Patch release description
5.1.1
List of defects fixed

- PHX-3432 PostUidAndPasswordSAML is missing default login.message.information.title/header/body.
  Strings added to default translations. -- Issue resolved.
- PHX-3479 Personnummer exposed in the URL for the NIAS authenticator.
  The request containing the PNR is now sent via a POST request instead of GET. -- Issue resolved.
- PHX-3485 External SAML metadata can disappear on rare occasions (Part 1).
  Occasionally, upon reconfiguration, not all SAML metadata would be updated. -- Issue resolved.
- PHX-3490 External SAML metadata can disappear on rare occasions (Part 2). -- Issue resolved.
- PHX-3492 LDAP connections can leak upon reconfiguration.
  Upon undeployment of a module, LDAP connection pools were not explicitly closed. -- Issue resolved.
- PHX-3494 SAML SP cannot handle inbound Redirect binding for deflated requests.
  When receiving a deflated SAMLResponse over the Redirect binding, the SAML SP could not read the response correctly. -- Issue resolved.
- PHX-3495 SAML "Sign Assertion" configuration parameter only works on outbound POST binding, not on Redirect.
  When the target of the SAMLResponse only had a Redirect binding available, the "sign assertion" configuration parameter did not result in a signed assertion. -- Issue resolved.
- PHX-3496 SAML SP will not verify detached signatures.
  When receiving a SAMLResponse over the Redirect binding with a detached signature, the signature was not verified because it is detached from the message. -- Issue resolved.
- PHX-3497 SAML IdP will return invalid signature if returning SAMLResponse over Redirect binding.
  When returning a detached signature on a SAMLResponse via the Redirect binding, the signature was invalid. -- Issue resolved.
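PHX-3494, PHX-3496 and PHX-3497 all concern the HTTP-Redirect binding, where the SAML message is deflated and base64-encoded into the URL and the signature travels detached in a separate Signature query parameter. The following Python example is added here and is not PhenixID code; it shows that encoding, the exact string a detached signature covers, and the receiver-side caveat that verification must run over the query-string octets as received. The HMAC sign/verify pair is a constructed stand-in for the RSA primitive so the block runs offline.

```python
import base64
import hmac
import zlib
from urllib.parse import quote, unquote

SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def deflate_b64(xml):
    """Redirect-binding encoding: raw DEFLATE (no zlib header or trailer), then base64."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()

def inflate_b64(value):
    """Inverse of deflate_b64: what an SP needs to read an inbound deflated SAMLResponse."""
    return zlib.decompress(base64.b64decode(value), -15).decode()

def raw_params(query):
    """Split the query string without decoding it: a detached signature is checked over the
    octets as received, since decoding and re-encoding may give a different percent-encoding."""
    return dict(p.split("=", 1) for p in query.split("&") if "=" in p)

def signed_octets(params, name):
    """Detached-signature input (SAML 2.0 Bindings 3.4.4.1), built from the URL-encoded values."""
    parts = [f"{name}={params[name]}"]
    if "RelayState" in params:  # optional; omitted from the signed string when absent
        parts.append(f"RelayState={params['RelayState']}")
    parts.append(f"SigAlg={params['SigAlg']}")
    return "&".join(parts).encode()

def build_redirect_query(name, xml, relay_state, sign):
    """Sender side: encode the message, sign the canonical string, append Signature."""
    params = {name: quote(deflate_b64(xml), safe="")}
    if relay_state is not None:
        params["RelayState"] = quote(relay_state, safe="")
    params["SigAlg"] = quote(SIG_ALG, safe="")
    params["Signature"] = quote(base64.b64encode(sign(signed_octets(params, name))).decode(), safe="")
    return "&".join(f"{k}={v}" for k, v in params.items())

def verify_redirect_query(query, name, verify):
    """Receiver side: verify the detached signature first, then inflate the message."""
    params = raw_params(query)
    signature = base64.b64decode(unquote(params["Signature"]))
    return verify(signed_octets(params, name), signature), inflate_b64(unquote(params[name]))

# Constructed HMAC stand-in for the RSA/ECDSA primitive so the block runs offline; a real SP
# verifies with the signing certificate published in the IdP's SAML metadata.
TEST_KEY = b"constructed-test-key"
def hmac_sign(data):
    return hmac.new(TEST_KEY, data, "sha256").digest()
def hmac_verify(data, signature):
    return hmac.compare_digest(hmac_sign(data), signature)
```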
- PHX-3498 PAS can lose connection with MySQL, requiring a restart.
  If a connection is lost, it is now properly removed. -- Issue resolved.
- PHX-3501 SAMLNias breaks if forceReauthenticate is enabled. -- Issue resolved.
- PHX-3521 The 5.1 version of OIDC has very little debug output.
  Since the token and userinfo endpoints are no longer routed via the pipe API, there was too little debug output in the logs. -- Issue resolved.
- PHX-3544 BankID HintCode "userCallConfirm" is mapped to "Unknown", causing errors. -- Issue resolved.
- PHX-3545 Vulnerabilities identified: CVE-2024-30172 (7.5), CVE-2024-29857 (7.5).
  Vulnerabilities mitigated. -- Issue resolved.
- PHX-3553 BankIDClient has an info-level log that should be at debug level. -- Issue resolved.
- PHX-3555 Legacy FIDO2 authenticators are stateless.
  Legacy FIDO2 authenticators could possibly be open to replay attacks. -- Issue resolved.
- PHX-3578 100-continue not handled, leaves client lingering.
  HTTP status code 100 (Continue) was not handled by default, leaving the client lingering. -- Issue resolved.
- PHX-3585 SPBroker / AssertionProvider "signMessage" cross-contamination.
  Both the SPBroker and the AssertionProvider used the pipe property called "signMessage", causing interference between AssertionConsumer and AssertionProvider. -- Issue resolved.
- PHX-3586 Userinfo endpoint in 5.1 OIDC does not return content-type. -- Issue resolved.
- PHX-3598 Missing CEF dependency for authn.
  A JAR file was missing, causing issues in the authn module. -- Issue resolved.
- PHX-3603 HttpGetRequestValve crashes if there is no response body (HTTP status 204). -- Issue resolved.
List of improvements

- PHX-3345 Improve the EVT_10032 (token revoked) log to show more information about why the token was revoked.
  When deleting a OneTouch profile, the event log did not show who revoked the token and how; it now shows the destination user name, source user name and source service name. -- Improvement added.
- PHX-3394 Docker logging: JSON to stdout.
  Added an option to change logging from file to JSON on stdout. -- Improvement added.
- PHX-3431 LDAP connections: add support for round robin.
  If multiple LDAP connections are configured, previously all connections aside from the first were only used for failover. Load balancing via round robin is now performed by default. A new config parameter is added on the LDAP Connection store entity: "load_balance": "true/false" (default "true"). -- Improvement added.
- PHX-3444 Add property to PADESSignVisibleSignatureValve to control fail behavior.
  The default behavior is for the valve to fail if a visible signature cannot be performed. A parameter has been added that makes the valve add a non-visible signature instead if a visible signature cannot be added: "requireVisualSignature": "true/false" (default "true"). See the documentation. -- Improvement added.
- PHX-3446 Add support for parameter expansion in authenticator config.
  Some authenticators (mainly those providing broker functionality) require dynamic configuration. For example, SP Broker might want to send a RequestedAuthenticationContext depending on the context of the initial authentication request. SPBroker, RPBroker and AssignmentAgnostic have had dynamic parameters added. The syntax is the same as for valve parameter expansion: "configParam": "{{request.someParam}}". Example documentation can be seen in e.g. SPBroker. -- Improvement added.
- PHX-3451 Enable signature assignments in OneTouch authenticators.
  As a continuation of the "sign-enabled" authenticators introduced in 5.1.0, AssignmentAgnostic and AnonymousAssignmentAgnostic now perform signature assignments when part of a flow that has a SAML SignMessage present. Both have a new parameter pointing to the JSON template used for the assignment: "signature_template_name" for AnonymousAssignmentAgnostic and "signTemplate" for AssignmentAgnostic. -- Improvement added.
- PHX-3452 Add optional pipe to AssignmentAgnostic.
  As users may often want to execute valves after using AssignmentAgnostic, e.g. in a step-up scenario, an optional pipe has been added. New config parameter: "pipeID". -- Improvement added.
- PHX-3456 Create new endpoint in PRISM fedsigning app.
  The module phenix-prism-fedsigning can now handle remote signing via two new configuration parameters: "create_dss_pipe" and "parse_dss_pipe". -- Improvement added.
- PHX-3459 PipeExecutorValve should accept pipes array.
  PipeExecutorValve has a new configuration parameter, "pipes", where you can (similarly to the Dispatch authenticator) list pipes and expressions; the first pipe whose expression matches is run. -- Improvement added.
- PHX-3502 Improve NiasAuth to send extended certificate information as SAMLNias does. -- Improvement added.
- PHX-3516 RequestIssuer from context missing in pipes.
  Context-specific values like "requestIssuer" that are available in AgnosticDispatcher are now available in authenticator and IdP pipes too, via "request.contextrequestissuer", "request.contextprotocol" etc. To see all available context values, see the AgnosticDispatcher config. -- Improvement added.
- PHX-3530 Make protocol-agnostic authenticator for NIAS. -- Improvement added.
- PHX-3533 Make protocol-agnostic authenticator for SITHS eID. -- Improvement added.
- PHX-3540 Make protocol-agnostic authenticator for FIDO2. -- Improvement added.
- PHX-3587 Preserve query params in logout NextTarget.
  When using an OIDC flow that uses an SP Broker directed at legacy SAML authenticators, it is necessary to log out at both the /authentication path and the /saml path. To allow for this in combination with OIDC standards like post_logout_redirect_uri and id_token_hint, an option has been added to the authentication module configuration (in boot.json) that preserves query parameters when navigating to nextTarget: "logoutNextTargetPreserveQueryParams": "true/false" (default "false"). -- Improvement added.