
Releases: tngan/samlify

v2.5.0-rc2

22 Feb 16:56
Pre-release

Release note

  • Add node-xmllint to be one of the validator options #238 (@step4)
  • Bump version of xml-crypto and fix corresponding broken tests #244 (@lpamlie)
  • Upgrade devDependencies

v2.5.0-rc1

12 Jan 18:41
Pre-release

Starting from v2.5, you can choose between different schema validators in production environments; we support javac and libxml right now. You select the validator through an environment variable when you install samlify in your project, for example:

> SAML_VALIDATOR=libxml yarn add samlify

The official release of v2.5.0 will ship together with passify/react-samlify, an example repository integrated with the Okta identity provider.

Happy hacking.

v2.4.2

29 Dec 02:44

Release note

  • Remove module redundancy for camel case implementation
  • Fix singleLogoutService format in metadata #230 (@LynnZeng)
  • Allow validating SAML responses without network connection #229 (@blackentropy)
  • Proper fix of inclusion of certificate in response #223 #231

v2.4.1

13 Nov 14:13

Release Note

v2.4.0

20 Oct 14:45

Release note

This release includes all issues resolved in the previous six release candidates. We are also happy to ship the example repository react-samlify, which is written in React and TypeScript and bundled with webpack.

⚠️⚠️⚠️⚠️⚠️⚠️⚠️
We recommend that users upgrade to v2.4.0 because it includes an important security patch that mitigates a potential signature wrapping attack reported by webtonull.

Resolved Issues

  • Make the use attribute of the KeyDescriptor node optional, according to the standard. #222
  • Customize transformation algorithm list used to sign AuthnRequest #220
  • Restrict xsd validation to SAML request #123
  • Fix test case for assertion + message signature and upgrade xml-crypto #219
  • Fix invalid AuthnRequest and LogoutRequest #218
  • Standardize error messages #126
  • Validates issuer in logout and login response #111
  • Enhance the stability of build #200
  • Huge code refactor for the extractor and genericParser function
  • Separate implementation and test suite for the extractor
  • Detect potential wrapping signature attack
  • Modify schema file to get rid of libxml2 limitation #198 (Thanks @rastko-florencehc)
  • PR: Specify schema directory instead of changing process directory (#195) (@lselden)
  • #202 Tags replacement for logout request (credits to @franklinjjeng)
  • #194 Fix verifyTime function (credits to @hyronx)
  • #189 Upgrade the dev dependencies to fix the reported vulnerability
  • #193 Remove the postinstall hook
  • Delegate to Java runtime library to do schema validation (credits to @nikku)

v2.4.0-rc6

17 Oct 06:38
Pre-release

Release note

  • Restrict xsd validation to SAML request #123
  • Fix test case for assertion + message signature and upgrade xml-crypto #219
  • Fix invalid AuthnRequest and LogoutRequest #218
  • Standardize error messages #126

v2.4.0-rc5

06 Oct 06:40
Pre-release

Release note

This is a minor release that fixes the test environment and test suite.

  • Validates issuer in logout and login response #111
  • Enhance the stability of build #200

v2.4.0-rc4

26 Sep 23:21
Pre-release

Why skip v2.4.0-rc3

Some xsd schema files were missing when I published it to npm; however, npm doesn't allow me to force-publish the same version. Therefore, I bumped the version to v2.4.0-rc4 and republished it.

Release note

  • Huge code refactor for the extractor and genericParser function
  • Separate implementation and test suite for the extractor
  • Detect potential wrapping signature attack
  • Modify schema file to get rid of libxml2 limitation #198 (Thanks @rastko-florencehc)
  • PR: Specify schema directory instead of changing process directory (#195) (@lselden)

Changes

The changes in this release might break your implementation of response extraction: the extracted property names are now camelCase. For example, extract.nameid becomes extract.nameID.

const { samlContent, extract } = await sp.parseLoginResponse(idp, 'post', { body: { SAMLResponse } });

// all the extracted properties are now in camelCase instead of lowercase, e.g.
// extract.nameID
// extract.response.id
// extract.response.inResponseTo
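As an added example (not part of samlify or these release notes), the following shows the kind of post-processing a service provider should run on the camelCase extract object once parseLoginResponse has returned it: matching response.inResponseTo against an AuthnRequest the SP actually issued, rejecting replayed response ids, and enforcing a request age limit. The in-memory pendingRequests/seenResponseIds stores, the checkExtract helper and the sample extract objects are assumptions constructed for this example; only the property names (nameID, response.id, response.inResponseTo) come from the release note above.

```javascript
// Added example, not part of the samlify project.
// Validates the camelCase `extract` object returned by sp.parseLoginResponse()
// from v2.4.0-rc4 on (extract.nameID, extract.response.id, extract.response.inResponseTo).

// Hypothetical stores. A real SP would back these with its session store or a cache.
const pendingRequests = new Map(); // AuthnRequest id -> issuedAt (ms since epoch)
const seenResponseIds = new Set(); // response ids already accepted (replay guard)

// Record the id of an AuthnRequest this SP just sent to the IdP.
function issueRequestId(id, now = Date.now()) {
  pendingRequests.set(id, now);
}

// Returns { ok: true, nameID } when the extract is acceptable,
// otherwise { ok: false, reason } naming the first failed check.
function checkExtract(extract, { now = Date.now(), maxAgeMs = 5 * 60 * 1000 } = {}) {
  const response = extract && extract.response;
  if (!response || typeof response.id !== 'string' || !response.id) {
    return { ok: false, reason: 'missing response id' };
  }
  if (seenResponseIds.has(response.id)) {
    return { ok: false, reason: 'replayed response id' };
  }
  // Unsolicited (IdP-initiated) responses carry no InResponseTo; this SP rejects them.
  if (typeof response.inResponseTo !== 'string' || !response.inResponseTo) {
    return { ok: false, reason: 'missing inResponseTo' };
  }
  const issuedAt = pendingRequests.get(response.inResponseTo);
  if (issuedAt === undefined) {
    return { ok: false, reason: 'unknown inResponseTo' };
  }
  if (now - issuedAt > maxAgeMs) {
    pendingRequests.delete(response.inResponseTo);
    return { ok: false, reason: 'request expired' };
  }
  // nameID is assumed here to be extracted as a plain string.
  if (typeof extract.nameID !== 'string' || !extract.nameID) {
    return { ok: false, reason: 'missing nameID' };
  }
  // One response per request: consume the request id and remember the response id.
  pendingRequests.delete(response.inResponseTo);
  seenResponseIds.add(response.id);
  return { ok: true, nameID: extract.nameID };
}

// Usage with samlify would be:
//   const { extract } = await sp.parseLoginResponse(idp, 'post', { body: { SAMLResponse } });
//   const result = checkExtract(extract);
// Below, a constructed extract object stands in for the parsed response.
issueRequestId('_req-constructed-1', 1000);
const sampleExtract = {
  nameID: 'alice@example.test',
  response: { id: '_resp-constructed-1', inResponseTo: '_req-constructed-1' },
};
console.log(checkExtract(sampleExtract, { now: 2000 })); // { ok: true, nameID: 'alice@example.test' }
```

The checks run after samlify's own signature and schema validation, not instead of it; they close the gap between "this response is validly signed by the IdP" and "this response answers a request we made and has not been seen before".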

Remarks: regarding the detection of the potential signature wrapping attack, we will publish an announcement with HackerOne next week disclosing the full story. The announcement will also include the roadmap for the v2.4 release.

v2.4.0-rc2

22 Aug 17:01
Pre-release

Release note

  • #202 Tags replacement for logout request (credits to @franklinjjeng)
  • #194 Fix verifyTime function (credits to @hyronx)

v2.4.0-rc1

25 Jul 17:50
Pre-release

Release Note

This is a pre-release version. We aim to make samlify installable across different platforms. After v2.3, we introduced a schema validation check for the response, as most SAML libraries do. However, it also caused a list of issues reported in this discussion thread (#129). Therefore, starting from v2.4.0, we delegate the schema check to the Java runtime. We won't release v2.4 until it has been well tested.

For those who are using samlify in production, you can keep using [email protected] until we release v2.4.0. We expect several more release candidates.

Included in this rc1 version:

  • #189 Upgrade the dev dependencies to fix the reported vulnerability
  • #193 Remove the postinstall hook
  • Delegate to Java runtime library to do schema validation (credits to @nikku)