simpleSAMLphp
SimpleSAMLphp version 1.6.2
Version 1.6.2 of simpleSAMLphp is available from:
SHA1SUM:
2f4e0b59f03af6fec79004546b439eeaaeac0182 simplesamlphp-1.6.2.tar.gz
This release contains security fixes since version 1.6.1.
During an inspection of the various templates, several cross-site scripting vulnerabilities were discovered. They are mostly related to the display of metadata or user attributes, and thus require the attacker to be able to change the metadata or attributes your installation receives.
Except for the issues with attributes and metadata, you may be vulnerable if:
- You use the InfoCard module.
- You use the openid authentication source.
- You use the oauth module.
All users of simpleSAMLphp are encouraged to upgrade.
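The class of bug described above, shown as an added example that is not code from simpleSAMLphp or its templates: a template that prints received attributes unescaped, next to a version that escapes at output time. The function names and sample data are constructed for illustration, and the link check goes one step beyond the release note to cover URLs taken from metadata.

```php
<?php
// Added illustration, not simpleSAMLphp code; names and data are constructed.
// Sample attributes as an SP might receive them: names and values are untrusted.
$attributes = array(
    'displayName' => array('Alice <b>Example</b>'),
    'mail' => array('alice@example.org', '<script>alert(1)</script>'),
);

// Vulnerable pattern: received data is concatenated into markup unchanged.
function renderAttributesUnsafe(array $attributes)
{
    $html = "<table>\n";
    foreach ($attributes as $name => $values) {
        $html .= '<tr><td>' . $name . '</td><td>' . implode('<br />', $values) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Escape for the HTML context at output time (quotes included, for attributes).
function esc($s)
{
    return htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8');
}

// Hardened pattern: every attribute name and every value is escaped.
function renderAttributesSafe(array $attributes)
{
    $html = "<table>\n";
    foreach ($attributes as $name => $values) {
        $cells = implode('<br />', array_map('esc', $values));
        $html .= '<tr><td>' . esc($name) . '</td><td>' . $cells . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Metadata URLs need a scheme check too: javascript: passes through escaping.
function renderMetadataLink($url, $label)
{
    $scheme = strtolower((string)parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, array('http', 'https'), true)) {
        return esc($label); // render the label as plain text, without a link
    }
    return '<a href="' . esc($url) . '">' . esc($label) . '</a>';
}

echo renderAttributesSafe($attributes);
echo renderMetadataLink('javascript:alert(1)', 'Privacy policy'), "\n";
echo renderMetadataLink('https://sp.example.org/privacy', 'Privacy policy'), "\n";
```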
Attribute Collector Implementation from Spain
The Spanish Andalusian federation, CONFIA, has implemented an attribute collector.
Documentation of "attribute collector" is available here:
SimpleSAMLphp version 1.6.1
Version 1.6.1 of simpleSAMLphp is now available for download at:
This release only contains bugfixes since version 1.6.0. No new features have been added. Changelog:
- saml:SP: Fix SingleLogoutService endpoint in SSP-format metadata array.
- Shib13:IdP: Add urn:mace:shibboleth:1.0 to supported protocols.
- Fix SAMLParser::parseElement().
- SAML2:IdP: Fix persistent NameID generation.
- Fix scoping on IdP discovery page.
- metaedit: Fix endpoints parsed from XML.
- Dictionary update.
- Documentation fixes.
SimpleSAMLphp version 1.6.0
simpleSAMLphp version 1.6 was made available earlier this summer. This release note was somewhat delayed here at rnd.feide.no, due to the fact that I was out of office.
Documentation is available at:
Changes include:
- Support for HTTP-Artifact binding on both IdP and SP (thanks to Danny Bollaert, Shoaib Ali and Bill Young).
- Better error reporting from single logout on the IdP: it will now respond with the correct error code to SPs.
- OpenID 2.0 support.
- Better support for specifying parameters in the SAML 2 authentication request.
- Error page when the user accesses the IdP with cookies disabled.
Also, several bug fixes and other changes. See the changelog for more details:
If you are upgrading from a previous version of simpleSAMLphp, you should have a look at the upgrade notes, as they list changes that may break existing installations:
New SimpleSAMLphp module: selfregister
selfregister is a simpleSAMLphp module that typically runs on an IdP. It contains a user interface for users to register a new account. It also allows users to register some user attributes, such as name and e-mail address.
Features include:
- E-Mail verification
- Editing user data
- Change password
- Password reset through e-mail verification
The module is available in the simplesamlphp-labs repository.
You may checkout the source code here:
Download a zip archive here:
Or install it using the new SimpleSAMLphp pack.php utility (experimental):
The module is implemented by Thomas Graff (UNINETT). If you encounter bugs or have feature requests, please contact Thomas Graff directly (thomas.graff@uninett.no), and please CC the simpleSAMLphp mailing list when possible.
The module is not properly documented yet, but Thomas is working on adding documentation, and it will be available soon.
The module is available in English, and is ready for translation at:
Create custom links on the login page
We've added support for including custom links on the login page, without modifying the theme. This support is already enabled in the Subversion version of simpleSAMLphp.
In authsources.php, you may add links by doing something like this:
    'core:loginpage_links' => array(
        array(
            'href' => SimpleSAML_Module::getModuleURL('openid/openidtest.php'),
            'text' => '{openid:dictopenid:openidtestpage}',
        ),
        array(
            'href' => 'http://uninett.no',
            'text' => array('en' => 'UNINETT Home page', 'no' => 'UNINETT sin hjemmeside'),
        ),
    )
New Login Page
I've redesigned the OpenIdP login page.

This is checked in as the themefeidernd module in simpleSAMLphp, as an example of how you can create a theme module that overrides a template for the login page. You can test the theme module, by adding this to your config.php:
'theme.use' => 'themefeidernd:feidernd',
New SimpleSAMLphp Documentation Site
I'm happy to announce that today we are launching a new documentation site for SimpleSAMLphp.
This page will also hold a future version of the simpleSAMLphp home page.
If you want to link to the documentation index of the latest stable release of simpleSAMLphp, use this link:
Most of the old documentation is linked correctly over to the new portal. If you encounter some links on rnd.feide.no that are not redirecting, let me know, and I'll fix them.
Notice that documentation is now properly versioned, which means that you will be able to view all documents in revision 1.4, 1.5 and trunk, and easily switch between the revisions using a list in the upper right.
The search field is not yet working; we are waiting for Google to index the new site. It should automatically start working in days or hours. We are using Google Custom Search.
The new site should be snappy; I'm sorry for the inconvenience of the sluggish old site.
The new site is probably full of bugs; if you encounter some let me know.
The new site is automatically updated from Subversion once an hour.
Identity Provider in a box
SurfNet has created an easy-to-set-up virtual image of a SimpleSAMLphp Identity Provider, with a web-based UI configuration frontend.

ARNES has a SimpleSAMLphp in a box solution as well (with eduroam support):

SimpleSAMLphp Release Plan
Not yet started
Work in progress
Completed
Release 1.6 (Late April 2010)
Remove CC noncommercial icons (257)
Introduce setAuthnRequest to new IdP core. (279)
Include Japanese translation (281)
Accept multiple SAML and Shib endpoints at SP (20)
Better understanding of SAML 2.0 LogoutResponse (169)
Introduce "dictionary format", backward compatibility (263)
SessionIndex should be unique per SP (44)
Better support for WAYF-less URLs (262)
Session association timeout (180)
Improve error handling and error UI for iframe SLO (186)
Single SPSSODescriptor in metadata for saml module (199)
Generic Identity Provider Core Module (203)
Metadata aggregator when endpoint is missing (224)
AuthnInstant from Session (225)
Export requested attributes in xml metadata (228)
Self-register module (231)
Clean up flat file metadata output (233)
OpenID 2.0 Support (235)
Remove metadata validator code and config validator code (236)
Remove ldapstatus module (237)
Upgrade translation portal and switch to JSON template format (239)
SPENTITYID in privacy policy URL. (241)
Fix or remove configuration check (243)
openid classes depended on ini_set (259)
Update documentation for authproc (287)
SAML2 metadata classes (290)
Release 1.7 (Late summer / autumn 2010)
Improve Attribute Translation (185)
Merge in new version of xmlseclibs (277)
Logic for Encrypting assertion when receiving endpoint is not secured (283)
Merge MetaDataStorageHandlerXML.php and MetaDataStorageHandlerDynamicXML.php (113)
Add an option at the SP to use the FriendlyName instead of the attribute name. (157)
Reverse proxy support (189)
Combine shib13-idp-remote and saml20-idp-remote. (197)
UI for information about modules and enabling and disabling modules (210)
Don't require consent for some attributes (220)
Fully declarative SessionHandlers (226)
Add AttributeSource API (238)
Memcache should support locking of the session (240)
Proper handling of disabled cookies (242)
Generated transient NameID sent back as persistent. (247)
HTTP proxy support for network metadata downloading (250)
Parse embedded EntitiesDescriptors (253)
New statistics format (254)
SP API must support completion handlers for login (255)
Make discopower the default SAML 2.0 identity provider discovery service (266)
Consider including offered processing filters from Alex Mihicinac (291)
Add support for Common Domain Cookie in SAML SP module (297)
Document IdP-initiated logout (328)
Introduce a new cookie/session after authentication (329)