Ruby SAML Changelog

1.18.0 (???)

#718 Add support to retrieve from SAMLResponse the AuthnInstant and AuthnContextClassRef values
#720 Fix ambiguous regex warnings
#715 Fix typo in SPNameQualifier error text

1.17.0 (Sep 10, 2024)

Fix for critical vulnerability CVE-2024-45409: SAML authentication bypass via Incorrect XPath selector
#687 Add CI coverage for Ruby 3.3 and Windows.
#673 Add Settings#sp_cert_multi paramter to facilitate SP certificate and key rotation.
#673 Support multiple simultaneous SP decryption keys via Settings#sp_cert_multi parameter.
#673 Deprecate Settings#certificate_new parameter.
#673 :check_sp_cert_expiration will use the first non-expired certificate/key when signing/decrypting. It will raise an error only if there are no valid certificates/keys.
#673 :check_sp_cert_expiration now validates the certificate not_before condition; previously it was only validating not_after.
#673 :check_sp_cert_expiration now causes the generated SP metadata to exclude any inactive/expired certificates.

1.16.0 (Oct 09, 2023)

#671 Add support on LogoutRequest with Encrypted NameID

1.15.0 (Jan 04, 2023)

#650 Replace strip! by strip on compute_digest method
#638 Fix dateTime format for the validUntil attribute of the generated metadata
#576 Support Settings#idp_cert_multi with string keys
#567 Improve Code quality
Add info about new repo, new maintainer, new security contact
Fix tests, Adjust dependencies, Add ruby 3.2 and new jruby versions tests to the CI. Add coveralls support

1.14.0 (Feb 01, 2022)

#627 Support escape downcasing for validating SLO Signatures of ADFS/Azure
#633 Support ability to change ID prefix
Make the uuid editable on the SAML Messages generated by the toolkit
#622 Add security setting to more strictly enforce audience validation

1.13.0 (Sept 06, 2021)

#611 Replace MAX_BYTE_SIZE constant with setting: message_max_bytesize
#605 :allowed_clock_drift is now bidrectional
#614 Support :name_id_format option for IdpMetadataParser
#611 IdpMetadataParser should always set idp_cert_multi, even when there is only one cert
#610 New IDP sso/slo binding params which deprecate :embed_sign
#602 Refactor the OneLogin::RubySaml::Metadata class
#586 Support milliseconds in cacheDuration parsing
#585 Do not append " | " to StatusCode unnecessarily
#607 Clean up
Add warning about the use of IdpMetadataParser class and SSRF
CI: Migrate from Travis to Github Actions

1.12.3 (Sep 10, 2024)

Fix for critical vulnerability CVE-2024-45409: SAML authentication bypass via Incorrect XPath selector

1.12.2 (Apr 08, 2021)

#575 Fix SloLogoutresponse bug on LogoutRequest

1.12.1 (Apr 05, 2021)

Fix XPath typo incompatible with Rexml 3.2.5
Refactor GCM support

1.12.0 (Feb 18, 2021)

Support AES-128-GCM, AES-192-GCM, and AES-256-GCM encryptions
Parse & return SLO ResponseLocation in IDPMetadataParser & Settings
Adding idp_sso_service_url and idp_slo_service_url settings
#536 Adding feth method to be able retrieve attributes based on regex
Reduce size of built gem by excluding the test folder
Improve protection on Zlib deflate decompression bomb attack.
Add ValidUntil and cacheDuration support on Metadata generator
Add support for cacheDuration at the IdpMetadataParser
Support customizable statusCode on generated LogoutResponse
#545 More specific error messages for signature validation
Support Process Transform
Raise SettingError if invoking an action with no endpoint defined on the settings
Made IdpMetadataParser more extensible for subclasses
#548 Add :skip_audience option
#555 Define 'soft' variable to prevent exception when doc cert is invalid
Improve documentation

1.11.0 (Jul 24, 2019)

Deprecate settings.issuer in favor of settings.sp_entity_id
Add support for certification expiration

1.10.2 (Apr 29, 2019)

Add valid until, accessor
Fix Rubygem metadata that requested nokogiri <= 1.5.11

1.10.1 (Apr 08, 2019)

Fix ruby 1.8.7 incompatibilities

1.10.0 (Mar 21, 2019)

Add Subject support on AuthNRequest to allow SPs provide info to the IdP about the user to be authenticated
Improves IdpMetadataParser to allow parse multiple IDPSSODescriptors
Improves format_cert method to accept certs with /\x0d/
Forces nokogiri >= 1.8.2 when possible

1.9.0 (Sept 03, 2018)

#458 Remove ruby 2.4+ warnings
Improve JRuby support
#465 Extend Settings initialization with the new keep_security_attributes parameter
Fix wrong message when SessionNotOnOrAfter expired
#471 Allow for allowed_clock_drift to be set as a string

1.8.0 (April 23, 2018)

#437 Creating AuthRequests/LogoutRequests/LogoutResponses with nil RelayState should not send empty RelayState URL param
#454 Added Response available options
#453 Raise a more descriptive exception if idp_sso_target_url is missing
#452 Fix behavior of skip_conditions flag on Response
#449 Add ability to skip authnstatement validation
Clear cached values to be able to use IdpMetadataParser more than once
Updated invalid audience error message

1.7.2 (Feb 28, 2018)

#446 Normalize text returned by OneLogin::RubySaml::Utils.element_text

1.7.1 (Feb 28, 2018)

#444 Fix audience validation for empty audience restriction

1.7.0 (Feb 27, 2018)

Fix vulnerability CVE-2017-11428. Process text of nodes properly, ignoring comments

1.6.1 (January 15, 2018)

#428 Fix a bug on IdPMetadataParser when parsing certificates
#426 Ensure Rails responds to logger

1.6.0 (November 27, 2017)

#418 Improve SAML message signature validation using original encoded parameters instead decoded in order to avoid conflicts (URL-encoding is not canonical, reported issues with ADFS)
#420 Expose NameID Format on SloLogoutrequest
#423 Allow format_cert to work with chained certificates
#422 Use to_s for requested attribute value

1.5.0 (August 31, 2017)

#400 When validating Signature use stored IdP certficate if Signature contains no info about Certificate
#402 Fix validate_response_state method that rejected SAMLResponses when using idp_cert_multi and idp_cert and idp_cert_fingerprint were not provided.
#411 Allow space in Base64 string
#407 Improve IdpMetadataParser raising an ArgumentError when parser method receive a metadata string with no IDPSSODescriptor element.
#374 Support more than one level of StatusCode
#405 Support ADFS encrypted key (Accept KeyInfo nodes with no ds namespace)

1.4.3 (May 18, 2017)

Added SubjectConfirmation Recipient validation
#393 Implement IdpMetadataParser#parse_to_hash
Adapt IdP XML metadata parser to take care of multiple IdP certificates and be able to inject the data obtained on the settings.
Improve binding detection on idp metadata parser
#373 Allow metadata to be retrieved from source containing data for multiple entities
Be able to register future SP x509cert on the settings and publish it on SP metadata
Be able to register more than 1 Identity Provider x509cert, linked with an specific use (signing or encryption.
Improve regex to detect base64 encoded messages
Fix binding configuration example in README.md
Add Fix SLO request. Correct NameQualifier/SPNameQualifier values.
Validate serial number as string to work around libxml2 limitation
Propagate isRequired on md:RequestedAttribute when generating SP metadata

1.4.2 (January 11, 2017)

Improve tests format
Fix nokogiri requirements based on ruby version
Only publish KeyDescriptor[use="encryption"] at SP metadata if security[:want_assertions_encrypted] is true
Be able to skip destination validation
Improved inResponse validation on SAMLResponses and LogoutResponses
#354 Allow scheme and domain to match ignoring case
#363 Add support for multiple requested attributes

1.4.1 (October 19, 2016)

#357 Add EncryptedAttribute support. Improve decrypt method
Allow multiple authn_context_decl_ref in settings
Allow options[:settings] to be an hash for Settings overrides in IdpMetadataParser#parse
Recover issuers method

1.4.0 (October 13, 2016)

Several security improvements:
- Conditions element required and unique.
- AuthnStatement element required and unique.
- SPNameQualifier must math the SP EntityID
- Reject saml:Attribute element with same “Name” attribute
- Reject empty nameID
- Require Issuer element. (Must match IdP EntityID).
- Destination value can't be blank (if present must match ACS URL).
- Check that the EncryptedAssertion element only contains 1 Assertion element.
#335 Explicitly parse as XML and fix setting of Nokogiri options.
#345Support multiple settings.auth_context
More tests to prevent XML Signature Wrapping
#342 Correct the usage of Mutex
352 Support multiple AttributeStatement tags

1.3.1 (July 10, 2016)

Fix response_test.rb of gem 1.3.0
Add reference to Security Guidelines
Update License
#334 Keep API backward-compatibility on IdpMetadataParser fingerprint method.

1.3.0 (June 24, 2016)

Security Fix Add extra validations to prevent Signature wrapping attacks
Fix XMLSecurity SHA256 and SHA512 uris
#326 Fix Destination validation

1.2.0 (April 29, 2016)

#269 Refactor error handling; allow collect error messages when soft=true (normal validation stop after find first error)
#289 Remove uuid gem in favor of SecureRandom
#297 Implement EncryptedKey RetrievalMethod support
#298 IDP metadata parsing improved: binding parsing, fingerprint_algorithm support)
#299 Make 'signing' at KeyDescriptor optional
#308 Support name_id_format on SAMLResponse
#315 Support for canonicalization with comments
#316 Fix Misspelling of transation_id to transaction_id
#321 Support Attribute Names on IDPSSODescriptor parser
Changes on empty URI of Signature reference management
#320 Dont mutate document to fix lack of reference URI
#306 Support WantAssertionsSigned

1.1.2 (February 15, 2016)

Improve signature validation. Add tests. #302 Add Destination validation.
#292 Improve the error message when validating the audience.
#287 Keep the extracted certificate when parsing IdP metadata.

1.1.1 (November 10, 2015)

#275 Fix a bug on signature validations that invalidates valid SAML messages.

1.1.0 (October 27, 2015)

#273 Support SAMLResponse without ds:x509certificate
#270 Allow SAML elements to come from any namespace (at decryption process)
#261 Allow validate_subject_confirmation Response validation to be skipped
#258 Fix allowed_clock_drift on the validate_session_expiration test
#256 Separate the create_authentication_xml_doc in two methods.
#255 Refactor validate signature.
#254 Handle empty URI references
#251 Support qualified and unqualified NameID in attributes
#234 Add explicit support for JRuby

1.0.0 (June 30, 2015)

#247 Avoid entity expansion (XEE attacks)
#246 Fix bug generating Logout Response (issuer was at wrong order)
#243 and #244 Fix metadata builder errors. Fix metadata xsd.
#241 Add decrypt support (EncryptID and EncryptedAssertion). Improve compatibility with namespaces.
#240 and #238 Improve test coverage and refactor.
#239 Improve security: Add more validations to SAMLResponse, LogoutRequest and LogoutResponse. Refactor code and improve tests coverage.
#237 Don't pretty print metadata by default.
#235 Remove the soft parameter from validation methods. Now can be configured on the settings and each class read it and store as an attribute of the class. Adding some validations and refactor old ones.
#232 Improve validations: Store the causes in the errors array, code refactor
#231 Refactor HTTP-Redirect Sign method, Move test data to right folder
#226 Ensure IdP certificate is formatted properly
#225 Add documentation to several methods. Fix xpath injection on xml_security.rb
#223 Allow logging to be delegated to an arbitrary Logger
#222 No more silent failure fetching idp metadata (OneLogin::RubySaml::HttpError raised).

0.9.2 (Apr 28, 2015)

#216 Add fingerprint algorithm support
#218 Update README.md
#214 Cleanup SamlMessage class
#213 Add ability to sign metadata. (Improved)
#212 Rename library entry point
#210 Call assert in tests
#208 Update tests and CI for Ruby 2.2.0
#205 Allow requirement of single files
#204 Require ‘net/http’ library
#201 Freeze and duplicate default security settings hash so that it doesn't get modified.
#200 Set default SSL certificate store in Ruby 1.8.
#199 Change Nokogiri's runtime dependency to fix support for Ruby 1.8.7.
#179 Add support for setting the entity ID and name ID format when parsing metadata
#175 Introduce thread safety to SAML schema validation
#171 Fix inconsistent results with using regex matches in decode_raw_saml

0.9.1 (Feb 10, 2015)

#194 Relax nokogiri gem requirements
#191 Use Minitest instead of Test::Unit

0.9 (Jan 26, 2015)

#169 WantAssertionSigned should be either true or false
#167 (doc update) make unit of clock drift obvious
#160 Extended solution for Attributes method [] can raise NoMethodError
#158 Added ability to specify attribute services in metadata
#154 Fix incorrect gem declaration statement
#152 Fix the PR #99
#150 Nokogiri already in gemspec
#147 Fix LogoutResponse issuer validation and implement SAML Response issuer validation.
#144 Fix DigestMethod lookup bug
#139 Fixes handling of some soft and hard validation failures
#138 Change logoutrequest.rb to UTC time
#136 Remote idp metadata
#135 Restored support for NIL as well as empty AttributeValues
#134 explicitly require "onelogin/ruby-saml/logging"
#133 Added license to gemspec
#132 Support AttributeConsumingServiceIndex in AuthnRequest
#131 Add ruby 2.1.1 to .travis.yml
#122 Fixes #112 and #117 in a backwards compatible manner
#119 Add support for extracting IdP details from metadata xml

0.8.2 (Jan 26, 2015)

#183 Resolved a security vulnerability where string interpolation in a REXML::XPath.first() method call allowed for arbitrary code execution.

0.8.0 (Feb 21, 2014)

IMPORTANT: This release changed namespace of the gem from OneLogin::Saml to OneLogin::RubySaml. Please update your implementations of the gem accordingly.

#111 Onelogin:: is OneLogin::
#108 Change namespacing from Onelogin::Saml to Onelogin::Rubysaml

0.7.3 (Feb 20, 2014)

Updated gem dependencies to be compatible with Ruby 1.8.7-p374 and 1.9.3-p448. Removed unnecessary canonix gem dependency.

#107 Relax nokogiri version requirement to >= 1.5.0
#105 Lock Gem versions, fix to resolve possible namespace collision

Files

CHANGELOG.md

Latest commit

History