K-SSO version 8

Update notes

This major version is released to account for major changes in the following Atlassian product releases:

  • Jira 11,

  • Confluence 10,

  • Bitbucket 10, and

  • Bamboo 11

Together, these releases constitute Platform 8, a major platform change across all Atlassian Data Center products.

Caution is recommended before upgrading due to the many under-the-hood changes. Make sure to thoroughly test this major version in a test environment before upgrading in production.

New version format

To account for support on three different “platforms” with breaking changes, we have changed the version number format. The old format used the major version number to distinguish platform 6 from platform 7. Now releases for all platforms share the same K-SSO version number and use a suffix to show compatibility. In this major release we build feature copies for each of the three currently supported Atlassian Data Center platforms, spanning three major versions as indicated by the suffixes. Versions tagged .p6 are compatible with the oldest versions that are not EOL, .p7 with the major releases introduced in 2024, and .p8 with the major releases introduced in 2025. See the table below for compatibility details. The version format is now <major>.<minor>.<patch>.<platform modifier>.

K-SSO version   Compatibility range for Data Center versions
8.x.y.p6        Jira 9.x, Confluence 8.x, Bitbucket 8.x, Bamboo 9.x
8.x.y.p7        Jira 10.x, Confluence 9.x, Bitbucket 9.x, Bamboo 10.x
8.x.y.p8        Jira 11.x, Confluence 10.x, Bitbucket 10.x, Bamboo 11.x

Changelog and release notes

New functionality and major improvements will be released as 8.x versions compatible with the oldest LTS versions. Security patches and critical fixes will still occasionally be released as 7.x and 6.x versions.

Kantega SSO Enterprise version 8.4.x release notes

Changes in 8.4.0

Fix issues with HTTP request wrapping, plus OIDC improvements

Improvements

  • OIDC More flexible handling of the Content-Type header of the JWKS document, so that a custom content type with JSON syntax such as Content-Type: application/jwk-set+json is accepted

  • OIDC Support RSASSA-PSS algorithms PS256, PS384 and PS512
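As an added illustration of the two 8.4.0 OIDC items above (example code written for this page, not code from Kantega SSO), the following Python shows how a JWKS response can be accepted on any application/*+json media type rather than only application/json, and how keys are filtered and selected against a supported-algorithm set that includes PS256, PS384 and PS512. The helper names, the acceptance rule and the sample JWKS document are assumptions made for the example.

```python
import json

# Signature algorithms the example accepts. The PS* entries are the
# RSASSA-PSS variants the release note adds; the RS* entries are assumed.
SUPPORTED_SIG_ALGS = {
    "RS256", "RS384", "RS512",
    "PS256", "PS384", "PS512",
}

# Constructed sample JWKS document: two usable RSA signing keys, one RSA
# encryption key and one EC key. Key material is a placeholder, not real.
SAMPLE_JWKS = json.dumps({
    "keys": [
        {"kty": "RSA", "kid": "pss-2025", "use": "sig", "alg": "PS256",
         "n": "constructed-modulus-1", "e": "AQAB"},
        {"kty": "RSA", "kid": "rsa-2024", "use": "sig",
         "n": "constructed-modulus-2", "e": "AQAB"},
        {"kty": "RSA", "kid": "enc-key", "use": "enc", "alg": "RSA-OAEP",
         "n": "constructed-modulus-3", "e": "AQAB"},
        {"kty": "EC", "kid": "ec-key", "crv": "P-256",
         "x": "constructed-x", "y": "constructed-y"},
    ]
})


def is_json_media_type(content_type):
    """Accept application/json and any application/*+json (RFC 6839 structured
    syntax suffix), ignoring parameters such as charset and ignoring case."""
    if not content_type:
        return False
    media_type = content_type.split(";", 1)[0].strip().lower()
    if "/" not in media_type:
        return False
    top, sub = media_type.split("/", 1)
    return top == "application" and (sub == "json" or sub.endswith("+json"))


def parse_jwks_response(content_type, body):
    """Validate the response media type and return the RSA signing keys
    that are usable with the supported algorithms."""
    if not is_json_media_type(content_type):
        raise ValueError(f"unexpected JWKS content type: {content_type!r}")
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError("JWKS body is not valid JSON") from exc
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list):
        raise ValueError("JWKS document has no 'keys' array")
    usable = []
    for jwk in keys:
        if not isinstance(jwk, dict) or jwk.get("kty") != "RSA":
            continue
        if jwk.get("use", "sig") != "sig":
            continue
        alg = jwk.get("alg")
        if alg is not None and alg not in SUPPORTED_SIG_ALGS:
            continue
        if "n" not in jwk or "e" not in jwk:
            continue
        usable.append(jwk)
    return usable


def select_key(keys, kid, token_alg):
    """Pick the verification key for a token header. Refuse algorithms that
    are not supported, and keys whose own 'alg' disagrees with the token."""
    if token_alg not in SUPPORTED_SIG_ALGS:
        return None
    for jwk in keys:
        if jwk.get("kid") != kid:
            continue
        if jwk.get("alg") not in (None, token_alg):
            continue
        return jwk
    return None


if __name__ == "__main__":
    keys = parse_jwks_response("application/jwk-set+json; charset=utf-8", SAMPLE_JWKS)
    print([k["kid"] for k in keys])
    print(select_key(keys, "pss-2025", "PS256") is not None)
```

Checking the key's own `alg` against the token header closes the gap where a key published for PS256 is used to verify an RS256 token; a key without `alg` is accepted for any supported algorithm, which is the usual JWKS convention.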

Bug fixes

Kantega SSO Enterprise version 8.3.x release notes

Changes in 8.3.3

Bug-fix release and re-release of 8.3.1

Bug fixes

  • Release 8.3.1 had a bug in OpenID Connect login that gave 500 error pages upon login due to erroneous parsing of ID tokens. 8.3.1 was withdrawn from Marketplace after the bug was discovered.

Changes in 8.3.2

Version 8.3.2 was skipped

Changes in 8.3.1

Bug fixes and improved SSO-verified anonymous browsing

Improvements

  • SAML/OIDC SSO-verified browsing now works better by not automatically logging in the user when the login page is visited. This caused problems with plugins such as Gliffy diagrams, which occasionally trigger a visit to the login page and ended in a login loop

Bug fixes

  • OIDC The OpenID Connect call to the token endpoint did not URL-encode the Basic Auth client authentication parameters. This is not compliant with OpenID Federation, which requires the Client ID to be a URL identifier in order to be globally unique.

  • API CONNECTOR Sometimes the Connector configuration was deleted when the user directory was disabled, as a side effect of the earlier changes related to encryption of secret parameters released in version 7.41.0
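The OIDC bug fix above (Basic Auth client authentication without URL encoding) is easiest to see with a Client ID that is itself a URL, since the colon in "https://" collides with the ':' separator of the Basic credential. The following Python is an added example for this page, not Kantega SSO code; it contrasts the unencoded form with the encoding RFC 6749 section 2.3.1 requires for client_secret_basic (form-urlencode client_id and client_secret before joining and base64-encoding) and shows what a spec-compliant token endpoint recovers from each. Function names and sample values are constructed.

```python
import base64
from urllib.parse import quote_plus, unquote_plus


def basic_auth_header(client_id, client_secret):
    """client_secret_basic as specified by RFC 6749 section 2.3.1: both values
    are application/x-www-form-urlencoded before being joined with ':' and
    base64-encoded, so a ':' or '/' inside either value survives the trip."""
    credentials = f"{quote_plus(client_id, safe='')}:{quote_plus(client_secret, safe='')}"
    return "Basic " + base64.b64encode(credentials.encode("ascii")).decode("ascii")


def naive_basic_auth_header(client_id, client_secret):
    """Constructed illustration of the pre-fix shape the release note describes:
    the raw values are joined without any encoding."""
    credentials = f"{client_id}:{client_secret}"
    return "Basic " + base64.b64encode(credentials.encode("utf-8")).decode("ascii")


def parse_basic_auth_header(header):
    """What a spec-compliant token endpoint does with the header: base64-decode,
    split on the FIRST ':', then form-urldecode each part."""
    scheme, _, b64 = header.partition(" ")
    if scheme != "Basic" or not b64:
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(b64).decode("utf-8")
    encoded_id, sep, encoded_secret = raw.partition(":")
    if not sep:
        raise ValueError("credential lacks ':' separator")
    return unquote_plus(encoded_id), unquote_plus(encoded_secret)


def token_request_headers(client_id, client_secret):
    """Headers for the token endpoint call; the body (grant_type, code, ...)
    is unaffected by this fix and is omitted here."""
    return {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }


if __name__ == "__main__":
    # Constructed sample: an OpenID Federation style URL Client ID and a secret
    # containing characters that need encoding.
    cid, secret = "https://rp.example.com", "p@ss:w0rd with space"
    print(parse_basic_auth_header(basic_auth_header(cid, secret)))
    print(parse_basic_auth_header(naive_basic_auth_header(cid, secret)))
```

With the unencoded form the endpoint splits at the first colon and sees a client called "https" with the rest of the string as its secret, so authentication fails; with the encoded form both values round-trip exactly.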

Changes in 8.3.0

Support for 150+ groups (group.link) on Entra ID SAML login and other fixes

Improvements

  • SAML Support for 150+ groups (group.link) on Entra ID SAML login. When a user has more than 150 groups, Entra ID provides a link to the groups instead of the groups themselves. Read more about this here: https://kantega-sso.atlassian.net/wiki/x/AoA0iQ

  • Various minor improvements and refactoring

Bug fixes

  • SAML/OIDC Improve performance on loading login page

  • BITBUCKET Land on the return URL after login via the Identity Provider for all types of URLs when “Instant redirect” and “Force SSO” have been selected

  • ENTRA ID Avoid the avatar fetch job logging errors when an Entra ID user directory has been disabled

Kantega SSO Enterprise version 8.2.x release notes

Changes in 8.2.6

Security fix

Security fixes

  • There was a privilege escalation vulnerability that allowed authenticated users to disrupt the server. This affects all installations of Kantega SSO Enterprise. Upgrading the plugin will mitigate the issue. If you are unable to upgrade, there is an action that can be taken on your current installation; contact support to get this information. A security advisory will be published eventually. A backport patch is also available in versions 6.43.11 and 7.43.11

Changes in 8.2.5

Re-release attempt of 8.2.3 after Atlassian release automation stopped it. Was stuck until Friday.

Changes in 8.2.4

Skipped.

Changes in 8.2.3

Release summary: Fix commons-codec library incompatibility

  • VULNERABILITY Solve vulnerability in json-smart library

  • VULNERABILITY Solve vulnerability in commons-io library

  • SECURITY Redact authorization header in trace log

  • JSM Allow JSM installations to use contextPath: "/servicedesk"

Changes in 8.2.2

Release summary: Vulnerability and security fixes and minor JSM fix

  • VULNERABILITY Solve reported vulnerability in json-smart library by updating package

  • VULNERABILITY Solve reported vulnerability in commons-io library by updating package

  • SECURITY Redact authorization header content in trace logs

  • JSM Allow JSM installations to use contextPath: "/servicedesk"
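The SECURITY items in 8.2.3 and 8.2.2 above both concern redacting the Authorization header in trace logs. As an added example (written for this page in Python, not Kantega SSO code), the following redactor keeps the authentication scheme so the log stays diagnosable but drops the credential, and treats a value without a recognisable scheme as entirely sensitive. The sample trace lines, the scheme list and the extension to Proxy-Authorization are assumptions made for the example.

```python
import re

# Scheme names are not secret and help when debugging; only the credential
# part after the scheme is removed.
KNOWN_SCHEMES = {"basic", "bearer", "digest", "negotiate", "ntlm"}

# Header name match is case-insensitive; the value runs to end of line so a
# Digest value with commas is redacted as a whole.
_AUTH_HEADER = re.compile(r"(?i)\b((?:proxy-)?authorization\s*:\s*)([^\r\n]*)")

# Constructed sample of an HTTP client trace log; the credentials are fake.
SAMPLE_TRACE = [
    "TRACE > POST /oauth2/token HTTP/1.1",
    "TRACE > Authorization: Basic dXNlcjpwYXNz",
    "TRACE > Content-Type: application/x-www-form-urlencoded",
    "TRACE > authorization: bearer eyJhbGciOiJQUzI1NiJ9.payload.sig",
    'TRACE > Proxy-Authorization: Digest username="alice", response="deadbeef"',
    "TRACE > X-Request-Id: 7f3b",
]


def _redact_value(value):
    """Keep a known scheme token, replace everything else with a marker."""
    parts = value.strip().split(None, 1)
    if not parts:
        return value
    if parts[0].lower() in KNOWN_SCHEMES:
        return parts[0] + " [REDACTED]"
    return "[REDACTED]"


def redact_authorization(line):
    """Redact the credential of any Authorization / Proxy-Authorization header
    found in a single log line; other lines are returned unchanged."""
    return _AUTH_HEADER.sub(lambda m: m.group(1) + _redact_value(m.group(2)), line)


def redact_trace_log(lines):
    """Apply the redaction to every line of a trace log."""
    return [redact_authorization(line) for line in lines]


if __name__ == "__main__":
    for line in redact_trace_log(SAMPLE_TRACE):
        print(line)
```

Redacting at the point where the trace line is written is preferable to post-processing stored logs, since the credential then never reaches disk or a log shipper; the function above is small enough to sit in that code path.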

Changes in 8.2.1

Release summary: Atlassian login page on failing SSO. Allow disabling "Re-authenticate with SSO"

  • SAML/OIDC Show the Atlassian login page if the call to the SSO server fails

  • SAML/OIDC Introduce a switch that allows disabling "Re-authenticate with SSO"

Changes in 8.2.0

Release summary: User Cleanup dry run performance, SCIM excluded from force login

Improvements

  • USER CLEANUP User cleanup dry run will now store the membership data so for cleanup jobs with many affected users, the data will be available without a long delay.

  • Added a “Start fetching live data from user directories” option to toggle fetching of live data in the User cleanup dry run.

  • USER CLEANUP Allow a scheduled run to continue if the user who set it up has been removed, so the setup does not break when an admin is no longer in the system

  • SAML/OIDC Hardcoded favicon into HTML to reduce unnecessary requests on redirect pages

  • SCIM Exclude SCIM paths from force login by default

  • Updated dependencies

Bug fixes

  • USER CLEANUP Unused JSM cleanup UI fix: the data from the dry run now shows up after completion

  • USER CLEANUP More robust handling of Confluence last-login dates in User cleanup; missing user data no longer causes a crash

Deprecation notice

  • MS TEAMS The Microsoft Teams with SSO feature is being marked for deprecation; please contact us if you are using this feature. For now it has been moved to dark features:
    /plugins/servlet/no.kantega.kerberosauth.kerberosauth-plugin/dark-features
    Or
    /plugins/servlet/no.kantega.kerberosauth.kerberosauth-plugin/msteams

Kantega SSO Enterprise version 8.1.x release notes

Changes in 8.1.10

Bug fix: os_destination with encoded full URL breaks post login destination

Bug fixes

Changes in 8.1.9

Bug fix: active object API token sql namespace for Confluence, Bitbucket, Bamboo

Bug fixes

  • API TOKENS CONFLUENCE BITBUCKET BAMBOO Fix an additional namespace error introduced by the ORM framework fix for the Jira edition of the app in version 8.1.6, which broke the namespace for the Confluence, Bamboo and Bitbucket editions. In other words, what fixed Jira broke those products in versions 8.1.6 and 8.1.7. If you use Kantega SSO API tokens and have upgraded via version 8.1.6 or 8.1.7, contact Kantega SSO support to sort out the resulting duplicated AO table.

Changes in 8.1.8

This version was skipped

Changes in 8.1.7

Redirect URL bug fix, other bug fixes and improvements

Bug fixes

  • SAML/OIDC KERBEROS During SSO authentication our plugin used to have a redirect deep-linking policy that could theoretically be exploited by crafting a URL with certain URL parameters; this was fixed in version 7.43.7 / 6.43.7. That security fix had unintended side effects that in some special cases broke URLs when hitting the root / base URL of the host

  • KERBEROS API TOKENS The configuration UI for IP restrictions was broken after an internal change to our IP restrictions engine related to improvements in version 7.40.0 / 6.40.0. As a result, the IP restriction mode for Kerberos or API token IP restrictions could not be saved after that version. Configuration saved before that change, and the policy it enforces, continued to work

Improvements

  • API TOKENS Improve API tokens living alongside other authentication mechanisms like OAuth or Atlassian personal access token (PAT), without interfering with the other auth mechanisms.

Changes in 8.1.6

Active objects API Tokens table unlinked from app bug fix, and internal improvements

Bug fixes

  • API TOKENS Because of a manifest change, Active Objects tables were accidentally unlinked from the app, making the API Tokens table unavailable after upgrading to releases 8.1.0 - 8.1.4. This was first observed only on the Jira edition of the app, but on deeper investigation it also occurs on Confluence. Related to the namespace issue https://ecosystem.atlassian.net/browse/AO-3423

Other improvements

  • User management functionality in dark features received visual and stability improvements

  • Upgrade npm packages

Changes in 8.1.5

This version was skipped because of a technical hiccup in the release pipeline

Changes in 8.1.4

Bug fix: SAML/OIDC not working properly when user is in Crowd directory

Bug fixes

  • SAML/OIDC During SAML/OIDC login, the user session is invalidated and re-established towards Crowd. This part of the login flow was broken during the architecture rewrite, leading to a 500 error page when a user who is found in a Crowd directory logs in via SAML/OIDC. Other users logging in are not affected

The 8.x versions 8.1.0 - 8.1.4 for Jira have been withdrawn because of a bug that changes the namespace of AO (Active Objects) tables, which in turn affects API token integrations. The problem is related to the changed namespace (see https://ecosystem.atlassian.net/browse/AO-3423) and will be fixed in the next release.

Changes in 8.1.3

Security dependency patches and technical upgrades

Security patches

  • Upgrade various Maven dependencies.

    • Notably commons-beanutils was upgraded to 1.11.0 (contains fix to CVE-2025-48734)

    • The rest of the dependencies can be inspected in the SBOM file or within the binary.

  • Upgrade various npm packages (they can be inspected in the SBOM file which is packaged within the jar file).

Technical upgrades

  • Upgrade node to version 22.x

Changes in 8.1.2

Bug fix: websudo not properly supported after architecture rewrite

Bug fixes

  • Websudo via SSO was not properly activated after the rewrite of architecture in 8.x.

Changes in 8.1.1

Major architecture changes with cross-platform compatibility, added search in admin pages

  • A new architecture rewrite adopting the Jakarta EE changes is now made available for Platforms 6 and 7.

  • New search capability in Kantega SSO Enterprise: settings within the plugin can now be searched globally instead of navigating the UI.

  • Released for all compatible products (see table above).

Changes in 8.1.0

Major release with compatibility for newest major releases of Jira, Confluence, Bitbucket

  • A major internal rewrite ensures that the product can be built and packaged for three simultaneous platforms from the same code base. That way, the versions built for the different major versions are mostly feature copies of each other.

Because of further compatibility testing, 8.1.0 was released only for Platform 8:

  • Jira 11, Confluence 10, Bitbucket 10