Kantega SSO Enterprise 6.20.x release notes
We are pleased to announce Kantega SSO Enterprise 6.20.
Important security fix: This version patches an HTML injection/XSS vulnerability in SAML POST binding.
Update note: Updating to this version will trigger an Update of Config warning to account for a change in format for IP restrictions in Basic Auth, Kerberos, API Tokens and Username from header.
Read the update notes for important information about this release if you’re updating from major versions 5.x or 4.x, and see the full changelog below.
Compatible applications
In general, the latest version of Kantega SSO Enterprise is compatible with the oldest Atlassian version that has not yet reached end of life. See Atlassian’s End-of-life (EOL) policy to get an overview of versions and EOL dates.
Changelog
Changes in 6.20.3
Nov 15, 2023 16:00 CET
Release summary: SAML/OIDC improvements to anonymous browsing and automatic login
Improvements
saml oidc Rename “Authenticated Anonymous Browsing” to “SSO-Protected Anonymous Browsing” for clarity. Introduce option in “Known domains login restriction” to have SSO-Protected Anonymous Browsing as a fallback instead of authentication error
saml oidc Improve and clarify automatic login triggering when the username / password link is shown on the login page
saml oidc Improve UI navigation bar structure so it’s easier to reach common identity provider settings like SAML key management and IDP Icons
saml oidc jira only Add a switch for Jira to decide whether the user should have the login page as destination URL after logging in.
copy user directory Fix SSL issue in Common > Copy User Directory for newer versions of Atlassian host products with changed classpath
Changes in 6.20.2
Nov 9, 2023 15:55 CET
Release summary: Bug fix
Bug fixes
dark features Introduce capability to remove update errors in /plugins/servlet/no.kantega.kerberosauth.kerberosauth-plugin/dark-features
Changes in 6.20.1
Nov 9, 2023 13:00 CET
Release summary: Reintroduce implicit IPv6 support
Improvements
ip restrictions Reintroduce partial IPv6 support to avoid unnecessary errors. IPv6 addresses are now evaluated at the same stage as domain-name lookups. It is not recommended to use these formats unless necessary, as they can lead to performance issues.
Changes in 6.20.0
Nov 8, 2023 15:45 CET
Release summary: Improve IP restrictions and patch XSS in SAML POST binding
Improvements
ip restrictions Improve performance of IP permissions saved in Kerberos IP addresses, API Tokens IP permissions, Username from header IP permissions and Basic Auth IP permissions, by reducing unnecessary DNS lookups. DNS lookups are now only done when a domain name is added. Removed implicit support for IPv6. Domain names are still only supported implicitly, and may potentially lead to performance issues.
Security patches
saml Fix HTML injection enabling cross-site scripting in SAML POST binding, where HTML injected into SAML parameters was reflected into the page before redirect. Read more in Security Vulnerability: Faulty URL parameter sanitization allows HTML injection into the SAML login page
saml Patch CVE-2023-44483 in org.apache.santuario.xmlsec
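The SAML POST binding issue patched in 6.20.0 comes down to request-controlled parameters reaching the auto-submitting form page without attribute escaping. The Python below is an added illustration, not Kantega's code: the builder and check functions, the allow-listed IdP URL and the sample RelayState are constructed for the example.

```python
import base64
import binascii
import html
from html.parser import HTMLParser

# Constructed allow-list of configured IdP POST endpoints (hypothetical URL).
ALLOWED_DESTINATIONS = {"https://idp.example.test/sso/post"}
# Constructed sample message: the base64 that the form would carry.
SAMPLE_REQUEST_B64 = base64.b64encode(b"<samlp:AuthnRequest/>").decode()
# Constructed RelayState that tries to break out of the value="" attribute.
SAMPLE_BAD_RELAY_STATE = '"><b>x</b><input value="'


def build_post_form_unsafe(destination, saml_message_b64, relay_state):
    """Vulnerable pattern: parameters copied verbatim into the HTML page."""
    return (
        f'<form method="post" action="{destination}">'
        f'<input type="hidden" name="SAMLRequest" value="{saml_message_b64}">'
        f'<input type="hidden" name="RelayState" value="{relay_state}">'
        "</form>"
    )


def build_post_form_safe(destination, saml_message_b64, relay_state):
    """Hardened form: allow-listed destination, strictly validated base64,
    RelayState limited to 80 bytes (the SAML binding limit), and every
    value escaped for an HTML attribute context (quotes included)."""
    if destination not in ALLOWED_DESTINATIONS:
        raise ValueError("destination is not a configured IdP endpoint")
    try:
        base64.b64decode(saml_message_b64, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("SAMLRequest is not valid base64")
    if len(relay_state.encode()) > 80:
        raise ValueError("RelayState exceeds 80 bytes")
    esc = lambda s: html.escape(s, quote=True)
    return (
        f'<form method="post" action="{esc(destination)}">'
        f'<input type="hidden" name="SAMLRequest" value="{esc(saml_message_b64)}">'
        f'<input type="hidden" name="RelayState" value="{esc(relay_state)}">'
        "</form>"
    )


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(page, expected=("form", "input")):
    """Detection check: any element beyond the expected form markup means
    a parameter escaped its attribute and injected HTML into the page."""
    parser = _TagCollector()
    parser.feed(page)
    return [t for t in parser.tags if t not in set(expected)]
```

Running injected_tags over the output of both builders with SAMPLE_BAD_RELAY_STATE shows the unsafe page gaining an extra element while the hardened page contains only the form and its two inputs.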