Release notes from SATOSA

Version 8.5.1

2025-02-10T16:01:17Z

8.5.1 (2025-02-10)

ldap_attribute_store plugin: Add configuration option use_all_results to
specify whether all LDAP results should be processed.
ldap_attribute_store plugin: Add configuration option provider_attribute to
define the extracted attribute (ie, domain) that will be used to select the LDAP
configuration.
ldap_attribute_store plugin: Add configuration option search_filter to define
complex LDAP queries, when the default search based on an identifier is not
good enough.
ldap_attribute_store plugin: Add configuration option pool_lifetime. The LDAP
Server may abandon connections after some time without notifying the client.
The new option allows to set the maximum pool lifetime, so that connections
close on the client side.

Version 8.5.0

2025-01-08T11:56:46Z

8.5.0 (2025-01-08)

openid connect backend: Add OAuth2/OIDC backend based on idpy-oidc (new extra requirement idpy_oidc_backend to pull the library dependency)
apple backend: Rework the Apple backend to be based on the generic OpenIDConnectBackend and fix the userinfo loading
Restructure fatal error messages to redirect to generic error page when an errors occur
Allow multiple values for the "resource" query param
Fix checks for missing state from cookie and missing relay state
Allow loading of tuples from YAML configs
docs: minor fixes

Version 8.4.0

2023-06-11T17:23:23Z

8.4.0 (2023-06-11)

Make cookie parameters configurable
Avoid setting duplicate set-cookie headers
Complete the support for the mdui:UIInfo element
satosa-saml-metadata: make signing optional
metadata_creation: for SAML backend, use sp.config to render metadata
tests: update markers of supported Python versions
deps: move away from pkg_resources when deriving the package version at runtime

Version 8.3.0

2023-06-11T17:22:59Z

8.3.0 (2023-06-08)

FilterAttributeValues plugin: add new filter types shibmdscope_match_scope and shibmdscope_match_value; add tests
FilterAttributeValues plugin: add example rules for saml-subject-id and saml-pairwise-id
FilterAttributeValues plugin: add example rules enforcing controlled vocabulary for eduPersonAffiliation and eduPersonScopedAffiliation attributes
DecideBackendByRequester plugin: add default_backend setting; add tests; minor fixes
opend_connect backend: use PyoidcSettings class to configure pyoidc/oic based clients
ping frontend: minor adjustments and fixes for interface compliance
tests: update code to use matchers API to mock responses
examples: improve configuration readability of the primary-identifier plugin
examples: minor fixes and enhancements for ContactPerson examples for SAML backend and frontend

Version 8.2.0

2022-11-17T18:07:07Z

8.2.0 (2022-11-17)

attribute_authorization: new configuration options force_attributes_presence_on_allow and force_attributes_presence_on_deny to enforce attribute presence enforcement
saml2 backend: new configuration option acs_selection_strategy to support different ways of selecting an ACS URL
saml2 backend: new configuration option is_passive to set whether the discovery service is allowed to visibly interact with the user agent.
orcid backend: make the name claim optional
apple backend: retrieve the name of user when available.
openid_connect frontend: new configuration option sub_mirror_subject the set sub to mirror the subject identifier as received in the backend.
openid_connect frontend: check for empty db_uri before using it with a storage backend
attribute_generation: try to render mustach tempate only on string values
logging: move cookie state log to the debug level
chore: fix non-formatting flake8 changes
tests: remove dependency on actual MongoDB instance
build: update links for the Docker image on Docker Hub
docs: properly document the name_id_format and name_id_policy_format options
docs attribute_generation: correct example configuration
docs: fix mailing list link.
docs: fix typos and grammar

Version 8.1.1

2022-06-22T22:44:22Z

8.1.1 (2022-06-23)

OIDC frontend: Set minimum pyop version to v3.4.0 to ensure the needed methods are available
docs: Fix orcid mapping in example internal_attributes

Version 8.1.0

2022-05-06T16:17:55Z

8.1.0 (2022-05-06)

OIDC frontend: support stateless code flow
OIDC frontend: support Redis and session expiration
orcid backend: allow family-name to be optional
docs: add references to external contributions
docs: update structure

Version 8.0.1

2022-02-22T13:46:10Z

8.0.1 (2022-02-22)

Reinitialize state if error occurs while loading state
VirtualCoFrontend: Expose metadata endpoint and fix duplicate entity ids with multiple backends
saml-backend: Allow request micro-services to affect the authn-context-class-ref
saml-backend: Keep the last authority from the authenticating authority list
minor fixes to the Apple and GitHub backends
micro_services: example config for attribute_policy
deps: bump minimum pyop version to 3.3.1
docs: fixes for example files and config options

Version 8.0.0

2021-09-07T12:10:07Z

8.0.0 (2021-09-07)

This is a breaking release, if you were using the openid_connect frontend. To
keep compatibility:

Install the proxy with pip install satosa[pyop_mongo] in order to fetch
the right dependencies.
If you were not using the client_db_path option then set the new option
client_db_uri to the value of db_uri.

The internal data now hold the authenticating authority as part of the
AuthenticationInformation object
(satosa.internal::AuthenticationInformation::authority).
The Context object now holds a dictionary of query string params
(context.qs_params).
The Context object now holds a dictionary of http headers
(context.http_headers).
The Context object now holds a dictionary of server headers
(context.server_headers).
The Context object now holds the request method (context.request_method).
The Context object now holds the request uri (context.request_uri).
The Context object now holds a dictionary of http headers.
frontends: the openid_connect frontend has a new configuration option
signing_key_id to set the kid field on the jwks endpoint.
frontends: the openid_connect frontend dependency pyop has been updated
to work with both Redis and MongoDB. This changed how its dependencies are
set. This is reflected in this package's new extras that can be set to
pyop_mongo (to preserve the previous behaviour), or pyop_redis.
frontends: the openid_connect frontend filters out unset claims.
frontends: the openid_connect frontend has a new option
extra_id_token_claims to define in the config per client which extra claims
should be added to the ID Token to also work with those clients.
frontends: the openid_connect frontend has a new option client_db_uri to
specify a database connection string for the client database. If unset,
client_db_path will be used to load the clients from a file.
Previously, the option db_uri was used to set the client database string.
If you were relying on this behaviour, add the client_db_uri option with
the same value as db_uri.
frontends: document the client_db_path option for openid_connect
frontends: the openid_connect frontend has a new configuration option
id_token_lifetime to set the lifetime of the ID token in seconds.
frontends: the saml2 frontend has a new option enable_metadata_reload to
expose an endpoint (/<module_name>/reload-metadata) that allows external
triggers to reload the frontend's metadata. This setting is disabled by
default. It is up to the user to protect the endpoint if enabled. This
feature requires pysaml2 > 7.0.1
backends: the saml2 backend derives the encryption keys based on the
encryption_keypairs configuration option, otherwise falling back to
the key_file and cert_file pair. This is now reflected in the internal
pysaml2 configuration.
backends: the saml2 backend sp property is now of type
saml2.client::Saml2Client instead of saml2.client_base::Base. This allows
us to call the higer level method
saml2.client::Saml2Client::prepare_for_negotiated_authenticate instead of
saml2.client_base::Base::create_authn_request to properly behave when
needing to sign the AuthnRequest using the Redirect binding.
backends: the saml2 backend has a new option enable_metadata_reload to
expose an endpoint (/<module_name>/reload-metadata) that allows external
triggers to reload the backend's metadata. This setting is disabled by
default. It is up to the user to protect the endpoint if enabled. This
feature requires pysaml2 > 7.0.1
backends: new ReflectorBackend to help with frontend debugging easier and
developing quicker.
backends: the saml2 backend has a new configuration option
send_requester_id to specify whether Scoping/RequesterID element should be
part of the AuthnRequest.
micro-services: new DecideBackendByTargetIssuer micro-service, to select
a target backend based on the target issuer.
micro-services: new DiscoToTargetIssuer micro-service, to set the discovery
protocol response to be the target issuer.
micro-services: new IdpHinting micro-service, to detect if an idp-hinting
feature has been requested and set the target entityID. Enabling this
micro-service will result in skipping the discovery service and using the
specified entityID as the IdP to be used. The IdP entityID is expected to be
specified as a query-param value on the authentication request.
micro-services: new AttributePolicy micro-service, which is able to force
attribute policies for requester by limiting results to a predefined set of
allowed attributes.
micro-services: the PrimaryIdentifier micro-service has a new option
replace_subject_id to specify whether to replace the subject_id with the
constructed primary identifier.
micro-services: PrimaryIdentifier is set only if there is a value.
micro-services: AddSyntheticAttributes has various small fixes.
micro-services: ScopeExtractorProcessor can handle string values.
dependencies: the pystache package has been replaced by chevron, as
pystache seems to be abandoned and will not work with python v3.10 and
setuptools v58 or newer. This package is a dependency of the
satosa.micro_services.attribute_generation.AddSyntheticAttributes
micro-service.
tests: MongoDB flags have been updated to cater for deprecated flags.
docs: updated with information about the newly added micro-services.
docs: various typo fixes.
docs: various example configuration fixes.

Version 7.0.3

2021-01-20T23:52:31Z

7.0.3 (2021-01-21)

dependencies: Set minimum pysaml2 version to v6.5.1 to fix internal XML
parser issues around the xs and xsd namespace prefixes declarations