Google Git
Sign in
apache / cxf-fediz / refs/tags/fediz-1.5.1 / . / release_notes.txt
blob: 93b6491c102ea5f061ccd58238b7e8c7c0ecb40c [file] [log] [blame]
Apache CXF Fediz 1.5.0 Release Notes
------------------------------------
1. Overview
Apache CXF Fediz provide the following features:
* WS-Federation 1.0/1.1/1.2
* SAML 1.1/2.0 Tokens
* Custom token support
* Publish WS-Federation Metadata document for RP and IDP
* Role information encoded as AttributeStatement in SAML 1.1/2.0 tokens
* Claims information provided by FederationPrincipal interface
* Fediz IdP supports Resource and Requestor IDP role, Home Realm Discovery Service, ...
* Support for Jetty, Tomcat, Websphere and Spring Security 4.x
* Support for logout in the RP and IdP
* Support for logging on to the IdP via UsernamePassword, Kerberos and TLS
client authentication
* A container independent CXF plugin for WS-Federation
* A REST API for the IDP
* Support to use the IDP as an identity broker with a remote SAML SSO IdP
* Support to use the IDP as an identity broker with a remote OpenId Connect IdP
* SAML SSO support in the IdP
* OpenId Connect (OIDC)
2. Installation Prerequisites
Before installing Apache CXF Fediz, make sure the following products,
with the specified versions, are installed on your system:
* Java 8 Development Kit or higher
* Apache Maven 3.x to build the samples
3. Installation Procedures
Follow the Getting Started instructions at
http://cxf.apache.org/fediz.html#Fediz-Gettingstarted for information
on installing the Fediz IDP and IdP STS.
4. Building the Samples
Building the samples included in the binary distribution is easy. Change to
the examples directory and follow the build instructions in the README.txt file
included with each sample.
5. Replacing provided keystores
The sample keystores provided are fine for development and prototyping use
but make sure to replace them for any production use, see
see examples/samplekeys/HowToGenerateKeysREADME.html for key generation
information.
6. Reporting Problems
If you have any problems or want to send feedback of any kind, please e-mail the
CXF user list, users@cxf.apache.org. You can also file issues in JIRA at:
http://issues.apache.org/jira/browse/FEDIZ
7. Migration notes:
N.A.
8. Specific issues, features, and improvements fixed in this version
Release Notes - CXF-Fediz - Version 1.5.0
Bug
[FEDIZ-232] - 'wctx' parameter mandatory but protocol does not require
[FEDIZ-234] - Escape logging output in LoginHintHomeRealmDiscovery
[FEDIZ-235] - Set unique=true for the OpenJPA Index values
[FEDIZ-239] - Add an underscore prefix to the SAML Ids to make them schema compliant
[FEDIZ-243] - Fediz tomcat valve is broken with recent tomcat version
New Feature
[FEDIZ-245] - OIDC: Client Update
Improvement
[FEDIZ-242] - Remove Swagger UI from IdP
[FEDIZ-244] - Update to Tomcat 9.0.35
[FEDIZ-248] - OIDC UI: shared stylesheet
Task
[FEDIZ-204] - Drop Tomcat7, Jetty8, Spring Sec 2, 3 containers
[FEDIZ-230] - Support Jetty 9.4
[FEDIZ-231] - Upgrade to Tomcat 9
[FEDIZ-246] - Update IdP to use Spring Security 4
[FEDIZ-247] - Add support for EncryptedAssertions for SAML SSO
Release Notes - CXF-Fediz - Version 1.4.6
Bug
[FEDIZ-232] - 'wctx' parameter mandatory but protocol does not require
[FEDIZ-234] - Escape logging output in LoginHintHomeRealmDiscovery
[FEDIZ-236] - Geeting HTTP 401 error on first login using SAML
[FEDIZ-239] - Add an underscore prefix to the SAML Ids to make them schema compliant
Release Notes - CXF-Fediz - Version 1.4.5
Bug
[FEDIZ-220] - http 400 when logout with redirect to constraint
[FEDIZ-224] - Saml SSO spring plugin does not work
[FEDIZ-226] - authnRequestBuilder cofiguration property for samlProtocolType ignored
New Feature
[FEDIZ-158] - Support Fediz OIDC Login for Trusted IDP
[FEDIZ-223] - Support custom claim handler within Fediz Plugin
Task
[FEDIZ-221] - Support SAML SSO Logout in the IdP
[FEDIZ-222] - Support SAML SSO Logout in the RP
[FEDIZ-225] - Add support to specify the AssertionConsumerService URL via the "reply" configuration parameter for SAML SSO
[FEDIZ-227] - Support SAML SSO in the Jetty plugin
[FEDIZ-228] - Add the "jti" claim in FedizSubjectCreator
[FEDIZ-229] - Provide a way to map JWT claims into SAML attributes when converting a third party JWT token into a SAML Token
Release Notes - CXF-Fediz - Version 1.4.4
Bug
[FEDIZ-217] - SAML authentication fails in plugin
New Feature
[FEDIZ-7] - Add support for SAML-P in the plugin
Improvement
[FEDIZ-216] - Support different signature algorithms for the SAML SSO Redirect Binding
[FEDIZ-219] - Add support for SAML SSO to the Tomcat 8 RP implementation
Release Notes - CXF-Fediz - Version 1.4.3
Bug
[FEDIZ-211] - Local IdP redirection (after token expiry) is not working
[FEDIZ-212] - Multiple OIDC logout return to login page
[FEDIZ-213] - Spring plugins don't handle token expiration properly
[FEDIZ-214] - OIDC generated already expired id_token
Improvement
[FEDIZ-210] - Limit IdP request parameter size
Release Notes - CXF-Fediz - Version 1.4.2
Improvement
[FEDIZ-206] - Revert FedizSubjectCreator changes
[FEDIZ-209] - Make FedizResponse properly serializable
Release Notes - CXF-Fediz - Version 1.4.1
Bug
[FEDIZ-201] - Spring3 plugin does not include jars in the distribution
[FEDIZ-202] - OIDC war files are being included in the plugin directories in the distribution
Improvement
[FEDIZ-205] - Support creating IdP Metadata for SAML SSO
New Feature
[FEDIZ-203] - Support "roles" scope
Release Notes - CXF-Fediz - Version 1.4.0
Bug
[FEDIZ-185] - Make one of passiveRequestorEndpoint or passiveRequestorEndpointConstraint mandatory in the IDP
[FEDIZ-189] - Add support for absolute URLs in the logoutRedirectTo parameter
[FEDIZ-191] - The HomeRealmReminder cookie is not deleted after logout in the IdP
[FEDIZ-192] - SAML customSTSParameter not propagated when using form-login
Improvement
[FEDIZ-155] - Move .java components out of idp webapp and into a separate JAR
[FEDIZ-175] - Refactor STS configuration to make the Fediz STS easier to customize.
[FEDIZ-176] - Refactor IdP configuration to make the Fediz IdP easier to customize.
[FEDIZ-177] - Upgrade dbcp to 2.1.1
[FEDIZ-178] - Update Webflow to 2.4.x
[FEDIZ-179] - Update IdP to Spring Security 3.2
[FEDIZ-180] - Support WS-Federation Trusted Third Party IdPs for the SAML SSO interface in the IdP
[FEDIZ-181] - Support SAML SSO Trusted Third Party IdPs for the SAML SSO interface in the IdP
[FEDIZ-182] - Support OIDC Trusted Third Party IdPs for the SAML SSO interface in the IdP
[FEDIZ-183] - Support logging out in the plugins via the "wa" parameter
[FEDIZ-184] - Remove OGNL parser from the IdP
[FEDIZ-186] - Add new logoutRedirectToConstraint plugin configuration parameter
[FEDIZ-188] - Make "Reply" a CallbackType in the Fediz plugin configuration
[FEDIZ-190] - Make the logoutRedirectToConstraint a CallbackType
[FEDIZ-193] - Add a way to support additional top level domains when registering OIDC clients
[FEDIZ-195] - OIDC: propagate URI fragment during authentication
[FEDIZ-197] - STSClientAction shouldn't change wsdlLocation when no port is set
[FEDIZ-199] - Update the Spring plugin to spring security 4
[FEDIZ-200] - Make one of logoutEndpoint or logoutEndpointConstraint mandatory in the IDP
New Feature
[FEDIZ-187] - Initial OIDC Logout Support
Task
[FEDIZ-196] - Add support for Apache Tomcat 8.5.x
Release Notes - CXF-Fediz - Version 1.3.2
Bug
[FEDIZ-185] - Make one of passiveRequestorEndpoint or passiveRequestorEndpointConstraint mandatory in the IDP
[FEDIZ-189] - Add support for absolute URLs in the logoutRedirectTo parameter
[FEDIZ-191] - The HomeRealmReminder cookie is not deleted after logout in the IdP
[FEDIZ-194] - NPE when restarting Fediz OIDC after using dynamic registration
Improvement
[FEDIZ-173] - Cors support for js OIDC Implicit Flow
[FEDIZ-183] - Support logging out in the plugins via the "wa" parameter
[FEDIZ-186] - Add new logoutRedirectToConstraint plugin configuration parameter
[FEDIZ-193] - Add a way to support additional top level domains when registering OIDC clients
[FEDIZ-200] - Make one of logoutEndpoint or logoutEndpointConstraint mandatory in the IDP
Task
[FEDIZ-174] - Update CXF version to 3.1.8-SNAPSHOT
Release Notes - CXF-Fediz - Version 1.2.4
Bug
[FEDIZ-185] - Make one of passiveRequestorEndpoint or passiveRequestorEndpointConstraint mandatory in the IDP
[FEDIZ-191] - The HomeRealmReminder cookie is not deleted after logout in the IdP
Improvement
[FEDIZ-186] - Add new logoutRedirectToConstraint plugin configuration parameter
[FEDIZ-200] - Make one of logoutEndpoint or logoutEndpointConstraint mandatory in the IDP
Release Notes - CXF-Fediz - Version 1.2.3
Bug
[FEDIZ-161] - FederationConfigImpl.init() calls loadConfig(File) which fails for war files with special characters in its name
[FEDIZ-164] - IdP default flow doesn't support multiple realms
[FEDIZ-169] - Enforce mandatory requested claims on the RP side
[FEDIZ-170] - Load keystore/truststore resources in the container plugins
Improvement
[FEDIZ-154] - Example 'simpleWebapp' needs proper configuration of the FederationEntryPoint in IDP realm-b
[FEDIZ-159] - whr propagation can be disabled
[FEDIZ-168] - Support SAML Token without Audience Restriction
Release Notes - CXF-Fediz - Version 1.3.1
Bug
[FEDIZ-161] - FederationConfigImpl.init() calls loadConfig(File) which fails for war files with special characters in its name
[FEDIZ-164] - IdP default flow doesn't support multiple realms
[FEDIZ-165] - SAML SSO redirection on ForceAuthn or token expiry not working
[FEDIZ-166] - "No message body writer" error for OAuthError in the OIDC IdP
[FEDIZ-169] - Enforce mandatory requested claims on the RP side
[FEDIZ-170] - Load keystore/truststore resources in the container plugins
Improvement
[FEDIZ-160] - Replace Hibernate with Apache BVal
[FEDIZ-162] - Make it possible to disable the requirement for a Signature when validating a SAML SSO AuthnRequest in the IdP
[FEDIZ-163] - Default to disabling Deflate Encoding for the SAML SSO response
[FEDIZ-168] - Support SAML Token without Audience Restriction
[FEDIZ-171] - Add a configuration option to add the "Authenticated" role to the list of roles of the authenticated user
[FEDIZ-172] - OIDC DataProvider should support client_credentials clients
New Feature
[FEDIZ-76] - Support Facebook Login for Trusted IDP
Release Notes - CXF-Fediz - Version 1.3.0
Sub-task
[FEDIZ-74] - Support Google Login for Trusted IDP
Bug
[FEDIZ-118] - Allow securing root context applications
[FEDIZ-125] - Logout is not working in Fediz websphere plugin and cookie name is not configurable
[FEDIZ-128] - Parent POM dependencies wrong in Websphere artifacts
[FEDIZ-132] - Encoding Error by generated JAXB classes
[FEDIZ-139] - cxf-fediz plugin osgi export
[FEDIZ-140] - IDP caches outdated SAML Tokens
[FEDIZ-142] - TrustedIdpSAMLProtocolHandler.REQUIRE_KEYINFO does not work
[FEDIZ-146] - wtrealm should not be mandatory for 3rd party signin response
[FEDIZ-147] - IDP will be listed in HomeRealm Selection view, even if it should not be used directly
[FEDIZ-151] - Session Conflict with Cookies
[FEDIZ-156] - SAMLRequest ID must not start with a Number
[FEDIZ-157] - SAMLResponse Handler uses URL instead of Realm name for issuer validation
Improvement
[FEDIZ-113] - Support SAML SSO Metadata in the IdP
[FEDIZ-119] - Customizable Login-Page
[FEDIZ-120] - IDP Encoding of SignInResponse configurable
[FEDIZ-121] - Upgrade to Spring 4
[FEDIZ-122] - Replace Apache bval with Hibernate
[FEDIZ-123] - Update certificates to 2048 bits
[FEDIZ-130] - Add a Jetty 9 plugin
[FEDIZ-131] - Add JAXRS based demos
[FEDIZ-133] - Improve logout page customizability
[FEDIZ-135] - CXF plugin should let the initial successful sign in request proceed
[FEDIZ-141] - POST Binding for SAML SSO Remote IDP
[FEDIZ-145] - Swagger REST API Support
[FEDIZ-152] - Disable URL rewrites with SessionID to avoid session hijacking
[FEDIZ-154] - Example 'simpleWebapp' needs proper configuration of the FederationEntryPoint in IDP realm-b
[FEDIZ-159] - whr propagation can be disabled
New Feature
[FEDIZ-126] - Systests for websphere plugin
[FEDIZ-127] - Webshere example application doesn't fit to systemtests and is not buildable as ear file
[FEDIZ-143] - Home Realm Discovery based on OIDC login_hint
[FEDIZ-144] - HomeRealm Discovery Service based on Spring EL
[FEDIZ-153] - Support OpenId Connect bridging in the Fediz IdP
Question
[FEDIZ-124] - Fediz-plugin for Tomcat 8
Task
[FEDIZ-114] - Remove X509TokenValidator and DefaultSubjectProvider in the STS
Release Notes - CXF-Fediz - Version 1.2.2
Sub-task
[FEDIZ-106] - Spring plugin support for configurable token validation
[FEDIZ-107] - CXF plugin support for configurable token validation
[FEDIZ-108] - Jetty plugin support for configurable token validation
[FEDIZ-110] - Update Plugin Configuration Documentation
Bug
[FEDIZ-117] - Race condition in CXF plugin related to request restoration after redirect
[FEDIZ-125] - Logout is not working in Fediz websphere plugin and cookie name is not configurable
[FEDIZ-128] - Parent POM dependencies wrong in Websphere artifacts
[FEDIZ-129] - Default values in the schema are not actually used
[FEDIZ-139] - cxf-fediz plugin osgi export
[FEDIZ-140] - IDP caches outdated SAML Tokens
[FEDIZ-142] - TrustedIdpSAMLProtocolHandler.REQUIRE_KEYINFO does not work
[FEDIZ-146] - wtrealm should not be mandatory for 3rd party signin response
[FEDIZ-147] - IDP will be listed in HomeRealm Selection view, even if it should not be used directly
[FEDIZ-151] - Session Conflict with Cookies
Improvement
[FEDIZ-104] - Configurable (fediz_config.xml) token expiration validation
[FEDIZ-152] - Disable URL rewrites with SessionID to avoid session hijacking
New Feature
[FEDIZ-126] - Systests for websphere plugin
[FEDIZ-127] - Webshere example application doesn't fit to systemtests and is not buildable as ear file
[FEDIZ-144] - HomeRealm Discovery Service based on Spring EL
Release Notes - CXF-Fediz - Version 1.2.1
Bug
[FEDIZ-118] - Allow securing root context applications
Improvement
[FEDIZ-113] - Support SAML SSO Metadata in the IdP
[FEDIZ-120] - IDP Encoding of SignInResponse configurable
[FEDIZ-123] - Update certificates to 2048 bits
Task
[FEDIZ-114] - Remove X509TokenValidator and DefaultSubjectProvider in the STS
Release Notes - CXF-Fediz - Version 1.2.0
Sub-task
[FEDIZ-105] - Websphere plugin support for configurable token validation
[FEDIZ-109] - Tomcat plugin support for configurable token validation
Bug
[FEDIZ-70] - Missing support for Web Services Policy 1.2 (http://schemas.xmlsoap.org/ws/2004/09/policy)
[FEDIZ-83] - wfreshparser incorrectly treats a freshness of 0 as negative
[FEDIZ-88] - wreply parameter must be optional
[FEDIZ-96] - Nullpointer exception if logout is called before login
[FEDIZ-97] - Plugin configuration property naming conflict with WebSphere 8.5
[FEDIZ-99] - Wrong Address in PassiveRequestorEndpoint for ApplicationServiceType
[FEDIZ-100] - Wrong Value in EndpointReference for ApplicationServiceType
[FEDIZ-111] - NPE when ChainTrust is configured + no Subject is provided
[FEDIZ-112] - Race condition in tomcat plugin related to request restoration after redirect
Improvement
[FEDIZ-23] - Support different authentication mechanism
[FEDIZ-69] - Support starting IDP with jetty maven plugin
[FEDIZ-71] - Enable use of Apache CXF Fediz IDP with external third-party WS-Trust STS
[FEDIZ-72] - Make Trusted IDP protocol customizable
[FEDIZ-78] - Provide a configurable mechanism to load the DB initially
[FEDIZ-79] - Encoding of SignInResponse configurable
[FEDIZ-84] - Support wreq parameter in SP/IdP
[FEDIZ-93] - Provide correct fediz_config.xml to match with fedizhelloworld demo
[FEDIZ-94] - Provide correct fediz_config.xml to match with fedizhelloworld demo
[FEDIZ-95] - Moving Spring-Security configuration to central location
[FEDIZ-98] - Dynamic STS Realm Parser
[FEDIZ-101] - audienceUris as TargetScope in MetadataDocument
[FEDIZ-102] - Direct Logout at IDP with wsignoutcleanup1.0 action
New Feature
[FEDIZ-19] - Single Sign Out
[FEDIZ-27] - Support signout/cleanup message in Fediz plugin
[FEDIZ-46] - WS-FederationSupport for CXF JAX-RS
[FEDIZ-53] - Browser can pass the home realm to the Fediz plugin
[FEDIZ-65] - REST interface for IDP
[FEDIZ-73] - Support SAML-P protocol for Trusted IDP
[FEDIZ-77] - RBAC Support for REST Interface
[FEDIZ-89] - Kerberos/SPNEGO Authentication Support
[FEDIZ-90] - Identity Federation via Claim Mappings
Task
[FEDIZ-86] - Add support for Metadata to other plugins
Release Notes - CXF-Fediz - Version 1.1.2
Bug
[FEDIZ-88] - wreply parameter must be optional
New Feature
[FEDIZ-89] - Kerberos/SPNEGO Authentication Support
[FEDIZ-90] - Identity Federation via Claim Mappings
Release Notes - CXF-Fediz - Version 1.1.1
Bug
[FEDIZ-70] - Missing support for Web Services Policy 1.2 (http://schemas.xmlsoap.org/ws/2004/09/policy)
[FEDIZ-83] - wfreshparser incorrectly treats a freshness of 0 as negative
Improvement
[FEDIZ-79] - Encoding of SignInResponse configurable
[FEDIZ-84] - Support wreq parameter in SP/IdP
Release Notes - CXF-Fediz - Version 1.1.0
New Feature
[FEDIZ-2] - Support encrypted tokens in plugin
[FEDIZ-3] - Support the role "Resource IDP" in IDP
[FEDIZ-4] - Support SAML token with Holder-Of-Key SubjectConfirmationMethod
[FEDIZ-5] - Provide adapter for Jetty
[FEDIZ-9] - Provide plugin for CXF
[FEDIZ-36] - Http Form Based Login
[FEDIZ-38] - Integrate Fediz Plugin with Spring Security framework (Pre-Authentication)
[FEDIZ-39] - Spring Security Federation Authenticator
[FEDIZ-52] - Support wauth parameter in initial request to RP
[FEDIZ-53] - Browser can pass the home realm to the Fediz plugin
[FEDIZ-58] - Support LDAP groups for Maven profile ldap
[FEDIZ-59] - Support audit log in STS
[FEDIZ-61] - Support for Websphere WAS 7 / 8
[FEDIZ-62] - Customize SignIn Query
[FEDIZ-63] - Support PEM format for certificate store
Bug
[FEDIZ-40] - Can CXF Fediz IDP & RP work with SAML1.1 ?
[FEDIZ-45] - Do not convert a SAML Attribute with an empty AttributeValue into a Role
[FEDIZ-47] - OnBehalfOf Token does not expire in the IdP
[FEDIZ-49] - Support using wfresh parameter in the IdP for TTL
[FEDIZ-55] - Claims from LDAP can't be retrieved
Improvement
[FEDIZ-14] - Make the TokenReplayCache implementation configurable in the Fediz configuration
[FEDIZ-31] - Fix example package structure
[FEDIZ-37] - Dynamically assign ports for unit testing to avoid port conflict
[FEDIZ-41] - Fediz IDP refactored with Spring Web Flow
[FEDIZ-43] - No dependency on TCP port of IDP container in fedizidp.war
[FEDIZ-44] - Rename IDP + STS wars to use hypens (fediz-idp + fediz-idp-sts) and update documentation
[FEDIZ-48] - Support wfresh properly in the IdP
[FEDIZ-54] - Provide Maven profile to build STS with LDAP backend
[FEDIZ-64] - Add Callback support for the Realm (WTRealm) protocol property
[FEDIZ-66] - Token expiration validation configurable
[FEDIZ-67] - Use same Canonicalization Method for Signatures for Metadata document as for SAML tokens
Wish
[FEDIZ-15] - Support the publish of the WS-Federation Metadata document
[FEDIZ-35] - Allow to use a custom CXF bus for IdpSTSClient
Release Notes - CXF-Fediz - Version 1.0.3
Bug
[FEDIZ-40] - Can CXF Fediz IDP & RP work with SAML1.1 ?
[FEDIZ-45] - Do not convert a SAML Attribute with an empty AttributeValue into a Role
[FEDIZ-49] - Support using wfresh parameter in the IdP for TTL
Improvement
[FEDIZ-14] - Make the TokenReplayCache implementation configurable in the Fediz configuration
[FEDIZ-31] - Fix example package structure
[FEDIZ-44] - Rename IDP + STS wars to use hypens (fediz-idp + fediz-idp-sts) and update documentation
[FEDIZ-48] - Support wfresh properly in the IdP
Task
[FEDIZ-42] - Upgrade to use CXF 2.6.6
Wish
[FEDIZ-35] - Allow to use a custom CXF bus for IdpSTSClient
Release Notes - CXF-Fediz - Version 1.0.2
** Bug
* [FEDIZ-26] - SAMLTokenValidator throws a NPE when an Attribute of the Assertion does not have a NameFormat
** Improvement
* [FEDIZ-18] - Make supported claims configurable in FileClaimsHandler
* [FEDIZ-20] - IDP should maintain authentication state
* [FEDIZ-17] - Current Fediz STS exposes SOAP 1.1 end point
* [FEDIZ-25] - Look for fediz_config.xml in catalina base too
** New Feature
* [FEDIZ-30] - Relying Party can enforce re-authentication using wfresh parameter
* [FEDIZ-28] - Logout capability in IDP
** Task
* [FEDIZ-29] - Migrate to CXF 2.6.3
** Test
Release Notes - CXF-Fediz - Version 1.0.1
** Bug
* [FEDIZ-24] - maximumClockSkew is not optional
** Improvement
* [FEDIZ-22] - Improved support for other claims encoding in SAML attributes
** New Feature
** Task
** Test