SAML SSO Service Provider

Fixed

• Craft 5.0 compatibility

Feature

• Add samlSpLogoutUrl for easier logout url generation

Fixed

• Fixing issue with multi-site linking for the external id field

Fixed

• bumping saml-core to use pinned psr/log at 1.1.4

Fixed

• revert: issue with logger interface compatibility #197

Fixed

• issue with logger interface compatibility #197

Fixed

• issue with ui https://github.com/flipboxfactory/saml-sp/issues/182

Fixed

• issue with craft version being off compared to the composer version 🤪. fixes #179

Fixed

• issue with custom attributes not being picked up by the validation #177

Fixed

• excluding disabled IdPs in login controller findByEntityId() closing #175

Fixed

• issue with using the default settings for entity id instead of the provider entity id, closing #171

Fixed

• excluding disabled IdPs in login controller findByEntityId() closing #175

Fixed

• updated saml-core: When "This site has it's own base URL" isn't checked but the site is selected. ref: https://github.com/flipboxfactory/saml-sp/issues/139

Fixed

• fixed missing config being passed to the validator for controls on assertions being signed (thanks @lindseydiloreto for catching this and PR). Ref: https://github.com/flipboxfactory/saml-sp/issues/126

Encrypted Assertions are now set to be decrypted before events may interact with them. If you currently decrypt assertions in an custom event, verify the assertion is an instance of \SAML2\EncryptedAssertion before decryption.

Added

• Event \flipbox\saml\sp\events\UserGroupAssign and \flipbox\saml\sp\services\login\UserGroups::EVENT_BEFORE_USER_GROUP_ASSIGN manipulate groups to be assigned before assignment #133
• Config (which can be added in config/saml-sp.php) mergeExistingGroups to opt-in to merging groups if desired. Default is true, the groups will be merged. #133

Changed

• Add decrypted assertions to Response after assertions are initially decrypted. See above warning.

Setting have been added to improve security (requireResponseToBeSigned and requireAssertionToBeSigned). It's recommend to update ASAP and leave these enabled. Test login before deploying.

Fixed

• Adding controls to require Response and assertions to be signed. Ref: https://github.com/flipboxfactory/saml-sp/issues/126

Added

• \flipbox\saml\sp\validators\Response
• \flipbox\saml\sp\validators\Assertion
• \flipbox\saml\sp\validators\SignedElement
• \flipbox\saml\sp\models\Settings::$requireResponseToBeSigned
• \flipbox\saml\sp\models\Settings::$requireAssertionToBeSigned

Fixed

• Fixing validation errors that don't throw exceptions: https://github.com/flipboxfactory/saml-sp/issues/126

Fixed

• Issue with clipboard (using navigator.clipboard with a fallback of the previous method) #113
• Disallow viewing to settings when allowAdminChanges is false #114

Fixed

• Possible issue with SP initiated SSO. Result from 2.6.7 controller changes.

Added

• Ability to be explicit with internal provider when passing a request url.
• docs updates

Fixed

• adding support for when there is not NameID sent and admin is using nameIDOverride.

Fixed

• Fixing migration issue with duplicate metadataOptions error.

Fixed

• Forcing core update for those updating to Craft CMS 3.6 (from a lower version).

Fixed

• Fixing latest login page.dashboard isn't a variable, it's the destination (string).

Fixed

• Updated login for Craft version 3.5.18 and greater.

Breaking changes: There are significant endpoint and metadata changes with this release. Please make sure you have a testing site and test this upgrade with your code when you apply this change.

Added

• Better multisite support.
• EntityID is is now editible

Added

• Github Actions CICD! 🚀

Fixed

• Issue where SP and IdP plugin couldn't be installed on the same craft db due to table conflicts.

Fixed

• Issue with EntityID override (added in 2.5.0), fixing https://github.com/flipboxfactory/saml-sp/issues/84

Breaking changes

Changed

• Breaking change: Changed \flipbox\saml\sp\services\login\User::getByResponse parameters.

Added

• Added ability to set NameId Override per IdP provider in the backend.
• Added event for before user save, \flipbox\saml\sp\services\login\User::EVENT_BEFORE_USER_SAVE.

Fixed

• Missing event EVENT_AFTER_RESPONSE_TO_USER. Event was added back in.

Breaking changes: Changed \flipbox\saml\sp\services\messages\AuthnRequest::EVENT_AFTER_MESSAGE_CREATED event to use new class \flipbox\saml\sp\events\AuthnRequest instead of \yii\base\Event

Changed

• Changed the event object used from \flipbox\saml\sp\services\messages\AuthnRequest::EVENT_AFTER_MESSAGE_CREATED event to use new class \flipbox\saml\sp\events\AuthnRequest instead of \yii\base\Event. AuthnRequest message is now in the $message property instead of $data.

Fixed

• Issue with constraint on the Provider Identity table when the user's NameID changes.

autoCreateGroups functionality has been removed. Automatic creation of user groups, has been removed. This is due to the project >config changes in Craft CMS 3.5. Users are still assigned to a user group when the group >match one existing within Craft. If a user group is not in Craft, the group is logged (as a warning) >and no error is thrown.

responseAttributeMap functionality has been removed. Please use the admin panel interface.

Added

• Added nameIdAttributeOverride setting. This is a system level setting override allowing you to map a username to a different assertion attribute, besides the NameID.

Fixed

• Issue with the createUser setting which allowed the user to be created but not login. The user will no longer be created.

Removed / Deprecated

• The following settings have been deprecated while the functionality of the those settings have been removed:
  • mergeLocalUsers
  • autoCreateGroups
  • responseAttributeMap

Added

• More unit testing!

Changed

• Updated saml-core which upgraded the simplesamlphp/saml2 library.
• \flipbox\saml\sp\services\login\UserGroups::assignDefaultGroups to a protected method
• \flipbox\saml\sp\services\login\UserGroups::syncByAssertion to a protected method
• \flipbox\saml\sp\services\login\UserGroups::getDefaultGroups to a protected method

Removed

• \flipbox\saml\sp\services\Login::login

Fixed

• Issue with diabled provider (My Provider) being picked as own provider when there's an enabled and disable provider with the same EntityId #68

Fixed

• Issue with autoCreateGroups plugin setting not doing what it's supposed to do. #65

Fixed

• Issue with saving groups with non-ascii conforming groups.

Added

• Adding Yii events to allow devs to modify RelayState

Added

• Adding setting to turn off base64 encoding of the RelayState: encodeRelayState.

Fixed

• Missed a spot with https://github.com/flipboxfactory/saml-sp/issues/57

Fixed

• Issue with missing Assertion Consumer Service URL: Fixing https://github.com/flipboxfactory/saml-sp/issues/58
• Issue CP panel presenting the SLO endpoint, fixing: https://github.com/flipboxfactory/saml-sp/issues/57

Fixed

• Fixed issue with Metadata URL not overwriting the metadata correctly via the control panel and cli.

Added

• CLI command for listing all providers. See ./craft saml-sp/metadata.

Fixed

• Fixed issue introduced in 2.1.3 Fixes: https://github.com/flipboxfactory/saml-sp/issues/53
• Fixed issue with attributes statements with one attribute (they'd be skipped over). Fixes: https://github.com/flipboxfactory/saml-sp/issues/54

Fixed

• Fixes issue with GeneralConfig::headlessMode by explicitly setting response to HTML. Fixes: https://github.com/flipboxfactory/saml-sp/issues/53
• Fixed issue with setting custom fields in Craft 3.4. Now using setFieldValue. Fixes: https://github.com/flipboxfactory/saml-sp/issues/53

Fixed

• Fixing issue with migration from 1.x to 2.x. Fixes: https://github.com/flipboxfactory/saml-sp/issues/51

Fixed

• Fixing issue with Craft 3.2 twig error within the editableTable

Fixed

• Fixing table name for craft installs with prefixes.

Fixed

• Fixing issue with postgres uid - https://github.com/flipboxfactory/saml-sp/issues/49

Fixed

• Fixing issue with requiring admin when project config when allowAdminChanges general config is set.
• Duplicate metadata html attribute id on the edit page
• Fixed issue with large Metadata too big for the db metadata column (requires migration) https://github.com/flipboxfactory/saml-sp/issues/48

Added

• Support for Saving Metadata via url (requires migration) https://github.com/flipboxfactory/saml-sp/issues/47
• Support for 3.4 login page

Fixed

• RelayState when going directly to /admin/login. If the siteUrl matches the returnUrl, the user will now be redirected to the dashboard (cpUrl('dashboard')).

Added

• Fixed admin login Via <IdP> button relay state, redirecting properly now.

Added

• Added support for HTTP-Redirect https://github.com/flipboxfactory/saml-sp/issues/41

Fixed

• Fixed issue with too many redirects when the site is set to offline. https://github.com/flipboxfactory/saml-sp/issues/42

Added

• Added support for parsing multiple assertions. Possibly related to https://github.com/flipboxfactory/saml-sp/issues/40

Removed

• Removed flipboxfactory/craft-ember package for easier updates with dependancies.

Fixed

• Fixed issue with decrypting assertions

Fixed

• Fixing more xsd schema compatibility. Changed message ids to be compatible.
• Fixed exception when the user tries to logout (SLO) when they are already logged out.

THE 2.0 UPGRADE HAS BREAKING CHANGES. All existing events have changed. Please reference: https://saml-sp.flipboxfactory.com/installation.html#upgrading-to-2-0

Fixed

• Added protocolSupportEnumeration in the metadata. That is required by SAML and stricter IdPs will complain.

THE 2.0 UPGRADE HAS BREAKING CHANGES. All existing events have changed. Please reference: https://saml-sp.flipboxfactory.com/installation.html#upgrading-to-2-0

Fixed

• Fixed AssertionConsumerServiceIndex type. Made it an int like it's intended to be.

Added

• More friendly exceptions when there are configuration issues with IdP or SP, therefore not being found.

THE 2.0 UPGRADE HAS BREAKING CHANGES. All existing events have changed. Please reference: https://saml-sp.flipboxfactory.com/installation.html#upgrading-to-2-0

Fixed

• Issue with the Via buttons on the login page pointing to the incorrect endpoint. https://github.com/flipboxfactory/saml-sp/issues/31

THE 2.0 UPGRADE HAS BREAKING CHANGES. All existing events have changed. Please reference: https://saml-sp.flipboxfactory.com/installation.html#upgrading-to-2-0

THE 2.0 UPGRADE HAS BREAKING CHANGES. All existing events have changed. Please reference: https://saml-sp.flipboxfactory.com/installation.html#upgrading-to-2-0

THE 2.0 UPGRADE HAS BREAKING CHANGES. All existing events have changed. If you have hooked or have a custom attributeMap (within config/saml-sp.php), please test the upgrade and sso login completely. Changes will most likely be needed.

Any references to the LightSaml php package need to be changed. LightSAML has been swapped out for the simplesamlphp core package simplesamlphp

Removed

• Remove static method and associated (deprecated) constants: \flipbox\saml\sp\services\messages\Metadata::getLoginLocation. Get this from the settings model now.
• Remove static method and associated (deprecated) constants: \flipbox\saml\sp\services\messages\Metadata::getLogoutRequestLocation. Get this from the settings model now.
• Remove static method and associated (deprecated) constants: \flipbox\saml\sp\services\messages\Metadata::getLogoutResponseLocation. Get this from the settings model now.
• Removed the LightSaml package

Changed

• Switched from the php LightSaml package to the simplesamlphp core lib

Fixed

• Typo in attribute map in the provider table (requires migration)

Added

• Support for environmental variables in the plugin settings. Works better with the project config.

Fixed

• Fixed issues with \flipbox\saml\sp\services\login\UserGroups::syncByAssertion deleting existing user groups

Added

• Added config defaultGroupAssignments to give the ability to add users by default to certain groups.

Fixed

• issue with ACS within the auth and request presented in 1.0.3

Changed

• Broke/cleaned up the Login service

Added

• New Docs! and Tests!