Kantega SSO Enterprise 6.9.x release notes

We are pleased to announce Kantega SSO Enterprise 6.9.

Note that changes introduced in Kantega SSO Enterprise 6.3 will trigger an update of config warning in the Configuration status page upon install. It will convert your settings for Disable Traditional Login and Disable Basic Auth to a new format.


Read the update notes for important information about this release if you’re updating from major versions 5.x or 4.x, and see the full changelog below.


Compatible applications

In general, the latest version of Kantega SSO Enterprise is compatible with the oldest version that has not been ended of life. See Atlassian’s End-of-life (EOL) policy to get an overview of versions and EOL dates.


Changes in 6.9.5

Jun 26, 2023

Add id_token_hint and client_id to OIDC RP-initated Single logout flow


oidc Identity providers have started to require the RECOMMENDED parameter id_token_hint in the RP-initiated Single Logout flow. Our single logout calls now include the parameters id_token_hint and client_id when redirecting to the logout endpoint at the Identity Provider.


Changes in 6.9.4

May 26, 2023

Fix Kerberos from clients requiring mutual authentication. Smaller fixes.


LDAP Introduced optional disabling LDAP/AD query escaping for backwards compatibility. Feature switch found in /plugins/servlet/no.kantega.kerberosauth.kerberosauth-plugin/dark-features

kerberos Introducing support for mutual authentication required in Python and other Kerberos clients.
kerberos Added “Allow using Kerberos for REST calls containing the 'referer' header” option.

Confluence users can experience that when “Allow using Kerberos for REST calls containing the 'referer' header” option is off, confluence-search-ui-plugin will navigate the browser to login.action if the session expires and a call to /rest/api/search returns 401 or 403.
If the option has to be off, a mitigation might be to increase the session expiry timeout:

Bug fixes

kerberos Fixed bug introduced in v. 6.6.2 that caused Python clients not be able to use Kerberos if mutual authentication was required or optional.

BITBUCKET Avoid IllegalArgumentException errors in log in certain situations during log

Changes in 6.9.3

May 18, 2023

Same as 6.9.2, re-release for Atlassian Marketplace due to broken upload

Changes in 6.9.2

May 15, 2023 18:30 CEST

Fixed max valid for parameter validation when API tokens created by users

Bug fixes

  • Fixed 'max valid for' parameter validation when API tokens created by non System Administrator users

  • Api tokens page will no longer create tokens on page refresh after a token has been created

  • Increased http client connection and read timeout for OIDC requests


  • MFA tab Request for Comments (RFC), please send us feedback on what you would like to see in Multi-factor authentication tab, supported standards, supported apps

Changes in 6.9.1

May 12, 2023 12:30 CEST

Dependency updates. SCIM additional characters. More git URL configure options

Security patches

Dependency updates


SCim Support for additional characters / and + in group names

BITBUCKET GIT Allow sysadmin to configure Kerberos git URL format with username@ or :@ to be compatible with different git clients.

Changes in 6.9.0

Apr 18, 2023 15:30 CEST
Confluence SSO sign-ins logged in audit log at FULL level. User Cleanup performance revamp.


  • User cleanup performance revamp, the cleanup will now work in a background process also for test run, much faster performance.

  • User cleanup group selector will now support very large numbers of groups, above 500 groups will require the user to start typing to see top 500 search results. It’s possible to search for multiple words separated by space.

  • User cleanup will now use start of the day timestamp as base for comparing with last login date/user creation date.

  • User cleanup remove from group action will now search groups in read only directories and respect the directory exclusions. The users in read only directories are not modified but their group membership might be modified.

  • Confluence SSO sign-ins logged in audit log at FULL level. Event emitted on successful login.