Kantega SSO Enterprise 6.12.x release notes

We are pleased to announce Kantega SSO Enterprise 6.12.

Note that changes introduced in Kantega SSO Enterprise 6.3 will trigger an "update of config" warning on the Configuration status page upon install. The update converts your settings for Disable Traditional Login and Disable Basic Auth to a new format.


Read the update notes for important information about this release if you’re updating from major versions 5.x or 4.x, and see the full changelog below.



Compatible applications

In general, the latest version of Kantega SSO Enterprise is compatible with the oldest version that has not reached end of life. See Atlassian’s End-of-life (EOL) policy to get an overview of versions and EOL dates.


Changes in 6.12.0

Jul 20, 2023 13:00 CEST

OIDC signed JWT UserInfo, API token security and CORS allowlist URLs


  • global settings: Allow AJAX calls from allowlisted URLs

  • oidc: Added support for signed JWT responses from the UserInfo endpoint. Only RSA-based algorithms (RS256, RS384, RS512) are supported.


  • api tokens: Security improvement. Previously, API tokens opened a brute-force attack vector, because a successful API token authentication reset the CAPTCHA lock for passwords. (The lock was reset so that API tokens could work even though the user had a CAPTCHA.) API tokens are now completely independent of the CAPTCHA lock: the CAPTCHA lock / failed login attempts count is maintained even when a successful API token login happens.

  • kerberos: Fixed an issue where the fallback instant redirect to federated login was not triggered when the user has been exempted from logging in using their valid Kerberos ticket

  • Dependency updates of Maven and npm packages
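
The API token item above, modelled as a regression check. This is an added example, not Kantega code: the LoginGuard class, the threshold of 3 and the event stream are assumptions made for illustration.

```python
from dataclasses import dataclass, field

CAPTCHA_THRESHOLD = 3  # assumed value; the release notes give no threshold


@dataclass
class LoginGuard:
    """Hypothetical model of a per-user failed-login counter (not Kantega code)."""
    token_resets_lock: bool  # True = behaviour the notes describe before 6.12.0
    failed: dict = field(default_factory=dict)

    def captcha_required(self, user):
        return self.failed.get(user, 0) >= CAPTCHA_THRESHOLD

    def password_login(self, user, ok):
        """Return 'captcha' if the attempt is gated, else 'ok' or 'fail'."""
        if self.captcha_required(user):
            return "captcha"
        if ok:
            self.failed[user] = 0  # a correct password clears the counter
            return "ok"
        self.failed[user] = self.failed.get(user, 0) + 1
        return "fail"

    def token_login(self, user, ok):
        """API token authentication; not gated by CAPTCHA in either model."""
        if ok and self.token_resets_lock:
            self.failed[user] = 0  # the flaw: token success clears password state
        return "ok" if ok else "fail"


def ungated_password_attempts(guard, events):
    """Replay (kind, user, ok) events; count password attempts checked without CAPTCHA."""
    evaluated = 0
    for kind, user, ok in events:
        if kind == "password":
            if guard.password_login(user, ok) != "captcha":
                evaluated += 1
        else:
            guard.token_login(user, ok)
    return evaluated


# Constructed event stream: failed passwords interleaved with valid token logins.
EVENTS = ([("password", "alice", False)] * 2 + [("token", "alice", True)]) * 4

if __name__ == "__main__":
    print("token resets lock:", ungated_password_attempts(LoginGuard(True), EVENTS))
    print("independent counter:", ungated_password_attempts(LoginGuard(False), EVENTS))
```

With the counter kept independent of token logins, the CAPTCHA gate engages after the threshold and stays engaged for the rest of the stream.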