Kantega SSO Enterprise 6.9.x release notes
We are pleased to announce Kantega SSO Enterprise 6.9.
Note that changes introduced in Kantega SSO Enterprise 6.3 will trigger an update of config warning in the Configuration status page upon install. It will convert your settings for Disable Traditional Login and Disable Basic Auth to a new format.
Read the update notes for important information about this release if you’re updating from major versions 5.x or 4.x, and see the full changelog below.
Compatible applications
In general, the latest version of Kantega SSO Enterprise is compatible with the oldest version that has not been ended of life. See Atlassian’s End-of-life (EOL) policy to get an overview of versions and EOL dates.
Changelog
Changes in 6.9.5
Jun 26, 2023
Add id_token_hint and client_id to OIDC RP-initated Single logout flow
Improvements
oidc Identity providers have started to require the RECOMMENDED parameter id_token_hint
in the RP-initiated Single Logout flow. Our single logout calls now include the parameters id_token_hint
and client_id
when redirecting to the logout endpoint at the Identity Provider.
Changes in 6.9.4
May 26, 2023
Fix Kerberos from clients requiring mutual authentication. Smaller fixes.
Improvements
LDAP Introduced optional disabling LDAP/AD query escaping for backwards compatibility. Feature switch found in /plugins/servlet/no.kantega.kerberosauth.kerberosauth-plugin/dark-features
kerberos Introducing support for mutual authentication required in Python and other Kerberos clients.
kerberos Added “Allow using Kerberos for REST calls containing the 'referer' header” option.
Confluence users can experience that when “Allow using Kerberos for REST calls containing the 'referer' header” option is off, confluence-search-ui-plugin will navigate the browser to login.action if the session expires and a call to /rest/api/search returns 401 or 403.
If the option has to be off, a mitigation might be to increase the session expiry timeout:
https://confluence.atlassian.com/confkb/how-to-adjust-the-session-timeout-for-confluence-126910597.html
Bug fixes
kerberos Fixed bug introduced in v. 6.6.2 that caused Python clients not be able to use Kerberos if mutual authentication was required or optional.
BITBUCKET Avoid IllegalArgumentException
errors in log in certain situations during log
Changes in 6.9.3
May 18, 2023
Same as 6.9.2, re-release for Atlassian Marketplace due to broken upload
Changes in 6.9.2
May 15, 2023 18:30 CEST
Fixed max valid for parameter validation when API tokens created by users
Bug fixes
Fixed 'max valid for' parameter validation when API tokens created by non System Administrator users
Api tokens page will no longer create tokens on page refresh after a token has been created
Increased http client connection and read timeout for OIDC requests
Features
MFA tab Request for Comments (RFC), please send us feedback on what you would like to see in Multi-factor authentication tab, supported standards, supported apps
Changes in 6.9.1
May 12, 2023 12:30 CEST
Dependency updates. SCIM additional characters. More git URL configure options
Security patches
Dependency updates
Features
SCim Support for additional characters /
and +
in group names
BITBUCKET GIT Allow sysadmin to configure Kerberos git URL format with username@
or :@
to be compatible with different git clients.
Changes in 6.9.0
Apr 18, 2023 15:30 CEST
Confluence SSO sign-ins logged in audit log at FULL level. User Cleanup performance revamp.
Features
User cleanup performance revamp, the cleanup will now work in a background process also for test run, much faster performance.
User cleanup group selector will now support very large numbers of groups, above 500 groups will require the user to start typing to see top 500 search results. It’s possible to search for multiple words separated by space.
User cleanup will now use start of the day timestamp as base for comparing with last login date/user creation date.
User cleanup remove from group action will now search groups in read only directories and respect the directory exclusions. The users in read only directories are not modified but their group membership might be modified.
Confluence SSO sign-ins logged in audit log at FULL level. Event emitted on successful login.