Patch release description


  • PHX-3293 SignatureValue has whitespace/newlines in payload
    SignatureValue includes whitespace/newlines which is correct according to specification but som SP' fails to parse. Issue resolves - by default no whitespaces/newlines are added in payload 
  • PHX-3335 Not possible to set "embedded EncryptoinKey" at encryptassertion in Assertionprovider
    Add the possibility to configure if KeyPlacement.PEER or KeyPlacement.INLINE should be used in AssertionProvider configuration. Today only KeyPlacement.PEER is supported. Enhancement added, now possible to select PEER or INLINE
  • PHX-3341 SAML AuthnRequest ACS-URL validation
    If request isnt signed, AssertionConsumerService in SAML AuthnRequest should only be used if the ACS is present in the metadata. Issue resolved
  • PHX-3358 DSS-Signing: Problem with chain trust for POE (timestamps)
    When adding new signatures in PDF document, the trust of already embedded timestamps is incorrectly validated while validating already embedded signatures proof of existence . Issue resolved
  • PHX-3361 SAML2SithsEid authenticator fails to parse response from Inera
    The SAML2SithsEID authenticator fails with “DecodeException” when the initialization of the eID authentication is requested from the Inera server . Issue resolved


  • PHX-2963 resp_attributes type 6 (Service-Type) value returned incorrectly
    Re-released since it was not possible to activate in 4.7.1
  • PHX-3126 Add BankIDPhoneSignValve
    Re-released since it was not possible to activate in 4.7.1. See BankIDPhoneSignValve for properties and configuration 
  • PHX-3168 Vulnerabilities in moment.js
    Library moment.js updated to mitigate CVE-2017-18214, CVE-2022-24785 and CVE-2022-31129is missing. Issue resolved
  • PHX-3202 Add support for more attributes in FrejaEIDInternalAuthenticator and FrejaEIDSAML
    Add the possibility to fetch attributes documentType, documentExpirationDate, documentCountry, documentSerialNumber, registrationLevel and photo. Enhancemet implemented - properties updated, see FrejaEIDInternalAuthenticator and FrejaEIDSAML
  • PHX-3205 Requests with large querystring (4k+) are rejected
    Sending large SAML requests via redirect binding doesnt work. Issue resolved
  • PHX-3206 AuthnRequest and SAMLResponse can mismatch
    The response in AuthnRequest and SampleResponse could be sent to a different AssertionConsumerService than what is requested. Issue resolved
  • PHX-3216 Intern federations could fail to load at restart
    In case of using multiple internal federations, sometimes several restarts could be required to be established. Issue resolved
  • PHX-3217 Error in log when scope is missing
    If scope is missing in login when acting as SP, there is an error in log each login attempt (however the login is successful). Issue resolved
  • PHX-3222 App switch on iOS17 not working correctly (BankID)
    Users on iOS17 is redirected to default browser (Safari) after successful verification via BankID. Issue resolved 
  • PHX-3229 validateSchema for SAML SignMessage still does not work
    valideteSchema for SAML SignMessage fails to validete even if the information is correctly formatted. Issue resolved
  • PHX-3231 App switch on iOS17 not working correctly (FrejaID)
    After verification using FrejaEID on iOS17 devices the user needs to manually switch to service web page and refresh it. Issue resolved
  • PHX-3232 App switch on iOS17 not working correctly (Siths eID)
    Users on iOS17 is redirected to default browser (Safari) after successful verification via SITHs eID. Issue resolved
  • PHX-3250 OIDC: Wrong state value returned in promp=none scenarios
    When a promp=none request is received by the OIDCToSAMLBroker authenticator in a session, the wrong state value is returned. Issue resolved
  • PHX-3260 Possible to bypass viewing SAML SignMessage by adding 'proceed=true' to the initial querystring of the request
    If SP add "process=true" in the initial SAML message the SAML SignMessage is bypassed and not shown to the user. Issue resolved 
  • PHX-3263 SAMLSPBroker RequestedAuthnContext in the AuthnRequest + bugfix AuthnContextClassRef in Assertion
    AuthnContextClassRef isnt included in assertion unless previously authenticated. Issue resolved - configuration updated, see SAMLSPBroker
  • PHX-3284 AttributeConsumingServiceIndex=0 is always sent when PAS is acting as SP
    Unless configured otherwise, attributeConsumingServiceIndex=0 is always sent causing problems if SP doesnt have attributeConsumingServices declared. Issue resolved
  • PHX-3286 Add possibility to add alwaysRunPipe in PipeAuthentictor
    To always trigger a PupeAuthenticator, add the possibility to configure an "alwaysRunPipe" attribute. Enhancement implemented - configuration updated, see PipeAuthenticator


  • PHX-2963 resp_attributes type 6 (Service-Type) value returned incorrectly
    Service-Type attribute in RADIUS always returned the wrong value.Now updated and the Service-Type attribute can now be set using PropertyAddValve. Issue resolved
  • PHX-3021 Add support for basic authorization in bankid proxy module
    Support basic authorization header in BankID proxy/api
  • PHX-3030 Wrong language is show in PSS if brower is set to Swedish
    If Chromium based browser have Swedish as default language, the Password Selfservice service would show a mix of English and Swedish. Issue resolved
  • PHX-3068 Signing, OCSP/CRL: Incorrect validation
    Validation of OSCP/CRL tokens failes since wrong value is compared. Issue resolved
  • PHX-3102 SithsEidCollectAuthenticationStatusValve that returns Inera response intact as json
    Return the intact Inera response as json 
  • PHX-3108 BankID 6.0 Phoneauth via proxy/api
    Phoneauth endpoint according to BankID 6.0 added in BankID proxy/api
  • PHX-3110 BankID - 400 response when signing gives Java error
    BankIDSignValve and BankIDCollectValve woudl generate a java error if BankID returns a 400 response.The solution also includes an update where the errorcode of the 400 response is forwarded to the application. Issue resolved
  • PHX-3112  OpenID Connect Session Management 1.0
    Support for OpenID Connect Session management 1.0 implemented
  • PHX-3122 IOS redirect to native browser when using non native browser
    Independent of which browser is used when initiating a BankID authentication, iOS devices will redirected back to default web browser . Issue resolved 
  • PHX-3126 Add BankIDPhoneSignValve
    Add BankIDPhoneSignValve according to BankID 6.0
  • PHX-3127 Make it possible to expand requirement from request in BankIDAuthenticateValve and BankIDSignValve
    Add the possibility to add requirements in a request when using HTTP API with BankID valves
  • PHX-3170 Add loginhint to OIDC to auth-request
    Support for "login_hint" in OIDC auth-request is missing. Issue resolved
  • PHX-3171 BankID 6.0 Phonesign via proxy/api
    Add Phonesign endpoint according to BankID 6.0 to BankID proxy/api 
  • PHX-3187 Make AssertionConsumer strict scoped attribute validation option
    Let the administrator decide by config if AssertionConsumer should use strict scoped valdiation or not
  • PHX-3188 Clear "SAMLSignApproved" with the rest of the SAML attributes on a new SAMLRequest
    Attribute SAMLSignApproved is not cleared. Issue resolved
  • PHX-3189 validateSchema for SAML SignMessage causes freeze/crash in some environments
    validateSchema function in SAMLAuthRequestDecoder freezes/chrashes, preventing SignMessage to be parsed. Issu resolved