This section contains overview of important changes for released versions of Spring SAML.
Version 1.0.1.FINAL is fully backwards compatible with 1.0.0.FINAL and contains the following changes:
Added support for Spring Security 4.0
Added integration guide with Okta
MaxAuthenticationAge time supports longer expiration times than 21 days
Deployment without JKS keystore is now supported
Service provider can now define multiple assertion consumer endpoints with same binding
Minor fixes and documentation improvements
Final release is not directly compatible with the previous RC versions, please make sure to migrate your code based on guidlines and changes below:
Metadata signing now supports custom keyInfoGenerator and signingAlgorithm, signing can be enable per-entity
SAMLContextProvider has new customization possibilities for PKIXTrustEvaluator, PKIXInformationResolver and MetadataResolver
CertPathPKIXTrustEvaluator supports customization of security provider and explicit validation of certification path
MetadataCredentialResolver can be configured to load data from XML metadata and/or ExtendedMetadata
PKIXInformationResolver has an extension point for population of CRLs
Improvements to logging and error handling, profile implementations now throw exceptions which are logged inside filter objects and fail with ServletExceptions, sample application newly shows handling of these errors
Used OpenSAML version was updated to 2.6.1
SAMLDefaultLogger now logs additional information such as NameID
Enabled propagation of defaults (e.g. ProxySettings) set in the HttpClient object for ArtifactResolution
JKSKeyManager now supports keystores without password
SAMLContextProviderLB now supports empty contextPath and includes pathInfo data for requests
Entity ID and EntityDescriptor ID can now be set separately in MetadataGenerator
ECP now takes precedence over discovery in SAMLEntryPoint
Signing of local metadata is now done before displaying, this enables manual modifications to metadata in local files
ArtifactResolutionProfileImpl now support customization of used SocketFactory through extensions
ID in generated metadata is now automatically created when null, ID is based on entityID cleaned in order to conform to xsd:ID (and xsd:NCName) type, EntityID is cleaned by replacing all illegal characters by underscores
Support for hostname verification in artifact resolution
Completed documentation
Possibility to exclude the SAML Credential from the Authentication object
Disabled deferred node expansion for ParserPool which improves performance in parsing of small XML documents
HttpSessionStorage is now cleared after successful reception of a message in order to save memory
Possibility to include attributes from only the authenticated Assertion, or from all
New socket factory for trust verification during loading of metadata from HTTPS
Possibility to disable support for IDP-initialized SSO
Usage of metadata alias is now optional
New look and feel of the sample application
Cleanup of duplicate values in MetadataGenerator and ExtendedMetadata
SAMLCredential now contains facility methods for handling of String SAML attributes
Below is an overview of major code and structure changes since Spring SAML 1.0 RC2 with possible effect on backwards compatibility.
Module names
module saml2-core was renamed to core, jar and maven artifact names stay the same
module saml2-sample was renamed to sample, jar and maven artifact names stay the same
module src was renamed to docs, jar and mave artifact names stay the same
Descriptor securityContext.xml
file saml2-sample/src/main/resources/security/securityContext.xml was moved to sample/src/main/webapp/WEB-INF/securityContext.xml
administration part of the UI is now secured with username/password
updated initialization of ParserPool to disable defer node expansion
HttpClient in ArtifactResolution was made thread safe
added new failure handler (failureRedirectHandler)
MetadataGenerator bean now demonstrates usage of ExtendedMetadata
FilesystemMetadataProvider was replaced with ResourceBackedMetadataProvider
file sample/src/main/resources/security/idp.xml was moved to sample/src/main/resources/metadata/idp.xml
ArtifactResolutionProfileBase
throws SAMLException instead of CredentialExpiredException on check of artifact response issue instant
HttpSessionStorage
storage is now cleared on successful message reception
MetadataDisplayFilter
new mandatory property KeyManager (autowired)
MetadataGenerator
generated metadata is no longer signed by default (enable in ExtendedMetadata.signMetadata) and has disabled IDP discovery (enable in ExtendedMetadata.includeDiscovery)
the following fields were moved from MetadataGenerator to ExtendedMetadata:
entityAlias -> alias
signMetadata -> signMetadata
signingKey -> signingKey
encryptionKey -> encryptionKey
tlsKey -> tlsKey
includeDiscovery -> idpDiscoveryEnabled
customDiscoveryURL -> idpDiscoveryURL
customDiscoveryResponseURL -> idpDiscoveryResponseURL
removed methods signSAMLObject (moved to SAMLUtil) and getKeyInfoGeneratorName (moved to ExtendedMetadata)
by default the first binding is now HTTP-POST instead of HTTP-Artifact, endpoint for Web SSO no longer includes PAOS binding, set property bindingsSSO with values "artifact", "post", "paos" for backwards compatibility
by default endpoints for Web SSO holder of key are no longer included, set property bindingsHoKSSO with values "artifact" and "post" for backwards compatibility
by default MetadataGeneratorFilter no longer sets property entityAlias to value defaultAlias, set the value manually for backwards compatibility
SAMLAuthenticationProvider
property forcePrincipalAsString is now set to true by default
SAMLCredential
method getAttributeByName was renamed to getAttribute
SAMLDiscovery
fails with ServletException instead of SAMLRuntimeException
SAMLLogoutProcessingFilter
throws ServletException on errors during acceptance of LogoutRequest instead of SAMLRuntimeException
SAMLUtil
removed unused getDefaultBinding method
SingleLogoutProfileImpl
sendLogoutResponse signature changed
changed error handling, throws SAMLStatusException which is handled by Filter, logged and sends a SAML Response
WebSSOProfileImpl
throws SAMLException instead of SAMLRuntimeException on missing data in context
WebSSOProfileConsumerImpl
new property includeAllAttributes, set to true for original behavior
throws SAMLException instead of CredentialExpiredException on check of resposne issue instant and assertion issue instant