KSSO version 6

Update notes: Kantega SSO Enterprise 6.x update notes

Change log and release notes for different versions in Kantega SSO Enterprise version 6:

Kantega SSO Enterprise 6.42.x release notes

Changes in 6.42.2

Release summary: Security patches and removal of the license expiry warning banner

Security fixes

  • BEANUTILS Upgrade Apache Commons BeanUtils from version 1.9.4 to 1.11.0 to patch CVE-2025-48734 and CVE-2020-15250 in the dependency.

Improvements

  • PLUGIN LICENSE BANNER When the plugin license was close to expiry, we used to issue a warning to administrators, asking them to update the SSO license. This warning caused some annoyance, particularly because the “dismiss” button did not behave consistently. To avoid this annoyance, the banner was removed.

Changes in 6.42.1

Release only relevant to version 7.42.1.

Changes in 6.42.0

Release summary: Better performance for API connector calls; fixes for user redirect and lookup

Improvements

  • API CONNECTOR Introduce a cache so that background sync calls from Atlassian products no longer trigger a full sync over the API. Now only ordinary syncs do a full sync.

  • SAML/OIDC Support for redirect by group and directory also when the user enters the built-in username while the configuration uses another lookup attribute, e.g. email or userPrincipalName, as username

  • SAML/OIDC Ignore disabled user accounts when user lookup via e-mail is configured, so that the one active account is the one allowed to be used

Bug fixes

  • JIRA Fix websudo login when Jira has a contextPath (for example, when it runs on server.com/jira)

  • CONFLUENCE Fix setting userProperties when other lookup attributes like email or userPrincipalName have been used for SAML/OIDC logins.

  • SAML/OIDC Fix so that updateUser can be used in combination with another username lookup attribute

Kantega SSO Enterprise 6.41.x release notes

Changes in 6.41.0

Release summary: OIDC secret and Entra ID Connector secret overrides via environment variables

New features

  • OIDC Secret overrides for the OIDC IdP via environment variables, set at startup.

    Secrets can be provided by setting an inline variable before the startup command (OIDC identity provider client secret):
    ORG_KANTEGA_ATLASKERB_IDENTITYPROVIDERS_OIDCSTATIC_CLIENTSECRET=SECRET ./startup.sh
    Setting variables via JVM -D arguments is possible but more prone to leakage, since the values are visible in process monitors like ps or top, so it is not recommended.

  • API CONNECTOR Secret overrides via environment variables, set at startup.
    Visit Cloud user provisioning -> Entra ID Connector -> Cloud integration for configuration details (Entra ID client secret):
    ORG_KANTEGA_ATLASKERB_CONNECTOR_AZURE_AZUREADCONNECTORTYPE_STATIC_CLIENTSECRET=YOUR_SECRET ./startup.sh
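A check for the leakage point made above, as an added example that is not Kantega's code: it launches a stand-in process first with the secret in its environment, then with the secret as a -D style argument, and scans the process table (what ps and top display) for it. It assumes Linux with /proc mounted; the variable name KSSO_DEMO_CLIENT_SECRET and the property name org.example.clientsecret are constructed for the demo.

```shell
#!/bin/sh
# Added demo, not part of Kantega SSO: compares a secret passed as an inline
# environment variable with one passed as a -D style argument, by reading
# /proc/<pid>/cmdline (the data ps and top show). Assumes Linux with /proc;
# `sleep` stands in for the Java process, and the variable and property
# names are constructed for the demo.

# Return 0 when the given string appears in any process's command line.
secret_visible_in_cmdlines() {
    snapshot="/tmp/ksso_cmdline_scan.$$"
    # Snapshot first: grep carries the pattern in its own argv, so it must
    # not be running while the process list is read.
    cat /proc/[0-9]*/cmdline 2>/dev/null | tr '\0' ' ' > "$snapshot"
    grep -F -q -- "$1" "$snapshot"
    found=$?
    rm -f "$snapshot"
    return $found
}

# Build the secret at runtime so it never appears as a literal in this file.
make_demo_secret() {
    echo "ksso-demo-secret-$$-$(date +%s)"
}

# Launch a process with the secret in its environment only; return 0 if the
# secret shows up in the process table (it should not).
env_launch_exposes_secret() {
    secret=$(make_demo_secret)
    KSSO_DEMO_CLIENT_SECRET="$secret" sleep 5 >/dev/null 2>&1 &
    pid=$!
    sleep 1
    secret_visible_in_cmdlines "$secret"
    visible=$?
    kill "$pid" 2>/dev/null
    return $visible
}

# Launch a process with the secret on its command line, the way a JVM -D
# system property would appear; return 0 if it shows up (it will).
arg_launch_exposes_secret() {
    secret=$(make_demo_secret)
    sh -c 'sleep 5' sh "-Dorg.example.clientsecret=$secret" >/dev/null 2>&1 &
    pid=$!
    sleep 1
    secret_visible_in_cmdlines "$secret"
    visible=$?
    kill "$pid" 2>/dev/null
    return $visible
}
```

Run both functions and compare their exit codes: only the argument launch exposes the secret to other users' process listings.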

Bug fixes

  • JIT PROVISIONING Fixes an error where setting additional parameters could cause an exception when the user is not available

Kantega SSO Enterprise 6.40.x release notes

Changes in 6.40.0

Release summary: More powerful and user-friendly Basic Auth block. Fix redirect in JSM login

Improvements

  • BASIC AUTH New UI Basic Auth configuration page with more flexibility

Bug fixes

  • JSM Fix redirect when JSM is running with a contextPath

Kantega SSO Enterprise 6.39.x release notes

Changes in 6.39.0

Release summary: Filter API tokens, EntraID connector rate limiting, Kerberos username from file

Improvements

  • SAML/OIDC Minor changes on SSO login pages

Bug fixes

  • JSM Avoid JSM logins sometimes being redirected to the Jira login page (login.jsp)

  • API CONNECTOR Better responsiveness in the GUI during initial sync after setup

  • BAMBOO Support for Bamboo 11, which introduced some changed requirements for admin pages

  • Remove support for deprecated Refined Mobile app

Kantega SSO Enterprise 6.38.x release notes

Changes in 6.38.6

Release summary: Bug fixes

Bug fixes

  • Bug fixes for newer compatibility versions: see release 7.38.6.

Other changes

  • DARK FEATURE Introduced a dark feature for Content-Security-Policy customization and the set-cookie property SameSite=None, to offer the capability to still render the host in an iframe when it’s needed. Hidden as a dark feature; navigate directly to the setting at /plugins/servlet/no.kantega.kerberosauth.kerberosauth-plugin/samesiteContentSecurityPolicyHeaders
    See more: https://kantega-sso.atlassian.net/wiki/x/kwCOdg

Changes in 6.38.5

Release summary: Bug fixes and improvements

Improvements

  • KERBEROS The Kerberos test page now shows group-based permission checks more clearly

  • SAML/OIDC Add more DEBUG level log lines to JIT group memberships provisioning for better troubleshooting

Bug fixes

  • SAML/OIDC The user properties feature had a null pointer bug if the user was not found

  • KERBEROS Fix broken link to the “disable kerberos for specific users” page

Changes in 6.38.4

Release summary: Jira feature to set properties on login and other improvements

Improvements

  • FORCE LOGIN Better UI for presenting default Force paths

  • JUST-IN-TIME PROVISIONING Better feedback when a non-writable directory has been selected for creating users

Changes in 6.38.3

Bug fixes

  • Fixed a bug that would cause the restore backup function to fail if one of the IdP configurations (or subfolders of jira-home/kerberos) had been deleted between creation of the backup and the restore attempt.
    The issue shows a 500 error page upon backup restore at
    /plugins/servlet/no.kantega.kerberosauth.kerberosauth-plugin/restore-backup
    and an entry in the logs:
    java.nio.file.NoSuchFileException
    If that happens, the configuration from before the restore attempt should still be present in the Atlassian Data Center app home folder (jira-home, or jira-shared on a cluster) as
    jira-home/kerberos_oldhome
    First, disable the Kantega SSO plugin.
    Move
    jira-home/kerberos to jira-home/kerberos-failed-restore
    and then move
    jira-home/kerberos_oldhome to jira-home/kerberos
    Then enable the Kantega SSO plugin.

Changes in 6.38.2

Bug fixes

  • Fixed a bug introduced in 6.38.1 that caused instances with “Prevent traditional login” on to have problems with REST endpoints resulting in exceptions.

  • Fixed an issue that could cause the User Cleanup page to not display at all when no license was present

Changes in 6.38.1

Release summary: Bug fixes and dark feature user administration

Bug fixes

  • JIRA Fix all combinations of prevent traditional login for JSM and Jira

  • JIRA Allow SSO websudo for all admin URLs

  • BITBUCKET Allow really large git requests to pass successfully through SSO filters

Improvements

  • DARK FEATURE Directory admin: Allow to create, rename and delete internal directories on URL:
    /plugins/servlet/no.kantega.kerberosauth.kerberosauth-plugin/manageInternalDirectories

  • DARK FEATURE User admin: Allow search for and to move specified users from one directory to another on URL:
    /plugins/servlet/no.kantega.kerberosauth.kerberosauth-plugin/manageUsersInDirectories

Changes in 6.38.0

Release summary: Major internal rewrite SAML/OIDC to make login behavior the same

Improvements

  • SAML/OIDC Internal rewrites to standardise login behavior and to prepare for new features in Just-in-time and anonymous browsing coming soon

Bug fixes

  • OIDC resume login will now verify that IdP config is enabled

  • SAML/OIDC Managed groups failed to provision group memberships

Kantega SSO Enterprise 6.37.x release notes

Changes in 6.37.17

Release summary: SAML/OIDC related minor bug fixes

Bug fixes

  • SAML/OIDC Allow whitespace to hide specific texts on login pages like

  • MISC Better handling of internal URLs for Force login

  • SAML/OIDC Fix default redirect rules override for JSM

Changes in 6.37.15

Release summary: Fixed bug with websudo button showing up without websudo being enabled

Bug fixes

  • SAML/OIDC Fixed issue where the “Reauthenticate with SSO” button for websudo was shown without Jira prompting the user for reauthentication.

Changes in 6.37.14

Release summary: Bug fixes

Bug fixes

  • SAML/OIDC The newly introduced Bitbucket & Bamboo websudo (secure admin session) did not isolate to the given host product and caused failures on Jira.

  • SAML/OIDC Config upgrade logic introduced in 6.33.0 incorrectly checked for breaking changes by comparing the wrong versions when running on Kantega SSO major version 6

Changes in 6.37.13

Release summary: Google Workspace API connector bug fix

Improvements

  • Added a utility page under dark-features for viewing and editing groups in specific user directories on the URI /plugins/servlet/no.kantega.kerberosauth.kerberosauth-plugin/showGroupsInDirectories

Bug fixes

  • API CONNECTOR Google Workspace API connector sync failed due to an incorrect JSON object key for isArchived and isSuspended in the fix from 6.37.10

Changes in 6.37.12

Release summary: Bug fixes

Bug fixes

  • SAML/OIDC Managed groups evaluation used the incorrect configured group collection when evaluating managed groups.

Changes in 6.37.11

Release summary: Bug fix of config upgrade logic and dependency update

Improvements

  • MISC Update Bouncy Castle dependency from 1.78 to 1.80 to patch CVE-2024-29857, CVE-2024-30171 and CVE-2024-30172.

Bug fixes

  • KERBEROS Config upgrade logic introduced in 6.37.4 incorrectly checked for breaking changes by comparing the wrong versions.

Changes in 6.37.10

Release summary: Improvements, bug fixes and dependency updates

Improvements

  • SAML/OIDC Websudo SSO is now available for Bitbucket and Bamboo

  • MISC Update dependencies

Bug fixes

  • API CONNECTOR Google Workspace API connector did not update archived users as “not active” during sync

  • SAML/OIDC Make manual redirect more readily available on the login page when users enter a username

Changes in 6.37.9

Release summary: Bug fix for prevent traditional login

Bug fixes

  • MISC Fixed a bug with prevent traditional login introduced with 6.37.8

Changes in 6.37.8

This release has been made private due to a discovered bug with prevent traditional login. Please use 6.37.9 instead.

Release summary: Improvements and bug fixes for Jira and JSM only

Bug fixes

  • MISC Better handling of prevent traditional login (with username/password) for unlicensed users

Changes in 6.37.7

Release summary: Improvements and bug fixes

Improvements

  • CLOUD USER PROVISIONING The cloud user provisioning overview now shows if a connected user directory is disabled

  • SAML/OIDC Login widget on Jira dashboard now scales better height-wise with more content.

Bug fixes

  • MISC Fixed bug where some group selectors were unable to load groups

Changes in 6.37.6

Release summary: Bug fixes for API tokens

Bug fixes

  • API TOKEN Fixed bug where non-admin users could not create tokens if maximum token lifetime was set to forever

  • API TOKEN Fixed unnecessarily noisy logging in some scenarios

  • KERBEROS Fixed Kerberos logging in users who were trying to log out on Jira 10

Changes in 6.37.5

Release summary: Fixed SAML/OIDC bug with target after redirect containing the entire URL

Bug fixes

  • SAML/OIDC Fixed SAML/OIDC bug with target after redirect containing the entire URL.

Changes in 6.37.4

Release summary: Bug fixes. Improved UX on disable Kerberos.

Improvements

  • KERBEROS Reworked “Disable Kerberos” to improve UX and make the feature easier to understand. This triggers a config upgrade.

Bug fixes

  • SAML/OIDC Fixed issue with Single Logout in Jira.

  • SAML/OIDC Fixed issue with IdP button not being clickable with certain configurations.

  • SAML/OIDC Fixed bug where using SAML/OIDC would remove the title of Jira dashboards.

Changes in 6.37.3

Release summary: Bug fixes for prevent traditional login and initial SAML signing certificate

Bug fixes

  • SAML/OIDC Bug fixes for prevent traditional login for some users

  • SAML/OIDC Fixed a problem during setup of the first identity provider, when the SAML signing certificate was created

Changes in 6.37.2

Release summary: Added support for generating 4096 bit certificate for SAML Request Signing

Improvements

  • SAML/OIDC Added option to generate certificate for SAML Request Signing with size of 4096 bits

Bug fixes

  • SAML/OIDC Fixed problem with reactivating users who are both deactivated and missing license group

Changes in 6.37.1

Release summary: Various bug fixes and improvements

Improvements

  • KERBEROS Improved error handling for LDAP test

  • SCIM Updated UI for SCIM setup wizard

  • SCIM Added lozenge for showing local groups in group list

  • USER MANAGEMENT Added the option to copy groups and memberships to read-only directories

  • USER MANAGEMENT Added an overview to make discovering duplicate groups easier at /showGroupsInDirectories

Bug fixes

  • SAML/OIDC Fixed instant redirect trigger on JSM despite being disabled

  • SAML/OIDC Fixed redirecting user to the page they attempted to visit before being sent to IdP for Bitbucket

  • USER MANAGEMENT Fixed issue with viewing groups containing &

Changes in 6.37.0

Release summary: Added support for custom API token authorization header

Improvements

  • API TOKEN Added support for custom API token authorization header

Bug fixes

  • API CONNECTOR Entra ID API connector will no longer crash during synchronization when user or group filtering is enabled and a nested group matching the filter contains a group not matched by the filter.

Kantega SSO Enterprise 6.36.x release notes

Changes in 6.36.0

Release summary: Architectural changes

Improvements

  • Architectural changes to better support maintaining Kantega SSO on both platform 6 and 7.

Bug fixes

  • IP restrictions with CIDR notation no longer exclude the first and last address of the range

  • Forgot password URL will now redirect the user to the correct page

  • Exceptions to prevent traditional login should now work correctly

  • Improved config upgrade management

Kantega SSO Enterprise 6.35.x release notes

Changes in 6.35.3

10:30 CET

Release summary: Bug fix related to REST endpoint annotations

Bug fixes

  • KSSO REST API REST endpoints failed serialization due to breaking changes in Jackson Databind across platform 6 and 7

Changes in 6.35.2

08:30 CET

Release summary: Fix SCIM startIndex for Jira

Bug fixes

  • SCIM Fixed startIndex used for pagination when searching for users and groups

Changes in 6.35.1

15:15 CET

Release summary: Bug fixes

Bug fixes

  • API TOKENS Fixed 500-error introduced by last release on Bamboo and Bitbucket

  • SAML/OIDC Fixed error where pasting an entire HTML page in the custom info boxes broke the configuration page on Confluence.

Changes in 6.35.0

15:30 CET

Release summary: Added custom API token duration

Improvements

  • API TOKENS Added the option to select a custom API token duration.

Kantega SSO Enterprise 6.34.x release notes

Changes in 6.34.0

14:30 CEST

Release summary: Added option to redirect when user is not found for Group and Directory redirect

Improvements

  • SAML/OIDC Added option to redirect when user is not found for Group and Directory redirect

Kantega SSO Enterprise 6.33.x release notes

Changes in 6.33.0

11:30 CEST

Release summary: Improved assignment of group membership for various log in methods.

Improvements

  • KERBEROS Added assign group memberships during Kerberos login

  • SAML/OIDC Added assign group memberships during SAML/OIDC login

  • SAML/OIDC Re-activate users with JIT based on groups from Federated SSO

  • TRADITIONAL LOGIN Added assign group memberships during traditional login

  • SCIM + SAML/OIDC JIT can now create users in SCIM directories if "Link users upon creation" is enabled

  • JSM Changed JSM info box (Informing external users about traditional login being prevented) to be independent of Prevent traditional login

Kantega SSO Enterprise 6.31.x release notes

Changes in 6.31.0

08:00 CEST

Release summary: Allow for SCIM to reuse users already existing in user directory

Kantega SSO Enterprise 6.30.x release notes

Changes in 6.30.0

13:00 CEST

Release summary: Under-the-hood changes to enable future development

More details

  • Under-the-hood changes to the code base after the introduction of Platform 7 in Jira 10, Confluence 9, Bitbucket 9 and Bamboo 10, in order to handle development for both the newer version and the older LTS version.

Kantega SSO Enterprise 6.29.x release notes

Changes in 6.29.1

10:30 CEST

Release summary: Minor internal bug fix in setting default value for userPrincipalName as selected username attribute

New features

  • BITBUCKET Re-introduce support for SSO-verified Anonymous Access, which requires some users to log in without consuming a license. This feature is already in Jira and Confluence.

Bug fixes

  • API CONNECTOR Minor internal bug fix in setting default value for userPrincipalName as selected username attribute

Changes in 6.29.0

10:40 CEST

Release summary: Use email as username attribute for Cloud API connectors. Other minor bug fixes.

New features

  • API CONNECTOR Added possibility to use email as username attribute for Cloud API connectors

Improvements

  • GLOBAL Improve usability of partial restore of backups.

Bug fixes

  • KERBEROS Fixed Kerberos test page sometimes failing to recognize NTLM tokens

  • JIRA Added “/projects/” to default force login URLs

  • Fixed KSSO not searching for non-standard username attributes in delegated LDAP authentication

Kantega SSO Enterprise 6.28.x release notes

Changes in 6.28.0

15:00 CEST

Release summary: Regular expressions support for user lookup in Kerberos and Cloud API connectors. Lookup via e-mail on SAML/OIDC login.

Improvements

  • API CONNECTOR Support for transforming usernames using multiple regular expressions

  • KERBEROS Support for transforming usernames using multiple regular expressions

  • SAML OIDC Lookup via e-mail address from any user directory

  • SCIM Re-establish user directory after database and config have gone out of sync

  • SAML OIDC Customisable infobox above SSO login menu

  • SAML OIDC Customisable infobox when traditional login is disabled on Jira Service Management login page

Bug fixes

  • KERBEROS Fix Kerberos when called from certain external scripts in Python and other languages

  • BITBUCKET ONLY Allow editing attributes other than username, e-mail and name in cloud user provisioned directories

Kantega SSO Enterprise 6.27.x release notes

Changes in 6.27.0

09:00 CEST

Release summary: Make users in cloud sync directories read-only and other improvements

Improvements

  • SCIM Make user details like username, name and e-mail read-only for users in cloud sync directories

  • Improved GUI on HTTP Basic Auth page for better understanding

  • Security improvements and library upgrades

Bug fixes

  • API TOKENS Fix token names listed on the API Tokens page

  • SCIM Remove errors in log related to SCIM user and group searches

  • USER CLEANUP Fix links in menu for User cleanup/JSM cleanup

  • KERBEROS Fix $key.realm shown on Kerberos test page

  • Remove error in log from Avatar sync job

Kantega SSO Enterprise 6.26.x release notes

Changes in 6.26.2

15:30 CEST

Release summary: Allow pipe sign in SCIM names, read-only support in Confluence

Improvements

  • SCIM Allow pipe sign in names

  • Support Read-only mode in Confluence

  • Minor UX adjustments

Bug fixes

  • SCIM In Jira/JSM Fix SCIM error in log related to RequestCacheImpl

  • SAML OIDC Store correct redirect settings after setup wizard

Changes in 6.26.0

15:00 CEST

Release summary: Updated Kerberos implementation.

Improvements

  • KERBEROS Updated Kerberos implementation. A feature toggle to use the old version of Kerberos is available on the dark-features page in case any problems occur. For more information about our dark features see the following page: Dark Features

Bug fixes

  • SAML OIDC POST requests on IdP overview now properly render HTML on Bitbucket.

Kantega SSO Enterprise 6.25.x release notes

Changes in 6.25.0

11:00 CEST

Release summary: Preparations for Kantega SSO app in Okta marketplace and other fixes

Improvements

  • SCIM Support for middle name in names. Support for userType and allow patching of empty groups.

  • Support for partial restore of Kantega SSO config after backup

Bug fixes

  • Fix incorrect error message given in log during Just-in-time provisioning

  • SAML OIDC More robust cleanup of Identity Provider drafts after setup

  • KERBEROS Fix view of keytab during Import from Active Directory wizard

Kantega SSO Enterprise 6.24.x release notes

Changes in 6.24.1

13:30 CEST

Release summary: API token legacy backup fix and other fixes

Improvements

  • SCIM Make it possible to edit and change SCIM directory without renaming it.

  • CLOUD USER SYNC Introduce a Crowd server config in dark features (/plugins/servlet/no.kantega.kerberosauth.kerberosauth-plugin/dark-features) that allows you to specify whether a connected user directory is an Atlassian Crowd directory or a Jira directory impersonating Crowd. Useful to avoid the noisy logs that occur when Crowd calls expect an Atlassian Crowd server but the directory is actually a connected Jira Crowd directory.

Bug fixes

  • API TOKENS During upgrade from an older version using a different database table for API tokens (like version < 4.2.4 or version < 5.7.0), the configuration backup did not include the older data before migrating. As a result, when rolling back to the older version, this data was lost.

  • API TOKENS Thunderbird was not connecting through CalDAV with API Tokens due to header not set correctly with status code 207 after authentication.

  • SAML SAML test on a disabled identity provider didn’t work, because reading the SAML private key was disabled when the SAML provider config was disabled.

Changes in 6.24.0

09:00 CET

Release summary: Improved SAML login performance. Other minor fixes and improvements

Improvements

  • SAML Introduced cache to improve login performance

  • USER CLEANUP Add TRACE log to better understand user cleanup searches

  • JSM Allow JSM logins to land on URLs starting with /plugins/servlet/

  • SCIM Better handling of delete and rename of existing SCIM directories.

Bug fixes

  • COMMON Allow header authentication to work alone without having other SSOs configured

Kantega SSO Enterprise 6.23.x release notes

Changes in 6.23.0

11:00 CET

Release summary: Added dark mode support. Fixed bug with error message at /config-status.

Features

  • GLOBAL Added dark mode support for Kantega SSO.

Bug fixes

  • COMMON Fixed a file permission error message showing up at /config-status despite the instance having the proper file permissions.

Kantega SSO Enterprise 6.22.x release notes

Changes in 6.22.3

16:00 CET

Release summary: Dependency update and bug fix.

Improvements

  • GLOBAL Updated dependencies.

Bug fixes

  • SAML OIDC Fixed switching between full name and first and last name on Just-In-Time User Provisioning page.

Changes in 6.22.2

14:15 CET

Release summary: Under-the-hood improvements and bug fixes

Improvements

  • API CONNECTOR Comply with user directory encryption in Bamboo

  • SAML OIDC Validate IDP priority during deletion and removal of Identity Provider settings.

  • GLOBAL Remove insistent warning flag of expired license.

  • KERBEROS Improve explanations on Kerberos testpage

Bug fixes

  • SAML OIDC Fix visual issues and broken link in federated SSO for Jira Service Management

  • USER CLEANUP Fix broken API reference after changes with unintentional removal of GET method for get cleanup rule.

Changes in 6.22.1

15:45 CET

Release summary: Performance & visual improvements, bug fixes

Improvements

  • GLOBAL Fix performance issue with the plugin collecting user agent info because of high-frequency rotation. Now togglable (off by default) and persisted in a cache replicated across nodes

  • SAML Support uid as an LDAP user mapping attribute relevant for Sun Directory Server LDAP

  • SCIM Fetch name from display_name attribute in sync because Okta syncs updated value in display_name and not in the formatted attribute

  • Rename references to Azure AD to new product name: Entra ID.

  • SAMLOIDC Improve test page since certain attributes were out of sync on dirty settings before save

Bug fixes

  • SAML OIDC Fix broken navigation links between dashboards

  • GLOBAL Fix issue with a specific user agent that doesn’t persist sessions at least in Confluence because a cookie is set during username/password login

Changes in 6.22.0

15:00 CET

Release summary: SCIM PATCH request adjustments for Okta OIN applications

Features

  • SCIM User linking on creation: Enable this option to link existing users automatically when they are created in Confluence. This results in POST requests with a duplicate username looking up the user by externalId and linking them to the existing user. If your SCIM source causes POST requests to fail with 409 response codes on user creation, this option may be a solution for linking existing users with the same externalId. This behaviour is outside the SCIM standard and may cause unexpected behavior and some SCIM test suites to fail. Disabled by default.

Improvements

  • SCIM Performance improvements to group membership assignments and group creation.

  • SCIM Patch operations are now compatible with Okta OIN applications that use PATCH requests instead of PUT like the default Okta application.
    Applications supported in the Okta OIN catalogue:
    For Bearer token authentication:
    https://www.okta.com/integrations/scim-2-0-test-app-oauth-bearer-token/
    For Basic authentication:
    https://www.okta.com/integrations/scim-2-0-test-app-basic-auth/

Bug fixes

  • SCIM Response codes for operations like DELETE GROUP or DELETE USER that return no content changed from 200 to 204

Kantega SSO Enterprise 6.21.x release notes

Changes in 6.21.4

15:30 CET

Release summary: Added select redirect mode and option to disable IDP during IDP setup wizard.

Improvements

  • SAML OIDC Added select redirect mode and option to disable IDP during IDP setup wizard.

  • SAML OIDC Added the possibility to test IDPs while they are disabled.

Changes in 6.21.3

Release summary: Login page look and feel, kerberos bug fixes

Improvements

  • SAML OIDC Login page look and feel: ability to hide the username field on the login page to lessen confusion about login method

Bug fixes

  • KERBEROS Fix broken DNS analysis on Kerberos test page

  • KERBEROS Bamboo only: Fix issue with the manual login cookie being deleted after logout on Bamboo, which made it harder to switch user after logging out.

Changes in 6.21.2

Release summary: Fix adminpage URL encoding host product compatibility issue

Compatibility fixes

  • Fix issue with relative Kantega SSO Enterprise Identity Providers admin page URLs added in URL parameter losing encoding on the way out to rendering, leading to un-encoded URL parameters. It broke the linking between admin pages on Confluence 8.7. Suspected similar issue possible on other host products.

Changes in 6.21.1

17:39 CET

Release summary: Bug fix: concurrency issue with maintaining user agents list

Bug fixes

  • KERBEROS Thread-unsafe handling of last lookup names

  • GLOBAL Thread-unsafe handling of the user agents list, which may sometimes lead to stack traces and crashed threads in the system

Changes in 6.21.0

08:00 CET

A concurrency bug has been discovered in version 6.21.0, which has been withdrawn from the marketplace.

Release summary: Unused JSM agent cleanup. Avoid IdP auto for user agent. User Cleanup improved.

Features

  • JSM ONLY Clean up unused Jira Service Management agents based on their inactivity in Service Management projects. This way the user may be inactivated as a JSM agent, freeing licenses, even though (s)he is actively using other Jira projects.

  • USER CLEANUP Additional user cleanup functionality:

  • In User Cleanup analysis show each user’s license status and group membership/active status.

  • Offer for each user found to remove/add to group or deactivate/activate.

  • Possibilities to filter/search User Cleanup analysis list.

  • SAML OIDC Offer to avoid auto/instant redirect for specified user agents. May be useful if some user agents should always log in as another user.

Improvements

  • KERBEROS New design for the User Agent Kerberos restrict list

  • OIDC Allow the incoming email attribute from Azure B2C, which comes as an array with one element, to be used as the username attribute

Bug fixes

  • BAMBOO Fix Identity Provider list icons blinking

Kantega SSO Enterprise 6.20.x release notes

Changes in 6.20.3

16:00 CET

Release summary: SAML/OIDC improvements anonymous browsing and automatic login

Improvements

  • SAML OIDC Rename “Authenticated Anonymous Browsing” to “SSO-Protected Anonymous Browsing” for clarity. Introduce option in “Known domains login restriction” to have SSO-Protected Anonymous Browsing as a fallback instead of authentication error

  • SAML OIDC Improve and clarify automatic login triggering when the username / password link is shown on the login page

  • SAML OIDC Improve UI navigation bar structure so it’s easier to reach common identity provider settings like SAML key management and IDP Icons

  • SAML OIDC JIRA ONLY Add a switch for Jira to decide whether the user should have the login page as destination URL after logging in.

  • COPY USER DIRECTORY Fix SSL issue in Common > Copy User Directory for newer versions of Atlassian host products with changed classpath

Changes in 6.20.2

15:55 CET

Release summary: Bug fix

Bug fixes

  • DARK FEATURES Introduce capability to remove update errors in /plugins/servlet/no.kantega.kerberosauth.kerberosauth-plugin/dark-features

Changes in 6.20.1

13:00 CET

Release summary: Reintroduce implicit IPv6 support

Improvements

  • IP RESTRICTIONS Reintroduce partial IPv6 support to avoid unnecessary errors. IPv6 is now computed at the same level as domain-name lookups. It is not recommended to use these formats unless necessary, as they can lead to performance issues.

Changes in 6.20.0

15:45 CET

Release summary: Improve IP restrictions and security patch XSS in SAML POST binding

Improvements

  • IP RESTRICTIONS Improve performance of IP permissions saved in Kerberos IP addresses, API Tokens IP permissions, Username from header and Basic Auth IP permissions, by reducing unnecessary DNS lookups. DNS lookups are now only done when adding a domain name. Removed implicit support for IPv6. Domain names are still only supported implicitly, and may potentially lead to performance issues.

Kantega SSO Enterprise 6.19.x release notes

Changes in 6.19.0

16:00 CEST

Release summary: Updated login buttons and added support for logos and custom images for IdPs.

Features

  • SAMLOIDC Changed identity provider URLs to be buttons instead of links. Added support for showing icons to the login buttons.

Improvements

  • SCIM Add external ID to group GET-calls.

  • Dependency updates of maven and npm packages

Kantega SSO Enterprise 6.18.x release notes

Changes in 6.18.5

15:30 CEST

Release summary: Fixed a bug causing Kerberos to look for the wrong keytab file

Bug fixes

  • KERBEROS Fixed a bug causing Kerberos to look for the wrong keytab file.

Changes in 6.18.4

10:30 CEST

Due to a bug with Kerberos in 6.18.4 this version is no longer available.

Release summary: Fixed a null pointer exception while updating API connector for Entra ID.

Bug fixes

  • ENTRA ID API CONNECTOR Fixed a null pointer exception while updating API connector for Microsoft Entra ID (formerly Azure AD)

Changes in 6.18.3

09:15 CEST

Release summary: Bug fix: upgrade issue with groups and directory redirect

Bug fixes

  • SAML OIDC After adding the “not in” directory redirect mode in addition to “in directory” redirect, upgrading the plugin flipped the value of the “not in” groups redirect mode.

  • SAML OIDC JIRA Issues with saving JSM redirect rules after adding the “not in” directory redirect mode in addition to “in directory” redirect

Changes in 6.18.2

15:45 CEST

Release summary: Bug fix: user directory redirect mode had wrong default value

Bug fixes

  • SAML OIDC After adding the “not in” directory redirect mode in addition to “in directory” redirect, the redirect behavior was flipped to “not in” as a wrong default value after upgrade

Changes in 6.18.1

08:30 CEST

Release summary: Fixed a bug where missing license flag was incorrectly shown.

Bug fixes

  • SAML OIDC The missing license flag was sometimes shown despite the application having a valid license.

Changes in 6.18.0

13:00 CEST

Release summary: Improved SAML/OIDC redirect for multi-IdP setups.

Features

  • SAML OIDC Added a toggle for ordering identity providers. This feature allows you to configure conditional redirects while ensuring that users are automatically redirected to the correct Identity Provider.

Improvements

  • SAML OIDC Redirecting users based on directory now supports redirecting users not in the selected directories.

Kantega SSO Enterprise 6.17.x release notes

Changes in 6.17.0

13:00 CEST

Under-the-hood architecture changes

Improvements

  • Changed the underlying structure and architecture of the servlet filters to improve error handling and logging, and to lay the foundation for future product improvements. This rewrite is not supposed to incur any functional changes to the product

Kantega SSO Enterprise 6.16.x release notes

Changes in 6.16.1

11:00 CEST

Performance improvements for SCIM cloud user sync

Features

  • SCIM Added a user attributes cache for performance improvement for sync of users and groups

Changes in 6.16.0

12:00 CEST

Configure JIT managed groups with REST API
Documentation available here:
https://kantega-sso.atlassian.net/l/cp/C013AJtk

Features

  • SAML OIDC Added REST API configuration of Managed groups (for Just-in-time provisioning). See details in API documentation, or review the API using REST API browser.

Kantega SSO Enterprise 6.15.x release notes

Changes in 6.15.5

17:00 CEST

Bug fix: update to 6.15.x from 6.3.0 broke basic auth IP restrictions

Bug fixes

  • BASIC AUTH Updating to 6.15.x and above introduces breaking changes for Basic Auth, since group and directory restrictions were added. Due to an error in the update range, updates from 6.3.0 did not trigger the update procedure, while updates from all other versions in the range [6.3.1, 6.15) did.

Changes in 6.15.4

14:00 CEST

Bug fix: logged out users redirected back to the login page after login

Bug fixes

  • INSTANT REDIRECT Fixed broken support for context path: systems like https://company-jira.com/contextpath/login.jsp were redirected to a 404 page after logging out and logging in again on instant redirect for SAML / OIDC

  • INSTANT REDIRECT While fixing deep linking for instant redirect, the user was taken to the login form after being logged in instead of being redirected to the login page. With this fix, deep linking is preserved: the login respects the os_destination parameter if present, and otherwise users are redirected to the root page (dashboard) for SAML/OIDC

Changes in 6.15.3

09:15 CEST

REMOVED Skipped due to issue with release publishing

Changes in 6.15.2

09:15 CEST

Fix another issue with broken deep linking on redirect

Bug fixes

  • Another change in the same release had a similar, though less intrusive, effect that broke deep linking in some cases.

Changes in 6.15.1

13:00 CEST

Bug fix redirect to root page after login

Bug fixes

  • A change to the redirect engine that redirected already logged-in users to the root page broke deep linking and led to possible redirect loops when a proxy rule interferes with the same URI

Changes in 6.15.0

14:30 CEST

SSO on logout and group / directory rules to Prevent Basic Auth

Features

  • SAML OIDC Added support for triggering a single sign-on redirect upon logout in redirect rules. Note that in automatic redirect modes this renders users unable to properly log out of the application unless Single Logout (SLO) is configured: after the local logout they are sent straight back to the IdP, which still holds a session and signs them in again.

  • HTTP BASIC AUTHENTICATION Changed the switch from “enabling / disabling” basic auth to Prevent Basic Auth, which matches the similar feature Prevent Traditional Login. This change will trigger an update of configuration. If you have already configured IP restrictions for Basic Auth, these will persist

Kantega SSO Enterprise 6.14.x release notes

Changes in 6.14.1

16:15 CEST

Bug fixes OIDC/SAML redirect, API Tokens, username from header, SCIM

Improvements

  • MSTEAMS The MS Teams client now uses the matching OIDC client’s user lookup and transformation rules.

  • CONFLUENCE Removed the warnings about last login count in the logs when logging in to Confluence, which were caused by an incorrect reference.

Bug fixes

  • API TOKENS USERNAME FROM HEADER MSTEAMS Fixed a bug where settings for Kerberos user lookup also affected API token authentication, username from header authentication and MS Teams authentication

  • SAML OIDC A change to instant redirect introduced in version 6.12.0 didn’t account for context path in the URL

  • SCIM Fixed a bug introduced in 6.14.0 that caused PATCH calls that added groups to groups (nested groups) to fail with a 500 error

Changes in 6.14.0

14:00 CEST

This version is deprecated because of discovered bugs in SCIM implementation, please upgrade to later version or revert to previous working version.

Caching of user attributes in SCIM and OIDC/SAML bug fixes

Features

  • SCIM Added a cache of user attributes to reduce DB traffic and improve performance for SCIM synchronizations.

Bug fixes

  • OIDC BITBUCKET OIDC for Bitbucket was broken due to a bug introduced in version 6.12, which led to a serialization issue with a cache.

  • SAML OIDC Custom user attributes handled whitespace and empty strings in the user attribute name for user lookup badly

Kantega SSO Enterprise 6.13.x release notes

Changes in 6.13.0

16:00 CEST

Azure AD B2C wizard and just-in-time user provisioning bug fix and improvements

Features

Improvements

  • OIDC SAML Better error handling when “Update user attributes on login” is selected for a delegated LDAP directory that is not writable, since a read-only directory breaks just-in-time user provisioning.

Bug fixes

  • OIDC SAML Just-in-time user provisioning did not reactivate an inactive user when only the “reactivate inactive users” box was checked

Kantega SSO Enterprise 6.12.x release notes

Changes in 6.12.0

13:00 CEST

OIDC signed jwt userinfo, API token security and CORS allowlist URLs

Features

  • GLOBAL SETTINGS Allow AJAX calls from allowlisted URLs

  • OIDC Added support for signed JWT responses from the UserInfo endpoint. Only RSA-based algorithms (RS256, RS384, RS512) are supported.
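What a relying party has to check before using such a signed UserInfo response, as an added example in Python (this is not Kantega SSO code and not its verification routine): the algorithm is taken from a configured allowlist of RS256/RS384/RS512 rather than from the token header, the PKCS#1 v1.5 signature is verified over the exact bytes received, and the sub claim must equal the sub from the ID token, as OpenID Connect Core section 5.3.2 requires. Everything is standard library; the RSA key is built from two Mersenne primes so the example runs offline and is demo-only; sign_userinfo, forge_with_public_key, verify_userinfo and the claim values are invented for the example. The forged case shows the classic alg-confusion attack (an HMAC token keyed with the public modulus) that the allowlist defeats.

```python
import base64
import hashlib
import hmac
import json

# EMSA-PKCS1-v1_5 DigestInfo prefixes (RFC 8017 section 9.2, note 1) for the three
# algorithms the notes name. The allowlist comes from configuration, never from the token.
ALLOWED_ALGS = {
    "RS256": (hashlib.sha256, bytes.fromhex("3031300d060960864801650304020105000420")),
    "RS384": (hashlib.sha384, bytes.fromhex("3041300d060960864801650304020205000430")),
    "RS512": (hashlib.sha512, bytes.fromhex("3051300d060960864801650304020305000440")),
}
# Demo key from two well-known Mersenne primes (2^521-1, 2^607-1): trivially factorable,
# present only so the example runs offline without a crypto library. Never reuse it.
_P, _Q = (1 << 521) - 1, (1 << 607) - 1
DEMO_KEY = {"n": _P * _Q, "e": 65537, "d": pow(65537, -1, (_P - 1) * (_Q - 1))}
DEMO_PUB = {"n": DEMO_KEY["n"], "e": DEMO_KEY["e"]}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _emsa_pkcs1_v15(alg: str, message: bytes, em_len: int) -> bytes:
    hash_fn, prefix = ALLOWED_ALGS[alg]
    t = prefix + hash_fn(message).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def rsa_sign(key: dict, alg: str, message: bytes) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15(alg, message, k), "big")
    return pow(em, key["d"], key["n"]).to_bytes(k, "big")


def rsa_verify(pub: dict, alg: str, message: bytes, sig: bytes) -> bool:
    k = (pub["n"].bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= pub["n"]:
        return False
    em = pow(s, pub["e"], pub["n"]).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(alg, message, k))


def _jws_body(header: dict, claims: dict) -> str:
    parts = (json.dumps(obj, separators=(",", ":")).encode() for obj in (header, claims))
    return ".".join(b64url_encode(p) for p in parts)


def sign_userinfo(key: dict, alg: str, claims: dict) -> str:
    """What the IdP does: RS* signature over header.payload."""
    body = _jws_body({"alg": alg, "typ": "JWT"}, claims)
    return body + "." + b64url_encode(rsa_sign(key, alg, body.encode()))


def forge_with_public_key(pub: dict, claims: dict) -> str:
    """Alg-confusion forgery: HS256 keyed with the public modulus, which a verifier
    that lets the token pick the algorithm would accept."""
    body = _jws_body({"alg": "HS256", "typ": "JWT"}, claims)
    secret = pub["n"].to_bytes((pub["n"].bit_length() + 7) // 8, "big")
    return body + "." + b64url_encode(hmac.new(secret, body.encode(), hashlib.sha256).digest())


def verify_userinfo(token: str, pub: dict, expected_sub: str) -> dict:
    """Checks an RP makes before trusting a signed UserInfo response."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    alg = json.loads(b64url_decode(parts[0])).get("alg")
    if alg not in ALLOWED_ALGS:            # 1. configured allowlist decides the algorithm
        raise ValueError(f"alg {alg!r} not allowed")
    if not rsa_verify(pub, alg, (parts[0] + "." + parts[1]).encode(), b64url_decode(parts[2])):
        raise ValueError("bad signature")  # 2. signature over exactly the bytes received
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("sub") != expected_sub:  # 3. OIDC Core 5.3.2: sub must equal the ID Token's
        raise ValueError("sub mismatch")
    return claims


def demo() -> dict:
    """Constructed scenario: one honest token and three that must be rejected."""
    honest = sign_userinfo(DEMO_KEY, "RS256", {"sub": "u-42", "email": "ada@example.test"})
    header, _, sig = honest.split(".")
    tampered = header + "." + b64url_encode(b'{"sub":"u-42","email":"root@example.test"}') + "." + sig
    cases = {"honest": honest, "tampered": tampered,
             "forged": forge_with_public_key(DEMO_PUB, {"sub": "u-42", "email": "mallory@example.test"}),
             "substituted": sign_userinfo(DEMO_KEY, "RS256", {"sub": "u-99", "email": "other@example.test"})}
    out = {}
    for name, token in cases.items():
        try:
            out[name] = "ok:" + verify_userinfo(token, DEMO_PUB, "u-42")["email"]
        except ValueError as exc:
            out[name] = str(exc)
    return out
```

The order of the three checks is the point: the allowlist is consulted before any key material is used, so neither `alg: none` nor an HMAC algorithm can ever reach the verification step, and the `sub` comparison is done after the signature check so that a signed but substituted response (a token for a different user, obtained by swapping the access token) is still refused.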

Improvements

  • API TOKENS Previously API Tokens opened a brute-force attack vector, since a successful API token authentication reset the CAPTCHA lock for passwords. Security improvement: API Tokens are now completely independent of the CAPTCHA lock. Before, the lock was reset so that API tokens kept working even when the user had a CAPTCHA pending. The CAPTCHA lock / failed login attempts count is now maintained even when a successful API Token login happens.

  • KERBEROS Fix issue that didn’t trigger fallback instant redirect federated login when the user has been exempted from logging in using their valid Kerberos ticket

  • Dependency updates of maven and npm packages
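To make the API TOKENS attack vector above concrete, an added example (illustrative Python, not the plugin's code) contrasting the two behaviours: in api_token_login_vulnerable a valid token resets the failed-attempt counter, so a password guesser who shares the account with any token-using automation never reaches the CAPTCHA lock; in api_token_login_fixed the token path never touches the counter. The threshold, the Account record, the plaintext comparisons and the guess list are constructed for the example.

```python
import hmac
from dataclasses import dataclass

CAPTCHA_THRESHOLD = 3  # failed password attempts before a CAPTCHA is demanded (assumed value)


@dataclass
class Account:
    username: str
    password: str   # plaintext only because this is a demo; a real store holds a hash
    api_token: str
    failed_logins: int = 0

    @property
    def captcha_required(self) -> bool:
        return self.failed_logins >= CAPTCHA_THRESHOLD


def password_login(acct: Account, password: str, captcha_solved: bool = False) -> bool:
    """Form login: once the lock is on, no password is checked until a CAPTCHA is solved."""
    if acct.captcha_required and not captcha_solved:
        return False
    if hmac.compare_digest(password.encode(), acct.password.encode()):
        acct.failed_logins = 0
        return True
    acct.failed_logins += 1
    return False


def api_token_login_vulnerable(acct: Account, token: str) -> bool:
    """Pre-6.12 behaviour as the notes describe it: a valid token clears the lock."""
    if hmac.compare_digest(token.encode(), acct.api_token.encode()):
        acct.failed_logins = 0
        return True
    return False


def api_token_login_fixed(acct: Account, token: str) -> bool:
    """6.12 behaviour: the token path is independent of the lock and never touches the counter."""
    return hmac.compare_digest(token.encode(), acct.api_token.encode())


WRONG_GUESSES = [f"password{i}" for i in range(10)]  # constructed attacker wordlist


def simulate_brute_force(token_login, guesses=WRONG_GUESSES) -> dict:
    """An attacker guesses passwords while the account's own automation keeps
    authenticating with the API token in between (constructed scenario).
    Returns how many guesses reached the password check and the lock state after."""
    acct = Account("alice", "correct horse", "tok-1234")
    checked = 0
    for guess in guesses:
        if not acct.captcha_required:
            checked += 1
        password_login(acct, guess)
        token_login(acct, "tok-1234")  # legitimate CI job using the real token
    return {"checked": checked, "locked": acct.captcha_required, "failed": acct.failed_logins}


def lock_then_recover() -> tuple:
    """With the fixed behaviour the lock holds until a CAPTCHA is solved, while
    token access keeps working throughout."""
    acct = Account("bob", "s3cret", "tok-9")
    for guess in WRONG_GUESSES:
        password_login(acct, guess)
    return (password_login(acct, "s3cret"),                       # denied: locked
            api_token_login_fixed(acct, "tok-9"),                 # still works
            password_login(acct, "s3cret", captcha_solved=True))  # accepted, counter reset
```

With the vulnerable variant every one of the ten guesses is evaluated and the counter ends at zero; with the fixed variant only the first three are, after which the lock stays on regardless of how much legitimate token traffic passes, and token authentication itself is unaffected by the lock.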

Kantega SSO Enterprise 6.11.x release notes

Changes in 6.11.0

15:30 CEST

Added Only lookup based on transformation to Username transformations

Features

  • KERBEROS Added “Only lookup based on transformation” to Kerberos -> Username transformations

Improvements

  • KERBEROS Improved UI in Kerberos -> Username transformations

Kantega SSO Enterprise 6.10.x release notes

Changes in 6.10.2

15:30 CEST

Added “Only lookup based on transformation” to Username transformations

Dependency updates

Changes in 6.10.1

12:00 CEST

Fixed fallback attribute order in some scenarios introduced in 6.7.0

Dependency updates

Changes in 6.10.0

09:00 CEST

User avatar sync for Jira and fix SCIM user attributes

Features

  • Synchronize user avatar (profile picture) in Cloud user sync from Azure AD in Kantega SSO Enterprise for Jira only

Improvements

  • Handle missing SCIM sync attributes for manually added local users in SCIM user directory and in SCIM groups

Kantega SSO Enterprise 6.9.x release notes

Changes in 6.9.5

Add id_token_hint and client_id to OIDC RP-initated Single logout flow

Improvements

OIDC Identity providers have started to require the RECOMMENDED parameter id_token_hint in the RP-initiated Single Logout flow. Our single logout calls now include the parameters id_token_hint and client_id when redirecting to the logout endpoint at the Identity Provider. Sending id_token_hint means the ID token received at login is retained for the lifetime of the session, which is what the OpenID Connect RP-Initiated Logout specification expects of the relying party.

Changes in 6.9.4

Fix Kerberos from clients requiring mutual authentication. Smaller fixes.

Improvements

LDAP Introduced an optional switch to disable LDAP/AD query escaping for backwards compatibility. The feature switch is found in /plugins/servlet/no.kantega.kerberosauth.kerberosauth-plugin/dark-features. Leave escaping enabled unless you depend on the old behaviour: with it off, special characters in a username are interpreted as filter syntax.
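Why the escaping switch matters, as an added example (Python, not the plugin's own LDAP code): with escaping on, the characters RFC 4515 reserves inside a filter value become backslash-hex escapes; with it off, a crafted username rewrites the filter and the lookup matches every user. build_user_filter and its sAMAccountName template are an assumption about how a lookup filter is built, and count_assertions is a small check that the user-supplied value did not grow the filter.

```python
# RFC 4515 section 3: characters that must be escaped inside a filter assertion
# value, as backslash plus two hex digits. DN escaping (RFC 4514) is a separate rule set.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one attribute value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str, escaping_enabled: bool = True) -> str:
    """Lookup filter as an SSO plugin might build it (assumed template).
    escaping_enabled=False models the backwards-compatibility switch."""
    value = escape_filter_value(username) if escaping_enabled else username
    return f"(&(objectClass=user)(sAMAccountName={value}))"


def count_assertions(ldap_filter: str) -> int:
    """Count unescaped '(' in a filter. The template above always yields exactly
    three; more means the user-supplied value has grown the filter."""
    count, i = 0, 0
    while i < len(ldap_filter):
        if ldap_filter[i] == "\\":
            i += 3        # skip the \XX escape sequence
            continue
        if ldap_filter[i] == "(":
            count += 1
        i += 1
    return count


# Constructed inputs: a normal username and a filter-injection payload.
NORMAL_USERNAME = "j.doe"
INJECTED_USERNAME = "*)(objectClass=*"
```

With escaping off, INJECTED_USERNAME turns the filter into `(&(objectClass=user)(sAMAccountName=*)(objectClass=*))`, which is syntactically valid and matches every user object, so whichever entry the directory returns first becomes the login identity. If the switch has to be off because existing configurations rely on wildcards, restrict the characters the username can contain elsewhere.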

KERBEROS Introduced support for clients that require mutual authentication, such as Python and other Kerberos clients.
KERBEROS Added the “Allow using Kerberos for REST calls containing the 'referer' header” option.

Confluence users can experience that when “Allow using Kerberos for REST calls containing the 'referer' header” option is off, confluence-search-ui-plugin will navigate the browser to login.action if the session expires and a call to /rest/api/search returns 401 or 403.
If the option has to be off, a mitigation might be to increase the session expiry timeout:
https://confluence.atlassian.com/confkb/how-to-adjust-the-session-timeout-for-confluence-126910597.html

Bug fixes

KERBEROS Fixed a bug introduced in v. 6.6.2 that caused Python clients not to be able to use Kerberos if mutual authentication was required or optional.

BITBUCKET Avoid IllegalArgumentException errors in log in certain situations during log

Changes in 6.9.3

Same as 6.9.2, re-release for Atlassian Marketplace due to broken upload

Changes in 6.9.2

18:30 CEST

Fixed max valid for parameter validation when API tokens created by users

Bug fixes

  • Fixed 'max valid for' parameter validation when API tokens created by non System Administrator users

  • Api tokens page will no longer create tokens on page refresh after a token has been created

  • Increased http client connection and read timeout for OIDC requests

Features

  • MFA tab Request for Comments (RFC), please send us feedback on what you would like to see in Multi-factor authentication tab, supported standards, supported apps

Changes in 6.9.1

12:30 CEST

Dependency updates. SCIM additional characters. More git URL configure options

Security patches

Dependency updates

Features

SCIM Support for additional characters / and + in group names

BITBUCKET GIT Allow sysadmin to configure Kerberos git URL format with username@ or :@ to be compatible with different git clients.

Changes in 6.9.0

15:30 CEST
Confluence SSO sign-ins logged in audit log at FULL level. User Cleanup performance revamp.

Features

  • User cleanup performance revamp: the cleanup now runs in a background process, also for test runs, with much faster performance.

  • User cleanup group selector will now support very large numbers of groups, above 500 groups will require the user to start typing to see top 500 search results. It’s possible to search for multiple words separated by space.

  • User cleanup will now use start of the day timestamp as base for comparing with last login date/user creation date.

  • User cleanup remove from group action will now search groups in read only directories and respect the directory exclusions. The users in read only directories are not modified but their group membership might be modified.

  • Confluence SSO sign-ins logged in audit log at FULL level. Event emitted on successful login.

Kantega SSO Enterprise 6.8.x release notes

Changes in 6.8.0

17:30 CET
Fallback SAML/OIDC username attributes, improvements and bug fixes

Features

  • Introducing option to use SamAccountName as username with fallback to UserPrincipalName if SamAccountName doesn't exist for Azure AD cloud provisioning

  • Whitelisted domains for JSM (Jira Service Management) will no longer be listed during login if there are more than 10 domains

Bugfixes

  • Catch the exception that could be thrown when an attempt to create a group failed in a read-only directory

Kantega SSO Enterprise 6.7.x release notes

Changes in 6.7.1

11:30 CET
Fallback SAML/OIDC username attributes, improvements and bug fixes

Features

  • SAML OIDC You may now configure up to three user lookup attributes. This way, some users can be looked up with the email claim present in the federated response, while for other users you may configure another attribute, for instance upn, and they will be looked up by upn when the email claim was not present.
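How an ordered fallback over lookup attributes can be implemented, as an added example (illustrative Python, not Kantega SSO's implementation): each configured (claim, directory field) pair is tried in turn, blank configuration slots are skipped rather than matched against everything, disabled accounts are ignored, and more than one active match is refused instead of picking the first hit. The DirectoryUser records, the claim names and the decision to fall through when a present claim matches nothing are this example's assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class DirectoryUser:
    """Minimal stand-in for a directory entry (assumed shape)."""
    username: str
    email: str
    upn: str
    active: bool = True


class AmbiguousUserError(Exception):
    """More than one active account matched: refuse rather than pick one."""


def _normalize(value) -> Optional[str]:
    """Trim and case-fold; blank strings become None so they can never match."""
    if not isinstance(value, str):
        return None
    return value.strip().lower() or None


def find_user(claims: dict, lookup_attrs: Sequence[Tuple[str, str]],
              directory: List[DirectoryUser]) -> Optional[DirectoryUser]:
    """Try each configured (claim name, directory field) pair in order.

    Blank configuration slots are skipped, an absent claim falls through to the
    next attribute, disabled accounts are ignored, and several active matches
    raise instead of returning the first. Falling through when a present claim
    matches nothing is this example's choice, not necessarily the product's.
    """
    for claim_name, field_name in lookup_attrs:
        claim_name = (claim_name or "").strip()
        if not claim_name:
            continue
        wanted = _normalize(claims.get(claim_name))
        if wanted is None:
            continue
        matches = [u for u in directory
                   if u.active and _normalize(getattr(u, field_name)) == wanted]
        if len(matches) > 1:
            raise AmbiguousUserError(f"{len(matches)} active accounts match {claim_name}={wanted}")
        if matches:
            return matches[0]
    return None


# Constructed directory: alice is ordinary, bob has no mail attribute, carol's old
# account is disabled but kept, and dave has two active accounts with one address.
DIRECTORY = [
    DirectoryUser("alice", "alice@example.test", "alice@corp.example"),
    DirectoryUser("bob", "", "bob@corp.example"),
    DirectoryUser("carol.old", "carol@example.test", "carol.old@corp.example", active=False),
    DirectoryUser("carol", "carol@example.test", "carol@corp.example"),
    DirectoryUser("dave", "dave@example.test", "dave@corp.example"),
    DirectoryUser("dave2", "dave@example.test", "dave2@corp.example"),
]

# email first,, then UPN; the blank entry models an unfilled third slot in the UI
LOOKUP_ATTRS = [("email", "email"), ("upn", "upn"), ("   ", "username")]


def lookup(claims: dict) -> Optional[str]:
    """Username for a federated response, None if unknown, '<ambiguous>' if refused."""
    try:
        user = find_user(claims, LOOKUP_ATTRS, DIRECTORY)
    except AmbiguousUserError:
        return "<ambiguous>"
    return user.username if user else None
```

Refusing the ambiguous case is the security-relevant decision: an email address shared by two active accounts must fail the login rather than silently bind the session to whichever account the directory returned first. The disabled-account filter is what lets carol's renewed account win without deleting the old one.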

Improvements

  • UPDATE OF CONFIG Now you will get a proper error message if config update fails due to missing write permissions to the home directory for the Jira / Confluence etc. process in the system.

  • SAML OIDC Authenticated anonymous browsing didn’t persist target URI / SAML relaystate, and lost deep links to items like Jira issues or Confluence pages. Instead the anonymous user was only redirected to the root page. Now deeplinks are kept also for authenticated anonymous users.

Bug fixes

  • USER CLEANUP Scheduled run of User Cleanup didn’t trigger due to a state error which resolved the job as run before it had run.

  • SAML OIDC Fix bug in the new username attributes feature from version 6.7.0

  • SAML OIDC Auto create groups in group memberships on Just-in-time provisioning created groups even when only run in test login.

  • KERBEROS User transformations gave an error message for regular expressions even when nothing was wrong.

Changes in 6.7.0

17:00 CET

Fallback SAML/OIDC username attributes and user cleanup fixes

The features in 6.7.0 were withdrawn from marketplace due to a bug in the new feature, and made accessible again in 6.7.1.

Kantega SSO Enterprise 6.6.x release notes

Changes in 6.6.3

11:30 CET

Bug fixes, redirect rules improvement, security patch

Improvements

  • SAML OIDC Improvement to redirect rules: you can now choose to redirect the users that DO NOT have a certain group membership, as opposed to only redirect users with the group membership

  • SAML OIDC Fix a wider clickable area for the selects in Just-in-time provisioning

  • SAML Added a switch to show or hide the SAML certificate expired warning flag

  • SAML OIDC AUDIT log the identity provider’s name and ID for the logged in user in a successful login event

Bug fixes

  • SAML OIDC The redirect mode was missing from the Identity Provider overview page

  • USER CLEANUP The last logged in attribute on users came as null for certain confluence users on the users API, leading to a match on users that were in fact not inactive.

Security

  • KERBEROS Tag RC4-HMAC encryption as deprecated in Kerberos setup wizard

  • Patch CVE-2022-25927 in a transitive npm dependency (a JSON library). We are still awaiting a released patch for CVE-2022-25927 in the maven package org.json/json, but since we do not use the affected component this is not critical.

Changes in 6.6.2

12:00 CET

Bug fixes, cache improvements and dependency updates

Improvements

  • SAML OIDC Disable browser history on the client secret input field in the setup wizard, so that the browser does not save the values and auto-suggest them later.

  • PREVENT TRADITIONAL LOGIN Improve caching in lookup of resources used in every-request filters when Exception groups for Prevent Traditional Login is configured

  • GOOGLE API CONNECTOR Update in-app setup guide for Google Workspace API Connector (Cloud user sync)

Bug fixes

  • GOOGLE API CONNECTOR Fix improper pagination support in the group membership sync API, which meant that only the group members on the last “page” were persisted. This likely affected all groups with more than 200 members.

  • SAML The certificate expired warning leads to a broken URL.

Security

  • Added a Software Bill of Materials for frontend resources. It is packaged with the jar bundle under SBOM and lists the JavaScript packages bundled with the app. The maven SBOM can be found in the release notes text of the given release in the Marketplace listing.

  • Patch dependencies. Update maven-dependency-check plugin to 8.0.1.

Changes in 6.6.1

17:30 CET

Bug fixes

  • Bug fix for User Cleanup config ui

Changes in 6.6.0

10:30 CET

Just-in-time provisioning into AD, improved user lookup performance, and other improvements

Features

  • SAML OIDC Just-in-time provisioning can create users in Active Directory

  • JIRA Publish BeforeUserAuthenticate event to help Atlassian cache handle logins over multiple servers https://community.developer.atlassian.com/t/publishing-beforeuserauthenticate-event/63352

  • PREVENT TRADITIONAL LOGIN Notify the admin user if username/password was used to log into the K-SSO admin and they are about to lock themselves out with this user

  • KERBEROS Improved user lookup to reduce the number of username searches during login

Improvements

  • SAML Support for storing the SAML key under a filename other than the SHA-256 thumbprint. Created a guide on how to use CA-signed SAML request keys: https://kantega-sso.atlassian.net/l/cp/0K81JBjR

  • SAML OIDC Allow username to be sent as login_hint to IdPs when redirect mode is set to Fallback

  • Remove cancel link during instant redirect. As before you may add ?noredirect in URL to stop instant redirect.

Bug fixes

  • SAML OIDC KERBEROS Fix behaviour on Force login when using instant redirect to the IdP in combination with Kerberos login

Kantega SSO Enterprise 6.5.x release notes

Changes in 6.5.0

11:00 CET

User cleanup and security patches

Features

  • USER CLEANUP User cleanup feature revamped after a round of beta testing, group selectors will now support larger amounts of groups and search

Security patches

  • Updated dependencies for internal libraries

Kantega SSO Enterprise 6.4.x release notes

Changes in 6.4.1

15:20 CET

Changed behavior for visits to login.jsp for automatic redirect

Improvements

  • SAML/OIDC KERBEROS Changed behavior for direct visits to the login.jsp page in Jira regarding automatic redirect to the identity provider

  • Improved UX on Force login page (changed name from Forced SSO)

Changes in 6.4.0

19:00 CET

Nested groups Azure user sync, improvements and security patch

Features

  • AZURE API CONNECTOR We have added nested groups to the Cloud user sync for the Azure AD API Connector. This means that when a group is member of another group, the members of a “child group” will also get memberships to the “parent” group.

Improvements

  • SAML/OIDC KERBEROS Reset captcha counter on SSO login.

  • API TOKENS Improved UX on API token main settings page

  • KERBEROS Improved UX on Kerberos for JSM page

Security patches

  • Update Apache Commons Net to 3.9.0 to patch CVE-2021-37533 (information exposure)

Kantega SSO Enterprise 6.3.x release notes

Changes in 6.3.0

13:00 CET

New features in IP restriction basic auth, cloud user sync, traditional login

Features

  • TRADITIONAL LOGIN ‘Disable Traditional Login’ has been renamed to Prevent Traditional Login, and the UI has been improved with more precise texts. The ‘Disable Basic Auth’ feature has been separated into its own page and is no longer dependent on Traditional Login. You can now also prevent traditional login for JSM users (non-licensed customers) and Jira users (Jira Software or JSM agents) separately, with other under-the-hood improvements as well. This is a breaking change, and you will get an “Update Config” prompt.

  • BASIC AUTH Basic Auth settings has been moved to its own page, and you can now configure IP restrictions to control which clients should be able to use Basic Auth.

  • KEYCLOAK API CONNECTOR We are happy to announce that we have added API Connector user sync support for Keycloak, with equivalent capabilities to the user sync capabilities for Azure, Okta and Google.

  • GOOGLE API CONNECTOR We have added nested groups to the Google Workspace (previously Google GSuite) Connector. This means that when a group is member of another group, the members of a “child group” will also get memberships to the “parent” group.

Improvements

  • SAML/OIDC KERBEROS Reset captcha counter on SSO login.

Bug fixes

  • API CONNECTORS The “Set up provider” link from API Connectors (which is present when you have no IDP, but have configured an API connector) gave a proxy error due to method POST on the link to the IDP setup Wizard

  • PROXY RULE The /proxy-rule page gave an incorrect back-link when not visited from a page with IP restriction settings.

Kantega SSO Enterprise 6.2.x release notes

Changes in 6.2.3

21:30 CET

Bug fix: SAML certificate expired warning crashes the config status endpoint

Bug fixes

  • CONFIG UPDATE Calls to the /rest/ksso/internal/config/1.0/status REST endpoint, which is invoked whenever a configuration update is needed, crashed with a FileNotFoundException on instances where SAML is not configured in Kantega SSO Enterprise, since the Kantega SSO SAML warning made an incorrect assumption about a certificate file being present in the file system.

Changes in 6.2.2

14:30 CET

Special release for Jira. Retry bugfix release for Jira server due to Atlassian Marketplace API failure

Bug fixes

See the bug fix description in 6.2.1 below. We had to release another patch since the Atlassian Marketplace API is unstable and failed after successfully releasing the DC version of 6.2.1 for Jira. Unfortunately there is no way to upload the Server version of the same app version after the fact, so we had to rebuild the code with an incremented version in an attempt to also publish the Server version.

Changes in 6.2.1

14:00 CET

Bug fix: SAML certificate expired warning crashes non-saml configs

Bug fixes

  • GLOBAL CONFIG Visiting any admin page crashed with a FileNotFoundException on instances where SAML is not configured in Kantega SSO Enterprise, since the Kantega SSO SAML warning made an incorrect assumption about a certificate file being present in the file system.

Changes in 6.2.0

9:00 CET

JIT user provisioning improvements and new SAML certificate expired warning

Features

  • SAML Kantega SSO Enterprise will now give a visible warning when the SAML request signing certificate is about to expire. This will allow you to renew the certificate well before expiry, and avoid SAML being broken at any point.

Improvements

  • SAML Include the target URL in the HTTP session for Identity Providers that are unable to send the correct target URL back with the relay state

  • SAML/OIDC Just-in-time (JIT) provisioning now allows you to update names and emails separately, while previously both could only be updated at the same time.

Bug fixes

  • SAML/OIDC During JIT provisioning, when reactivating a deactivated user, the name and email were updated even if the settings said that name and email are not supposed to be updated from the claims.

  • SAML/OIDC Test result page had a weakness with default values of email and name attribute

  • The MSTeams security filter unintentionally blocked JSM knowledgebase lookup.

Kantega SSO Enterprise 6.1.x release notes

Changes in 6.1.3

14:00 CET

Improvements

  • BAMBOO Added decryption of LDAP password in Bamboo to fix LDAP connection after encryption was introduced in 9.0.3.

Dependency updates

  • Updated a library with jackson-databind dependency that patches CVE-2022-42003

Changes in 6.1.2

19:30 CET

Fix: Changed log level from error to debug on user not found

Improvements

The log level for “user not found” was error, which led to too much noise in the logs; it is now debug.

Changes in 6.1.1

19:00 CET

Improvements, dependency updates and bug fixes

Improvements

  • SAML Offer ACS URL validator in wizard for OneLogin, as this is a required field in the OneLogin SAML setup

  • SAML Save target URL in HTTP session for IDPs that are unable to give the correct relayState back after redirect. Use proper UTF-8 encoding for sending relay state URLs to IDP.

  • WEBSUDO More logging for websudo and minor improvement to SSO-websudo flow

  • KERBEROS Improve Kerberos test page with more insights when DNS lookup fails

Bug fixes

  • SCIM Backup / restore of SCIM was broken in 6.1.0 due to a deserialization and file-handling issue.

  • COMMON The authentication menu item turned up twice in the Common tab for global settings

Dependency updates

  • Minor npm packages patched with npm audit. Due to incompatibilities with @emotion/utils in different @atlaskit packages, we had to add a temporary override to even build with npm. This will hopefully be unnecessary soon.

  • New minor versions of maven packages

Changes in 6.1.0

11:00 CET

Cleanup inactive users, improvements and bug fixes

Features

  • USER CLEANUP Found in the Common tab. Cleans up inactive users automatically. Combines well with Just-in-time user provisioning to automatically keep active accounts licensed while disabling or de-licensing users that haven’t logged in for a while. You can also configure a schedule that checks at a configurable interval for users that have gone inactive. The user cleanup feature also offers a REST API that can be used if you’d like to automate it with scripts.

Improvements

  • KERBEROS Improve Kerberos test page with a check of inconsistent base URL that indicates incorrect proxy config.

Bug fixes

  • SAML/OIDC IDP setup drafts were not deleted on Windows server due to an unreleased lock that came from an unclosed resource.

  • SAML/OIDC Test result page had a weakness with default values of email and name attribute

Kantega SSO Enterprise 6.0.x release notes

Changes in 6.0.1

13:30

Security update to patch CVE-2022-42889

Security patches

Update Apache Commons Text to 1.10.0 to patch the vulnerability CVE-2022-42889: https://nvd.nist.gov/vuln/detail/CVE-2022-42889

Changes in 6.0.0

15:00 - 11:30

Under-the-hood changes, Teams SSO, JSM signup, name attributes and dependencies

Features

  • GLOBAL CONFIG Microsoft Teams SSO. When an Atlassian product is embedded as an iframe app in Teams, Kantega SSO supports relaying the identity from the Identity Provider.

  • JSM GLOBAL Email domain allowlist for signup of user in Jira Service Management (JSM).

  • SAML/OIDC Map separate firstName / lastName claims to the Name attribute for Just-in-time user provisioning

Improvements

  • Under-the-hood update of the OSGi plugin version. This has led us to change annotations and maven scopes for certain dependencies. This will hopefully offer more stability and lay the foundation for future development.

  • SCIM Allow more special characters in group names during SCIM sync

Bug fixes

Dependency updates

Diff from org.kantega.atlaskerb, highlighting the most relevant changes:

--- a/pom.xml
+++ b/pom.xml
@@ -118,12 +118,12 @@
       <plugin>
         <groupId>com.github.spotbugs</groupId>
         <artifactId>spotbugs-maven-plugin</artifactId>
-        <version>4.5.0.0</version>
+        <version>4.7.2.0</version>
         <dependencies>
           <dependency>
             <groupId>com.github.spotbugs</groupId>
             <artifactId>spotbugs</artifactId>
-            <version>4.5.2</version>
+            <version>4.7.2</version>
           </dependency>
         </dependencies>
         <configuration>
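Review bot: the plugin (4.5.0.0 -> 4.7.2.0) and the explicitly declared spotbugs engine (4.5.2 -> 4.7.2) move in lockstep, which is the right way to bump them since the declared dependency overrides the engine the plugin bundles; what the hunk does not show is the <configuration> block that follows, so confirm that the effort and threshold set there still make the build fail on findings rather than only report them, because a newer engine brings new detectors and the notes say nothing about new warnings having been triaged.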
@@ -151,7 +151,7 @@
       <plugin>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-maven</artifactId>
-        <version>6.5.1</version>
+        <version>7.2.1</version>
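Review bot: 6.5.1 -> 7.2.1 is a major-version jump of dependency-check-maven with no accompanying configuration change in the hunk; major releases of this plugin have changed analyzer and report defaults before, so run the scan once locally and confirm that any suppression file and the CVSS fail threshold still apply before trusting the next green build.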
@@ -797,13 +797,13 @@
     <dependency>
       <groupId>org.assertj</groupId>
       <artifactId>assertj-core</artifactId>
-      <version>3.10.0</version>
+      <version>3.23.1</version>
       <scope>test</scope>
     </dependency>
     <dependency>
       <groupId>junit</groupId>
       <artifactId>junit</artifactId>
-      <version>4.12</version>
+      <version>4.13.2</version>
       <scope>test</scope>
     </dependency>
@@ -839,7 +839,7 @@
     <dependency>
       <groupId>org.json</groupId>
       <artifactId>json</artifactId>
-      <version>20210307</version>
+      <version>20220320</version>
     </dependency>
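Review bot: org.json is declared without a <scope> element, so unlike the two test-scoped bumps above it defaults to compile scope and is bundled into the plugin; if the date-versioned bump 20210307 -> 20220320 is meant to address an advisory, state which one, and consider whether a runtime dependency on org.json is needed at all when jackson is already on the classpath (the fasterxml.jackson.version property is bumped in this same diff).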
@@ -1031,7 +1031,7 @@
     <dependency>
       <groupId>org.bouncycastle</groupId>
       <artifactId>bcprov-jdk15to18</artifactId>
-      <version>1.70</version>
+      <version>1.71</version>
     </dependency>
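Review bot: a Bouncy Castle provider bump touches every SAML signing and encryption path, so this hunk deserves a line in the notes and a run of the SAML test login; the artifact stays on the jdk15to18 line, which is fine for a Java 8 baseline, but 1.71 is the release that introduced the jdk18on artifacts, so a later move to those is a coordinate change and not just a version bump.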
@@ -1114,7 +1114,7 @@
     <dependency>
       <groupId>com.google.guava</groupId>
       <artifactId>guava</artifactId>
-      <version>31.0.1-jre</version>
+      <version>31.1-jre</version>
       <scope>provided</scope>
     </dependency>
     <dependency>
      <groupId>com.atlassian.sal</groupId>
      <artifactId>sal-api</artifactId>
-     <version>3.1.2</version>
+     <version>4.2.0</version>
      <scope>provided</scope>
    </dependency>
     <dependency>
-    <fasterxml.jackson.version>2.13.3</fasterxml.jackson.version>
+    <fasterxml.jackson.version>2.13.4</fasterxml.jackson.version>
-    <activeobjects.version>3.0.0</activeobjects.version>
+    <activeobjects.version>3.2.4</activeobjects.version>
-    <amps.version>8.0.0</amps.version>
+    <amps.version>8.2.3</amps.version>
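Review bot: this last hunk runs unrelated changes together: guava and sal-api (both <scope>provided</scope>, so supplied by the host product) are followed by three <properties> lines (jackson, activeobjects, amps) that appear without their own @@ header and do not belong to the same XML block, so the diff as shown will not apply as-is. Substantively, sal-api 3.1.2 -> 4.2.0 is a major bump of a provided platform API and fixes the minimum host version the plugin will load on; that minimum belongs in the release note. The jackson property only moves 2.13.3 -> 2.13.4, and the databind advisories of that period were fixed across 2.13.4 and the 2.13.4.x micro-releases, so confirm the exact one being targeted; the amps bump 8.0.0 -> 8.2.3 is build tooling only.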