Releases: SAML-Toolkits/ruby-saml

0.8.3 (Feb 27, 2018)

  • Fix vulnerability CVE-2017-11428: process the text of XML nodes properly, ignoring comments, so that a comment embedded in a value such as the NameID no longer truncates it
  • Fix DigestMethod lookup bug #144
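
The truncation behind CVE-2017-11428, as an added Ruby example (not ruby-saml's own code): REXML keeps an XML comment as a separate child node, and exclusive canonicalization drops comments before the digest is computed, so a comment inserted inside the NameID text leaves the IdP's signature valid while REXML::Element#text returns only the text before the comment. The fragment below is constructed for the example.

```ruby
require 'rexml/document'

# Constructed fragment: an account registered at the IdP as "user@example.com.evil.com",
# with an XML comment placed right after "user@example.com".
NAME_ID_FRAGMENT = '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">' \
                   'user@example.com<!-- -->.evil.com</saml:NameID>'

# Vulnerable extraction: REXML::Element#text returns the value of the first Text child only,
# so everything after the comment is silently dropped and the SP sees "user@example.com".
def name_id_first_text_node(xml)
  REXML::Document.new(xml).root.text
end

# Corrected extraction: join every Text child. Comments are REXML::Comment nodes, not Text,
# so they are skipped and the full registered value survives.
def name_id_all_text_nodes(xml)
  REXML::Document.new(xml).root.texts.map(&:value).join
end

if __FILE__ == $PROGRAM_NAME
  puts "first text node: #{name_id_first_text_node(NAME_ID_FRAGMENT)}"
  puts "all text nodes : #{name_id_all_text_nodes(NAME_ID_FRAGMENT)}"
end
```

The same rule applies to every value read out of a signed document (Issuer, attribute values, status codes): read all text children, never just the first.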

1.6.1 (January 15, 2018)

  • #428 Fix a bug on IdPMetadataParser when parsing certificates
  • #426 Ensure Rails responds to logger

1.6.0 (November 27, 2017)

  • #418 Improve SAML message signature validation (HTTP-Redirect binding) by verifying against the original URL-encoded parameters instead of re-encoding the decoded ones, in order to avoid conflicts: URL-encoding is not canonical, and verification failures had been reported with ADFS
  • #420 Expose NameID Format on SloLogoutrequest
  • #423 Allow format_cert to work with chained certificates
  • #422 Use to_s for requested attribute value
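
What #418 changes, as an added Ruby example that is not ruby-saml code: in the HTTP-Redirect binding the signature covers the URL-encoded query parameters exactly as the sender encoded them. An SP that decodes the parameters and re-encodes them with its own encoder before verifying only succeeds when that encoder makes the same choices as the sender's. Here the sender encodes the space in RelayState as %20 (ERB::Util.url_encode) and the SP's re-encoder emits + (URI.encode_www_form_component), which is enough to break verification; the key, message and RelayState are constructed for the example, and the specific character is illustrative rather than a claim about what ADFS encodes differently.

```ruby
require 'openssl'
require 'zlib'
require 'erb'
require 'uri'

SIG_ALG = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
IDP_KEY = OpenSSL::PKey::RSA.new(2048)  # throwaway key generated for the example

# Constructed inputs. The space in RelayState is the character the two encoders disagree on.
LOGOUT_REQUEST = '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ' \
                 'ID="_lr1" Version="2.0" IssueInstant="2017-11-27T11:21:00Z"/>'
RELAY_STATE = '/app?next=home page'
SIGNED_PARAMS = %w[SAMLRequest RelayState SigAlg].freeze  # order fixed by the binding spec

# Raw DEFLATE without the zlib header, as the Redirect binding requires.
def raw_deflate(str)
  z = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS)
  out = z.deflate(str, Zlib::FINISH)
  z.close
  out
end

# Sender side: URL-encode each value, build the exact string to sign, sign it, append Signature.
def build_signed_query(msg, relay_state, key)
  values = {
    'SAMLRequest' => ERB::Util.url_encode([raw_deflate(msg)].pack('m0')),
    'RelayState'  => ERB::Util.url_encode(relay_state),   # encodes the space as %20
    'SigAlg'      => ERB::Util.url_encode(SIG_ALG)
  }
  signed = SIGNED_PARAMS.map { |k| "#{k}=#{values[k]}" }.join('&')
  sig = key.sign(OpenSSL::Digest.new('SHA256'), signed)
  "#{signed}&Signature=#{ERB::Util.url_encode([sig].pack('m0'))}"
end

# SP side. reencode: true is the old approach (decode, then re-encode with our own encoder);
# reencode: false verifies against the encoded values exactly as they arrived.
def verify_redirect(raw_query, pub_key, reencode:)
  raw = raw_query.split('&').map { |kv| kv.split('=', 2) }.to_h
  signed = SIGNED_PARAMS.map do |k|
    v = raw.fetch(k)
    v = URI.encode_www_form_component(URI.decode_www_form_component(v)) if reencode  # %20 becomes +
    "#{k}=#{v}"
  end.join('&')
  sig = URI.decode_www_form_component(raw.fetch('Signature')).unpack1('m0')
  pub_key.verify(OpenSSL::Digest.new('SHA256'), sig, signed)
end

if __FILE__ == $PROGRAM_NAME
  query = build_signed_query(LOGOUT_REQUEST, RELAY_STATE, IDP_KEY)
  puts "verify against raw encoded values: #{verify_redirect(query, IDP_KEY.public_key, reencode: false)}"
  puts "verify after decode and re-encode: #{verify_redirect(query, IDP_KEY.public_key, reencode: true)}"
end
```

The practical rule: slice the signed parameters out of the raw query string as received and never rebuild them from a decoded hash.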

1.5.0 (August 31, 2017)

  • #400 When validating a Signature, use the stored IdP certificate if the Signature contains no information about the certificate
  • #402 Fix validate_response_state, which rejected SAMLResponses when idp_cert_multi was used and neither idp_cert nor idp_cert_fingerprint was provided.
  • #411 Allow spaces in Base64 strings
  • #407 Improve IdpMetadataParser: raise an ArgumentError when the parse method receives a metadata string with no IDPSSODescriptor element.
  • #374 Support more than one level of StatusCode
  • #405 Support ADFS encrypted key (accept KeyInfo nodes without the ds namespace prefix)

1.4.3 (May 18, 2017)

  • Added SubjectConfirmation Recipient validation
  • #393 Implement IdpMetadataParser#parse_to_hash
  • Adapt the IdP XML metadata parser to handle multiple IdP certificates and to inject the parsed data into the settings.
  • Improve binding detection in the IdP metadata parser
  • #373 Allow metadata to be retrieved from a source containing data for multiple entities
  • Allow a future SP x509cert to be registered in the settings and published in the SP metadata
  • Allow more than one Identity Provider x509cert to be registered, each linked to a specific use (signing or encryption).
  • Improve regex to detect base64 encoded messages
  • Fix binding configuration example in README.md
  • Fix SLO request: correct NameQualifier/SPNameQualifier values.
  • Validate serial number as string to work around libxml2 limitation
  • Propagate isRequired on md:RequestedAttribute when generating SP metadata

1.4.2 (January 11, 2017)

  • Improve tests format
  • Fix nokogiri requirements based on ruby version
  • Only publish KeyDescriptor[use="encryption"] at SP metadata if security[:want_assertions_encrypted] is true
  • Be able to skip destination validation
  • Improve InResponseTo validation on SAMLResponses and LogoutResponses
  • [#354] Allow scheme and domain to match ignoring case
  • [#363] Add support for multiple requested attributes

1.4.1 (October 19, 2016)

  • #357 Add EncryptedAttribute support. Improve decrypt method
  • Allow multiple authn_context_decl_ref in settings
  • Allow options[:settings] to be a hash of Settings overrides in IdpMetadataParser#parse
  • Restore the issuers method

1.4.0 (October 13, 2016)

13 Oct 21:32
Compare
Choose a tag to compare
  • Several security improvements:
    • Conditions element required and unique.
    • AuthnStatement element required and unique.
    • SPNameQualifier must match the SP EntityID
    • Reject saml:Attribute elements that share the same "Name" attribute
    • Reject empty NameID
    • Require Issuer element (must match the IdP EntityID).
    • Destination value can't be blank (and, if present, must match the ACS URL).
    • Check that the EncryptedAssertion element only contains 1 Assertion element.
  • #335 Explicitly parse as XML and fix setting of Nokogiri options.
  • #345 Support multiple settings.auth_context
  • #342 Correct the usage of Mutex
  • #352 Support multiple AttributeStatement tags
  • More tests to prevent XML Signature Wrapping
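
The structural rules listed for this release, plus the SubjectConfirmation Recipient check added in 1.4.3, as an added Ruby example that is not ruby-saml's own validator: it walks a parsed Response with REXML XPath and reports every rule that fails. It assumes the signature has already been verified and the Assertion is in clear text (the EncryptedAssertion rule is a post-decryption check and is omitted). Both responses and the SETTINGS identifiers are constructed for the example; the good one passes, the bad one breaks seven rules (blank Destination, missing Issuer, two Conditions, empty NameID, foreign SPNameQualifier, foreign Recipient, duplicated Attribute Name). Requiring each of these elements to appear exactly once is what makes a signature-wrapping attempt that smuggles a second element alongside the signed one fail before any attribute value is read.

```ruby
require 'rexml/document'

NS = { 'samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol', 'saml' => 'urn:oasis:names:tc:SAML:2.0:assertion' }.freeze

# Assumed SP and IdP identifiers for the example.
SETTINGS = { idp_entity_id: 'https://idp.example.com/metadata', sp_entity_id: 'https://sp.example.com/metadata',
             acs_url: 'https://sp.example.com/saml/acs' }.freeze

# Join every Text child so an XML comment cannot truncate a value.
def element_text(el)
  el && el.texts.map(&:value).join
end

# Returns the structural rules the Response violates; an empty list means all passed.
# Assumes the signature was already verified and the Assertion is not encrypted.
def structural_errors(xml, idp_entity_id:, sp_entity_id:, acs_url:)
  doc = REXML::Document.new(xml)
  errors = []
  # Destination is optional, but when present it must be non-blank and equal the ACS URL.
  dest = doc.root.attributes['Destination']
  errors << 'Destination is blank or not the ACS URL' if dest && (dest.strip.empty? || dest != acs_url)
  assertions = REXML::XPath.match(doc, '/samlp:Response/saml:Assertion', NS)
  return errors << "expected exactly one Assertion, found #{assertions.size}" unless assertions.size == 1
  a = assertions.first
  # Issuer is required and must be the IdP EntityID.
  issuer = element_text(REXML::XPath.first(a, 'saml:Issuer', NS))
  errors << 'Issuer missing or not the IdP EntityID' unless issuer == idp_entity_id
  # Conditions and AuthnStatement: required and unique.
  errors << 'Conditions must appear exactly once' unless REXML::XPath.match(a, 'saml:Conditions', NS).size == 1
  errors << 'AuthnStatement must appear exactly once' unless REXML::XPath.match(a, 'saml:AuthnStatement', NS).size == 1
  # NameID must be non-empty; SPNameQualifier, when set, must be our own EntityID.
  name_id = REXML::XPath.first(a, 'saml:Subject/saml:NameID', NS)
  errors << 'NameID is empty' if element_text(name_id).to_s.strip.empty?
  spnq = name_id && name_id.attributes['SPNameQualifier']
  errors << 'SPNameQualifier does not match the SP EntityID' if spnq && spnq != sp_entity_id
  # Recipient on SubjectConfirmationData, when set, must be the ACS URL.
  REXML::XPath.match(a, 'saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData', NS).each do |scd|
    rcpt = scd.attributes['Recipient']
    errors << 'SubjectConfirmation Recipient is not the ACS URL' if rcpt && rcpt != acs_url
  end
  # No two saml:Attribute elements may share a Name, across all AttributeStatements.
  names = REXML::XPath.match(a, 'saml:AttributeStatement/saml:Attribute/@Name', NS).map(&:value)
  dups = names.tally.select { |_, n| n > 1 }.keys
  errors << "duplicate Attribute Name(s): #{dups.join(', ')}" unless dups.empty?
  errors
end

# Constructed responses (unsigned; only the structural checks are exercised here).
GOOD_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" Destination="https://sp.example.com/saml/acs">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Assertion ID="_a1" Version="2.0">
      <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
      <saml:Subject>
        <saml:NameID SPNameQualifier="https://sp.example.com/metadata">alice</saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData Recipient="https://sp.example.com/saml/acs"/></saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Conditions/>
      <saml:AuthnStatement AuthnInstant="2016-10-13T21:32:00Z"/>
      <saml:AttributeStatement>
        <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
        <saml:Attribute Name="role"><saml:AttributeValue>user</saml:AttributeValue></saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>
  </samlp:Response>
XML

BAD_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0" Destination="">
    <saml:Assertion ID="_a2" Version="2.0">
      <saml:Subject>
        <saml:NameID SPNameQualifier="https://evil.example.com/metadata"></saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData Recipient="https://evil.example.com/acs"/></saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Conditions/>
      <saml:Conditions/>
      <saml:AuthnStatement AuthnInstant="2016-10-13T21:32:00Z"/>
      <saml:AttributeStatement>
        <saml:Attribute Name="role"><saml:AttributeValue>user</saml:AttributeValue></saml:Attribute>
        <saml:Attribute Name="role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>
  </samlp:Response>
XML

if __FILE__ == $PROGRAM_NAME
  puts "good: #{structural_errors(GOOD_RESPONSE, **SETTINGS).inspect}"
  puts "bad:  #{structural_errors(BAD_RESPONSE, **SETTINGS).inspect}"
end
```

Run these checks on the same parsed document whose signature was verified, not on a re-parsed copy, or a wrapping payload can still slip between the two parses.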

1.3.1 (July 10, 2016)

  • Fix response_test.rb of gem 1.3.0
  • Add reference to Security Guidelines
  • Update License
  • #334 Keep API backward-compatibility on IdpMetadataParser fingerprint method.

1.3.0 (June 24, 2016)

  • Security fix: add extra validations to prevent XML Signature wrapping attacks, CVE-2016-5697
    (reported by Robert Clancy from swrve.com)
  • Fix XMLSecurity SHA256 and SHA512 URIs
  • #326 Fix Destination validation