Patch release description

4.7.4

  • PHX-3368 Incorrect icon after new installation is completed -- Issue resolved
  • PHX-3475 BankID QR codes go out of sync
    The QR code sync implementation has been reworked so that it works with any polling interval -- Issue resolved
  • PHX-3479 Personnummer exposed in the URL for the NIAS authenticator
    The request containing the PNR is now sent as a POST request instead of a GET request, so the personal identity number no longer appears in the URL (and thereby in browser history and access logs) -- Issue resolved
  • PHX-3481 Outdated and vulnerable dependencies updated
    Vulnerabilities mitigated: CVE-2020-23064, CVE-2020-11022, CVE-2020-11023, CVE-2019-11358, CVE-2021-23337 and CVE-2020-28500 -- Issue resolved
  • PHX-3490 External SAML metadata can disappear on rare occasions
    Internal requests to the configuration store now retry before failing -- Issue partially resolved

  • PHX-3494 SAML SP cannot handle inbound Redirect-binding for deflated requests
    When receiving a DEFLATE-encoded SAMLResponse over the Redirect-binding, the SAML SP could not decode the response correctly -- Issue resolved

  • PHX-3495 SAML "Sign Assertion" configuration parameter only works on outbound POST binding, not on Redirect
    When the target of the SAMLResponse only had a Redirect binding available, the "Sign Assertion" configuration parameter did not result in a signed assertion -- Issue resolved

  • PHX-3496 SAML SP will not verify detached signatures
    When receiving a SAMLResponse over the Redirect-binding, where the signature is carried detached in the Signature query parameter rather than embedded in the XML, the SAML SP did not verify the signature at all -- Issue resolved

  • PHX-3497 SAML IdP will return invalid signature if returning SAMLResponse over Redirect-binding
    When the SAML IdP returned a SAMLResponse with a detached signature via the Redirect-binding, the signature it produced was invalid and failed verification at the receiver -- Issue resolved

  • PHX-3501 SAMLNias breaks if forceReauthenticate is enabled -- Issue resolved

  • PHX-3502 Improve NiasAuth to send extended certificate information as SAMLNias does -- Improvement added

  • PHX-3544 BankID HintCode "userCallConfirm" is mapped to "Unknown" causing errors -- Issue resolved

  • PHX-3553 BankIDClient logs a message at info level that should be at debug level -- Issue resolved

  • PHX-3555 Legacy FIDO2 authenticators are stateless
    Because the legacy FIDO2 authenticators kept no state between challenge and response, they could potentially have been open to replay attacks -- Issue resolved

  • PHX-3674 PDF-related dependencies updated to mitigate vulnerabilities
    Vulnerabilities mitigated: CVE-2024-34342 and CVE-2024-4367 -- Issue resolved
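
PHX-3494, PHX-3496 and PHX-3497 above all concern the same part of the SAML 2.0 HTTP-Redirect binding: the message is raw-DEFLATE compressed, base64 encoded and URL-encoded, and its signature is not inside the XML but a separate Signature query parameter computed over the URL-encoded SAMLResponse (or SAMLRequest), RelayState and SigAlg values in that fixed order. The following Python is an added illustration written for this page, not PhenixID code. It assumes a constructed sample response, and it replaces the RSA signature that SigAlg names with an HMAC-SHA256 stand-in under a constructed key so that it runs offline; the signed octets, the ordering, and the receiver-side rules (refuse unsigned, allow-list SigAlg, verify over the values exactly as received, inflate only afterwards) are the real ones.

```python
"""SAML 2.0 HTTP-Redirect binding: DEFLATE encoding and the detached signature.

Added example, not part of the product. The RSA-SHA256 signature that SigAlg
names is replaced by an HMAC-SHA256 stand-in with a constructed key so the
file runs offline; the signed octets and the verification rules are the real ones.
"""
import base64
import hashlib
import hmac
import zlib
from urllib.parse import quote, unquote

SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
ALLOWED_SIG_ALGS = {SIG_ALG}   # never let the sender pick an algorithm you did not allow

# Constructed stand-in for a real SAMLResponse document.
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_r1" InResponseTo="_q1" Destination="https://sp.example.test/saml/acs"/>'
)


def deflate_encode(xml: str) -> str:
    """Raw DEFLATE (RFC 1951, no zlib header) then base64, per Bindings 3.4.4.1."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


def deflate_decode(b64: str) -> str:
    """base64 then raw inflate; wbits=-15 rejects zlib- or gzip-wrapped payloads."""
    return zlib.decompress(base64.b64decode(b64), -15).decode("utf-8")


def signed_octets(encoded: dict, message_param: str) -> bytes:
    """The bytes the detached signature covers: the URL-encoded values, in the
    fixed order message, RelayState (only if present), SigAlg. The Signature
    parameter itself is not covered, and nothing is decoded first."""
    order = (message_param, "RelayState", "SigAlg")
    return "&".join(f"{k}={encoded[k]}" for k in order if k in encoded).encode("ascii")


def sign(data: bytes, key: bytes) -> bytes:
    """STAND-IN for the sender's private-key signature (see module docstring)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def build_redirect_query(xml: str, relay_state, key: bytes,
                         message_param: str = "SAMLResponse") -> str:
    """Sender (IdP) side: encode, sign exactly the values that will be sent,
    then append Signature. Signing before URL-encoding, or re-encoding after
    signing, is how a receiver ends up seeing an invalid signature (PHX-3497)."""
    encoded = {message_param: quote(deflate_encode(xml), safe="")}
    if relay_state is not None:
        encoded["RelayState"] = quote(relay_state, safe="")
    encoded["SigAlg"] = quote(SIG_ALG, safe="")
    sig = sign(signed_octets(encoded, message_param), key)
    encoded["Signature"] = quote(base64.b64encode(sig).decode("ascii"), safe="")
    return "&".join(f"{k}={v}" for k, v in encoded.items())


def verify_redirect_query(query: str, key: bytes,
                          message_param: str = "SAMLResponse"):
    """Receiver (SP) side. Returns (True, xml) only if a detached signature is
    present, uses an allowed algorithm and verifies over the values as received;
    otherwise (False, None). The message is inflated only after that."""
    # Split on '&' and '=' without decoding: the signature covers the sender's
    # encoding, so a re-encoded value (e.g. '+' instead of '%20') must fail.
    raw = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    if not all(k in raw for k in (message_param, "SigAlg", "Signature")):
        return False, None                  # unsigned: never accept (PHX-3496)
    if unquote(raw["SigAlg"]) not in ALLOWED_SIG_ALGS:
        return False, None
    try:
        given = base64.b64decode(unquote(raw["Signature"]), validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return False, None
    if not hmac.compare_digest(sign(signed_octets(raw, message_param), key), given):
        return False, None
    try:
        return True, deflate_decode(unquote(raw[message_param]))   # PHX-3494
    except (ValueError, zlib.error):
        return False, None


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"      # stands in for the IdP's key pair
    query = build_redirect_query(SAMPLE_RESPONSE, "state-123", demo_key)
    print(verify_redirect_query(query, demo_key)[0])                                  # True
    print(verify_redirect_query(query.replace("state-123", "tampered"), demo_key)[0])  # False
```

The receiver deliberately never rebuilds the query from decoded values: whichever URL-encoder the IdP used, the octets it signed are the octets on the wire, and re-encoding (space as `+` rather than `%20`, a different set of reserved characters) silently changes them. With a real deployment the `sign`/`compare_digest` pair becomes RSA or ECDSA verification against the certificate in the IdP's metadata; everything else stays as shown.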

4.7.3

  • PHX-3293 SignatureValue has whitespace/newlines in payload
    The SignatureValue element contained whitespace/newlines, which is permitted by the specification but which some SPs fail to parse. Issue resolved - by default no whitespace/newlines are now added to the payload
  • PHX-3335 Not possible to set "embedded EncryptionKey" at encryptassertion in AssertionProvider
    Added the possibility to configure whether KeyPlacement.PEER or KeyPlacement.INLINE should be used in the AssertionProvider configuration; previously only KeyPlacement.PEER was supported. Enhancement added, now possible to select PEER or INLINE
  • PHX-3341 SAML AuthnRequest ACS-URL validation
    If the AuthnRequest is not signed, the AssertionConsumerService it names is now only used if that ACS is present in the SP's metadata. Issue resolved
  • PHX-3358 DSS-Signing: Problem with chain trust for POE (timestamps)
    When adding a new signature to a PDF document, the trust of already embedded timestamps was validated incorrectly while validating the proof of existence (POE) of the already embedded signatures. Issue resolved
  • PHX-3361 SAML2SithsEid authenticator fails to parse response from Inera
    The SAML2SithsEID authenticator failed with "DecodeException" when the initialization of the eID authentication was requested from the Inera server. Issue resolved
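
PHX-3341 above and PHX-3206 in 4.7.2 below come down to one rule on the IdP side: the AssertionConsumerService that an unsigned AuthnRequest names may only steer the response somewhere the SP's registered metadata already lists, and the SAMLResponse must then be delivered to, and carry as Destination, exactly that endpoint. The Python below is an added illustration written for this page, not the product's own code; the metadata table and the AuthnRequest dataclass are constructed stand-ins for parsed SP metadata and a parsed request, and treating a request with a verified signature as allowed to name an unregistered URL is the example's own design choice.

```python
"""IdP-side selection of the AssertionConsumerService for an AuthnRequest.

Added example, not the product's code. Metadata and request are constructed
Python objects standing in for parsed SP metadata and a parsed AuthnRequest.
"""
from dataclasses import dataclass
from typing import Optional

HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Constructed SP metadata: entityID -> registered AssertionConsumerService endpoints.
SP_METADATA = {
    "https://sp.example.test/metadata": [
        {"index": 0, "binding": HTTP_POST,
         "location": "https://sp.example.test/saml/acs", "default": True},
        {"index": 1, "binding": HTTP_ARTIFACT,
         "location": "https://sp.example.test/saml/artifact", "default": False},
    ]
}


@dataclass
class AuthnRequest:
    issuer: str                              # <saml:Issuer>, i.e. the SP entityID
    signature_verified: bool                 # True only after the XML signature checked out
    acs_url: Optional[str] = None            # AssertionConsumerServiceURL attribute
    acs_index: Optional[int] = None          # AssertionConsumerServiceIndex attribute
    protocol_binding: Optional[str] = None   # ProtocolBinding attribute


class AcsSelectionError(Exception):
    """Raised when no endpoint may be used; the IdP must not issue a response."""


def select_acs(req: AuthnRequest, metadata: dict) -> dict:
    """Return the endpoint the SAMLResponse must be delivered to.

    Rule (PHX-3341): an unsigned request may only steer the response to an
    endpoint registered in the SP's metadata. A request whose signature has
    been verified may name an unregistered URL, because the SP itself vouched
    for it (design choice of this example). The index form always resolves
    through metadata, so it can never point outside it.
    """
    endpoints = metadata.get(req.issuer)
    if not endpoints:
        raise AcsSelectionError(f"unknown issuer {req.issuer!r}")
    if req.acs_index is not None and req.acs_url is not None:
        raise AcsSelectionError("AssertionConsumerServiceIndex and URL are mutually exclusive")

    if req.acs_index is not None:
        for ep in endpoints:
            if ep["index"] == req.acs_index:
                return ep
        raise AcsSelectionError(f"no ACS with index {req.acs_index}")

    if req.acs_url is not None:
        # Exact string comparison only: no prefix, suffix or substring matching,
        # which is how "https://sp.example.test/saml/acs.attacker.test" gets in.
        for ep in endpoints:
            if ep["location"] == req.acs_url and (
                    req.protocol_binding is None or ep["binding"] == req.protocol_binding):
                return ep
        if req.signature_verified:
            return {"index": None, "binding": req.protocol_binding or HTTP_POST,
                    "location": req.acs_url, "default": False}
        raise AcsSelectionError("unsigned AuthnRequest names an ACS not present in metadata")

    # Neither URL nor index given: the default endpoint (isDefault="true", else the first).
    return next((ep for ep in endpoints if ep["default"]), endpoints[0])


def response_destination(req: AuthnRequest, metadata: dict) -> Optional[str]:
    """Where the SAMLResponse is sent, or None when the request must be refused.

    Using this single value both as the delivery target and as the response's
    Destination attribute is what keeps request and response aligned (PHX-3206).
    """
    try:
        return select_acs(req, metadata)["location"]
    except AcsSelectionError:
        return None


if __name__ == "__main__":
    issuer = "https://sp.example.test/metadata"
    print(response_destination(AuthnRequest(issuer, False), SP_METADATA))
    print(response_destination(
        AuthnRequest(issuer, False, acs_url="https://attacker.test/acs"), SP_METADATA))
```

The SP-side counterpart is the mirror check: on receipt, the Destination attribute of the SAMLResponse must equal the URL of the endpoint that actually received it, otherwise the response is rejected.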

4.7.2

  • PHX-2963 resp_attributes type 6 (Service-Type) value returned incorrectly
    Re-released since it was not possible to activate in 4.7.1
  • PHX-3126 Add BankIDPhoneSignValve
    Re-released since it was not possible to activate in 4.7.1. See BankIDPhoneSignValve for properties and configuration
  • PHX-3168 Vulnerabilities in moment.js
    The moment.js library has been updated to mitigate CVE-2017-18214, CVE-2022-24785 and CVE-2022-31129. Issue resolved
  • PHX-3202 Add support for more attributes in FrejaEIDInternalAuthenticator and FrejaEIDSAML
    Added the possibility to fetch the attributes documentType, documentExpirationDate, documentCountry, documentSerialNumber, registrationLevel and photo. Enhancement implemented - properties updated, see FrejaEIDInternalAuthenticator and FrejaEIDSAML
  • PHX-3205 Requests with large querystring (4k+) are rejected
    Sending large SAML requests via the Redirect binding did not work. Issue resolved
  • PHX-3206 AuthnRequest and SAMLResponse can mismatch
    The SAMLResponse to an AuthnRequest could be sent to a different AssertionConsumerService than the one requested in the AuthnRequest. Issue resolved
  • PHX-3216 Internal federations could fail to load at restart
    When multiple internal federations are used, several restarts could sometimes be required before all of them were established. Issue resolved
  • PHX-3217 Error in log when scope is missing
    If the scope was missing from the login when acting as SP, an error was written to the log on every login attempt, even though the login succeeded. Issue resolved
  • PHX-3222 App switch on iOS17 not working correctly (BankID)
    Users on iOS17 were redirected to the default browser (Safari) after successful verification via BankID. Issue resolved
  • PHX-3229 validateSchema for SAML SignMessage still does not work
    validateSchema for SAML SignMessage failed to validate even when the information was correctly formatted. Issue resolved
  • PHX-3231 App switch on iOS17 not working correctly (FrejaID)
    After verification using FrejaEID on iOS17 devices, the user had to manually switch back to the service web page and refresh it. Issue resolved
  • PHX-3232 App switch on iOS17 not working correctly (Siths eID)
    Users on iOS17 were redirected to the default browser (Safari) after successful verification via SITHS eID. Issue resolved
  • PHX-3250 OIDC: Wrong state value returned in prompt=none scenarios
    When a prompt=none request was received by the OIDCToSAMLBroker authenticator within an existing session, the wrong state value was returned. Issue resolved
  • PHX-3260 Possible to bypass viewing SAML SignMessage by adding 'proceed=true' to the initial querystring of the request
    If 'proceed=true' was added to the querystring of the initial SAML request, the SAML SignMessage was bypassed and never shown to the user. Issue resolved
  • PHX-3263 SAMLSPBroker RequestedAuthnContext in the AuthnRequest + bugfix AuthnContextClassRef in Assertion
    AuthnContextClassRef was not included in the assertion unless previously authenticated. Issue resolved - configuration updated, see SAMLSPBroker
  • PHX-3284 AttributeConsumingServiceIndex=0 is always sent when PAS is acting as SP
    Unless configured otherwise, attributeConsumingServiceIndex=0 was always sent, causing problems if the SP has no attributeConsumingServices declared. Issue resolved
  • PHX-3286 Add possibility to add alwaysRunPipe in PipeAuthenticator
    To always trigger a PipeAuthenticator, the possibility to configure an "alwaysRunPipe" attribute has been added. Enhancement implemented - configuration updated, see PipeAuthenticator

4.7.1

  • PHX-2963 resp_attributes type 6 (Service-Type) value returned incorrectly
    The Service-Type attribute in RADIUS always returned the wrong value. Now updated, and the Service-Type attribute can be set using PropertyAddValve. Issue resolved
  • PHX-3021 Add support for basic authorization in BankID proxy module
    Support for the HTTP Basic Authorization header added to the BankID proxy/api
  • PHX-3030 Wrong language is shown in PSS if browser is set to Swedish
    If a Chromium-based browser had Swedish as its default language, the Password Selfservice (PSS) service would show a mix of English and Swedish. Issue resolved
  • PHX-3068 Signing, OCSP/CRL: Incorrect validation
    Validation of OCSP/CRL tokens failed because the wrong value was compared. Issue resolved
  • PHX-3102 SithsEidCollectAuthenticationStatusValve that returns Inera response intact as json
    Returns the Inera response intact as JSON
  • PHX-3108 BankID 6.0 Phoneauth via proxy/api
    Phoneauth endpoint according to BankID 6.0 added to the BankID proxy/api
  • PHX-3110 BankID - 400 response when signing gives Java error
    BankIDSignValve and BankIDCollectValve would generate a Java error if BankID returned a 400 response. The solution also includes an update where the error code of the 400 response is forwarded to the application. Issue resolved
  • PHX-3112 OpenID Connect Session Management 1.0
    Support for OpenID Connect Session Management 1.0 implemented
  • PHX-3122 iOS redirect to native browser when using non-native browser
    Regardless of which browser was used to initiate a BankID authentication, iOS devices were redirected back to the default web browser. Issue resolved
  • PHX-3126 Add BankIDPhoneSignValve
    BankIDPhoneSignValve added according to BankID 6.0
  • PHX-3127 Make it possible to expand requirement from request in BankIDAuthenticateValve and BankIDSignValve
    Added the possibility to add requirements in a request when using the HTTP API with the BankID valves
  • PHX-3170 Add login_hint to OIDC auth-request
    Support for "login_hint" in the OIDC auth-request was missing. Issue resolved
  • PHX-3171 BankID 6.0 Phonesign via proxy/api
    Phonesign endpoint according to BankID 6.0 added to the BankID proxy/api
  • PHX-3187 Make AssertionConsumer strict scoped attribute validation an option
    Let the administrator decide by configuration whether AssertionConsumer should use strict scoped validation or not
  • PHX-3188 Clear "SAMLSignApproved" with the rest of the SAML attributes on a new SAMLRequest
    The SAMLSignApproved attribute was not cleared together with the other SAML attributes when a new SAMLRequest arrived. Issue resolved
  • PHX-3189 validateSchema for SAML SignMessage causes freeze/crash in some environments
    The validateSchema function in SAMLAuthRequestDecoder froze/crashed, preventing the SignMessage from being parsed. Issue resolved