Changelog

Version 2.20, 2017-09-27

  Features:

   * New Token-Type OCRA and DisplayTAN to support 
     transaction signing for online banking (#767)
   * Federation Handler allows to forward authentication
     requests and other REST API requests to a child
     privacyIDEA system (#711)
   * Improved Subscription Handling 
   * Allow to login with multiple loginnames (#713)
   * Authentication Cache policy (#729)

  Enhancements:

   * !!!NOTE!!! following policies now also honor the resolvers,
    which they did not previously:
    (AUTH, challenge_response), (AUTH, otppin), 
    (AUTHZ, auth_max_success), (AUTHZ, auth_max_fail),
    (AUTHZ, last_auth), (WEBUI, login_mode),
    (ENROLL,losttoken_pw_contents), (ENROLL,losttoken_validity),
    (ENROLL, losttoken_pw_len) (#736)
   * User can regenerate the QR Code during enrollment
     of smartphone app (#766)
   * Administrator can define remote privacyIDEA servers
     centrally (#711)
   * Events can now be ordered. This is important for the
     federation handling (#711)
   * Specify the hash algorithm that is used to save 
     SQL users passwords (#745)
   * Add welcome dialog for administrator (#716)
   * Allow creating oracle DB (#752)
   * Event Handler can use timestamps and time offsets in
     conditions (#741)
   * Use challenge/response token to unlock the screen of 
     the web UI (#702)
   * Support multiple challenge/response token at the same
     time (#722)
   * GPG keys are generated during package installation and
     show the GPG key in the import dialog (#742)
   * Failcounter clearing timeout in UI (#719)
   * Allow to send challenge data (like banking transaction) in
     email text and SMS text.

  Fixes:

   * Set default loglevel from DEBUG to INFO (#765)
   * Fixed PIN logging, which could lead to exceptions
   * Fixed unicode handling in log messages
   * Make LDAP Resolver work with utf8 (#738)
   * User can only choose hash algo according to policy (#723)
   * Add time period 30/60s to rollout URI (#744)
   * Fix deprecation warning for flask_migrate (#734)
   * Allow multiple tries for challenge/response (#708)
   * Fix problem with certificate serial number (#737)


Version 2.19.1, 2017-07-02

  Enhancements:

  * Add "pi-manage policy load" and "pi-manage policy export". (#721)
  * Allow customization via pi.cfg file.
  * Add {username} and {realm} as tags for the tokenhandler. (#735)

 Fixes:

  * Fix pi-manage file permission for backup
  * Fix search for resolver in audit log
  * Allow to read old legacy time from validity period
  * Fix wrong enddate with lost_token
  * Fix typos
  * Improve documentation for yubikey
  * Improve documentation for cache decorator
  * Improve documentation for webui policy


Version 2.19, 2017-05-25

  Features:
  * Add generic User Cache to speed up authentication (#670, #683)
  * Support multiple challenge-response tokens with the same PIN (#654)
  * Restrict U2F registration based on assertion certificte (#648)
  * Restrict authentication with U2F devices based on assertion 
    certificate (#648)
  * Add privacyidea-token-janitor script, that can clean orpaned or 
    expired tokens (#692)
  * Add API for mutual key generation during enrollment for easy 
    Smartphone App development by introducing a generic 
    2-step-rollout process (#627)
  * Add /validate/radiuscheck which works with rlm_rest and only uses 
    HTTP return codes. (#703)

  Enhancements:

  * Allow to unset token validity period and other tokeninfo
    fields (#691)
  * Add a quick-resolver test for LDAP resolvers (#688)
  * Add additional tokeninfo tags {client_ip}, {ua_browser}, 
    {ua_string} in token handler (#687)
  * Allow to set decription of U2F tokens during enrollment (#685)
  * Reduce the number of LDAP requests to increase authentication
    performance (#664, #655, #650)
  * Realm administrator is only allowed to see actions on this allowed
    user realms (#663)
  * Add audit rotation to pi-manage (#657)
  * Speed up Audit Log calls by adding a second index (#656)
  * Allow to either lock und logout the UI after timeout (#653)
  * Allow string format {user}, {realm}, {serial}, {surname} in 
    tokenlabel policy (#646)
  * Move to a consistent time format for validity period and all other 
    user specific times also containing the timezone (#644)
  * Add TLS certificate check to LDAP machine resolver (#638)
  * Make TLS certificate the default option in LDAP resolvers (#639)
  * Allow to use privacyIDEA ownCloud App without subscription
    file with up to 50 users.

  Fixes:
  * Fix the datepicker for the token validity period (#644 / #693)
  * Fix LDAP resolver to respect all boolean configuration 
    options (#658)
  * Fix serial number in challenge response validation response (#649)

  Commits added in version 2.19 by:
  (In the order of appearance)
  * Cornelius Kölbel
  * Quynh Nguyen
  * Friedrich Weber
  * Quoc Doan
  * blinkiz
  * Bernd Nicklas

Version 2.18, 2017-03-09

  Features:
  * Allow to disable the WebUI (#605)
  * The WebUI will lock the screen after a timeout instead of  
    logging out the user. This allows to easily continue
    configuration work. (#621)
  * Improve the creation and handling of local CAs (#630, #632, #633)
    Allow certificate template for certificates with different runtime
    and x509v3 extensions.

  Enhancements
  Enhancements in Policies:
  * Allow regular expressions in usernames in policies. (#581)
  * Improve Policy creation with pi-manage from JSON formatted file.
  * WebUI: Add action grouping in policies.
  * WebUI: Add action filter in policy view.
  * Allow token specific PIN policies: The SPASS token can now
    have dedicated PIN policies.
  * Add PIN policies for administrators during enrollment and
    during assignment.
  * Add WebUI policy: only search on enter being pressed (#617)

  Enhancements in Event Handlers:
  * Add token_validity_period condition to event handlers. (#618)
  * Add additional options in token handler when creating 
    SMS, Email or mOTP tokens.
  * Allow tokenhandler to set tokeninfo field.
  * Allow tokenhandler to set syncwindow.
  * Add event handler condition for count_auth_success and
    cound_auth_fail
  * Add event handler condition for last_auth.
  * Improve Audit Log for Event Handler. Each triggered action 
    will now also create an audit entry. (#609)
  * Allow the use of {current_time} in tokenevent handler. (#628)

  Enhancements in LDAP Resolver:
  * Upgrade dependency to ldap3 version >=2.1.1 to improve LDAP 
    performance in regards to redundancy and security
  * LDAP Resolver: Use get_info in bind requests to avoid querying 
    of subschema. (#585)
  * LDAP Resolver: Support StartTLS over Port 389.
  * Simplify LDAP Resolver: Remove username from Attribute Mapping.
  * Simplefy LDAP Resolver: Remove reverse filter.

  Misc Enhancements:
  * Automatically add user's mobile number if tokentype is SMS.
  * Add example configuration for GTX messaging SMS gateway.
  * Add a script "privacyidea-get-unused-tokens" to find
    unused tokens
  * WebUI: Add a busy indicator spinner.
  * Improve the pi-manage script in regards to backup and restore.
    Let you choose whether to backup encryption key or not.
    Better handling for individual pathes. (#626, #623)

  Fixes:
  * LDAP Resolver: Verify SSL Certificate (Security)
  * LDAP Resolver: Allow special characters in NTLM password
  * LDAP Resolver: Allow searching for users with German umlaut
  * Remove the "unsafe" notation in the QR-Code link, so that 
    a smartphone may import the key during HOTP/TOTP token enrollment
    by clicking the link. (#620)
  * Use defusexml to avoid XML bombs on token import (Security)
  * Replace eval with ast.literal_evel (Security)
  * Add missing attributes for U2F tokens in 
    validate/triggerchallenge API
  * Let /validate/triggerchallenge write to audit log.
  * Fix mangle policy for users and realms
  * Avoid logging of password in check_user_pass in debug level 
    (level=10)
  * Set encrypted PIN on enrollment for certificate tokens (#625)
  * Remove unused policy action "motp_webprovision"
  * Allow emailtext policy in triggerchallenge API (#642)
 

Version 2.17, 2016-12-29

  Features
  * Token Handler. Using the token handler the administrator
    can defined actions in response to events, to modify tokens
    like deleting, modifying, initilizing... tokens (#532)
  * Script Event Handler or Shell Event Handler allows to
    trigger an external shell script, if some event occurs. (#536)
  * Add additional endpoint to trigger a challenge response
    like the sending of an SMS, if the token PIN is not
    available (#531)
  * Policy Handling to also check for secondary resolvers of
    a user. This way a user can authenticate with his primary 
    resolver but policy will also work for secondary resolvers (#543)

  Enhancements
  * The event handler conditions also determine a serial number
    even if there is no serial number in the request:
    If the user from the request only has one token assigned. (#571)
  * Allow event definitions to be disabled (#537)
  * Allow event to be addressed by a destinct name (#522)
  * Improving LDAP performace by addressing different functionality 
    of ldap3 version 1.x and 2.x. (#549)
  * Improve SQL Audit by adding the SQL Audit table to the schema.
    Table is not created during HTTP request. (#557)
  * Limit audit log entry age. Users may only view audit
    log entries up to a certain age. (#541)
  * Add checkbox to only display used actions in a policy (#573)
  * In event handler: Use serial number of a user's token if the 
    user has only one token (#571)
  * Download a filtered audit log (#539)

  Fixes
  * Add missing token serial number to audit log if token is
    deletes (#546)
  * Fix event handler saving (#551)
  * HttpSMSProvider accepts status codes 201 and 202 in addition
    to 200 (#562)
  * Fix checkbox bug in NOREFERRALS of LDAP resolver (#563)
  * Add documentation for SMS provider (#566)
  * Remove 301 redirects from WebUI (#576)


Version 2.16, 2016-11-10

  Featurs
  * Add HSM support via AES keys (#534)
  * Improved Event Handler for flexible notification (#511)
  * Signed subscription files for adding and checking
    for extra functionality during authentication request (#502)

  Enhancements
  * Allow additional filter attributes in the Audit Log (#519)
  * Show or hide realms in the login dialog via policy (#517)
  * Improve UI if admin is not allowed for certain actions (#516, #512)
  * Disable OTP PIN during enrollment via policy (#439)
  * Allow automatic sending of registration code via email (#514)

  Fixes
  * Allow compatibility with ldap3 >= 2.0.7 (#533 #535)
  * Fix problem with Notification when no tokenowner is available (#528)
  * Fix confusion of client HTTP parameters (#529)
  * Fix enabled flag with certain database types (#527)
  * Catch error in case of faulty overrideClient definition (#526)
  * Truncate Audit lines, that are too long for the DB table (#525)


Version 2.15, 2016-10-06

  Features
  * Client Overview. Display the type of the requesting
    authenticating clients (#489)
  * Support for NitroKey OTP mode (admin client)

  Enhancements
  * Performance enhancements using Caching singletons for
    Config, Realm, Resolver and Policies
  * Allow configuration of the registration email text (#494)
  * Return SAML attributes only in case of successful
    authentication (#500)
  * Policy "reset_all_user_tokens" allow to reset all
    failcounters on successful authentication (#471)
  * Client rewrite mapping also checks for
    X-Forwarded-For (#395, #495)

  Fixes
  * Fixing RemoteUser fails to display WebUI (#499)
  * String comparison in HOSTS resolver (#484)


Version 2.14, 2016-08-17

  Features
  * Import PGP encrypted seed files
  * Allow UserNotification for user actions
  * Allow UserNotification on validate/check events,
    to notify the user on a failed authentication or
    a locked token.

  Enhancements
  * Add thread ID in REST API Response
  * Performance improvement: Cache LDAP Requests #473
  * Performance improvement: Optimize resolver iteration #474
  * Add "Check OTP only" in WebUI
  * Improve "get serial by OTP" in WebUI
  * Add script to get serial by OTP

  Fixes
  * Restrict GET /user for corresponding admins #460


Version 2.13, 2016-06-30

  Features
  * Allow central definition of SMS gateways 
    to be used with tokens. #392
  * User SMS for User Notificaton Event Handler. #435
  * Add PIN change setting for each token. #429
  * Force PIN change in web UI. #432

  Enhancements
  * Performence enhancements
    * speed up loading of audit log in web UI.
    * avoid double loadin of tokens and audit entries in web UI. #436
  * Additional log level (enhanced Debug) to even log passwords in 
    debug mode.
  * Add new logo. #430
  * Add quick actions in the token list: reset failcounter, 
    toggle active. #426
  * REST API returns OTP length on successful authentication. #407
  * Add intelligent OverrideAuthorizationClient system setting,
    that allows defined proxies to reset the client IP. #395

  Fixes
  * Display token count in web UI. #437
  * Use correct default_tokentype in token enrollment. #427
  * Fix HOTP resync problems. #412
  


Version 2.12, 2016-05-24

  Features
  * Event Handler Framework #360
  * local CA connector can enroll certificates
    for users. Users can download PKCS12 file. #383
  * Add and edit users in LDAP resolvers #372
  * Hardware Security Module support via PKCS11
  * Time dependent policies #358

  Enhancements
  * Policy for web UI enrollment wizard #402
  * Realm dropdown box at login screen #400
  * Apply user policy settings #390
  * Improve QR Code for TOTP token enrollment #384
  * Add documentation for enrollment wizard #381
  * Improve pi-manage backup to use pymysql #375
  * Use X-Forwarded-For HTTP header as client IP #356
  * Add meta-package privacyidea-mysql #376

  Fixes
  * Adduser honors resolver setting in policy #403
  * Add documentation for SPASS token #399
  * Hide enrollment link (WebUI) is user can not enroll #398
  * Fix getSerial for TOTP tokens #393
  * Fix system config checkboxes #378
  * Allow a realm to be remove from a token #363
  * Improve the date handling in emails #352
  * Sending test emails #350
  * Authentication with active token not possible if
    the user has a disabled token #339

 
Version 2.11, 2016-03-29

  Features
  * RADIUS Servers: Allow central definition of RADIUS servers
  * RADIUS passthru policy: Authentication requests for users
    with no tokens can be forwarded to a specified RADIUS server

  Enhancements
  * Allow objectGUID in LDAP-Resolver of Active Directory
  * Use paged searches in LDAP. LDAP resolver will find all
    users in the LDAP directory.
  * Allow privacyIDEA instance name to be configured for
    the AUDIT log
  * Allow special characters in LDAP loginnames and passwords
  * Add arbitrary attributes to SAML Authentication response
  * Enhance the handling of YUBICO mode yubikeys with the
    YUBICO API. The prefix is handled correctly.
  * Allow in get_tokens to be filtered for tokeninfo.
  * Add paged search in LDAP resolver. This allows responses
    with more than 1000 objects.

  Fixes
  * Fix SMTP authentication
  * Fix Enrollment Wizard for non-default realm users
  * Registration process: If an email can not be delivered,
    the token is deleted, since it can not be used.


Version 2.10, 2016-02-11

  Features
  * User Registration: A user may register himself and thus create
    his new user account.
  * Password Reset: Using a recovery token a user may issue a 
    password reset without bothering the administrator or the 
    help desk.
  * Enrollment Wizard for easy user token enrollment
  * SMTP Servers: Define several system wide SMTP settings and use
    these for 
    * Email token,
    * SMTP SMS Provider, 
    * registration process,
    * or password reset.

  Enhancements
  * Ease the Smartphone App (Google Authenticator) rollout.
    Hide otplen, hash, timestep in the UI if a policy is defined.
  * Add import of Aladdin/SafeNet XML file.
  * Add import of password encrypted PSKC files.
  * Add import of key encrypted PSKC files.

  Fixes
  * Support LDAP passwords with special non-ascii characters.
  * Support LDAP BIND with special non-ascii characters.
  * Fix problem with encrypted encryption key.
  * Fix upgrading DB Schema for postgresql+psycopg2.
  * Fix UI displaying of saved SMS Provider.
  * Do not start challenge response with a locked/disabled token.

Version 2.9, 2015-12-21

  Features
  * New token type: Security questions or questionnaire token.
  * New token type: Paper token. OTP values printed on a piece of paper.
  * Yubico Validation API: The yubikey tokens can authenticate via
    /ttype/yubikey which follows the Yubico Validation Protocol.

  Enhancements
  * Add Web UI view to display the active challenges.
  * The issuer for the Google Authenticator app can be configured.
  * The LDAP machine resolver uses an LDAP server pool.
  * The LDAP user resolver returns a list of mobile numbers.

  Fixes
  * The test email for the email token now has a sent date.
  * Fix problem when using encrypted encryption key.
  * Fix upper case problem when logging in to web UI
    with REMOTE_USER.
  * Fix allow set an empty PIN in the web UI.
  * Fix import of token file in Web UI.

Version 2.8, 2015-11-26

  Features
  * Improve U2F support with trusted facets
  * Add Challenge Response and U2F support to SAML
  * Add Web UI theming
  * Add possibility to use REMOTE_USER for authentication at Web UI
  * Fuzzy Authentication: restrict time since last authentication

  Enhancements
  * Allow mangle policy when fetching ssh keys
  * Add realm support to ownCloud plugin
  * Support Drupal passwords in SQL resolver
  * Add validity period to token enrollment
  * Set default enrollment token type in Web UI
  * Add scope to LDAP resolver

  Fixes
  * Fix failcounter reset for challenge response tokens
  * Fix confusing DB errors (column exist) during installation
  * Fix email token TLS checkbox saving
  * Fix TOTP testing in Web UI
  * Fix SMS config loading in Web UI


Version 2.7, 2015-10-03

  Features
  * Add support for U2F tokens
  * Add signature to the API JSON response. Thus
    the client can verify the response.

  Enhancements
  * When importing tokens, a realm can be chosen, so that all imported
    tokens are immediately inserted into this realm.
  * The user is able to change his password in the WebUI.
  * The user can assign a token in the WebUI.
  * Avoid the requiring of a PIN for some tokentypes like SSH
  * Migrate to pymysql, the pure python mysql implementation
  * The Audit Log tells if a previous OTP value was used again.

  Fixes
  * Enable login to WebUI with a loginname containing an @ sign.
  * Fix the writing of logfile privacyidea.log

Version 2.6, 2015-09-09

  Features
  * Add OCRA base TiQR token to authenticate by scanning
    a QR code.
  * Add Challenge Response authentication to Web UI
  * Add 4-Eyes token, to enable two man policy. Two tokens
    of two users are needed to authenticate.
  * "Revoke Token" lets you perform special action on token types.
    Tokens can be revoke, meaning they are blocked an can not
    be unblocked anymore.

  Enhancements
  * Add HA information in the documentation.
  * Add OpenVPN documentation.
  * Add challenge response policy, to define if e.g. HOTP or TOTP are 
    allowed to be used in challenge response mode.
  * Add hotkeys for easier use of Web Ui.
  * Remove wrong system wide PassOnNoUser and PassOnNoToken.
  * Set default language to "en" in Web UI.

  Fixes
  * Fix LDAP bug #179, which allows authentication with
    wrong password under certain conditions
  * Small fixes in coverage tests
  * Fix username in web UI during enrollment
  * Fix link to privacyIDEA logo in Web UI
  * Fixed bug, that user was not able to resync his own tokens.


Version 2.5, 2015-07-23
  Features
  * Add statistics
  * Add German translation
  * Add PinHandler in case of random PIN used
  * Add automatic documentation of system setup
  * Add ownCloud plugin
  
  Enhancements
  * Preset Email and SMS of a user when enrolling token
  * Enable LDAP anonymous bind
  * Add Hashalgorithms and digits to QR Code
  * Add support for CentOS 6 and 7
  
  Fixes
  * Fix registration token
  * Fix mOTP reuse problem

Version 2.4, 2015-06-24

  * Add User Management
  * Add Admin Realms to policies, to allow better policies in bigger setups
  * Add API key, that can be used for accessing /validate/check
  * Load PSKC Token seed files.
  * Add more sophisticated logging. Severe errors via Email
  * WebUI: Registrtion token can be enrolled in WebUI
  * WebUI: The token seed can be displayed in WebUI after generation
  * WebUI: Only the token types that are allowed to be enrolled are displayed
  * WebUI: Login_Mode Policy: Disable access to WebUI for certain users
  * WebUI: Add reload button in Audit view
  * SQLResolver: The Where statement is used in all cases
  * SSH-Token Application: Only fetch keys of the requested user
  * Apache client can work with several hosts on one machine
  * Documentation: Tokentypes and Supported Hardware Tokens
  * Improve RADIUS module
  * WebUI: Fix download of audit log
  * Fix missing access right of user to GET /caconnector


Version 2.3, 2015-05-22

  * Add connector to remote Certificate Authority
  * Add Tokentype "certificate" to manage certificates for users
    Certificates or Certificate Requests can be uploaded.
    Certificate Requests (Keypair) can be generated in the browser.
  * Add Tokentype "registration" for easier enrollment scenarios.
  * Add TokenType "Email" to send OTP via Email.
  * Add "First Steps" to online documentation
  * Add handling of validity period of token
  * Enable download of Audit log as CSV
  * Add Resolver Priority, to handle a duplicate user in a realm
  * Add TYPO3 Plugin to enable OTP with TYPO3
  * Add SCIM Resolver to fetch users from SCIM services
  * Fix Failcounter issue
  * Fix NTLM password check
  * Fix timestep during enrollment

Version 2.2, 2015-04-09

  * pi-manage.py: create resolvers and realms
  * pi-manage.py: manage policies
  * Add LostToken UI
  * Add Offline Application
  * Add PAM authentication module with offline support
  * Add getSerialByOTP. You can determine the Token by providing an OTP value.
  * Add auth_count_max and auth_success_max for each token.
  * Add PIN encryption policy
  * Add API for SAML
  * Add bash script for ssh key fetching
  * Make WebUI logout time configurable via webui policy.
  * Add NTLM authentication to the LDAP resolver.


Version 2.1, 2015-03-10

  * Add Machine-Application framework to support LUKS and SSH
    to manage SSH keys and provide Yubikeys to boot LUKS
    encrypted machines. #100, #10
  * Add Machine Resolvers for hosts and LDAP/AD #96
  * Migrate more policies like SMS policies. #95
  * Restructure WebUI code to ease development #97
  * Fix logout problem of user #92
  * Fix user list for AD (referrals) #99
  * Fix max_token_per_user policy #101


Version 2.0, 2015-02-21

  * Migrate privacyIDEA to Flask Web framework
  * The WebUI was migrated to bootstrap and angularJS
  * The database model was restructered to allow an easier handling and
    programming
  * Use the pi-manage.py tool to migrate old data
  * provide ubuntu packages for privacyidea base package and
    privacyidea-apache2 and privacyidea-nginx
  * provide pi-manage.py tool to manage the installation and create new admins.
  * policies are restructered. Internally the policies now use decorators to
    have a minimum code impact. No all policies are migrated, yet.
  * OCRA token and Email token is not migrated, yet.


Version 1.5.1, 2015-01-12

  * Fix splitting the @-sign to allow users like user@email.com@realm1


Version 1.5, 2014-12-25

  * Fix the postinstall script for not broken repoze.who
  * adapt the dependency for python webob
  * add fix for users in policies.
  * Working on #61
  * Closing #63, allow upper and lower case DN in LDAP resolver
  * Fix the empty result audit search problem
  * Fix the port problem with SQL resolver


Version 1.4, 2014-10-06

  * Add "wrong password" message on login screen
  * Add simplesamlphp module and deb package
  * Add helper dialog to easily setup first realm
  * Add QR enrollment of mOTP token (Token2)
  * Add admin/checkserial policy
  * Add help on logon screen
  * Fixed the session timeout bug in the management UI


Version 1.3.2, 2014-09-22

 * Add uwsgi and nginx configuration
 * Add nginx package
 * Add meta packages to easily install radius dependencies. (#33)
 * Add package for appliance
 * Add appliance style: privacyidea-setup-tui
 * Add privacyidea-otrs and remove the authmodules from the
   core package
 * Add first implementation of Token2 token type
 * Change depend in builddepend
 * Add missing SSL certificate
 * Add missing python-dialog dependency
 * Remove pylons download link, that caused timeout problems.

Version 1.3, 2014-08-18

 * add support for Daplug dongle in keyboard mode
 * Allow login with admin@realm, even with RealmBox.  (#26)
 * inactive tokens will not work with the machine-app
 * Added MachineUser database model
 * PEP8 beautify
 * Add about dialog
 * added recommends for mysql and salt

Version 1.2, 2014-07-15

 * added application for machines like LUKS and SSH
 * send SMS via sipgate
 * add RADIUS support
 * SQL audit janitor
 * improved SMS provider UI
 * added possibility to do basic authentication instead of session auth.

Version 1.1, 2014-06-25

 * Added documentation and in-UI-context-help.:q
 * Fixed the token config to be filled with sensible data, so 
   that you do not need to configure ALL token types.
 * Added script to clean up old audit logs.