Backport from 6.20 to patch faulty URL parameter sanitization allows HTML injection into the SAML login page.

Full release notes: https://kantega-sso.atlassian.net/wiki/spaces/KSE/pages/1225883649/Kantega+SSO+Enterprise+6.20.x+release+notes

Consolidated logging by replacing all remaining direct references to the provided dependency of Log4j 1.2.17 with the facade Slf4j. Older versions of Kantega SSO are not affected by CVE-2021-44228, but this release mitigates risk of other vulnerabilities. Read more about the log4j vulnerability here: https://kantega-sso.atlassian.net/wiki/spaces/KSE/pages/932118634/About+the+Log4j+vulnerability+CVE-2021-44228

Fix performance issue with unnecessary database queries to AO_xx_RESTRICT_APIENDPOINT on REST API filter

Bugs

• API tokens are blocked when BasicAuth is disabled
• When using JIT provisioning and sending the email parameter as a list instead of a string, the first email is not extracted correctly

Improvements

• Allow user lookup in an AD directory where the user is a member of a subdomain of the directory baseDn
• Allow Jira Crowd requests to pass through when Basic Auth and API tokens are restricted

Bugs

• Just-in-time provisioning does not work with a delegated user directory

Features:

• [User Provisioning] Authenticated anonymous browsing: allow users to browse "anonymous" to the Atlassian product after SAML/OIDC login instead of Just-in-time create user
• [Kerberos] Toggle Kerberos based on user directory

Improvements:

• [OIDC] Support incoming list in OIDC email claim
• [OIDC/SAML] Support \L and \U for lowercase/uppercase in OIDC/SAML user lookup regular expressions
• [SCIM] Support externalId claim for filter in SCIM
• [API Tokens] REST API Access blocking non-API token requests reduced to DEBUG level logging and added to access log

Bugs:

• [API Connector] Bad handling of incorrect tenant name input
• [OIDC] OIDC single logout not triggered from Jira Service Management

Features:

• Kerberos: Wizard helps to fix UPN bound to incorrect AD account issues
• SCIM: Ability to turn off SCIM request authentication using bearer tokens

Improvements:

• SCIM is now out of BETA

Bugs:

• Depreciation warning when configuring CDN with Kantega SSO installed

Fix:

• Redirect based on user directory is no longer independent of user lookup attribute

New features

• [SCIM] Added support for filtered sub-attribute targets in PATCH requests

Security

• App configuration access level increased to system administrator to avoid the possibility for ordinary administrators to elevate privileges

New features

• Added support tab with ability to search documentation and quickly contact support
• Added page for debug information about entire app configuration
• Allow username/password login only for specific user groups

Improvements

• Backup of API tokens and Restrict API endpoint settings in "Snapshot of config"

New features

• Restrict rest API endpoints only to use API tokens for Authentication
• [SAML] Schedule automatic metadata refresh
• [OIDC] Support for Azure AD multi-tenant architecture • Disable traditional login based on the user directory
• Assign default groups based on regex rules

Improvements

• Rewritten license warnings to give a better understanding of why the license is not valid

Fixes

• NoSuchElementException in logs when loading the login page
• SCIM does not accept usernames with apostrophes
• Possible NullPointerException during Single Logout
• Moved away from using CLOB values

Fixes:

• SAML/OIDC: Inconsistent behavior with auto redirect mode using remember-my-login
• SAML: Test page for certificate shows variables instead of actual values

New features:

• OIDC: support for "client_secret_post" client authentication method
• Kerberos: toggle to disable Kerberos on JSM/JSD knowledge base

Improvements:

• OIDC: more robust and richer test login flow and more details in debug info
• OIDC/SAML: test result page has better tracking with a unique ID

Fixes:

• SAML: missing sanitization of URL on SAML response page
• Broken style on debug info text box

Improvements

• ForceSSO for JEditor

Fixes

• Possible NullPointerException on API Tokens

Fixes

• [OIDC] Single Logout issues with activation, incorrect return URL, and improved error handling
• API Tokens incorrectly logs error on version upgrade

Improvements:

• Remove use of API_TOKEN prefix
• Added origin validation as part of CSRF check

Features

• SAML: Added support for changing SSL fingerprint during metadata refresh
• SAML: Added support for HTTP (not only HTTPS) in metadata URL

Fixes

• Kerberos: Fixed logging and improved exception handling for AD server DNS lookup

Also, the following third party libraries were updated:

• commons-io 1.4 to 2.4
• commons-fileupload 1.2.1 to 1.4
• guava 19.0 to 30.0-jre
• jetty 9.4.7.v20170914 to 9.4.34.v20201102
• jackson-databind 2.9.8 to 2.9.10.6
• jackson-module-parameter-names 2.9.8 to 2.9.10
• jackson-datatype-jdk8 2.9.8 to 2.9.10
• jackson-datatype-jsr310 2.9.8 to 2.9.10
• jackson-module-jaxb-annotations 2.9.8 to 2.9.10
• opensaml-saml-impl 3.4.2 to 3.4.5
• slf4j-api 1.7.5 to 1.7.30

Features

• Support for Identity Providers requiring POST binding of SAML Request

Fixes

• X509 Certificates for SAML does not display correctly
• Header Authentication does not work for REST
• API Tokens does not work if there exists an inactive user in Internal Directory and an active user in Active Directory with the same username

Fixes

• OIDC: aud (Audience) claim in id_token only accepts string value and not array

New features

• OIDC: Rewritten library for OIDC
• OIDC: Configure scopes used in OIDC request
• OIDC: Support for domain hint for Azure AD and hosted domain for Google

Improvements

• OIDC: Better feedback when something goes wrong

Fixes

• API token authentication can now receive a request with session cookie without account lockout.
• Hosted Domain is not added to the SAML authentication URL in a two-step login flow.

Fixes

• API Tokens: Valid token requests counted as failed password attempts. Prefix old tokens with API_TOKEN_ to make use of the new functionality.

New features

• SAML: Hosted domain (hd) support for suggesting domain to the identity provider.

Fixes

• API Tokens: Storage format not compatible with the Atlassian backup mechanism.
• API Tokens: Failed token requests counted as failed password attempts. Prefix old tokens with API_TOKEN_ to make use of the new functionality.

New features

• API tokens: Ability to restrict requests based on IP addresses, and user permissions can be set based on group memberships.
• Kerberos: Possibility to enable SSO for user avatar URLs.
• SAML: Support for login hint when using 2-step login.

Fixes

• OIDC: Redirect based on user directory does not save selected user directories.

Improvements

• Name change of IP restriction modes to prevent confusion with IP lists.
• Improved SAML test page debug info.
• More robust test login incognito mode detection.

New features

• SAML/OIDC: Redirect based on username now respects all configured lookup attributes when using redirect by user directory or redirect by selected groups.
• SAML/OIDC: Possibility to require SAML/OIDC response to contain at least one group to allow Just-in-Time provisioning to create users.

Fixes

• Active Directory test does not support multi-domain.
• Broken Just-in-Time provisioning link on the Group memberships page.

Improvements

• Changed wording from whitelist/blacklist to unblocked list/blacked list.

Okta has changed the attributes and pagination in their user APIs.

If you use the API Connector features to synchronize Okta users and experience that you are only able to sync 200 users but have a larger user base, you are most likely hit by this change and should upgrade to version 4.2.2 of Kantega SSO.

• New feature OIDC/SAML: Group creation and synchronization of all incoming group claims as an alternative to managed groups
• SAML fix: Error on test page when incoming SAML response is incomplete

• SAML/OIDC fix: Only instant redirect logins working in Fisheye/Crucible
• SAML/OIDC improvement: Regular expressions in username transformation will now also try original username if no match is found
• Cloud User Sync performance improvements when adding synced users to local groups
• Internal technical improvements

Fix regression introduced in 4.1.12, where basic auth REST requests would give 401 response code when Kerberos is enabled

• Feat: Rate limit delay for Okta API Connector. Avoid creating too many API requests within a short timeframe.
• Improvement: Update Keycloak setup guides

• Feat: Ability to edit client id, secret and discovery url for OIDC integrations
• Feat: Customizable text elements on login screen
• Fix: Cross-site scripting vulnerability when using instant redirect to identity provider

• Feat: Support managed groups and single logout for OpenID Connect providers
• Fix: OpenID Connect setup wizard: Better handling of URL in metadata step
• Fix: General Crowd user directory integration improvements
• Allow anonymous access to LDAP servers
• SAML/OIDC Fix regression from 4.1.7 where exisiting SAML/OIDC IdPs did not work

• Feat: Show warning when conflicting redirect rules are configured.
• Fix: First regex transformation was always applied event though multiple regular expression rules are configured.

• SAML: Fix test page incorrectly showing managed groups to be removed
• OIDC: Integration with Github working with a better guide

• API tokens: new switch to enable/disable
• API tokens bugfix: Delete token not working when using PostgreSQL database
• OIDC improvment: User lookup via sub now working
• Cloud user provisioning: Switch to enable/disable sync of security enabled groups from Azure AD
• General improvements and bugfixes

• Feature: User synchronization with SCIM - https://kantega-sso.atlassian.net/l/c/UBv0hhC6
• Feature: Authenticate clients with API tokens - https://kantega-sso.atlassian.net/l/c/J01QdQLU
• Fix: Broken links in SAML/OIDC configuration pages
• Fix: Cloud user provisioning allowing &-character in group names
• Fix: Bamboo Git SSH connections failing with PEMException after generating IDP signing certificates in KSSO: https://confluence.atlassian.com/bamkb/bamboo-git-ssh-connections-failing-with-pemexception-968679809.html

• Fix: Kantega SSO configuration does not show up in blank environments.

• Fix:Allow SAML test to be run without incognito mode
• Fix: Eliminate log warnings related to Crowd updates / notifications being run on LDAP directories

- Fix Batch pagination regression for Cloud User sync with Azure AD, introduced in 3.7.0. Memberships for large groups were not properly retrieved. The bug only affects 3.7.0 with the Azure AD connector.

• Cloud User Sync: Performance and robustness enhancements.
• Cloud User Sync configuration change: "Include members of the following groups (discard other groups)" option has been removed. It should be remapped to the new group inclusion filter automatically.
• SAML: Configure custom landing page for Single logout.
• Fix: Cloud User Sync for GSuite now correctly syncs memberships assigned using the user's non-primary e-mail. Previously, affected users would fail to show up the respective groups.

• Cloud User Sync: Support for specific group and membership selection added
• Cloud User Sync: Added regular expression support for specific user, group and membership selection
• Cloud User Sync fix: Warning when JSON file has not been uploaded
• Fix SAML/Kerberos: Update memberships on every login not working for Crowd remote directory

• More robust disabling of username/password fields when "Disable Traditional login" is turned on.
• Username/password login is now disallowed when "Disable Traditional login" is turned on, even though BasicAuth login is allowed.

• Feat: Allow wildcard (*) in user sync group filters
• Fix: Various UI improvements

• Kerberos: introduced ?nokerberosSession URL parameter to avoid Kerberos for the whole web session, and ?kerberosSession to again do Kerberos challenge
• SAML: Manual redirect is enabled when creating new Identity Provider
• SAML: Minor changes to setup wizards

• Feat: Show requested url as link on SAML error pages
• Feat: Show more setup details on SAML test result page
• Fix: SAML links and redirection sliders is not allways shown on login pages.
• Misc UI improvements.

• Fix: First time login for user in AD with local groups and default group memberships

• SAML: add ability to configure username placeholder text in SAML login form
• Cloud User Synchronization: Add ability to filter on guests users only

• SAML Fix: Avoid group sync issues during login when user is found in user directory of type Jira Crowd
• Kerberos: Expose SPN details in ticket client failures page

• Kerberos: Support for enabling logging of client failures to log, details about this: https://docs.kantega.no/display/KantegaSSOEnterprise/Audit+and+Diagnostics+logging

• Kerberos: Better test page feedback when SPN differs in letter casing from keytab to ticket
• Kerberos: Better error handling and reporting on Active Directory test page

• Feature: Allow users to be created / updated into crowd user directories when they log in with SAML
• Fix: Just-in-time provisioning must be able to handle setups where no writable user directory exist.
• Fix: Forced SSO Urls does not work with instant redirection mode
• Fix: Exception occurring when Fallback redirect mode is removed
• Fix: Kerberos challenge sent and fails when no user agent information is available. This has caused noise in application logs.

• Cloud user provisioning: Fix incorrect password notification for a non-sso user when Cloud User Directory was ordered higher and the user was not in this directory

• SAML: Let Just-in-time provisioning write to any writable, internal directory
• Cloud user provisioning: Avoid that password from the Internal directory could be used when the same username was found in Cloud directory and this had higher priority.
• New onboarding flow for SAML & Kerberos.

• SAML: New group based redirect to IDP rule.
• SAML: Improved GUI for setting up redirect rules page.
• User provisioning: New user filter keeping all group memberships

• Bugfix: Kerberos test page would in some cases claim an IP was blacklisted when it wasn't.
• Revert change related to user lookup, to once more allow fallback. Needed in envs where users are in an LDAP directory with a baseDN that doesn't match Kerberos REALM.
• Switched to spring-scanner internally.

• Feature: Default Groups from LDAP/AD on each login (for both SAML & Kerberos)
• Feature: Better AzureAD managed groups support. Recognizing http://schemas.microsoft.com/ws/2008/06/identity/claims/groups as SAML group claims.
• Refactoring: More robust username lookup in LDAP/AD

We have restructured our documentation pages and all of the setup guide links are now given news and persistent urls

• Feat: Extend Just-in-time provisioning to also activate and update user records
• Fix: Compatibility with Java 11

• Fixed regression introduced by the 3.5.16 fix for AD FS / destination URLs containing the tilde character.
• Misc internal code changes.

• Fix support for ~ (tilde) symbol in return URLs for ADFS SAML
• Improved GSuite User Provisioning guide
• Cursor focus on username field when manually cancelling SAML login

Multiple BouncyCastle dependencies with different versions caused NoSuchFieldError when setting up SAML idps. This version fix these dependency problems.

• Bugfix related to group sync using Delegated LDAPs
• Updated OneLogin SAML integration manual
• Minor UI improvments for JIT provisioning

• Feat: Configuration option to require SAML group claims for Just-in-time user creation.
• Feat: Configurable option for allowing BasicAuth requests to pass when traditional username / password login is disabled
• Fix: Repair failing back-links from test result page

• Feature: Editable list of user agent strings where Kerberos should not trigger
• Improvement: Invalidate old css and javascript resources on new releases
• Improvement: Better usability in navigating menus and links in application
• Improvement: Redesign of SAML redirect modes page

• Feat: Customize text shown to users when SAML authentication fails.
• Feat: Ability to set up cloud user provisioning to only synchronize users (not groups and memberships).
• Update: AzureAD and GSuite setup guidesFix: Kerberos for REST does not work with GoEdit
• Fix: LDAP err 49 in user lookup with AD LDS with non-standard username attribute
• Fix: Nullpointer exception in Active Directory test page

• Feat: Ability to disable BasicAuth server-side
• Feat: SAML - Import metadata by url
• Feat: Extract users through the AzureAD batch API
• Fix: When setting up Okta cloud user provisioning, the input field for domains are restricted with a too limited value range (only allowing domains ending with okta.com and okta-preview.com)
• Fix: Fecru - SAML authentication always redirects users to default home page, not the original resource.

• Fix support for managed groups also for encrypted SAML assertions
• Fix potential error during login on certain configurations

• Feat: Ability to disable traditional username / password login and enforce SSO as primary authentication.
• Fix: Adding cloud users to local groups fails.
• UI: Improve handling of custom SAML group and user attributes.

• Feat: Allow usernames from SAML response to be transformed with regex before lookup
• Ref: Refactor user directory, username attribute selection and transformation configuration pages

The cloud user provisioning feature for username transformations (introduced in v.3.5.0) failed when applied together with group filters.

• Feature: Username transformation for Cloud user provisioning: Ability to strip off domain part from username attribute.

• Improved LDAP user lookup performance by obeying User Directory flag for "Update group memberships when logging in"

• Fix: Update Azure AD user provisioning guide with Directory.read.all as necessary permission
• Fix: Missing login links in Jira Service Desk
• Fix: Avoid SSO redirects to Jira login pages

• Feat: Configurable auto redirect for relogins
• Fix: Correct user extractions from Azure AD. Replair error introduced in v. 3.4.18.

• Feat: Cloud user provisioning with custom group and user type filters.
• Fix: Improved kerberos for git support
• Fix: Double URL prefixing when opening attachments

• Feat: Google GSuite user provisioning connector can fetch users in several domains
• Fix: Dashboard freezing in Bamboo
• Fix: Disable automatic redirection when matching known domains
• Fix: Groups not extracted correctly from Azure AD user provisioning connector

• fix: Include target URL in idp links in login screens
• fix: Improve text in welcome message

• Fix redirects to documents with spaces in the url
• Some browser improvements (IE11)
• Fix certain incorrect SAML redirect targets when using the mode 'Redirect without showing login page'

• Feature: Encryption of SAML response messages
• Fix: Avoid redirect loops for remote page views
• Feature: UI and branding updates
• Feature: Provide welcome message on first setup

• SAML: New IdP setup guides Auth0, AuthAnvil, Bitium, Duo, Salesforce, WSO2, Keycloak & Ping Federate
• SAML: Links to improved and more detailed screenshot guides for Azure AD, GSuite, Okta, OneLogin & PingOne
• Kerberos: Support for not sending Kerberos challenge when receiving OAuth headers

• Feature: Enable forced SAML authentication on public pages
• Fix: Handle whitespace and other illegal URL characters in SAML target URLs.

Fix Kerberos IP whitelist regression introduced in version 3.4.6

• SAML: Both groups and roles in SAML response are now available for managed group setup
• SAML: Improved usability in setup wizard and test page
• Kerberos: Added functionality for regular expression transformation of usernames

• SAML: Added possibility for custom username attribute from SAML Response
• Kerberos: Added urls to Forced SSO: '/secure/BrowseProjects.jspa' (jira) and '/plugins/inlinetasks/mytasks.action' (confluence)
• Better backwards compatibility for checkbox elements
• Revised SAML setup menu for better understanding

• Java: Upgrade required Java from 1.7 to 1.8
• Feature: Kerberos - Regex support in IP blacklisting / whitelisting.
• UI: Make use of AUI toggle boxes, textual improvements and show license warnings on all add-on pages
• Fix: Repair error in auto fetching of values from AD during kerberos setup

• Default groups for SAML login.
• Configurable SAML redirect delay.
• Enable Kerberos REST protection for Bamboo.
• Fix for Kerberos blocking Confluence App in iOS.
• Improved SAML to allow simultanious logins in multiple tabs.
• General text and ui improvements

• Feature: Give all users access to public Confluence pages. Also when users are authenticated without sufficient group memberships.
• Feature: Provide a warning message on the kerberos test page when kerberos ticket and key tab file have different versions
• Feature: Kerberos usage counters and statistics for group lockout
• Bug: IIS-related error - Test page indicates local IP, even when its not.
• Refactoring: General text improvements

• Support for Kerberos Preemtive Authentization paths with URL parameters
• Minor look and feel and text improvments
• Improved Okta wizard description

Fixed: GSuite user synchronization pagination fault.

Fixed: Proper handling when authenticating inactive JIRA-users (with both SAML and Kerberos).

Fixed: Report key version number correctly in Active Directory server test UI.

Fixed: Support for following referrals in multi AD-domains when using other user principal than sAMAccountName.

• Fixed: SAML authentication failed for users in JIRA remote User Directory.
• Fixed: The “smart-commits” integration between JIRA and Bitbucket failed when Kerberos-authentication was enabled in the Bitbucket REST-api.

This release introduces the "Config Snapshots" feature. Admins can use this to create snapshots (zip files) containing the plugin's current configuration.

This is especially useful during testing and for maintaining SSO configurations when syncing between environments.

Update information about remote users when logging in

Gracefully handle other add-ons producing os_destination values with missing leading forward slash characters.

Connectors: User directories are now created with user attribute update permissions.

• Kerberos: Only attempt to generate AES-256 keys when unlimited cryptography is enabled in the JVM.
• Kerberos: JCE policy files have moved in recent Java versions, tests now take that into account.
• SAML: Fixed an issue where PEM formatted certificates were missing a trailing “-“
• SAML: Don’t interfere with username/password dialogs having an error message (such as CAPTCHA failure)

• New feature: Import keys from Active Directory
• Useful when the Kerberos service account is already configured, but the keytab file has somehow gotten out of sync with the AD account keys
• Sanitizing user provided redirect URLs