2. What's new

This section contains overview of important changes for released versions of Spring SAML.

2.1 New features, improvements and fixes in 1.0.1.FINAL

Version 1.0.1.FINAL is fully backwards compatible with 1.0.0.FINAL and contains the following changes:

  • Added support for Spring Security 4.0

  • Added integration guide with Okta

  • MaxAuthenticationAge time supports longer expiration times than 21 days

  • Deployment without JKS keystore is now supported

  • Service provider can now define multiple assertion consumer endpoints with same binding

  • Minor fixes and documentation improvements

2.2 New features, improvements and fixes in 1.0.0.FINAL

Final release is not directly compatible with the previous RC versions, please make sure to migrate your code based on guidelines and changes below:

  • Metadata signing now supports custom keyInfoGenerator and signingAlgorithm, signing can be enable per-entity

  • SAMLContextProvider has new customization possibilities for PKIXTrustEvaluator, PKIXInformationResolver and MetadataResolver

  • CertPathPKIXTrustEvaluator supports customization of security provider and explicit validation of certification path

  • MetadataCredentialResolver can be configured to load data from XML metadata and/or ExtendedMetadata

  • PKIXInformationResolver has an extension point for population of CRLs

  • Improvements to logging and error handling, profile implementations now throw exceptions which are logged inside filter objects and fail with ServletExceptions, sample application newly shows handling of these errors

  • Used OpenSAML version was updated to 2.6.1

  • SAMLDefaultLogger now logs additional information such as NameID

  • Enabled propagation of defaults (e.g. ProxySettings) set in the HttpClient object for ArtifactResolution

  • JKSKeyManager now supports keystores without password

  • SAMLContextProviderLB now supports empty contextPath and includes pathInfo data for requests

  • Entity ID and EntityDescriptor ID can now be set separately in MetadataGenerator

  • ECP now takes precedence over discovery in SAMLEntryPoint

  • Signing of local metadata is now done before displaying, this enables manual modifications to metadata in local files

  • ArtifactResolutionProfileImpl now support customization of used SocketFactory through extensions

  • ID in generated metadata is now automatically created when null, ID is based on entityID cleaned in order to conform to xsd:ID (and xsd:NCName) type, EntityID is cleaned by replacing all illegal characters by underscores

  • Support for hostname verification in artifact resolution

  • Completed documentation

  • Possibility to exclude the SAML Credential from the Authentication object

  • Disabled deferred node expansion for ParserPool which improves performance in parsing of small XML documents

  • HttpSessionStorage is now cleared after successful reception of a message in order to save memory

  • Possibility to include attributes from only the authenticated Assertion, or from all

  • New socket factory for trust verification during loading of metadata from HTTPS

  • Possibility to disable support for IDP-initialized SSO

  • Usage of metadata alias is now optional

  • New look and feel of the sample application

  • Cleanup of duplicate values in MetadataGenerator and ExtendedMetadata

  • SAMLCredential now contains facility methods for handling of String SAML attributes

2.3 Important code changes in 1.0.0.FINAL

Below is an overview of major code and structure changes since Spring SAML 1.0 RC2 with possible effect on backwards compatibility.

Module names

  • module saml2-core was renamed to core, jar and maven artifact names stay the same

  • module saml2-sample was renamed to sample, jar and maven artifact names stay the same

  • module src was renamed to docs, jar and maven artifact names stay the same

Descriptor securityContext.xml

  • file saml2-sample/src/main/resources/security/securityContext.xml was moved to sample/src/main/webapp/WEB-INF/securityContext.xml

  • administration part of the UI is now secured with username/password

  • updated initialization of ParserPool to disable defer node expansion

  • HttpClient in ArtifactResolution was made thread safe

  • added new failure handler (failureRedirectHandler)

  • MetadataGenerator bean now demonstrates usage of ExtendedMetadata

  • FilesystemMetadataProvider was replaced with ResourceBackedMetadataProvider

  • file sample/src/main/resources/security/idp.xml was moved to sample/src/main/resources/metadata/idp.xml


  • throws SAMLException instead of CredentialExpiredException on check of artifact response issue instant


  • storage is now cleared on successful message reception


  • new mandatory property KeyManager (autowired)


  • generated metadata is no longer signed by default (enable in ExtendedMetadata.signMetadata) and has disabled IDP discovery (enable in ExtendedMetadata.includeDiscovery)

  • the following fields were moved from MetadataGenerator to ExtendedMetadata:

    • entityAlias -> alias

    • signMetadata -> signMetadata

    • signingKey -> signingKey

    • encryptionKey -> encryptionKey

    • tlsKey -> tlsKey

    • includeDiscovery -> idpDiscoveryEnabled

    • customDiscoveryURL -> idpDiscoveryURL

    • customDiscoveryResponseURL -> idpDiscoveryResponseURL

  • removed methods signSAMLObject (moved to SAMLUtil) and getKeyInfoGeneratorName (moved to ExtendedMetadata)

  • by default the first binding is now HTTP-POST instead of HTTP-Artifact, endpoint for Web SSO no longer includes PAOS binding, set property bindingsSSO with values "artifact", "post", "paos" for backwards compatibility

  • by default endpoints for Web SSO holder of key are no longer included, set property bindingsHoKSSO with values "artifact" and "post" for backwards compatibility

  • by default MetadataGeneratorFilter no longer sets property entityAlias to value defaultAlias, set the value manually for backwards compatibility


  • property forcePrincipalAsString is now set to true by default


  • method getAttributeByName was renamed to getAttribute


  • fails with ServletException instead of SAMLRuntimeException


  • throws ServletException on errors during acceptance of LogoutRequest instead of SAMLRuntimeException


  • removed unused getDefaultBinding method


  • sendLogoutResponse signature changed

  • changed error handling, throws SAMLStatusException which is handled by Filter, logged and sends a SAML Response


  • throws SAMLException instead of SAMLRuntimeException on missing data in context


  • new property includeAllAttributes, set to true for original behavior

  • throws SAMLException instead of CredentialExpiredException on check of response issue instant and assertion issue instant