2. What's new

This section contains an overview of important changes since Spring SAML 1.0 RC2 and highlights changes which might affect backwards compatibility.

2.1 New features, improvements and fixes

Below is an overview of major changes since Spring SAML 1.0 RC2.

  • Metadata signing now supports a custom keyInfoGenerator and signingAlgorithm; signing can be enabled per entity

  • SAMLContextProvider has new customization possibilities for PKIXTrustEvaluator, PKIXInformationResolver and MetadataResolver

  • CertPathPKIXTrustEvaluator supports customization of security provider and explicit validation of certification path

  • MetadataCredentialResolver can be configured to load data from XML metadata and/or ExtendedMetadata

  • PKIXInformationResolver has an extension point for population of CRLs

  • Improvements to logging and error handling: profile implementations now throw exceptions which are logged inside the filter objects and fail with ServletExceptions; the sample application now shows how to handle these errors

  • The OpenSAML version in use was updated to 2.6.1

  • SAMLDefaultLogger now logs additional information such as NameID

  • Enabled propagation of defaults (e.g. ProxySettings) set in the HttpClient object for ArtifactResolution

  • JKSKeyManager now supports keystores without password

  • SAMLContextProviderLB now supports empty contextPath and includes pathInfo data for requests

  • Entity ID and EntityDescriptor ID can now be set separately in MetadataGenerator

  • ECP now takes precedence over discovery in SAMLEntryPoint

  • Local metadata is now signed just before it is displayed, which enables manual modifications to metadata in local files

  • ArtifactResolutionProfileImpl now supports customization of the SocketFactory in use through extensions

  • The ID in generated metadata is now created automatically when null; it is derived from the entityID, which is cleaned to conform to the xsd:ID (and xsd:NCName) type by replacing all illegal characters with underscores

  • Support for hostname verification in artifact resolution

  • Completed documentation

  • Possibility to exclude the SAML Credential from the Authentication object

  • Disabled deferred node expansion for ParserPool, which improves performance when parsing small XML documents

  • HttpSessionStorage is now cleared after successful reception of a message in order to save memory

  • Possibility to include attributes only from the authenticated Assertion, or from all Assertions

  • New socket factory for trust verification during loading of metadata from HTTPS

  • Possibility to disable support for IDP-initialized SSO

  • Usage of metadata alias is now optional

  • New look and feel of the sample application

  • Cleanup of duplicate values in MetadataGenerator and ExtendedMetadata

  • SAMLCredential now contains convenience methods for handling String SAML attributes
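The entity ID clean-up described in the feature list above, as an added illustration that is not Spring SAML's own code: only ASCII letters, digits, '.', '-' and '_' are kept and every other character becomes an underscore. Because an xsd:NCName may not start with a digit, '.' or '-', this example additionally prefixes an underscore in that case; the text above describes only the character replacement, so that detail is this example's choice, and the library's exact rules may differ.

```java
// Added example, not taken from Spring SAML: derives an xsd:ID / xsd:NCName
// conformant identifier from an entity ID by replacing illegal characters
// with underscores. The NCName character classes are simplified to ASCII.
public final class NCNameIds {

    private NCNameIds() {
    }

    // Characters allowed at the start of an NCName (ASCII subset): letters and '_'.
    private static boolean isNameStart(char c) {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || c == '_';
    }

    // Characters allowed anywhere else in an NCName (ASCII subset).
    private static boolean isNameChar(char c) {
        return isNameStart(c) || (c >= '0' && c <= '9') || c == '.' || c == '-';
    }

    /**
     * Returns an NCName-conformant identifier derived from the given entity ID.
     * Every character that is not legal inside an NCName is replaced by '_';
     * if the first character cannot start an NCName, a leading '_' is added
     * (an assumption of this example, not a rule stated on the page).
     */
    public static String toNCName(String entityId) {
        if (entityId == null || entityId.isEmpty()) {
            throw new IllegalArgumentException("entityId must not be empty");
        }
        StringBuilder sb = new StringBuilder(entityId.length() + 1);
        for (int i = 0; i < entityId.length(); i++) {
            char c = entityId.charAt(i);
            sb.append(isNameChar(c) ? c : '_');
        }
        if (!isNameStart(sb.charAt(0))) {
            sb.insert(0, '_');
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample entity IDs: a URN, an HTTPS URL and one starting with a digit.
        String[] samples = {
            "urn:example:sp",
            "https://sp.example.org/saml/metadata",
            "1st:sp"
        };
        for (String id : samples) {
            System.out.println(id + " -> " + toNCName(id));
        }
    }
}
```

Deriving the ID deterministically from the entityID means the same entity always produces the same document ID, which keeps a manually signed copy of the metadata and a freshly generated one comparable.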

2.2 Important code changes

Below is an overview of major code and structure changes since Spring SAML 1.0 RC2 which may affect backwards compatibility.

Module names

  • module saml2-core was renamed to core, jar and maven artifact names stay the same

  • module saml2-sample was renamed to sample, jar and maven artifact names stay the same

  • module src was renamed to docs, jar and maven artifact names stay the same

Descriptor securityContext.xml

  • file saml2-sample/src/main/resources/security/securityContext.xml was moved to sample/src/main/webapp/WEB-INF/securityContext.xml

  • administration part of the UI is now secured with username/password

  • updated initialization of ParserPool to disable deferred node expansion

  • HttpClient in ArtifactResolution was made thread safe

  • added new failure handler (failureRedirectHandler)

  • MetadataGenerator bean now demonstrates usage of ExtendedMetadata

  • FilesystemMetadataProvider was replaced with ResourceBackedMetadataProvider

  • file sample/src/main/resources/security/idp.xml was moved to sample/src/main/resources/metadata/idp.xml

ArtifactResolutionProfileBase

  • throws SAMLException instead of CredentialExpiredException when checking the artifact response issue instant

HttpSessionStorage

  • storage is now cleared on successful message reception

MetadataDisplayFilter

  • new mandatory property KeyManager (autowired)

MetadataGenerator

  • generated metadata is no longer signed by default (enable in ExtendedMetadata.signMetadata) and has IDP discovery disabled (enable in ExtendedMetadata.idpDiscoveryEnabled)

  • the following fields were moved from MetadataGenerator to ExtendedMetadata (MetadataGenerator name -> ExtendedMetadata name):

    • entityAlias -> alias

    • signMetadata -> signMetadata

    • signingKey -> signingKey

    • encryptionKey -> encryptionKey

    • tlsKey -> tlsKey

    • includeDiscovery -> idpDiscoveryEnabled

    • customDiscoveryURL -> idpDiscoveryURL

    • customDiscoveryResponseURL -> idpDiscoveryResponseURL

  • removed methods signSAMLObject (moved to SAMLUtil) and getKeyInfoGeneratorName (moved to ExtendedMetadata)

  • by default the first binding is now HTTP-POST instead of HTTP-Artifact, and the endpoint for Web SSO no longer includes the PAOS binding; set property bindingsSSO with values "artifact", "post", "paos" for backwards compatibility

  • by default endpoints for Web SSO holder of key are no longer included; set property bindingsHoKSSO with values "artifact" and "post" for backwards compatibility

  • by default MetadataGeneratorFilter no longer sets property entityAlias to the value defaultAlias; set the value manually for backwards compatibility
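As an added example, not taken from the Spring SAML reference or its sample application, the following Spring Java configuration wires up the MetadataGenerator after the changes listed above: the properties that moved to ExtendedMetadata are set there, and the binding and alias settings restore the RC2 defaults for a deployment that depends on them. The sample application defines the same beans in XML in securityContext.xml; the entity ID, alias, key names and discovery URLs below are placeholders.

```java
// Added example, not part of Spring SAML or its sample application.
// Spring Java configuration equivalent of the MetadataGenerator bean after the
// 1.0 changes: moved properties live on ExtendedMetadata, and bindingsSSO /
// bindingsHoKSSO / alias restore the RC2 behaviour where it is still wanted.
import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.MetadataGenerator;
import org.springframework.security.saml.metadata.MetadataGeneratorFilter;

@Configuration
public class MetadataGeneratorConfig {

    @Bean
    public ExtendedMetadata extendedMetadata() {
        ExtendedMetadata extended = new ExtendedMetadata();
        // Former MetadataGenerator.entityAlias. MetadataGeneratorFilter no longer
        // fills it in, so set it explicitly when endpoint URLs rely on the alias.
        extended.setAlias("defaultAlias");
        // Generated metadata is unsigned by default now; opt back in here so the
        // IDP can verify the document's integrity.
        extended.setSignMetadata(true);
        // Former signingKey / encryptionKey / tlsKey. Values are aliases of
        // entries in the configured JKSKeyManager (placeholder names).
        extended.setSigningKey("sp-signing-key");
        extended.setEncryptionKey("sp-encryption-key");
        extended.setTlsKey("sp-tls-key");
        // Former includeDiscovery / customDiscoveryURL / customDiscoveryResponseURL.
        // Discovery is disabled by default now; placeholder URLs.
        extended.setIdpDiscoveryEnabled(true);
        extended.setIdpDiscoveryURL("https://sp.example.org/saml/discovery");
        extended.setIdpDiscoveryResponseURL("https://sp.example.org/saml/login");
        return extended;
    }

    @Bean
    public MetadataGenerator metadataGenerator() {
        MetadataGenerator generator = new MetadataGenerator();
        generator.setEntityId("urn:example:sp");          // placeholder entity ID
        generator.setExtendedMetadata(extendedMetadata());
        // Restore the RC2 binding order (HTTP-Artifact first) and the PAOS endpoint.
        generator.setBindingsSSO(Arrays.asList("artifact", "post", "paos"));
        // Restore the Holder-of-Key Web SSO endpoints that are now omitted by default.
        generator.setBindingsHoKSSO(Arrays.asList("artifact", "post"));
        return generator;
    }

    @Bean
    public MetadataGeneratorFilter metadataGeneratorFilter() {
        return new MetadataGeneratorFilter(metadataGenerator());
    }
}
```

Only enable the bindings a deployment actually uses: every binding listed in bindingsSSO becomes an advertised endpoint in the generated metadata, so leaving the new defaults in place keeps the published attack surface of the service provider smaller.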

SAMLAuthenticationProvider

  • property forcePrincipalAsString is now set to true by default

SAMLCredential

  • method getAttributeByName was renamed to getAttribute

SAMLDiscovery

  • fails with ServletException instead of SAMLRuntimeException

SAMLLogoutProcessingFilter

  • throws ServletException on errors during acceptance of LogoutRequest instead of SAMLRuntimeException

SAMLUtil

  • removed unused getDefaultBinding method

SingleLogoutProfileImpl

  • sendLogoutResponse signature changed

  • error handling changed: it now throws SAMLStatusException, which the filter catches, logs and answers with a SAML Response

WebSSOProfileImpl

  • throws SAMLException instead of SAMLRuntimeException on missing data in context

WebSSOProfileConsumerImpl

  • new property includeAllAttributes, set to true for original behavior

  • throws SAMLException instead of CredentialExpiredException when checking the response issue instant and assertion issue instant