screens of EasySSO

• improved security in HTTP Headers authenticator.
• increased maximum waiting time for a response to a SAML request
• fix for possible infinite loop on logout with SAML authenticator
• changes to some internal UI elements

• Application Links to/from Jira, Confluence and Bamboo stopped working after upgrade from 4.5.x to 4.7.x due to Fecru starting to use chunked encoding. Fixed.

• Fixed a bug where uploading a new Jespa trial license on top of an existing expired could be result in EasySSO still reporting that the license was expired.

• Fixed a bug where IP filtering would not properly work when a specific port of an IP address was specified in the request header.

IOPLEX Jespa library 1.2.x introduced some incompatible changes to code and encryption of licenses. This fix addresses this incompatibility and makes EasySSO support both old and new versions of Jespa

This release contains no new features, but it includes some core changes to request filtering.

• We've fixed a problem that could cause the add-on to fail to enable if the jespa.log location was set incorrectly.
• Made some changes to the IP address filter to properly support several fringe use-cases.

• Native support for X.509 client certificate authentication
• Support for external authentication (e.g. in front-facing reverse proxies) via header-based integration
• Support for custom authenticator add-ons via attribute-based integration

• EasySSO Configuration UI has been completely redesigned to be less busy: the main screen now contains the minimum required fields, a progress tracker has been introduced, any values that could have reasonable defaults have them now

• Parameter values validation has been added - less chances to make mistakes
• Additional configuration parameters, IP Filtering, User-Agent Filtering and Advanced Filtering have been moved under "Advanced" button
• "Test Connection" button has been added to enable testing the connection to the domain controller
• SetComputerPassword.vbs script is now available for download directly from the UI
• “Troubleshooting” button allows you to download the logs and inspect them to check if anything has gone wrong
• “About” button opens a dialog that allows you to review the status of your licenses, including the IOPLEX Jespa one, as well as the mode in which EasySSO is operating
• Offline installation instructions have been added - for installing without no internet connection

• User-Agent Filtering: config screen now supports parsing arbitrary UA strings on demand
• UserAgentUtils library has been updated to version 1.20
• Cookie Opt-Out: Admins can enable SSO opt-out via cookie in Advanced Filtering tab, users can opt-out in their User Profile settings, anonymous users can opt-out if enabled (to support regular non-domain users)
• new IP Filtering tab in EasySSO config
• ability to specify client IP addresses whitelist and blacklist as single IP, IP ranges, in CIDR, and host-based notation
• ability to specify regex-based whitelist and blacklist for client IP addresses
• the old "Included IP Addresses" regex client IP address filter configuration will be migrated to the new "IP Regex Whitelist" automatically
• Support for reverse proxies, local, remote, and multiple chained reverse proxies
• Reduced log chattiness when EasySSO trial license or evaluation license has expired
• Fix for uploading fresh ioplex.zip over already expired trial one
• bug fixes and improvement

• User-Agent Filtering: config screen now supports parsing arbitrary UA strings on demand
• UserAgentUtils library has been updated to version 1.20
• Cookie Opt-Out: Admins can enable SSO opt-out via cookie in Advanced Filtering tab, users can opt-out in their User Profile settings, anonymous users can opt-out if enabled (to support regular non-domain users)
• new IP Filtering tab in EasySSO config
• ability to specify client IP addresses whitelist and blacklist as single IP, IP ranges, in CIDR, and host-based notation
• ability to specify regex-based whitelist and blacklist for client IP addresses
• the old "Included IP Addresses" regex client IP address filter configuration will be migrated to the new "IP Regex Whitelist" automatically
• Support for reverse proxies, local, remote, and multiple chained reverse proxies
• Reduced log chattiness when EasySSO trial license or evaluation license has expired
• Fix for uploading fresh ioplex.zip over already expired trial one
• bug fixes and improvement

• debug logging for Kerberos
• NPE on Kerberos server credentials expiry
• fixes in KDC DNS discovery
• additional escaping for values in the config screen
• TechTime Plugins section in Add-Ons admin screen

• fixed issue with excessive Jespa library re-initialisation on startup when big number of other add-ons is present
• fixed issue with Kerberos pre-auth and timing out of credentials

• Support for Kerberos authentication has been added
• now works on Mac OS X and Linux (if joined to a domain)
• as always works on Windows - but better than ever!

This is the initial port of EasySSO for Jira and Confluence to Fisheye/Crucible