• Feat: Customize text shown to users when SAML authentication fails.
• Feat: Ability to set up cloud user provisioning to only synchronize users (not groups and memberships).
• Update: AzureAD and GSuite setup guidesFix: Kerberos for REST does not work with GoEdit
• Fix: LDAP err 49 in user lookup with AD LDS with non-standard username attribute
• Fix: Nullpointer exception in Active Directory test page

• Feat: Ability to disable BasicAuth server-side
• Feat: SAML - Import metadata by url
• Feat: Extract users through the AzureAD batch API
• Fix: When setting up Okta cloud user provisioning, the input field for domains are restricted with a too limited value range (only allowing domains ending with okta.com and okta-preview.com)
• Fix: Fecru - SAML authentication always redirects users to default home page, not the original resource.

• Fix support for managed groups also for encrypted SAML assertions
• Fix potential error during login on certain configurations

• Feat: Ability to disable traditional username / password login and enforce SSO as primary authentication.
• Fix: Adding cloud users to local groups fails.
• UI: Improve handling of custom SAML group and user attributes.

• Feat: Allow usernames from SAML response to be transformed with regex before lookup
• Ref: Refactor user directory, username attribute selection and transformation configuration pages

The cloud user provisioning feature for username transformations (introduced in v.3.5.0) failed when applied together with group filters.

• Feature: Username transformation for Cloud user provisioning: Ability to strip off domain part from username attribute.

• Improved LDAP user lookup performance by obeying User Directory flag for "Update group memberships when logging in"

• Fix: Update Azure AD user provisioning guide with Directory.read.all as necessary permission
• Fix: Missing login links in Jira Service Desk
• Fix: Avoid SSO redirects to Jira login pages

• Feat: Configurable auto redirect for relogins
• Fix: Correct user extractions from Azure AD. Replair error introduced in v. 3.4.18.

• Feat: Cloud user provisioning with custom group and user type filters.
• Fix: Improved kerberos for git support
• Fix: Double URL prefixing when opening attachments

• Feat: Google GSuite user provisioning connector can fetch users in several domains
• Fix: Dashboard freezing in Bamboo
• Fix: Disable automatic redirection when matching known domains
• Fix: Groups not extracted correctly from Azure AD user provisioning connector

• fix: Include target URL in idp links in login screens
• fix: Improve text in welcome message

• Fix redirects to documents with spaces in the url
• Some browser improvements (IE11)
• Fix certain incorrect SAML redirect targets when using the mode 'Redirect without showing login page'

• Feature: Encryption of SAML response messages
• Fix: Avoid redirect loops for remote page views
• Feature: UI and branding updates
• Feature: Provide welcome message on first setup

• SAML: New IdP setup guides Auth0, AuthAnvil, Bitium, Duo, Salesforce, WSO2, Keycloak & Ping Federate
• SAML: Links to improved and more detailed screenshot guides for Azure AD, GSuite, Okta, OneLogin & PingOne
• Kerberos: Support for not sending Kerberos challenge when receiving OAuth headers

• Feature: Enable forced SAML authentication on public pages
• Fix: Handle whitespace and other illegal URL characters in SAML target URLs.

Fix Kerberos IP whitelist regression introduced in version 3.4.6

• SAML: Both groups and roles in SAML response are now available for managed group setup
• SAML: Improved usability in setup wizard and test page
• Kerberos: Added functionality for regular expression transformation of usernames

• SAML: Added possibility for custom username attribute from SAML Response
• Kerberos: Added urls to Forced SSO: '/secure/BrowseProjects.jspa' (jira) and '/plugins/inlinetasks/mytasks.action' (confluence)
• Better backwards compatibility for checkbox elements
• Revised SAML setup menu for better understanding

• Java: Upgrade required Java from 1.7 to 1.8
• Feature: Kerberos - Regex support in IP blacklisting / whitelisting.
• UI: Make use of AUI toggle boxes, textual improvements and show license warnings on all add-on pages
• Fix: Repair error in auto fetching of values from AD during kerberos setup

• Default groups for SAML login.
• Configurable SAML redirect delay.
• Enable Kerberos REST protection for Bamboo.
• Fix for Kerberos blocking Confluence App in iOS.
• Improved SAML to allow simultanious logins in multiple tabs.
• General text and ui improvements

• Feature: Give all users access to public Confluence pages. Also when users are authenticated without sufficient group memberships.
• Feature: Provide a warning message on the kerberos test page when kerberos ticket and key tab file have different versions
• Feature: Kerberos usage counters and statistics for group lockout
• Bug: IIS-related error - Test page indicates local IP, even when its not.
• Refactoring: General text improvements

• Support for Kerberos Preemtive Authentization paths with URL parameters
• Minor look and feel and text improvments
• Improved Okta wizard description

Fixed: GSuite user synchronization pagination fault.

Fixed: Proper handling when authenticating inactive JIRA-users (with both SAML and Kerberos).

Fixed: Report key version number correctly in Active Directory server test UI.

Fixed: Support for following referrals in multi AD-domains when using other user principal than sAMAccountName.

• Fixed: SAML authentication failed for users in JIRA remote User Directory.
• Fixed: The “smart-commits” integration between JIRA and Bitbucket failed when Kerberos-authentication was enabled in the Bitbucket REST-api.

This release introduces the "Config Snapshots" feature. Admins can use this to create snapshots (zip files) containing the plugin's current configuration.

This is especially useful during testing and for maintaining SSO configurations when syncing between environments.

Update information about remote users when logging in

Gracefully handle other add-ons producing os_destination values with missing leading forward slash characters.

Connectors: User directories are now created with user attribute update permissions.

• Kerberos: Only attempt to generate AES-256 keys when unlimited cryptography is enabled in the JVM.
• Kerberos: JCE policy files have moved in recent Java versions, tests now take that into account.
• SAML: Fixed an issue where PEM formatted certificates were missing a trailing “-“
• SAML: Don’t interfere with username/password dialogs having an error message (such as CAPTCHA failure)

• New feature: Import keys from Active Directory
• Useful when the Kerberos service account is already configured, but the keytab file has somehow gotten out of sync with the AD account keys
• Sanitizing user provided redirect URLs

• SAML: Allow upload or pasting federation metadata XML also after the identity provider has been registered
• SAML testing: Improved error message when the response or assertion was signed with an unknown / unknown certificate
• SAML testing: When sending test notification emails, fail gracefully if mail server is down or misconfigured

New feature "Cloud connectors" allows syncing of users with groups and memberships from Azure, Google G-Suite and Okta.

See https://connectors.kantega.no for an introduction to the Cloud Connectors feature.

SAML:

• Accept importing federation metadata from Keycloak
• Allow customizing NameIDPolicy attributes
• Update instructions to use the new Azure Portal with Kantega SSO gallery app
• Make the?noautosso easier to use across applications

Kerberos:

• Allow appending instead of replacing keys when uploading a keytab
• Suggest enabling AES-128/AES-256 in account settings when ticket encryption type does not match keytab
• Suggest solutions when keytab version is older / newer than ticket
• Kerberos for REST: On the 401 Negotiate response, suppress any status changes from the application

SAML:

The "do not show the login page" redirect mode now allows manual login following a logout.

Kerberos:

• Suggested service account names should be no longer than 20 charactersFecru /
• Testing for admin permissions now handles Fecru's numeric UserKeys

Users can now be redirected based on what user directory they exist in.

Fixed an issue where the add-on failed to create or update when a delegated LDAP user directory was configured to use SSL.

• SAML: Detect out-of-sync signing keystore password
• SAML: Make keystore password an opt-in feature
• Kerberos: Detect setup wizard connecting to non-AD LDAP servers such as OpenLDAP

Allow saving a SAML identity provider as a draft which can then be resumed at a later point.

• New feature: Group memberships can now be managed via SAML group claims
• New feature: Optionally let users select an Identity Provider by clicking a link in the login UI
• New feature: Support validation of signatures from Identity Providers which do not include the X509Certificate used when signing the SAML response
• Fixed a problem where live updates of the UPM add-on caused classloading lookups to fail for the add-on.

• SAML test: Detect and warn when a non-standard Seraph authenticator is configured in the system
• SAML: New config page allows customizing the Issuer and RequestedAuthnContext elements in the AuthnRequest message.
• SAML: The default for new IDP registrations is changed to not send the RequestedAuthnContext element in AuthnRequests.

• When provisioning users, custom full name and email attribute may be used
• Fixes an issue where duplicate SPN would cause an error in the Kerberos setup wizard

A regression caused SAML login to be disabled in the UI when logging in following a manual log out.

• Redirect rules now support hard redirect. (Do not show the Application login page)
• Adding ?nosaml now bypasses SAML logon
• Fixed an issue where Azure AD joined computers users logged in with Microsoft Edge would get an X509 error

Matching the SAML attribute cn as an alias for Name / DisplayName.

• SAML: Added support for auto-redirect rules. Rules are managed inside each IDP.
• Preemptive authentication: Excluded paths are now matched case-insensitive.

• New: Support for SAML login with guided setup for identity providers such as AD FS, Azure AD, Google G-Suite, Okta, Ping and OneLogin.
• Add-on name changed to "Kantega Single Sign-on" to reflect the new SAML support.

Delegated LDAP Authentication:Fixed: Create or update users according to User Directory settings

• Added instruction for allowing large headers using http2 on Nginx
• Removed extra spaces from ktpass command

• Allow certain paths to be excluded from preemptive authentication
• Active Directory Test: Made search for misconfigured Read Only Domain Controllers much faster
• Setup wizard: Describe how to unmap an SPN if the SPN is mapped to the wrong account

Manual username / password login attempts can now optionally be logged with username, IP and user agent.

• Added detection of invalid, missing or unreadable jce policy files
• Support for version 4.3.0

Support binding anonymously to LDAP User Directories

Plugin now handles the case where userAccountControl or msDS-KeyVersionNumber are unreadable by the binding user

Fixes an issue on the ldap test page when the SPN is not found

• Fixed an issue which caused Safari to present a login popup on a successful login on the test page
• Added test which detects that the Password Replication Policy for a Read Only Domain Controller is configured to deny replication of the service account’s credentials

• Show correct test result on config page.
• Cleanup on the setup wizard task list.

• Detect that the Generic user directory is actually an Active Directory
• Fix for an issue where an invalid token on the test page could cause later HTTP POST requests to fail in Internet Explorer

• Maximum header test removed from the main configuration page
• Account lookup is now performed with the user name attribute configured in the user directory

We are proud to introduce the new setup wizard!

The wizard can check AD and DNS settings to further lower the need for Active Directory and Kerberos knowledge.

Fixes 500 error when the keytab file has no SPN with HTTP/