- remove uri double encoding thanks to @DiaanEngelbrecht
- fix esaml initialization thanks to @bopm
- check and enforce session expiration (CVE-2024-25718) thanks to @idyll
- Added dialyzer checks
- Changed internal function layout to report errors more granularly
- Verified with updates to esaml dependency
- Client can refresh the runtime provider config without restarting the app from bernardd
- Metadata can be specified directly in the IdP config rather than requiring a file
- Bumps dependencies
- Updated minor version due to dependency updates requiring potential language version bumps
- Removed Inch CI
- Updated dependencies for project
- Removed strict required dependency on `sweet_xml`
- Use updated version of `esaml` to reduce strict requirements on `cowboy`
- Updated license copyright
- `target_url` query parameter for the sign-in/sign-out requests must be `x-www-form-urlencoded`.
- Redirect URLs are properly encoded.
- Switched to `report-to` in the content security policy.
- `cache-control` header value updated.
- Issue: #33 - Content Security Policy enabled. `Content-Security-Policy` header is set in the HTTP response.
- PR: #41 - Config support for nameid format. `Samly` uses the nameid format from the IdP metadata XML file. It is now possible to override this using the `nameid_format` config setting. If this format information is not present in the IdP metadata XML and not specified in the config setting, it defaults to `:transient`. Thanks to calvinb for the PR.
- Uptake `esaml` 4.2 bringing in support for encrypted assertions. Check Assertion Encryption for supported encryption algorithms. Use this information to enable assertion encryption on the IdP. Thanks to tcrossland for the `esaml` PR.
- Issues: #39, #40 - Downcase response header names (PR from calvinb)
- Issue: #31 - Support for Cowboy 2.x. Uptake `esaml` v4.0.0 which includes support for Cowboy 2.x. If support for Cowboy 1.x is needed, you need an override with `esaml` v3.6.x in your application's `mix.exs` file.
- Issue: #32 - Support for custom State Storage. Includes support for ETS and Plug Sessions based authenticated SAML assertion storage. It is possible to create custom stores by implementing `Samly.State.Store`.
- Issue: #34 - Included filename in error messages. Include metadata/cert/key filenames when there is an error relevant to those files.
- Uptake `esaml` v3.6.0 that includes fixes for schema validation errors.
- PR merged fixing reopened Issue #16 (from @peterox)
- Remove the need for supplying certificate and key files if the requests are not signed (Issue #16). Useful during development when the corresponding Identity Provider is set up for unsigned requests/responses. Use signing for production deployments. The defaults expect signed requests/responses.
- Issue: #12. Support for IdP initiated SSO flow.
- Original auth request ID, when returned in the auth response, is made available in the assertion subject (SP initiated SSO flows). For IdP initiated SSO flows, this will be an empty string.
- Issue: #14. Remove built-in referer check. Not specific to `Samly`; it is better handled by the consuming application.
- Shibboleth Single Logout session match related fix. Uptake `esaml` v3.3.0.
- Generates SP metadata XML that passes XSD validation
- Handle namespaces in Identity Provider Metadata XML file
- Added support for multiple Identity Providers. Check issue: #4. Instructions for migrating from v0.7.x available in github project wiki.
- Added `use_redirect_for_idp_req` config parameter. By default `Samly` uses HTTP POST when sending requests to the IdP. Set this config parameter to `true` if HTTP redirection should be used instead.
- Added config option (`entity_id`). OOTB uses the metadata URI as entity ID. Can be specified (a `urn` entity ID, for example) to override the default.
- Added config options to control if requests and/or responses are signed or not
- Added Inch CI
- Corresponding doc updates
- Doc updates
- Config handling changes and corresponding tests
- `target_url` query parameter form url encoded
- Plug Pipeline config `:pre_session_create_pipeline`
- Computed attributes available in `Samly.Assertion`
- Updates to `Samly.Provider` `base_url` config handling
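An added configuration example, not part of this changelog or of the Samly project's own docs, that makes the options introduced across the entries above explicit: signed requests/responses (the defaults), the `nameid_format` override, `use_redirect_for_idp_req`, `entity_id`, `base_url` and the `:pre_session_create_pipeline`. Keys not named in this changelog (`service_providers`, `identity_providers`, `id`, `sp_id`, `metadata_file`, `certfile`, `keyfile` and the `sign_*`/`signed_*` flags) are assumed from Samly's README; file paths, URLs and `MyApp.SamlyPipeline` are placeholders.

```elixir
# config/runtime.exs (added example; key names not in the changelog are assumed
# from Samly's README, paths/URLs/module names are placeholders)
import Config

config :samly, Samly.Provider,
  service_providers: [
    %{
      id: "sp1",
      # Overrides the default entity ID (the metadata URI); a URN is a common choice.
      entity_id: "urn:example-placeholder:sp1",
      # Certificate and key may only be omitted when requests are not signed
      # (Issue #16); keep signing enabled for production deployments.
      certfile: "priv/samly/sp_cert.pem",
      keyfile: "priv/samly/sp_key.pem"
    }
  ],
  identity_providers: [
    %{
      id: "idp1",
      sp_id: "sp1",
      base_url: "https://sp.example-placeholder/sso",
      metadata_file: "priv/samly/idp_metadata.xml",
      # Plug pipeline run before the authenticated session is created.
      pre_session_create_pipeline: MyApp.SamlyPipeline,
      # Default is HTTP POST to the IdP; true switches to the HTTP redirect binding.
      use_redirect_for_idp_req: false,
      # Overrides the NameID format from the IdP metadata; Samly falls back to
      # :transient when neither the metadata nor this setting provides one.
      nameid_format: :transient,
      # Signing and verification defaults made explicit; set to false only for a
      # development IdP configured for unsigned requests/responses.
      sign_requests: true,
      sign_metadata: true,
      signed_assertion_in_resp: true,
      signed_envelopes_in_resp: true
    }
  ]
```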