- Improve time management. Use DateTime/DateTimeZone classes.
- Escape error messages in debug mode
- Add an extra filter to the URL to be used on redirection
- #242 Document that SHA-1 must not be used
- #250 Fixed issue with IdPMetadataParser only keeping 1 certificate when multiple certificates of a single type were provided.
- #263 Fix incompatibility with ADFS on SLO. When the NameID Format in the php-saml settings is set to unspecified but the SAMLResponse carries no NameID Format, no NameID Format should be specified on the LogoutRequest.
- Be able to register future SP x509cert on the settings and publish it on SP metadata
- Be able to register more than 1 Identity Provider x509cert, linked with a specific use (signing or encryption)
- Support the ability to parse IdP XML metadata (remote url or file) and be able to inject the data obtained on the settings.
- Be able to get at the auth object the last processed ID
- Improve NameID Format support
- Reset errorReason attribute of the auth object after each Process method
- Validate serial number as string to work around libxml2 limitation
- Make the Issuer on the Response Optional
- Security update for signature validation on LogoutRequest/LogoutResponse (read more)
- #192 Added ability to configure DigestAlgorithm in settings
- #183 Fix strpos bug when decrypting assertions
- #186 Improve info on entityId validation Exception
- #188 Fixed issue with undefined constant of UNEXPECTED_SIGNED_ELEMENT
- Read ACS binding on AuthNRequest builder from settings
- Be able to relax Destination validation on SAMLResponses and let this attribute be empty with the 'relaxDestinationValidation' setting
- Implement a more specific exception class for handling some validation errors
- Minor changes on time validation/exceptions
- Add hooks to retrieve last-sent and last-received requests and responses
- Improve/Fix tests
- Add DigestAlgorithm support on addSign
- #177 Add error message for bad OneLogin_Saml2_Settings argument
This version includes a security patch that contains extra validations that will prevent signature wrapping attacks and other security improvements.
- Several security improvements:
  - Conditions element required and unique.
  - AuthnStatement element required and unique.
  - SPNameQualifier must match the SP EntityID
  - Reject saml:Attribute element with same "Name" attribute
  - Reject empty NameID
  - Require Issuer element. (Must match IdP EntityID).
  - Destination value can't be blank (if present must match ACS URL).
  - Check that the EncryptedAssertion element only contains 1 Assertion element.
  - Improve Signature validation process
- AttributeConsumingService support
- Support lowercase Urlencoding (ADFS compatibility).
- #154 getSelfHost no longer returns a port number
- #156 Use correct host on response destination fallback check
- #158 NEW Control usage of X-Forwarded-* headers
- Fix issue with buildRequestSignature. Added RelayState to the SignQuery only if it is not null.
- Add Signature Wrapping prevention Test
- Improve _decryptAssertion in order to take care of Assertions with problems with namespaces
- Improve documentation:
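The structural checks listed under "Several security improvements" above are the kind of validation that closes off signature-wrapping tricks: they are applied to the parsed document before any element is trusted, and the Assertion is located by an absolute path rather than by a bare search. The following is an added example written for this changelog, not php-saml's own code, showing those checks on a plaintext (unencrypted) Response with PHP's DOMDocument/DOMXPath. The entity IDs, ACS URL and sample Response are constructed for the example; the function names are hypothetical.

```php
<?php
// Added example, not php-saml code. Applies the changelog's structural checks
// to an unencrypted SAML Response. All IDs and URLs below are constructed.

const NS_SAMLP = 'urn:oasis:names:tc:SAML:2.0:protocol';
const NS_SAML  = 'urn:oasis:names:tc:SAML:2.0:assertion';

function loadSamlXml(string $xml): DOMDocument
{
    $prev = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET: no network access while parsing. LIBXML_NOENT is
    // deliberately not passed, so entities are not substituted.
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if (!$ok) {
        throw new InvalidArgumentException('Malformed XML');
    }
    return $doc;
}

/** Returns a list of violations; an empty list means every check passed. */
function checkResponseStructure(DOMDocument $doc, string $idpEntityId, string $spEntityId, string $acsUrl): array
{
    $errors = [];
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('samlp', NS_SAMLP);
    $xp->registerNamespace('saml', NS_SAML);
    $count = static fn(string $q): int => $xp->query($q)->length;
    $text  = static fn(string $q): string => (string) $xp->evaluate("string($q)");

    // Exactly one Assertion in the whole document, and it sits directly under the Response.
    if ($count('//saml:Assertion') !== 1 || $count('/samlp:Response/saml:Assertion') !== 1) {
        $errors[] = 'Response must contain exactly one Assertion, directly under the Response';
    }
    $a = '/samlp:Response/saml:Assertion';
    if ($count("$a/saml:Conditions") !== 1) {
        $errors[] = 'Conditions element is required and must be unique';
    }
    if ($count("$a/saml:AuthnStatement") !== 1) {
        $errors[] = 'AuthnStatement element is required and must be unique';
    }
    // Issuer is required on both Response and Assertion and must match the IdP EntityID.
    foreach (['/samlp:Response/saml:Issuer', "$a/saml:Issuer"] as $q) {
        if ($count($q) !== 1 || $text($q) !== $idpEntityId) {
            $errors[] = "Issuer at $q is missing or does not match the IdP EntityID";
        }
    }
    // Destination, if present, must be non-blank and equal to the ACS URL.
    if ($count('/samlp:Response/@Destination') === 1) {
        $dest = $text('/samlp:Response/@Destination');
        if ($dest === '' || $dest !== $acsUrl) {
            $errors[] = 'Destination is blank or does not match the ACS URL';
        }
    }
    $nameId = "$a/saml:Subject/saml:NameID";
    if ($count($nameId) !== 1 || trim($text($nameId)) === '') {
        $errors[] = 'Subject must carry exactly one non-empty NameID';
    } elseif ($count("$nameId/@SPNameQualifier") === 1 && $text("$nameId/@SPNameQualifier") !== $spEntityId) {
        $errors[] = 'SPNameQualifier does not match the SP EntityID';
    }
    // Reject a second saml:Attribute carrying the same Name.
    $seen = [];
    foreach ($xp->query("$a/saml:AttributeStatement/saml:Attribute") as $attr) {
        $name = $attr->getAttribute('Name');
        if (isset($seen[$name])) {
            $errors[] = "Duplicate saml:Attribute Name \"$name\"";
        }
        $seen[$name] = true;
    }
    return $errors;
}

// Constructed sample Response (no real IdP involved).
$good = <<<XML
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="https://sp.example.com/acs">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID SPNameQualifier="https://sp.example.com/metadata">alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z"/>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
XML;

$ids = ['https://idp.example.com/metadata', 'https://sp.example.com/metadata', 'https://sp.example.com/acs'];
$errors = checkResponseStructure(loadSamlXml($good), ...$ids);
echo empty($errors) ? "well-formed response: OK\n" : implode("\n", $errors) . "\n";

// Constructed variant with a second Conditions element: the uniqueness check reports it.
$dup = str_replace('<saml:AuthnStatement', '<saml:Conditions/><saml:AuthnStatement', $good);
echo implode("\n", checkResponseStructure(loadSamlXml($dup), ...$ids)), "\n";
```

Run it with `php example.php`; the first call prints `well-formed response: OK` and the second reports the duplicate Conditions element. These checks complement, rather than replace, XML signature verification: the absolute XPath and the document-wide Assertion count ensure the element whose signature is verified is the same one the attributes are read from.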