KSSO version 7

Update notes:

The 7.x versions of Kantega SSO Enterprise work with the new Platform 7 versions of the Atlassian products, which were introduced in Confluence 9, Jira 10, Bitbucket 9, and Bamboo 10. These introduce several architectural changes.

Also note that 6.x versions of Kantega SSO Enterprise only work on Atlassian versions lower than those mentioned above.

Change log and release notes for different versions in Kantega SSO Enterprise version 7:

 

Kantega SSO Enterprise 7.42.x release notes

Changes in 7.42.2

Release summary: Security patches and removal of the license expiry warning banner

Security fixes

  • BEANUTILS Upgrade Apache Commons BeanUtils from version 1.9.4 to 1.11.0 to patch CVE-2025-48734 and CVE-2020-15250 from the dependency.

Improvements

  • PLUGIN LICENSE BANNER When the plugin license was close to expiry, we used to show a banner warning administrators to update the SSO license. This warning caused some annoyance, particularly because the “dismiss” button did not behave consistently. To avoid this annoyance, the banner was removed.

Changes in 7.42.1

Release summary: License check in filter crashed host upon expired license

Bug fixes

  • LICENSE CHECK The code used by the license check in the filter crashed because a deprecated type in the UPM licensing API was suddenly removed from OSGi in newer versions of UPM. This only occurs when the license has expired. The error handling for this part of the license check was lacking. Introduced a catch-all fix to avoid the crash; a more robust solution is to come.

Changes in 7.42.0

Release summary: Better performance for API connector calls, fixes for user redirect and lookup

Improvements

  • API CONNECTOR Introduce cache to avoid background sync calls from Atlassian products creating a full sync over API. Now only ordinary syncs will do full sync.

  • SAML/OIDC Support for redirect by group and directory also when the user gives the built-in username while the configuration uses another lookup attribute, e.g. email or userPrincipalName, as username

  • SAML/OIDC Ignore disabled user accounts when user lookup via e-mail is configured, so the one active account is allowed to be used

Bug fixes

  • JIRA Fix websudo login to work when Jira has a contextPath (for example runs on server.com/jira)

  • CONFLUENCE Fix setting userProperties when other lookup attributes like email or userPrincipalName have been used for SAML/OIDC logins.

  • SAML/OIDC Fix so updateUser can be used in combination with another username lookup attribute

Kantega SSO Enterprise 7.41.x release notes

Changes in 7.41.0

Release summary: OIDC secret and Entra ID Connector secret overrides via environment variables

New features

  • OIDC Secrets overrides for OIDC IDP via environment variables, set at startup.

    Secrets can be provided by setting an inline variable before the startup command:
    ORG_KANTEGA_ATLASKERB_IDENTITYPROVIDERS_OIDCSTATIC_CLIENTSECRET=SECRET ./startup.sh
    Setting variables via JVM -D arguments is possible, but it is more prone to leakage since the value will be visible in process monitors like ps or top, so it is not recommended.
    Configuring OIDC Client Secret

  • API CONNECTOR Secrets overrides via environment variables, set at startup.
    Visit Cloud user provisioning->EntraID Connector->Cloud integration for configuration details
    ORG_KANTEGA_ATLASKERB_CONNECTOR_AZURE_AZUREADCONNECTORTYPE_STATIC_CLIENTSECRET=YOUR_SECRET ./startup.sh
    Configuring Entra ID Client Secret
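
The two environment-variable overrides above, as an added example (not Kantega code): a small launcher that reads the secret from a file and hands it to the startup command through the environment only, never through an argument list. The secret file, its path and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Kantega code. Assumption: the secret is kept in a file
# that only the service account can read (the file path is hypothetical).

# True when the file exists and grants nothing to group or others.
secret_file_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# run_with_secret VAR_NAME SECRET_FILE COMMAND [ARGS...]
# Runs COMMAND with VAR_NAME set to the file's content in that process only.
run_with_secret() {
    var_name=$1
    secret_file=$2
    shift 2
    case $var_name in
        ''|*[!A-Z0-9_]*|[0-9]*)
            echo "refusing: '$var_name' is not a valid variable name" >&2
            return 1 ;;
    esac
    if ! secret_file_is_private "$secret_file"; then
        echo "refusing: $secret_file is missing or open to group/others" >&2
        return 2
    fi
    secret=$(cat "$secret_file")
    if [ -z "$secret" ]; then
        echo "refusing: $secret_file is empty" >&2
        return 3
    fi
    # Subshell + export: the value reaches the child through its environment,
    # is never part of any argument list (unlike -D or `env VAR=... cmd`),
    # and does not stay exported in the calling shell.
    (
        export "$var_name=$secret"
        exec "$@"
    )
    status=$?
    unset secret
    return "$status"
}

# Usage (paths are placeholders):
#   run_with_secret ORG_KANTEGA_ATLASKERB_IDENTITYPROVIDERS_OIDCSTATIC_CLIENTSECRET \
#       /path/to/oidc-client-secret ./startup.sh
```

The same function works for ORG_KANTEGA_ATLASKERB_CONNECTOR_AZURE_AZUREADCONNECTORTYPE_STATIC_CLIENTSECRET by passing that name as the first argument.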

Bug fixes

  • JIT PROVISIONING Fixes an error where setting additional parameters could cause an exception when user is not available

Kantega SSO Enterprise 7.40.x release notes

Changes in 7.40.0

Release summary: More powerful and user friendly Basic Auth block. Fix redirect in JSM login

Improvements

  • BASIC AUTH New UI Basic Auth configuration page with more flexibility

Bug fixes

  • JSM Fix redirect when JSM is running with a contextPath

Kantega SSO Enterprise 7.39.x release notes

Changes in 7.39.0

Release summary: Filter API tokens, EntraID connector rate limiting, Kerberos username from file

Features

Improvements

  • SAML/OIDC Minor changes on SSO login pages

Bug fixes

  • JSM Avoid JSM logins sometimes being redirected to the Jira login page (login.jsp)

  • API CONNECTOR Better responsiveness in the GUI during initial sync after setup

  • BAMBOO Support for Bamboo 11, which introduced some changed requirements, in admin pages

  • Remove support for deprecated Refined Mobile app

Kantega SSO Enterprise 7.38.x release notes

Changes in 7.38.6

Release summary: Bug fixes

Bug fixes

  • SAML/OIDC Web sudo SSO broke in newer Bitbucket

  • WEBSUDO Prevent traditional login block not blocking local users in Bitbucket websudo

Other changes

  • DARK FEATURE Introduced a dark feature for Content-Security-Policy customization and the Set-Cookie property SameSite=None, to offer the capability to still render the host in an iframe when it’s needed. It is hidden in a dark feature; navigate directly to the setting through /plugins/servlet/no.kantega.kerberosauth.kerberosauth-plugin/samesiteContentSecurityPolicyHeaders
    See more: https://kantega-sso.atlassian.net/wiki/x/kwCOdg


Changes in 7.38.5

Release summary: Bug fixes and improvements

Improvements

  • KERBEROS The Kerberos test page now shows group based permission checks more clearly

  • SAML/OIDC Add more DEBUG level log lines to JIT group memberships provisioning for better troubleshooting

Bug fixes

  • SAML/OIDC The user properties feature was missing a couple of Velocity allowlist entries

  • SAML/OIDC The user properties feature had a null pointer bug if the user was not found

  • KERBEROS Fix broken link to the “disable kerberos for specific users” page

  • BAMBOO Add null handling for when servlet request can be null on “should login manually” check in SSO logic for customizable login page. Currently only a known problem on Bamboo.

Changes in 7.38.4

Release summary: Jira feature to set properties on login and other improvements

Features

Improvements

  • FORCE LOGIN Better UI for presenting default Force paths

  • JUST-IN-TIME PROVISIONING Better feedback when a non-writable directory has been selected for creating users

Changes in 7.38.3

Bug fixes

  • Fixed a bug that would cause the restore backup function to fail if one of the IDP configurations (or subfolders of jira-home/kerberos) had been deleted between the creation of the backup and the restore attempt.
    The issue shows a 500 error page upon backup restore:
    /plugins/servlet/no.kantega.kerberosauth.kerberosauth-plugin/restore-backup
    And an entry in the logs:
    java.nio.file.NoSuchFileException
    If that happens, you should still have the configuration from before the restore attempt in the Atlassian Data Center app home folder (jira-home, or jira-shared on a cluster):
    jira-home/kerberos_oldhome
    First, disable the Kantega SSO plugin.
    Move jira-home/kerberos to jira-home/kerberos-failed-restore,
    and then move jira-home/kerberos_oldhome to jira-home/kerberos.
    Then enable the Kantega SSO plugin.
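
The two folder moves from the recovery steps above, as an added example (not Kantega code) with guards so that a second run or a missing folder cannot overwrite anything. The function name and exit codes are assumptions of this example; disabling and enabling the plugin still happens in the product's app administration.

```shell
#!/bin/sh
# Added example, not Kantega code. Run only while the Kantega SSO plugin is
# disabled. $1 is the app home folder (jira-home, or jira-shared on a cluster).

recover_kerberos_config() {
    home=$1
    current="$home/kerberos"
    previous="$home/kerberos_oldhome"
    failed="$home/kerberos-failed-restore"

    # Without the pre-restore copy there is nothing to roll back to.
    if [ ! -d "$previous" ]; then
        echo "no $previous: nothing to recover from" >&2
        return 2
    fi
    # An existing target would make mv nest the folder instead of renaming it.
    if [ -e "$failed" ]; then
        echo "$failed already exists: move it away first" >&2
        return 3
    fi
    # Set the half-restored configuration aside (it may be missing entirely).
    if [ -e "$current" ]; then
        mv "$current" "$failed" || return 4
    fi
    # Put the pre-restore configuration back; undo the first move on failure.
    if ! mv "$previous" "$current"; then
        [ -e "$failed" ] && mv "$failed" "$current"
        return 5
    fi
    return 0
}

# Usage (path is a placeholder):
#   recover_kerberos_config /path/to/jira-home
```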

Changes in 7.38.2

Bug fixes

  • Fixed a bug introduced in 7.38.1 that caused instances with “Prevent traditional login” on to have problems with REST endpoints resulting in exceptions.

  • Fixed an issue that could cause the User Cleanup page to not display at all when the license was not present

Changes in 7.38.1

Release summary: Bug fixes and dark feature user administration

Bug fixes

  • JIRA Fix all combinations of prevent traditional login for JSM and Jira

  • JIRA Allow SSO websudo for all admin URLs

  • CONFLUENCE Fix landing flow after Single Logout

  • BITBUCKET Allow really large git requests to pass successfully through SSO filters

Improvements

  • DARK FEATURE Directory admin: Allow creating, renaming and deleting internal directories on URL:
    /plugins/servlet/no.kantega.kerberosauth.kerberosauth-plugin/manageInternalDirectories

  • DARK FEATURE User admin: Allow searching for specified users and moving them from one directory to another on URL:
    /plugins/servlet/no.kantega.kerberosauth.kerberosauth-plugin/manageUsersInDirectories

Changes in 7.38.0

Release summary: Major internal rewrite of SAML/OIDC to make login behavior the same

Improvements

  • SAML/OIDC Internal rewrites to standardise login behavior and to prepare for new features in Just-in-time and anonymous browsing coming soon

Bug fixes

  • OIDC Resume login will now verify that IdP config is enabled

  • SAML/OIDC Managed groups fails to provision group memberships

Kantega SSO Enterprise 7.37.x release notes

Changes in 7.37.17

Release summary: SAML/OIDC related minor bug fixes

Bug fixes

  • SAML/OIDC Allow whitespace to hide specific texts on login pages like

  • MISC Better handling of internal URLs for Force login

  • SAML/OIDC Fix default redirect rules override for JSM

  • SAML/OIDC Fix ability to disable IdP icons

Changes in 7.37.16

Release summary: Fixed bug on SCIM user and group sync

Bug fixes

  • SCIM Fixed bug on SCIM user and group sync occurring on newest Atlassian platforms

Changes in 7.37.15

Release summary: Fixed bug with websudo button showing up without websudo being enabled

Bug fixes

  • SAML/OIDC Fixed issue where the “Reauthenticate with SSO” button for websudo was shown without Jira prompting the user for reauthentication.

Changes in 7.37.14

Release summary: Bug fixes

Bug fixes

  • SAML/OIDC Newly introduced Bitbucket & Bamboo websudo (secure admin session) did not isolate to the given host product and gave failure on Jira

  • SAML/OIDC An additional closing bracket ')' snuck into the DOM of the SAML/OIDC login page

Changes in 7.37.13

Release summary: Google Workspace API connector bug fix

Improvements

  • Added a utility page under dark-features for viewing and editing groups in specific user directories on the URI /plugins/servlet/no.kantega.kerberosauth.kerberosauth-plugin/showGroupsInDirectories

Bug fixes

  • API CONNECTOR Google Workspace API connector sync failed after incorrect JSON object key for isArchived and isSuspended on the fix in 7.37.10

Changes in 7.37.12

Release summary: Bug fixes

Bug fixes

  • FEDERATED SSO Fixed the Continue-button on the login screen not working when trying to log in with username/password.

  • KERBEROS Config upgrade logic introduced in 7.37.4 incorrectly checks for breaking changes comparing incorrect versions.

Changes in 7.37.11

Release summary: Bug fix of config upgrade logic and dependency update

Improvements

  • MISC Update Bouncy Castle dependency from 1.78 to 1.80 to patch CVE-2024-29857, CVE-2024-30171, CVE-2024-30172.

Bug fixes

  • KERBEROS Config upgrade logic introduced in 7.37.4 incorrectly checks for breaking changes comparing incorrect versions.

Changes in 7.37.10

Release summary: Improvements, bug fixes and dependency updates

Improvements

  • SAML/OIDC Websudo SSO is now available for Bitbucket and Bamboo

  • MISC Update dependencies

Bug fixes

  • API CONNECTOR Google Workspace API connector did not update archived users as “not active” during sync

  • SAML/OIDC Make manual redirect more available on login page when users enter username

Changes in 7.37.9

Release summary: Bug fix for prevent traditional login

Bug fixes

  • MISC Fixed a bug with prevent traditional login introduced with 7.37.8

Changes in 7.37.8

This release has been made private due to a discovered bug with prevent traditional login. Please use 7.37.9 instead.

Release summary: Fixes in JSM and in Jira handling root page “/” better on Jira 10+

Bug fixes

  • KERBEROS Make Kerberos work in all cases for JSM portal login page

  • MISC Handle SSO login for root page

  • MISC Better handling prevent traditional login (with username / password) for unlicensed users

Changes in 7.37.7

Release summary: Added support for Confluence 9.3

Improvements

  • CLOUD USER PROVISIONING The cloud user provisioning overview now shows if a connected user directory is disabled

  • MISC Added support for Confluence 9.3

Bug fixes

  • MISC Fixed bug where some group selectors were unable to load groups

  • TRADITIONAL LOGIN Fixed assigning groups on traditional login

Changes in 7.37.6

Release summary: Bug fixes for API tokens

Bug fixes

  • API TOKEN Fixed bug where non-admin users could not create tokens if maximum token lifetime was set to forever

  • API TOKEN Fixed unnecessarily noisy logging in some scenarios

  • KERBEROS Fixed Kerberos logging in users trying to log out on Jira 10

Changes in 7.37.5

Release summary: Fixed SAML/OIDC bug with target after redirect containing the entire URL

Bug fixes

  • SAML/OIDC Fixed SAML/OIDC bug with target after redirect containing the entire URL.

Changes in 7.37.4

This release removes the login logic from Jira dashboards since the login widget does not exist with the new login interface. This means that Kerberos will no longer trigger when visiting the dashboard unless Force Login is enabled and configured to use /* as a force path.

Force login

Release summary: Bug fixes. Improved UX on disable Kerberos.

Improvements

  • KERBEROS Reworked “Disable Kerberos” to improve UX and make the feature easier to understand.

Bug fixes

  • SAML/OIDC Fixed issue with Single Logout in Jira.

  • SAML/OIDC Fixed issue with IdP button not being clickable with certain configurations.

  • SAML/OIDC Fixed bug where using SAML/OIDC would remove the title of Jira dashboards.

Changes in 7.37.3

Release summary: Bug fixes for prevent traditional login and initial SAML signing certificate

Bug fixes

  • SAML/OIDC Fixed prevent traditional login not working well with manual redirect for users permitted to log in with username/password

  • SAML/OIDC Fixed a problem during setup of the first identity provider, where the SAML signing certificate was created

Changes in 7.37.2

Release summary: Added support for generating 4096 bit certificate for SAML Request Signing

Improvements

  • SAML/OIDC Added option to generate certificate for SAML Request Signing with size of 4096 bits

Bug fixes

  • SAML/OIDC Fixed problem with reactivating users who are both deactivated and missing license group

Changes in 7.37.1

Release summary: Various bug fixes and improvements

Improvements

  • KERBEROS Improved error handling for LDAP test

  • SAML/OIDC Changed default behaviour to include username/password link

  • SCIM Updated UI for SCIM setup wizard

  • SCIM Added lozenge for showing local groups in group list

  • USER MANAGEMENT Added the option to copy groups and memberships to read-only directories

  • USER MANAGEMENT Added an overview to make discovering duplicate groups easier at /showGroupsInDirectories

Bug fixes

  • SAML/OIDC Fixed instant redirect trigger on JSM despite being disabled

  • SAML/OIDC Fixed redirecting user to the page they attempted to visit before being sent to IdP for Bitbucket

  • USER MANAGEMENT Fixed issue with viewing groups containing &

  • SAML/OIDC Fixed SSO for Bamboo and JSM

Changes in 7.37.0

Release summary: Added support for custom API token authorization header

Improvements

  • API TOKEN Added support for custom API token authorization header

Bug fixes

  • API CONNECTOR Entra ID API connector will no longer crash during synchronization when user or group filtering is enabled and a nested group matching the filter contains a group not matched by the filter.

Kantega SSO Enterprise 7.36.x release notes

Changes in 7.36.0

Release summary: Architectural changes

Features

Bug fixes

  • IP restrictions with CIDR notation no longer exclude the first and last address of the range

  • Forgot password URL will now redirect the user to the correct page

  • Exceptions to prevent traditional login should now work correctly

  • Improved config upgrade management

Kantega SSO Enterprise 7.35.x release notes

Changes in 7.35.3

10:30 CET

Release summary: Bug fix related to REST endpoint annotations

Bug fixes

  • KSSO REST API REST endpoints failed serialization due to breaking changes in Jackson Databind across platform 6 and 7

Changes in 7.35.2

08:30 CET

Release summary: Fix SCIM startIndex for Jira

Features

Changes in 7.35.1

15:30 CET

Release summary: Bug fixes

Features

Changes in 7.35.0

15:30 CET

Release summary: Added custom API token duration.

Features

Kantega SSO Enterprise 7.34.x release notes

Changes in 7.34.0

14:45 CEST

Release summary: This is a functional copy of 6.34.0.

Features

Kantega SSO Enterprise 7.33.x release notes

Changes in 7.33.1

15:40 CEST

Release summary: Fixed redirect target with SAML/OIDC.

Bug fixes

  • SAML/OIDC Fixed SAML/OIDC redirect not sending user to the page they attempted to visit before being sent to the login page.

Changes in 7.33.0

12:00 CEST

Release summary: This is a functional copy of 6.33.0.

Features

Kantega SSO Enterprise 7.32.x release notes

Changes in 7.32.1

12:30 CEST

Release summary: Customization for new login screen

Improvements

  • SAML/OIDC Added customization for the new login screen. This release is only available for Bitbucket and Confluence since Jira and Bamboo do not have the new login screen yet.

Changes in 7.32.0

16:00 CEST

Release summary: Support for new Atlassian login screen

Improvements

  • SAML/OIDC Support for new Atlassian login screen. This release is only available for Bitbucket and Confluence since Jira and Bamboo do not have the new login screen yet.

Kantega SSO Enterprise 7.31.x release notes

Changes in 7.31.0

08:00 CEST

Release summary: Allow for SCIM to reuse users already existing in user directory

Improvements

Bug fixes

Kantega SSO Enterprise 7.30.x release notes

Changes in 7.30.0

13:00 CEST

Release summary: Velocity Allowlist fix and under-the-hood changes

More details

  • Under-the-hood changes to the code base after the introduction of Platform 7 in Jira 10, Confluence 9, Bitbucket 9 and Bamboo 10, in order to handle development for both the newer versions and the older LTS versions.

  • Fix some issues with velocity template variables rendering incorrectly due to velocity allowlist.

Kantega SSO Enterprise 7.29.x release notes

Changes in 7.29.1

10:30 CEST

Release summary: Minor internal bug fix in setting default value for userPrincipalName as selected username attribute

New features

  • BITBUCKET Re-introduce support for SSO-verified Anonymous Access to require some users to log in and avoid using a license. This feature is already in Jira and Confluence.

Bug fixes

  • API CONNECTOR Minor internal bug fix in setting default value for userPrincipalName as selected username attribute

Changes in 7.29.0

10:40 CEST

Release summary: Use email as username attribute for Cloud API connectors. Other minor bug fixes.

This release introduces changes equal to the changes in version 6.29.0.

New features

  • API CONNECTOR Added possibility to use email as username attribute for Cloud API connectors

Improvements

  • GLOBAL Improve usability of partial restore of backups.

Bug fixes

  • KERBEROS Fixed Kerberos test page sometimes failing to recognize NTLM tokens

  • JIRA Added “/projects/” to default force login URLs

  • Fixed KSSO not searching for non-standard username attributes in delegated LDAP authentication

  • API CONNECTOR Fix Synchronize now button response

Kantega SSO Enterprise 7.28.x release notes

Changes in 7.28.0

15:00 CEST

Release summary: This is an exact functional copy of release 6.28.0 in addition to fixing missing variables in GUI shown with $ sign including fix of possible license expired warning.

Kantega SSO Enterprise 7.27.x release notes

Changes in 7.27.2

10:30 CEST

Release summary: Support for Bamboo 10. This is an exact functional copy of release 6.27.0.

Changes in 7.27.1

13:30 CEST

Release summary: Support for Jira 10. This is an exact functional copy of release 6.27.0.

  • API CLOUD CONNECTOR Fix missing API connectors in drop-down list in Confluence

Changes in 7.27.0

14:00 CEST

Release summary: Support for Confluence 9 and Bitbucket 9. This is an exact functional copy of release 6.27.0.