We are pleased to announce Kantega SSO Enterprise 5.0.
Read the upgrade notes for important information about this release, and see the full changelog below.
Compatible from version
Kantega SSO is getting a massive improvement under the hood, laying the foundation for future functionality. The setup wizard for SAML and OpenID Connect has also been rebuilt on new technology and provides a faster setup with better feedback.
Changes in 5.0.0
SCIM: New setup wizard for SAML and OIDC identity providers
SAML/OIDC: New identity provider overview page
OIDC: Ability to only allow authentication from an OIDC identity provider when MFA is used for logging in
Global Configuration status page for compatibility and upgrades
SAML/OIDC: Removed the old onboarding, which was out of date with the rest of the app
Kerberos, API Tokens, Username from header: More powerful IP address restrictions for Kerberos, Username from Header and API tokens. They now support full IP addresses, CIDR ranges, and stricter regular expressions (anchored with a leading ^ and a trailing $) to specify ranges of IP addresses
SAML/OIDC: Users are removed from and immediately added to the same group again
UNSAFE_HASH_EQUALS: Unsafe hash comparison in API token validation. An attacker might be able to recover the value of the secret hash through the timing of the comparison: Arrays.equals() and String.equals() return as soon as the first mismatching byte is found, so the time taken depends on how many leading bytes match
Update io.jsonwebtoken jjwt libraries used for JWT validation in OpenID Connect to latest version 0.11.2
Increased CSRF protection: Origin header required in POST requests on Kantega SSO Enterprise pages
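The following example illustrates two of the 5.0.0 items above together: the IP restriction formats (full address, CIDR range, anchored regular expression) and the timing-safe hash comparison that replaces the UNSAFE_HASH_EQUALS pattern. It is an added example and not Kantega's code; the class ApiTokenGuard, its methods, the sample rules and the sample token are all assumptions made for illustration.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/** Hypothetical API token validator; not the product's own implementation. */
public class ApiTokenGuard {

    /** One IP restriction rule: exact address, CIDR block, or anchored regex. */
    interface IpRule {
        boolean matches(InetAddress client);
    }

    /** Parse a rule string in one of the three supported formats. */
    static IpRule parseRule(String rule) {
        if (rule.startsWith("^") && rule.endsWith("$")) {
            // Anchored regex: must match the whole textual address. Without the anchors
            // a rule like "10.0.0.1" would also match "110.0.0.11" as a substring.
            Pattern p = Pattern.compile(rule);
            return client -> p.matcher(client.getHostAddress()).matches();
        }
        int slash = rule.indexOf('/');
        if (slash < 0) {
            InetAddress exact = parseLiteral(rule);
            return client -> client.equals(exact);
        }
        InetAddress network = parseLiteral(rule.substring(0, slash));
        int prefix = Integer.parseInt(rule.substring(slash + 1));
        byte[] netBytes = network.getAddress();
        if (prefix < 0 || prefix > netBytes.length * 8) {
            throw new IllegalArgumentException("Bad prefix length in " + rule);
        }
        return client -> {
            byte[] c = client.getAddress();
            // An IPv4 rule never matches an IPv6 client and vice versa.
            if (c.length != netBytes.length) return false;
            return samePrefix(c, netBytes, prefix);
        };
    }

    /** True if the first prefixLen bits of a and b are identical. */
    static boolean samePrefix(byte[] a, byte[] b, int prefixLen) {
        int fullBytes = prefixLen / 8;
        for (int i = 0; i < fullBytes; i++) {
            if (a[i] != b[i]) return false;
        }
        int remaining = prefixLen % 8;
        if (remaining == 0) return true;
        int mask = (0xFF << (8 - remaining)) & 0xFF;
        return (a[fullBytes] & mask) == (b[fullBytes] & mask);
    }

    /** Accept only IP literals so that a misconfigured rule never triggers a DNS lookup. */
    static InetAddress parseLiteral(String s) {
        boolean literal = s.matches("\\d{1,3}(\\.\\d{1,3}){3}") || s.contains(":");
        if (!literal) throw new IllegalArgumentException("Not an IP literal: " + s);
        try {
            return InetAddress.getByName(s);
        } catch (UnknownHostException e) {
            throw new IllegalArgumentException("Not an IP address: " + s, e);
        }
    }

    static byte[] sha256(String secret) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(secret.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** The flagged pattern: returns at the first mismatching byte, so timing leaks the match length. */
    static boolean unsafeEquals(byte[] stored, byte[] presented) {
        return Arrays.equals(stored, presented);
    }

    /** The fix: MessageDigest.isEqual takes time independent of where the bytes differ (only the length is observable). */
    static boolean safeEquals(byte[] stored, byte[] presented) {
        return MessageDigest.isEqual(stored, presented);
    }

    /** Accept the request only if the client IP passes a rule and the token hash matches in constant time. */
    static boolean authorize(List<IpRule> rules, String clientIp, byte[] storedHash, String presentedToken) {
        InetAddress client = parseLiteral(clientIp);
        boolean ipAllowed = rules.stream().anyMatch(r -> r.matches(client));
        return ipAllowed && safeEquals(storedHash, sha256(presentedToken));
    }

    public static void main(String[] args) {
        List<IpRule> rules = List.of(
            parseRule("10.0.0.5"),                  // full address
            parseRule("192.168.1.0/24"),            // CIDR range
            parseRule("^172\\.16\\.\\d+\\.\\d+$")); // anchored regex
        byte[] stored = sha256("example-token-value");  // constructed sample secret, hashed at rest
        System.out.println(authorize(rules, "192.168.1.77", stored, "example-token-value")); // inside the /24
        System.out.println(authorize(rules, "192.168.2.1", stored, "example-token-value"));  // outside the /24
        System.out.println(authorize(rules, "10.0.0.5", stored, "wrong-token"));             // allowed IP, wrong token
    }
}
```

Two design points worth noting: the regex branch is only taken when both anchors are present, which is what the stricter format in the release note enforces, and the hash comparison always compares full SHA-256 digests, so the one thing MessageDigest.isEqual still reveals (array length) is constant for every request.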
Changes in 5.0.1
SCIM: Link to 'SCIM network requirements' is incorrect in the 'Network preparation' step of SCIM setup.
API Connector: Link to 'Setup provider' in API Connector is incorrect.
SAML/OIDC: Links to Identity Provider will not render in the JSM portal
SAML/OIDC: Links to Identity Provider on the Jira baseUrl (which is redirected to /secure/MyJiraHome.jspa) will not render
Update Config: Regular expressions in IP restrictions on Kerberos, Username from header and API Tokens are not translated to the new format when the config is updated
Changes in 5.0.2
Fixed a bug that prevented certain internal plugin resources from being served from the Data Center CDN. They will no longer show up in /rest/webResources/1.0/deprecatedDescriptors.
Kerberos: Allow the # sign in LDAP username lookups
SCIM: SCIM user directories were not shown as selectable for JIT
Temporarily disable the Origin requirement for CSRF when saving Kantega SSO changes, in line with Atlassian standards. It will be reintroduced as an optional security improvement later.
Changes in 5.0.3
SAML/OIDC, Kerberos: Catch errors that may happen if Active Directory times out when updating groups during login
API Tokens: Restrict API Authentication no longer blocks the Jira-Confluence @mention functionality
Kerberos: Allow usernames containing the \ sign in lookups when userPrincipalName is the username key in Active Directory
Soften the CSRF check to allow empty Origin and Referer headers
API Tokens: Fix handling of Active Objects errors seen in Postgres during upgrade from 4.x to 5.x
Kerberos: Disabling Kerberos for users in certain groups and directories was not working
SAML/OIDC: Allow upgrading from 4.x to 5.x with IdP type "Other"
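The Origin-based CSRF check evolved across this release: 5.0.0 required an Origin header on POST requests, 5.0.2 temporarily disabled the requirement, and 5.0.3 softened it to accept requests where Origin and Referer are both empty. The example below, added here and not taken from the product, shows what such a check looks like in its strict and softened forms; the class OriginCsrfCheck, the Mode enum and the sample base URL are assumptions.

```java
import java.net.URI;
import java.util.Locale;

/** Hypothetical Origin/Referer check for state-changing requests; not the product's own code. */
public class OriginCsrfCheck {

    /** STRICT mirrors the 5.0.0 behaviour; LENIENT mirrors 5.0.3 (missing headers are tolerated). */
    enum Mode { STRICT, LENIENT }

    private final String expectedOrigin;
    private final Mode mode;

    OriginCsrfCheck(String baseUrl, Mode mode) {
        this.expectedOrigin = originOf(baseUrl);
        this.mode = mode;
    }

    /** Reduce a URL to scheme://host[:port], lower-cased, with default ports dropped. */
    static String originOf(String url) {
        URI u = URI.create(url);
        if (u.getScheme() == null || u.getHost() == null) {
            throw new IllegalArgumentException("Not an absolute URL: " + url);
        }
        String scheme = u.getScheme().toLowerCase(Locale.ROOT);
        int port = u.getPort();
        boolean defaultPort = port == -1
            || (scheme.equals("https") && port == 443)
            || (scheme.equals("http") && port == 80);
        return scheme + "://" + u.getHost().toLowerCase(Locale.ROOT) + (defaultPort ? "" : ":" + port);
    }

    /** origin and referer are raw header values, null when the header is absent. */
    boolean accept(String method, String origin, String referer) {
        if (!isStateChanging(method)) return true;
        // Prefer Origin; fall back to Referer, which browsers send on same-site POSTs when Origin is absent.
        String presented = (origin != null && !origin.isEmpty()) ? origin : referer;
        if (presented == null || presented.isEmpty()) {
            // STRICT rejects the request; LENIENT lets it through, because some clients and
            // proxies strip both headers and the 5.0.3 change accepts that case.
            return mode == Mode.LENIENT;
        }
        if ("null".equals(presented)) return false; // opaque origin (sandboxed frame, some redirects): never trusted
        try {
            return originOf(presented).equals(expectedOrigin);
        } catch (IllegalArgumentException e) {
            return false; // malformed header value
        }
    }

    static boolean isStateChanging(String method) {
        switch (method.toUpperCase(Locale.ROOT)) {
            case "GET": case "HEAD": case "OPTIONS": return false;
            default: return true;
        }
    }

    public static void main(String[] args) {
        OriginCsrfCheck strict = new OriginCsrfCheck("https://jira.example.com/", Mode.STRICT);
        OriginCsrfCheck lenient = new OriginCsrfCheck("https://jira.example.com/", Mode.LENIENT);
        System.out.println(strict.accept("POST", "https://jira.example.com", null));                  // same origin
        System.out.println(strict.accept("POST", null, "https://jira.example.com/secure/Dashboard.jspa")); // Referer fallback
        System.out.println(strict.accept("POST", "https://attacker.example", null));                  // cross-site
        System.out.println(strict.accept("POST", null, null));                                        // headers stripped, strict
        System.out.println(lenient.accept("POST", null, null));                                       // headers stripped, lenient
    }
}
```

The softened mode only relaxes the missing-header case: a present but foreign Origin is still rejected. Because it lets header-less requests through, it should be paired with another CSRF control (for example a synchronizer token) rather than used as the sole defence.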