The following main fixes were introduced:
- Usage of simple DSI keys in SAML messages is implemented for encryption.
- Allow a SAML response for failed authentication with or without a SAML assertion, based on the request's application identifier.
- Correction of wrong character encoding in metadata.
- Support of Sub-CA for Metadata Signer to allow eIDAS Service to validate metadata.
- Dependencies were refactored.
- Security fix: processing of the AuthnRequest no longer allows manipulation of the Issuer element.
The release was successfully tested and works with Middleware versions 1.04 and 1.06.
- Change in Gender allowed values: allow "Not Specified" temporarily
- Add protocol versioning elements to metadata
- Support of Sub-CA for Metadata Signer
- Implement usage of simple DSI keys in SAML messages
- Use of SingleSignOnService instead of hardcoded URLs
- Build separation between Demo and Node modules
- Update copyright headers and remove authorship
- There are now two deployment approaches: Standard (independent Specific and Generic applications) and Monolithic (single WAR file).
- Architecture improvements are introduced to enable seamless upgrades of the eIDAS-Node in the future. MS Specific module has been split into Specific Proxy Service module and Specific Connector module.
- Simple Protocol has been defined between the demo Service Provider 2.0 tools and the Specific Connector, and between the Specific Proxy Service and the demo Identity Provider 2.0 tools.
- OpenSAML has been upgraded to version 3.0 in the eIDAS-Node core part.
- A new look and feel.
- EID-667 - Improved the logging trail to address gaps with respect to message id and node id for entities with which the eIDAS-Node interacts, e.g., SP and IdP.
- EID-652 - Problem in validation of entityID of SP
- EID-658 - Interference with audit trail
- EID-671 - Exposure to host header poisoning
- Upgraded the dependencies listed below to avoid the vulnerabilities (CVEs) corresponding to their previous versions:
- Spring Framework to v4.3.18 from v4.1.0.
- Xerces to v2.12 from v2.11.
- JQuery to v3.3.1 from v1.11.3
- This release has been successfully tested for interoperability with the previous eIDAS-Node releases 2.2 and 1.4.3.
- This release was successfully tested and works with Middleware versions 1.0.6 and 1.0.7.
- EID-617 - Error responses contain assertions with a false identity
- EID-630 - Missing Assertion in failed authentication response should be OK
- EID-643 - Wrong character encoding in ConnectorMetadata
- Removal of vulnerability EID-631: Issuer URL in SAML AuthnRequest can be manipulated
- German MW integration: Correction of the exception when parsing German metadata;
- Addition of the protocol versioning elements to metadata;
- Correction of Junit test for which metadata were expired;
- Correction of Gender allowed values: temporary addition of "Not Specified" to the Gender value validation;
- Support for the WebLogic 12.2 family;
- Propagation of SPType to Proxy Service/IdP;
- Correction to LegalPerson data set attributes;
- Limiting the size of IdP supplied attribute values;
- Improvements and fixes for several bugs; and
- Documentation enhancements and improvements
- Better alignment with the requirements coming from the eIDAS technical specifications (e.g. support for the natural and legal person MDS representations, removal of the validation of the OneTimeUse and SubjectLocality attributes, etc.)
- Externalisation of configuration files for the eIDAS-Node, demo SP and demo IdP
- definition of an abstraction and clear conformity of light Request/Response (in the module EIDAS-Light-Commons). These light objects (SAML agnostic) are designed to be used in the eIDAS-Node (SP to Connector) and also in the country specific modules (Proxy Service to IdP);
- definition of an abstraction and clear conformity for the country specific modules (in the module EIDAS-SpecificCommunicationDefinition). With this abstraction the dependency on the SAML Engine is no longer needed in the country specific modules;
- improvements to the SAML Engine for complete independence, so that it can be configured separately from the eIDAS-Node (metadata configuration, white list of signature and encryption algorithms);
- definition of an attribute registry used by the SAML Engine to provide a clear definition and conformity of the supported attributes (configuration based) and to enforce validation;
- full coverage of the transliteration at the attribute and attribute registry level;
- hardening to ensure immutability where necessary on the classes used in the SAML Engine (builder pattern)
- Improved modularity
- Code refactoring
- New look & feel
- Support for the eIDAS message format and extension of eIDAS metadata (eIDAS Technical Specifications)
- Security improvements
- Extension of the sample applications (Service provider, Identity provider and Attribute provider) to provide a sample of use of the EIDAS Regulation features
- Additional feature selector enforcing eIDAS Regulation compliance