Version 0.60-TRIAL
Pre-release
0.60 -- Mon Sep 19 10:53:23 ADT 2022
[ Significant Changes since 0.59 ]
There are multiple potentially BREAKING CHANGES depending on how you
have written your application. Your application may need updates for
this version.
[BREAKING CHANGES]
- Support multiple signing keys in the metadata. This version attempts
to preserve compatibility, but Net::SAML2::IdP->cert($use) now returns
an array of the certificates published for that 'use'. In most
deployments the array will hold a single cert; more than one usually
appears only while an IdP is rolling over its signing key.
- Net::SAML2::Binding::SOAP was improved. The call to
Net::SAML2::Binding::SOAP->handle_request() now returns only the XML,
whereas in the past it returned an array of the certificate's subject and
the XML. This makes it consistent with the Redirect and POST Bindings.
- Net::SAML2::Binding::POST was also improved. Previously the call to
Net::SAML2::Binding::POST->handle_response() returned different kinds of
result depending on whether a cacert was provided. This version always
returns the decoded XML.
- The testapp required only changes related to the call to
Net::SAML2::IdP->cert($use) that now returns an ARRAY.
[Changes of note:]
- Support multiple signing keys in the metadata. This version attempts to
preserve compatibility, but the call to Net::SAML2::IdP->cert($use) now
returns an array of certs for each $use. In most deployments there will
only be one cert in the array.
- Redirects now verify the signature over the raw URI that is passed to
the call. It is assumed that the URI your application hands to Net::SAML2
is exactly what the web server received: the Redirect binding signature
covers the percent-encoded SAMLRequest/SAMLResponse, RelayState and SigAlg
values byte for byte, so any server or proxy that normalizes, decodes or
re-encodes the query string will make a perfectly valid signature fail.
lighttpd in particular normalizes the incoming request URI and will break
Redirects from Microsoft Azure (see lighttpd.conf in xt/testapp for a
working configuration).
- Net::SAML2::Binding::SOAP and Net::SAML2::Binding::POST were improved.
- SAML trust anchors were implemented and verification of the SAML
response was improved. In addition to a cacert, the response can be
validated against anchors given as the signing certificate's subject,
issuer or issuer_hash. Neither cacert nor anchors are required as long
as the signature of the response verifies. Bear in mind what that proves:
a signature check without a cacert or anchor shows only that the message
was signed by the certificate the check was run against, so make sure
that certificate is the IdP's (from its metadata) and not merely one
embedded in the message. A cacert was never required for the Redirect
binding; SOAP is now treated the same way.
[Required Application Updates]
- There were several changes to the test suite that will likely need to be
made in your application as well:
- To support metadata.xml containing multiple KeyDescriptors, the call to
Net::SAML2::IdP->cert($use) now returns an ARRAY. As this is a helper
function meant to let you pass the cert to another Net::SAML2 call, the
change was deemed low risk. Your code may be unaffected.
- The call to Net::SAML2::Binding::SOAP->handle_request() needs to be updated
to reflect that it now returns only the decoded XML, not an array of the
certificate Subject and the XML. Whether changes are required depends on
how your application uses the return value.
- The call to Net::SAML2::Binding::POST->handle_response() used to return
different kinds of result depending on whether a cacert was provided.
This version returns the decoded XML. Previously it returned 1 for
success, or, if a cacert was used, either "(verified)" followed by the
certificate Subject on success or 0 if the certificate verification failed.
- The lighttpd.conf for the testapp did require a change to stop it from
"normalizing" a SAML Logout Redirect. The RFC rules on URI normalization
and the SAML Redirect binding's signature over the raw encoded query
string are at odds here. If you use lighttpd in a SAML application with
Azure as your SAML IdP, see
[lighttpd.conf](https://github.com/perl-net-saml2/perl-Net-SAML2/commit/3855393eb454097e1e326a516a573f37ce3456a3#diff-8fd15aaa870fd2b9cda596bf3bb870ce2723ae412e55f0b653124b45d87e1bea)
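The following is an added example and is not part of Net::SAML2 or of this
release. It illustrates the point made about Redirects under "Changes of
note" and in the lighttpd item above: the Redirect binding signature is
computed over the query string exactly as sent, so a verifier that works
from a normalized or re-serialised copy rejects good messages. HMAC-SHA256
with a shared key is used as a stand-in for the IdP's RSA-SHA256 signature
so that the script runs on the Python standard library alone; the
LogoutRequest XML, the RelayState and the key are constructed for the
example. The encoder also escapes '~' as %7E, which RFC 3986 permits and
some encoders do, to show how a decoding normalizer changes the signed bytes.

```python
"""Redirect-binding signature check over the raw query string.

Added example, not Net::SAML2 code.  The HTTP-Redirect binding signature
covers the percent-encoded bytes of SAMLRequest (or SAMLResponse),
RelayState if present, and SigAlg, in that order, so the verifier must
see the query string exactly as the web server received it.

Assumptions not taken from the page: HMAC-SHA256 with a shared key stands
in for the IdP's RSA-SHA256 signature so that this runs on the standard
library alone; the LogoutRequest and RelayState values are constructed.
"""
import base64
import hashlib
import hmac
import re
import zlib
from typing import Optional
from urllib.parse import parse_qs, quote, unquote, urlencode

SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")


def _raw_params(raw_query: str) -> dict:
    """Split the query string into name -> still-percent-encoded value."""
    return dict(pair.split("=", 1) for pair in raw_query.split("&") if "=" in pair)


def signed_portion(raw_query: str) -> str:
    """The exact string the Redirect-binding signature covers (KeyError if SigAlg is missing)."""
    p = _raw_params(raw_query)
    msg = "SAMLRequest" if "SAMLRequest" in p else "SAMLResponse"
    parts = [f"{msg}={p[msg]}"]
    if "RelayState" in p:
        parts.append(f"RelayState={p['RelayState']}")
    parts.append(f"SigAlg={p['SigAlg']}")
    return "&".join(parts)


def _mac(key: bytes, data: str) -> bytes:
    """Stand-in for RSA-SHA256 over the signed string."""
    return hmac.new(key, data.encode(), hashlib.sha256).digest()


def _pct(s: str) -> str:
    """Sender-side encoding that also escapes '~' (allowed by RFC 3986, done by some encoders)."""
    return quote(s, safe="").replace("~", "%7E")


def sign_redirect_query(key: bytes, xml: bytes, relay_state: Optional[str]) -> str:
    """What a sender puts on the wire: raw DEFLATE, base64, percent-encode, then sign."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)        # -15: raw DEFLATE, no zlib header
    parts = ["SAMLRequest=" + _pct(base64.b64encode(c.compress(xml) + c.flush()).decode())]
    if relay_state is not None:
        parts.append("RelayState=" + _pct(relay_state))
    parts.append("SigAlg=" + _pct(SIG_ALG))
    query = "&".join(parts)
    return query + "&Signature=" + _pct(base64.b64encode(_mac(key, query)).decode())


def verify_redirect(key: bytes, raw_query: str) -> bool:
    """Correct: verify over the raw query string as received."""
    try:
        sig = base64.b64decode(unquote(_raw_params(raw_query)["Signature"]))
        return hmac.compare_digest(_mac(key, signed_portion(raw_query)), sig)
    except (KeyError, ValueError):
        return False


def verify_rebuilt(key: bytes, raw_query: str) -> bool:
    """Wrong: decode the parameters, re-serialise them, verify over that.

    urlencode() leaves '~' bare and writes a space as '+', whereas the sender
    used %7E and %20, so the bytes differ whenever RelayState contains such
    characters.  It passes for many inputs, which is why the bug survives testing.
    """
    try:
        decoded = {k: v[0] for k, v in parse_qs(raw_query, keep_blank_values=True).items()}
        sig = base64.b64decode(decoded.pop("Signature"))
        order = [k for k in ("SAMLRequest", "SAMLResponse", "RelayState", "SigAlg") if k in decoded]
        return hmac.compare_digest(_mac(key, urlencode([(k, decoded[k]) for k in order])), sig)
    except (KeyError, ValueError):
        return False


def normalize_like_proxy(raw_query: str) -> str:
    """RFC 3986 s6.2.2 normalisation a web server or proxy may apply: uppercase the
    hex digits of escapes and decode escapes of unreserved characters.  Legal by
    RFC 3986, fatal to a signature computed over the original bytes."""
    def fix(m):
        ch = chr(int(m.group(1), 16))
        return ch if ch in UNRESERVED else "%" + m.group(1).upper()
    return re.sub(r"%([0-9A-Fa-f]{2})", fix, raw_query)


def demo() -> dict:
    """Constructed LogoutRequest; the RelayState contains '~' and a space on purpose."""
    key = b"stand-in for the IdP signing key"
    xml = (b'<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           b'ID="_c0ffee" Version="2.0" IssueInstant="2022-09-19T13:53:23Z"/>')
    raw = sign_redirect_query(key, xml, "https://sp.example.org/~app/return 1")
    return {
        "raw": verify_redirect(key, raw),                               # True
        "normalized": verify_redirect(key, normalize_like_proxy(raw)),  # False
        "rebuilt": verify_rebuilt(key, raw),                            # False
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the raw query verifying while both the normalized copy and
the parse-then-re-serialise copy fail. The same request without a RelayState
passes all three checks, which is exactly why this class of bug tends to
survive testing until a particular IdP or RelayState value hits it. The 0.60
change (commit f43727d, "Verify the SAMLResponse based on the raw query
string") corresponds to the first of the three: hand the query string to
Net::SAML2 exactly as the web server received it, and configure the web
server so that it does not rewrite it first.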
[Possible Impacts]
- It is worth noting that the testapp (that implements a rudimentary Service
Provider) included in the git repo did not require any changes to the
application for this version.
- While my setup tests against multiple IdPs, I do not have a working SOAP
IdP at present.
[ Full Change Log ]
- e95e7c2 Fix bug where two keys with different usage fails
- 33092f1 Add isDefault when isDefault is missing in assertion_consumer_service
- 66a4146 Bump version to .60
- 812ea36 0.59 updates
- f589dd0 v0.59
- c1b25f9 Sync changes with the wiki page and clean up indents
- 2c432f2 Remove unnecessary parameters
- 3855393 Allow URIs that do not include scheme and host in redirect
- e1774b6 Update docs for Net::SAML2::Protocol::LogoutRequest
- fdcfbeb Fix docs for Net::SAML2::Binding::Redirect
- 8d24c89 Update docs for Net::SAML2::Protocol::ArtifactResolve
- 27f6508 Update docs for Net::SAML::SP
- 4a89679 Fix docs for Net::SAML2::Binding::SOAP
- f43727d Verify the SAMLResponse based on the raw query string
- 50f5c8a Fixes #12 - multiple signing keys in metadata
- 4902c89 Make SAML trust anchors work on verification of the SAML request
- af68b68 SOAP binding does not require a cacert anymore
- 1854e35 Implement verify_xml() call which only verifies the XML
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
Net::SAML2
Release 0.60
Change Log
- 85e2c1d Update Changes for 0.60
- f29670e Merge pull request #117 from waterkip/GH-116-signing_and_encryption_key
- e95e7c2 Fix bug where two keys with different usage fails
- c57b2b3 Merge pull request #118 from waterkip/GH-isdefault-default
- 33092f1 Add isDefault when isDefault is missing in assertion_consumer_service
- 66a4146 Bump version to .60
- 0c57f7f Merge pull request #113 from timlegge/release_0.59
- 812ea36 0.59 updates
- f589dd0 v0.59
- e8fb008 Merge pull request #112 from timlegge/master
- c1b25f9 Sync changes with the wiki page and clean up indents
- 764eb88 Merge pull request #111 from timlegge/master
- 2c432f2 Remove unnecessary parameters
- 1fc2b5f Merge pull request #110 from timlegge/master
- 3855393 Allow URIs that do not include scheme and host in redirect
- 5185a1a Merge pull request #85 from waterkip/GH-redirect-verify_fixes
- 6f2f3d1 Merge pull request #106 from waterkip/GH-docs-for_release
- e1774b6 Update docs for Net::SAML2::Protocol::LogoutRequest
- fdcfbeb Fix docs for Net::SAML2::Binding::Redirect
- 8d24c89 Update docs for Net::SAML2::Protocol::ArtifactResolve
- 27f6508 Update docs for Net::SAML::SP
- 4a89679 Fix docs for Net::SAML2::Binding::SOAP
- 9226e04 Merge pull request #84 from waterkip/GH-verify-xml-and_trust_anchors
- f43727d Verify the SAMLResponse based on the raw query string
- 5fd7f45 Merge pull request #17 from timlegge/issue12-multiple-keys
- 50f5c8a Fixes #12 - multiple signing keys in metadata
- 4902c89 Make SAML trust anchors work on verification of the SAML request
- af68b68 SOAP binding does not require a cacert anymore
- 1854e35 Implement verify_xml() call which only verifies the XML
- 519b3ac Merge pull request #102 from waterkip/changes-59
SHA256 hash of CPAN release
8b43c7c495b4ca568f5b7dc6b1564d001f2f750db50ce35734e226f813d7c61a *Net-SAML2-0.60-TRIAL.tar.gz
-----BEGIN PGP SIGNATURE-----
=sc1S
-----END PGP SIGNATURE-----