Kantega SSO Enterprise 6.43.x release notes
We are pleased to announce a new version of Kantega SSO Enterprise.
Compatible applications
In general, the latest version of Kantega SSO Enterprise is compatible with the oldest version that has not reached end of life. See Atlassian’s End-of-life (EOL) policy to get an overview of versions and EOL dates.
Changelog
Changes in 6.43.10
Sep 26, 2025
Security dependency patches and technical upgrades
Security patches
Upgrade various Maven dependencies.
Notably commons-beanutils was upgraded to 1.11.0 (contains fix to CVE-2025-48734)
The rest of the dependencies can be inspected in the SBOM file or within the binary.
Upgrade various npm packages (they can be inspected in the SBOM file which is packaged within the jar file)
Technical upgrades
Upgrade node to version 22.x
Improvements
Allow user cleanup job to run even when the user who spawned the job is disabled or removed
Changes in 6.43.9
Sep 5, 2025
Release summary: Security bug fix: restrict phishing possibility on SAML/OIDC targetUrl
Bug fixes
SAML/OIDC Another bug with the target URL security restriction introduced in release 6.43.7 led to a double context path in some cases when the context path was parsed as part of the target URL, which sent the user to a 404 page.
SAML/OIDC A deep linking fix from earlier broke extraction of target parameters from Bitbucket in some cases.
Changes in 6.43.8
Sep 4, 2025
Release summary: Security bug fix: restrict phishing possibility on SAML/OIDC targetUrl
Bug fixes
SAML/OIDC The target URL security restriction in release 6.43.7 did not properly handle the context path, so a redirect back to https://jira.example.com/jira gained an additional /jira and became https://jira.example.com/jira/jira after successful login.
Changes in 6.43.7
Sep 3, 2025
Release summary: Security fix: restrict phishing possibility on SAML/OIDC targetUrl parameter
Security fix
SAML/OIDC Fixed a security issue with redirection on the target parameter. When the target parameter is retained after a successful SAML/OIDC login, the user is redirected to the destination they sought before authenticating (for example, accessing a specific URL and then being asked to authenticate). This redirection engine was too relaxed and could be tricked with some clever formatting of the parameter, which opened the theoretical risk of someone crafting a link towards Jira that, after successful authentication, would send the user to evilpage.com. This was possible because the redirect engine worked on relative paths for redirection. Under the new policy in our fix, the target URL can no longer cause a redirection outside of the host: the path is validated, and any path that passes validation is appended behind the host’s base URL, ensuring that the user agent remains on the same host.
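As an added illustration of the policy described above (example code, not Kantega's own), the following Python function applies the same rule: the targetUrl is treated strictly as a path appended to the application's base URL, absolute or protocol-relative targets such as the <server_url>.something.org pattern from 6.43.0 are rejected, and an already-present context path is not prepended a second time (the double context path regressions fixed in 6.43.8 and 6.43.9). Function and exception names are assumptions.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


class UnsafeTarget(ValueError):
    """Raised when a targetUrl could move the user agent to another host (assumed name)."""


def safe_post_login_url(base_url: str, target: Optional[str], default_path: str = "/") -> str:
    """Return an absolute URL on base_url's host, or raise UnsafeTarget.

    base_url is the application's own base URL including any context path
    (e.g. https://jira.example.com/jira); target is the raw targetUrl parameter.
    """
    base = urlsplit(base_url)
    context_path = base.path.rstrip("/")          # "/jira" or ""
    if not target:
        return urlunsplit((base.scheme, base.netloc, context_path + default_path, "", ""))

    # Backslashes and control characters are normalised by browsers in ways that
    # can turn a "path" into an authority, so reject them outright.
    if any(c == "\\" or ord(c) < 0x20 for c in target):
        raise UnsafeTarget("control character or backslash in target")

    parts = urlsplit(target)
    # Any scheme or authority means an absolute or protocol-relative URL; this is
    # how https://jira.example.com.something.org/ slips past a naive prefix check.
    if parts.scheme or parts.netloc:
        raise UnsafeTarget("absolute or protocol-relative target")
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        raise UnsafeTarget("target must be a single-slash path")

    # If the client already sent the context path, do not prepend it again
    # (otherwise /jira becomes /jira/jira, the 6.43.8 regression).
    path = parts.path
    if context_path and (path == context_path or path.startswith(context_path + "/")):
        path = path[len(context_path):] or "/"

    return urlunsplit((base.scheme, base.netloc, context_path + path, parts.query, parts.fragment))


def is_allowed(base_url: str, target: Optional[str]) -> bool:
    """Convenience predicate for logging or tests: True if the target stays on-host."""
    try:
        safe_post_login_url(base_url, target)
        return True
    except UnsafeTarget:
        return False
```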
Changes in 6.43.6
Aug 29, 2025
Release summary: Fix an edge-case causing problem with deep linking for SAML/OIDC
Bug fixes
SAML/OIDC Fixed bug with deep linking where Kantega SSO would fail to read the target-parameter
Changes in 6.43.5
Aug 15, 2025
Release summary: Fix login via IdP for certain deep link URLs, more improvements for single logout
Improvements
JSM Better handling of single logout. You must now explicitly set a return URL in single logout configuration to return from OIDC logout.
OIDC Use a similar single logout return URL as with SAML, defaulting to the logout/login pages. Some identity providers may need to be configured to allow redirecting back to certain URLs after single logout.
Bug fixes
SAML/OIDC Fixed a bug with certain deep link URLs, such as Confluence’s old format https://confluence-dev.example.com/pages/viewpage.action?spaceKey=ds&title=Welcome+to+Confluence, so that they are now allowed.
Changes in 6.43.4
Aug 7, 2025
Release summary: Improved login page logic.
Improvements
JSM Improved handling of the prevent traditional login option on JSM
SAML/OIDC Refactored login page logic for SAML and OIDC. This should not affect login page behavior.
Bug fixes
SAML/OIDC Kerberos Fixed bug where mechanism for preventing automatic logins was too aggressive
Changes in 6.43.3
Jul 31, 2025
Release summary: Fix incorrect landing destination when logging in with SSO
Bug fixes
SAML/OIDC Fix incorrect landing destination when logging in with SSO
Changes in 6.43.2
Jul 25, 2025
Release summary: Fix single logout triggering when not enabled for a specific IdP
Bug fixes
SAML Fix single logout triggering when not enabled for a specific IdP
Changes in 6.43.1
Jul 22, 2025
Release summary: Security fix, more advanced group-based JiT and many other features and fixes
Bug fixes
SAML Fix Single Logout that broke in 6.43.0
Changes in 6.43.0
We have withdrawn 6.43.0 due to a bug with SAML Single-Logout. This can cause Atlassian to give compatibility warnings if you are still on 6.43.0, but you can safely stay on this version if you’re not using that feature.
Jul 11, 2025
Release summary: Security fix, more advanced group-based JiT and many other features and fixes
Security fixes
SAML/OIDC Avoid the possibility of sending users to another server via login when the targetURL matches the pattern <server_url>.something.org
New features
SAML/OIDC Support for looking up users during login from the SCIM IdP external ID value
SAML/OIDC Advanced abilities to control Just-in-time provisioning, anonymous browsing and denying users from logging in based on groups
Bug fixes
JSM Fix Single Logout for JSM
CONFLUENCE Fix setting of user profile values which, when in use, blocked login in newer versions of Confluence
BAMBOO Allow saving Basic Auth IP addresses
BITBUCKET Fix websudo in combination with prevent traditional login