*********************************************** CEF eIDAS-Node Release Version 2.2 *********************************************** • Product name: CEF eIDAS-Node • Purpose: Sample Implementation of eIDAS-Node based on eIDAS Technical Specifications: v1.1 • Produced by: CEF eID • Support Contact: CEF-EID-SUPPORT@ec.europa.eu • URL: https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/eIDAS-Node+-+All+releases • License: EUPL v1.2 https://joinup.ec.europa.eu/sites/default/files/custom-page/attachment/eupl_v1.2_en.pdf • Release date: 19th September 2018 *********************************************** ** Documentation ** + CEF eID technical documentation pertaining to this release can be found on: ++ CEF Digital Home > eID > All eID services > eIDAS Node integration package > View latest version. ** Distribution ** + EIDAS-2.2.0.zip : Distribution version 2.2.0 of the sample eIDAS-Node ++ EIDAS-Sources-2.2.0.zip : Source files (Maven project) of the sample eIDAS-Node including an example of implementation of a Specific Proxy Service module, Specific Connector module , a SP (Service Provider) and IdP (Identity Provider). ++ EIDAS-Binaries-Glassfish-2.2.0.zip : Deployable war files of a preconfigured eIDAS-Node for a Glassfish server (including SpecificConnector.war, SpecificProxyService.war,IdP.war, EidasNode.war, SP.war) ++ EIDAS-Binaries-Jboss-2.2.0.zip: Deployable war files of a preconfigured eIDAS-Node for a wildfly server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war) ++ EIDAS-Binaries-Tomcat-2.2.0.zip: Deployable war files of a preconfigured eIDAS-Node for a Tomcat server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war) ++ EIDAS-Binaries-Was-2.2.0.zip : Deployable war files of a preconfigured eIDAS-Node for a WebSphere server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war) ++ EIDAS-Binaries-Wls-2.2.0.zip : Deployable war files of a preconfigured eIDAS-Node for a WebLogic server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war) **This release contains the following improvements: (Please note that EIDINT-XXXX references are for internal use only) ** This release contains the following changes to eIDAS-Node + Implement Allow SAML Response without assertion (EID-617, EID-630, EDINT-2489) + Implement usage of simple DSI keys in SAML messages : ENCRYPTION (EID-570, EIDINT-2219) + Remove maven profile: tomcat, webpshere, jBoss7 profile for wildfly (EIDINT-2436 EIDINT-638, EIDINT-2396) + Use of libraries: remove dependencies xml-apis-1.4.01.jar, xercesImpl-2.11.0.jar (EIDINT-1092, EIDINT-2246) + Use of libraries: Move dependencies serializer-2.7.2.jar xalan-2.7.2.jar from application server level to war (EIDINT-1092) + Cleanup of dependencies in EidasNode (EIDINT-638) + Remove org.owasp.esapi dependency in EidasNode (EIDINT-2437) **This release contains the following bug fixes: + Correct of Published extra certificate outside trustchain in metadata can validate metadata(EIDINT-2247) + Correct of Wrong character encoding in Metadata (EID-643, EIDINT-2474) + Consolidate eIDAS cipher suites white list for TLS (EIDINT-2002, EIDINT-2274, EIDINT-2470, EIDINT-2374) + Metadata issuer whitelist URL is case insensitive, should be sensitive (EIDINT-2475) + Support of Sub-CA for Metadata Signer (EID-606 EIDINT-2385) + Current address: inconsistency with the specifications (EIDINT-2210) + Correct of SpecificCommunicationApplicationContextProviderTest (Some unit tests did not reset it) (EIDINT-2234). + Correct of SpecificCommunicationApplicationContextProvider is not thread safe (EIDINT-2235) + Correct of ApplicationContextProvider implementations should be improved (EIDINT-2257) + Websphere accepts urls only with trailing slash (EIDINT-2101) + Replace jasper-el with the newer library tomcat-jasper-el (EIDINT-2456) **This release contains the following security fixes: + Processing authnrequest allows for manipulation of issuer element (EID-631, EIDINT-2236) + Analyse and Correct penetration test findings : ++ Incorrect use of methods (EIDINT-2244) ++ Cross-Site-Scripting (EIDINT-2410) ++ Use of deprecated hash cryptographic (EIDINT-2242) ++ Lack of validation on error logs (EIDINT-2243) ++ Library analysis (EIDINT-2238) ++ File handling is not done correctly (EIDINT-2245) ++ xercesImpl dependency is vulnerable : has been Removed of the project (EIDINT-2246) ** This release contains the following Changes to Demo Tools + Status code in simple protocol missing support for urn:oasis:names:tc:SAML:2.0:status:Requester (EIDINT-2491,EIDINT-2492) ** This release has been tested with the German Middelware version 1.0.4 and 1.0.6. ** Known Limitations The up to date list can be found at https://ec.europa.eu/cefdigital/wiki/x/SqMSB ** Known Vulnerabilities Latest vulnerability notifications are found at https://ec.europa.eu/cefdigital/wiki/x/CwB2Ag ** The eIDAS default supported Cipher suites for Java7 and Java8 https://ec.europa.eu/cefdigital/wiki/x/6MXuAw ####### IMPORTANT NOTICE ################################################################################################################################################################################# The eIDAS-Node logs may contain person identification data. Hence, these logs should be handled and protected appropriately, following the European privacy regulations [Dir95/46/EC] and [Reg2016/679]. [Reg2016/679] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. [Dir95/46/EC] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. ######################################################################################################################################################################################################### ####################### previous releases ####################### CEF eID eIDAS-Node Build 2.1.0 Content This release is based on version 1.1 of the eIDAS Technical Specifications. This release includes stability improvements.. ** Documentation ** + CEF eID technical documentation pertaining to this release can be found on: ++ CEF Digital Home > eID > All eID services > eIDAS Node integration package > View latest version. ** Distribution ** + EIDAS-2.1.0.zip : Distribution version 2.1.0 of the sample eIDAS-Node ++ EIDAS-Sources-2.1.0.zip : Source files (Maven project) of the sample eIDAS-Node including an example of implementation of a Specific Proxy Service module, Specific Connector module , a SP (Service Provider) and IdP (Identity Provider). ++ EIDAS-Binaries-Glassfish-2.1.0.zip : Deployable war files of a preconfigured eIDAS-Node for a Glassfish server (including SpecificConnector.war, SpecificProxyService.war,IdP.war, EidasNode.war, SP.war) ++ EIDAS-Binaries-Jboss-2.1.0.zip: Deployable war files of a preconfigured eIDAS-Node for a JBoss server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war) ++ EIDAS-Binaries-Tomcat-2.1.0.zip: Deployable war files of a preconfigured eIDAS-Node for a Tomcat server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war) ++ EIDAS-Binaries-Was-2.1.0.zip : Deployable war files of a preconfigured eIDAS-Node for a WebSphere server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war) ++ EIDAS-Binaries-Wls-2.1.0.zip : Deployable war files of a preconfigured eIDAS-Node for a WebLogic server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war) **This release contains the following improvements: (Please note that EIDINT-XXXX references are for internal use only) ** This release contains the following changes to eIDAS-Node + Change in Gender allowed values : Allow temporarily "Not Specified" (EIDINT-2215) + Add protocol versioning elements to metadata (EDINT-2201) + Support of Sub-CA for Metadata Signer (EIDINT-2191,EIDINT-1378) + Implement usage of simple DSI keys in SAML messages (EIDINT-1860) + Use of SingleSignOnService instead of hardcoded URLs (EIDINT-2145) + Build separation between Demo and Node modules (EIDINT-2085) + Update copyright headers and remove authorship (EIDINT-669) **This release contains the following bug fixes: + Correct of unit tests, Metadata were expired (EIDINT-2183) + Correct applicationContext with default values (EIDINT-2149) + Update cipher suite from configuration whitelist (EIDINT-2189) + Remove xsi:type from LOA's metadata's attribute value (EIDINT-2037) + eIDAS flow with JavaScript off (EIDINT-1993) + Correct reference key name related to TLS cipher suites (EIDINT-2373) + Change the order of validation when processing the SP request (EIDINT-2127) + Replaced the error message "user refused consent at response phase" with "Citizen consent not given." (EIDINT-1872) + Replaced the error message "user refused consent at request phase" with "Consent not given for a mandatory attribute." (EIDINT-1873) + Throw SAML_ENGINE_NO_METADATA instead of SPROVIDER_SELECTOR_INVALID_SAML when metadata can not be read. (EIDINT-2063) + Clean up labels in redirecting jsp pages (EIDINT-1993). **This release contains the following security fixes: + Correction of possible arbitrary data injection in audit trail log (EIDINT-1352) ** Changes to Demo Tools + Correct of Null or absent RelayState is handled incorrectly (EIDINT-2207) ** Known Limitations The up to date list can be found at https://ec.europa.eu/cefdigital/wiki/x/QZfuAw ** Known Vulnerabilities Latest vulnerability notifications are found at https://ec.europa.eu/cefdigital/wiki/x/CwB2Ag CEF eID eIDAS-Node Build 2.0.0 Content This release is based on version 1.1 of the eIDAS Technical Specifications. This release includes major improvements in the architecture by mainly decoupling the Specific modules from the core of the eIDAS-Node. ** Documentation ** + CEF eID technical documentation pertaining to this release can be found on: ++ CEF Digital Home > eID > All eID services > eIDAS Node integration package > View latest version. ** Distribution ** + EIDAS-2.0.0.zip : Distribution version 2.0.0 of the sample eIDAS-Node ++ EIDAS-Sources-2.0.0.zip : Source files (Maven project) of the sample eIDAS-Node including an example of implementation of a Specific Proxy Service module, Specific Connector module , a SP (Service Provider) and IdP (Identity Provider). ++ EIDAS-Binaries-Glassfish-2.0.0.zip : Deployable war files of a preconfigured eIDAS-Node for a Glassfish server (including SpecificConnector.war, SpecificProxyService.war,IdP.war, EidasNode.war, SP.war) ++ EIDAS-Binaries-Jboss-2.0.0.zip: Deployable war files of a preconfigured eIDAS-Node for a JBoss server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war) ++ EIDAS-Binaries-Tomcat-2.0.0.zip: Deployable war files of a preconfigured eIDAS-Node for a Tomcat server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war) ++ EIDAS-Binaries-Was-2.0.0.zip : Deployable war files of a preconfigured eIDAS-Node for a WebSphere server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war) ++ EIDAS-Binaries-Wls-2.0.0.zip : Deployable war files of a preconfigured eIDAS-Node for a WebLogic server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war) **This release contains the following improvements: (Please note that EIDINT-XXXX references are for internal use only) + Add support of application server GlassFish Open Source Edition 5.0 (full profile), Glassfish 3 is deprecated. + Add support of application server WildFly with version 11. + Add support of application server Tomcat 8.5. + Add support of application server WebSphere Application Server Liberty Core 9. + Analyse and validate the OWASP dependency check report on EidasNode (EIDINT-1595) ** This release contains the following changes to eIDAS-Node + Migration from OpenSAML 2.6.5 to OpenSAML 3.0 (EIDINT-1531, EIDINT-1545, EIDINT-1996) + New look and feel (EIDINT-1961, EIDINT-1999 ) + Upgrade eIDAS-Node to servlet 3.0 (EIDINT-1634) + Relocate Metadata infrastructure to a new module (EIDINT-1635). + Definition and implementation of the data communication between Specific [Connector|Proxy-Service] and eIDAS-Node (EIDINT-1663, EIDINT-1943) + Improvements to Light Objects interface regarding Subject and RelayState (EIDINT-1777) . + Change the build process to produce wars or jar from Specific Connector and Specific Proxy-Service (EIDINT-1661) + Citizen consent logic moved to Specific Proxy-Service module (EIDINT-1648) + Change properties for enabling display of attributes/values in consent pages. (EIDINT-1848) + Improvements to Light Objects interface regarding Subject and RelayState (EIDINT-1777) . + Updater component activated by Maven profile (EIDINT-1886) ** Changes to Demo Tools + New Service Provider 2.0 Demo Tools communicating using a simple protocol. (EIDINT-1650, EIDINT-1781) + New Identity Provider 2.0 Demo Tools communicating using a simple protocol. (EIDINT-2049, EIDINT-1779, EIDINT-1651, EIDINT-1686, EIDINT-1689, EIDINT-1675) + Removal of Relay State from the Service Provider 2.0 (EIDINT-1785) + Upgrade struts library in Demo Tools (EIDINT-1863) + New Look and feel (EIDINT-1961, EIDINT-1999 ) + Definition of the Simple Protocol between the SP 2.0 and the Specific Connector and between the Specific Proxy Service and the Identity Provider 2.0 . (EIDINT-1704 , EIDINT-1696 , EIDINT-1700) + Split Specific Module (EIDAS-Specific) to Specific Proxy Service module (EIDAS-SpecificProxyService) and Specific Connector module (EIDAS-SpecificConnector) (EIDINT-1820, EIDINT-1652 ,EIDINT-1778,EIDINT-1628, EIDINT-1658, EIDINT-1657,EIDINT-1654 , EIDINT-1655, EIDINT-2005 ) + Change simple protocol's LOA possible values to distinguish further from eIDAS LOA (EIDINT-1846) **This release contains the following bug fixes: + Correct German integration : Exception when parsing German metadata (EIDINT-2030) + Correct support of ciphersuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(EIDINT-2080) + Correction of LegalPersonAddress and VATRegistrationNumber attributes (EIDINT-1583) + Correction of NameIDFormat changed to optional (EIDINT-1706) + Add "AddressID" property to PostalAddress (EIDINT-1664) ** Known Limitations (Note: The up to date list can be found at https://ec.europa.eu/cefdigital/wiki/x/SzuHAw) + Node checks metadata signature explicitly, rather than against a trust chain (EID-82) + SAML HTTP Redirect Binding not implemented correctly (EID-575) + Key representation as ds:KeyValue/RSAKeyValue in ds:KeyInfo not supported in eIDAS Response (EID-570) + Metadata Aggregator Format (ser:MetadataServiceList) not supported (EID-598) + Key rollover not supported (EID-581) + Key agreement method not supported for encryption of session keys (EID-594) + eIDAS Connector and ProxyService should be separate components (EID-599) + Using Gender attribute with 3rd value fails to work (EID-582) eIDAS-Node Build 1.4.0 Content This release is based on version 1.1 of the eIDAS Technical Specifications. This release includes stability improvements. ** Documentation ** CEF eID technical documentation pertaining to this release can be found on: CEF Digital Home > eID > All eID services > eIDAS Node integration package > View latest version. + EIDAS-1.4.0.zip : Distribution version 1.4.0 of the sample eIDAS-Node ++ EIDAS-Sources-1.4.0.zip : Source files (Maven project) of the sample eIDAS-Node including an example of implementation of a SP (Service Provider) and IdP (Identity Provider). ++ EIDAS-Binaries-Glassfish-1.4.0.zip : Deployable war files of a preconfigured eIDAS-Node for a Glassfish server (including IdP.war, EidasNode.war, SP.war) ++ EIDAS-Binaries-Jboss-1.4.0.zip: Deployable war files of a preconfigured eIDAS-Node for a JBoss server (including IdP.war, EidasNode.war, SP.war) ++ EIDAS-Binaries-Tomcat-1.4.0.zip: Deployable war files of a preconfigured eIDAS-Node for a Tomcat server (including IdP.war, EidasNode.war, SP.war) ++ EIDAS-Binaries-Was-1.4.0.zip : Deployable war files of a preconfigured eIDAS-Node for a WebSphere server (including IdP.war, EidasNode.war, SP.war) ++ EIDAS-Binaries-Wls-1.4.0.zip : Deployable war files of a preconfigured eIDAS-Node for a WebLogic server (including IdP.war, EidasNode.war, SP.war) **This release contains the following improvements: (Please note that EIDINT-XXXX references are for internal use only) + Improvements in documentation. + Analyse and validate the OWASP dependency check report (EIDINT-1665) + Default JBoss server is now 7.1.1, JBoss 6 is deprecated (EIDINT-1626) + Metadata file loader improvements: Load files only with 'xml' extension and if one loaded file contains an error, the others still need to be loaded /checked (EIDINT-1619) + Display the ID of metadata failed on signature check (EDINT-1566) + Protocol Engine - use ProtocolEngine clock (EIDINT-1611) + Make Metadatautil extendable by MS implementers (EDINT-1609) + Remove unnecessary code and properties related to old AT and DE plugins (EIDINT-1608) + Add support of server WebLogic 12.2.1.2.0 , WebLogic 10 is now deprecated (EIDINT-1597, EIDINT-1598) + SPType is added AuthnRequest to IdP (EIDINT-1251) + Re-enforce and validate that Code possibly is not vulnerable to XXE (EIDINT-1248) + Removal of PersonalAttributeList( (EDINT-888) + Denial of service: size limit of IDP returned attributes (EIDINT-701) **This release contains the following bug fixes: + Correct support of signing algorithm "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1" for JBOSS 7 (EIDINT-1718) + Correct inconsistencies in the default configuration directory EIDAS-Config (EIDINT-1717) + Correct missing "AddressID" property to PostalAddress(EIDINT-1664) + Thread safety bug in document builder pool (EIDAS-1606) + Correct Wrong paths to encryptionConf.xml and backslashes in config files ( EIDINT-1582; EDINT-1489) + Correction of LegalPersonAddress and VATRegistrationNumber attributes (EIDINT-1500) ####################### previous releases ####################### eIDAS-Node Build 1.3.1 Content This intermediary release is based on version 1.1 of the eIDAS technical specifications. This intermediary release includes stability improvements. **This intermediary release contains the artifacts : + Document : eIDAS-Node Installation, Configuration and Integration Manual v1.3.0.pdf + Document : eIDAS-Node Error Codes v1.0 + EIDAS-1.3.1.zip : Distribution version 1.3.1 of the sample eIDAS-Node ++ EIDAS-Sources-1.3.1.zip : Source files (Maven project) of the sample eIDAS-Node including an example of implementation of a SP (Service Provider) and IdP (Identity Provider). ++ EIDAS-Binaries-Glassfish-1.3.1.zip : Deployable war files of a preconfigured eIDAS-Node for a Glassfish server (including IdP.war, EidasNode.war, SP.war) ++ EIDAS-Binaries-Jboss-1.3.1.zip: Deployable war files of a preconfigured eIDAS-Node for a JBoss server (including IdP.war, EidasNode.war, SP.war) ++ EIDAS-Binaries-Tomcat-1.3.1.zip: Deployable war files of a preconfigured eIDAS-Node for a Tomcat server (including IdP.war, EidasNode.war, SP.war) ++ EIDAS-Binaries-Was-1.3.1.zip : Deployable war files of a preconfigured eIDAS-Node for a WebSphere server (including IdP.war, EidasNode.war, SP.war) ++ EIDAS-Binaries-Wls-1.3.1.zip : Deployable war files of a preconfigured eIDAS-Node for a WebLogic server (including IdP.war, EidasNode.war, SP.war) **This intermediary release contains the following bug fixes: + Correction of 'Remove validation on optionality of sector specific attributes' (EIDINT-1532) eIDAS-Node Build 1.3.0 Content This release is based on version 1.1 of the eIDAS technical specifications. This release includes stability improvements. **This release contains the artifacts : + Document : eIDAS-Node Installation, Configuration and Integration Manual v1.3.0.pdf + Document : eIDAS-Node Error Codes v1.0 + EIDAS-1.3.0.zip : Distribution version 1.3.0 of the sample eIDAS-Node ++ EIDAS-Sources-1.3.0.zip : Source files (Maven project) of the sample eIDAS-Node including an example of implementation of a SP (Service Provider) and IdP (Identity Provider). ++ EIDAS-Binaries-Glassfish-1.3.0.zip : Deployable war files of a preconfigured eIDAS-Node for a Glassfish server (including IdP.war, EidasNode.war, SP.war) ++ EIDAS-Binaries-Jboss-1.3.0.zip: Deployable war files of a preconfigured eIDAS-Node for a JBoss server (including IdP.war, EidasNode.war, SP.war) ++ EIDAS-Binaries-Tomcat-1.3.0.zip: Deployable war files of a preconfigured eIDAS-Node for a Tomcat server (including IdP.war, EidasNode.war, SP.war) ++ EIDAS-Binaries-Was-1.3.0.zip : Deployable war files of a preconfigured eIDAS-Node for a WebSphere server (including IdP.war, EidasNode.war, SP.war) ++ EIDAS-Binaries-Wls-1.3.0.zip : Deployable war files of a preconfigured eIDAS-Node for a WebLogic server (including IdP.war, EidasNode.war, SP.war) **This release contains the following improvements: + Improvement by adding Natural and the Legal person MDS representation (EIDINT-1221) + Improvement in configuration of the eIDAS-Node by externalising configuration files (EIDINT-926) + Improvement in configuration of the DEMO SP by externalising configuration files (EIDINT-1310) + Improvement in configuration of the DEMO IDP by externalising configuration files (EIDINT-1310) + Improvement in SP result page by propagation of the relay state from Connector to SP (EIDINT-648) + Improvement in security by running and analysing a dependency checker. **This release contains the following bug fixes: + Correction of Handshake failure invalid session while retrieving metadata (EIDINT-1312) + Correction of Double validation on time skew (EIDINT-693) + Correction of Hazelcast in eIDAS components: stop "phoning home" (EIDINT-1245) + Correction of The specific logger used in eIDAS-Node (EIDINT-1331) + Correction of Proxy should validate the SAML request regarding optional attributes (EIDINT-1241) + Correction of support of SHA256-rsa-MGF1 signing algorithm (EIDINT-1276) + Correction of is optional, no longer checked, no longer sent in responses by default (can be configured) (EIDINT-1240) + Correction of Security issue- Infinite redirect loop by accessing JSP pages at IdP (EIDINT-1174) + Correction of Publication of all supported attributes ( eIDAS Attributes, Specific Business attributes, Representatives attributes)(EIDINT-1174) + Correction of Sptype is no longer transmitted to the Proxy Service (EIDINT-1311) + Correction of METADATA OrganizationName missing (EIDINT-668) + Correction of METADATA should contain FriendlyName and NameFormat in the Attribute tag (EIDINT-633) + Correction of Consumer skewtime (EIDINT-1430) + Correction of Wrong value for OpType field (EIDINT-1356) + Correction of AssertionUtil - make generateAuthStatement method public (EIDINT-1484) + Correction of Upgrade struts library in demo tools (EIDINT-1480) + Correction of Very weak authorisation mechanism for accessing the updater service (EIDINT-1249) eIDAS-Node Build 1.2 Content This release is based on version 1.0 of the eIDAS technical specifications. This release includes stability improvements. **This release contains the following improvements: + Improvements in security - Penetration tested; + Improvement in code quality: - Corrections based on code quality analysis. + Improvements in build process: - Reorganising Maven POM in a standardised way; + Improvements in eIDAS-Node configuration: - Make eIDAS software compliant with eIDAS specification regarding TLS version by introducing new configuration property tls.enabled.protocols; - Add configuration properties service.askconsent.all.attributes, service.askconsent.attribute.names.only to manage the business attribute/Value in the consent page. + Improvements in metadata: - Metadata was double-signed. Both the Entity descriptor as well as the role descriptor were signed. Only the root element is now signed. + Improvements in Specific module configuration: - Merge of the two files specific.properties and eidas_Specific.xml into eidas_Specific.xml; - Rename SAML Engine configuration files, XXX_Specific.xml is renamed to XXX_Specific-IdP.xml, XXX_SP-Connector.xml is renamed to XXX_SP-Specific.xml. + Improvements in sample SP configuration: - Add configuration properties (sp.metadata.validatesignature, sp.metadata.trusteddescriptors) to manage the validation of the metadata signature. + Improvements in sample IDP configuration: - Add configuration properties (idp.metadata.validatesignature, idp.metadata.trusteddescriptors) to manage the validation of the metadata signature. + Improved utilisation of Hazelcast: - Now only one Hazelcast instance is used by default, but it can be reconfigured to have multiple instances in application context. + **This release contains the following bugs fixed: + Correction of the white list for encryption algorithm was not working properly when configured differently than the standard ()Eidas-Specific to IDP) (internal ref EIDINT-1177) + Correction of error in SP during validation of AudienceRestriction element of the SAML response ( internal ref : EIDINT-1160) + Correction when using a CA having a certificate with special characters, it failed to load the certificate for signing and encrypting (internal ref EIDINT-1146) + Correction of the eIDAS node rejects personIdentifier attributes containing the hyphen character (internal ref EIDINT-1120) + Correction of too many sessions still active (internal ref EIDINT-1113) + Correction of signature of static metadata was not validated ( internal ref : EIDINT-1094) + Correction of Proxy service did not complain when minimum data set was not correctly set (internal ref : EIDINT-1058) + Correction of data digest method is sha1, should be SHA 256 in metadata(internal ref : EIDINT-969) + Correction of Cleanup eIDASSession from the code and replace the logic when needed (internal ref : EIDINT-1051) + Correction of failed encryption doesn't throw exceptions ( internal EIDINT-1049) + Correction of Incorrect issuer URL (ConnectorMetadata instead of ConnectorResponderMetadata) in Connector response to SP (internal ref EIDINT-1048) + Correction of Loss of RelayState parameter in the workflow (internal ref EIDINT-1046) + Correction of transliteration by removing validation from NODE enabling any transliterated value(internal ref EIDINT-1041) + Correction of no more usable production mode setting parameter by remove it (internal ref EIDINT-980,EIDINT-970,EIDINT-949) + Correction of NodeMetadataFetcher, getFromCache returned null (internal ref EIDINT-971) + Correction of WebSphere Default Url for /SP (SP/populateindexpage) was not recognised (internal ref EIDINT-964) + Correction of infinite redirect loop by accessing JSP pages (internal ref EIDINT-948) + Correction of PersonalAttrList by replacing it by Immutable Attr and delete session in specific (EIDINT-945) + Correction of Broken UTF-8 (internal ref EIDINT-923) + Correction of off encoding by adding the CharacterEncodingFilter in web.xml (otherwise the default charset is ISO-8859-1 for HTTP). + Correction of Proxy service validation binding : exception (internal ref EIDINT-860) + Correction of the Validation of the SPType, The validation is now in the Specific part of the connector (internal ref EIDINT-845) + Correction of the audit files location by using java system property "LOG_HOME" (internal ref EIDINT-672) + Correction of Allowing SHA256-rsa-MGF1 as signing algorithm (internal ref EDINT-1276) + Correction of Adding OrganizationName in metadata (internal ref EDINT-1269) + Correction of Removing ID in IDPSSODescriptor as well as SPSSPDescriptor in the metadata (internal ref EIDINT-1268) + Correction of Wrong type of extension : SAML Protocol XML Schema is changed xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" (internal ref EIDINT-1267) + Correction of HTTPMetadataProvider was not released (internal refEIDINT-1256) + Correction of is changed to optional (internal ref EIDINT-1242) + Correction of is changed to optional (internal refEIDINT-1259) eIDAS-Node Build 1.1 Content This eIDAS release includes architectural and stability improvements. Please be aware that the related documentation covering this release is not yet available but will be updated in the coming weeks. This release contains the following improvements: - definition of an abstraction and clear conformity of light Request/Response (in the module EIDAS-Light-Commons). These light objects (SAML agnostic) are designed to be used in the eIDAS-Node (SP to Connector) and also in the country specific modules (Proxy Service to IDP); - definition of an abstraction and a clear conformity for the country specific modules (in the module EIDAS-SpecificCommunicationDefinition). With this abstraction the dependency with the SAML Engine is no longer needed in the country specific modules; - improvements to the SAML Engine for complete independence and to able to be configured separately from the eIDAS-Node (metadata configuration, white list of signature and encryption algorithms); - definition of an attribute registry used by the SAML Engine to provide clear definition, conformity of the attributes supported (configuration based) and enforcing validation; - full coverage of the transliteration at the attribute and attribute registry level; and - hardening to ensure immutability when necessary on the classes used in the SAML Engine (builder pattern). The release also includes the following changes : + complete refactoring of the commons API to define a clear contract, prevent security and concurrency issues; + clear separation between Connector and Proxy Service; + definition of a clear contract of the SAML Engine API; + opening and definition of the SAML Engine ExtensionProcessorInterface, allowing extensibility to other SAML protocols (e.g. eIDAS, STORK etc.); + definition and declaration of a clear contract of the methods used in the Specific module; + dynamic configuration for properties used by the SAML Engine, these properties have been extracted from the eIDAS-Node general configuration and allow a more granular configuration (eidas.xml, eidas-specific.xml); + implementation of the minimum data set validation based on the attribute registry; +implementation of a stable light-weight abstraction layer, exposed as an API and shipped as a library, on top of the OpenSAML library, which would wrap up all the low-level SAML boilerplate code; + implementation of two namespaces http://eidas.europa.eu/attributes/naturalperson and http://eidas.europa.eu/attributes/legalperson; and + remote code execution during object deserialization correction - upgrade the dependency version to commons-collection 3.2.2. N.B. For compatibility, some APIs from 1.0.2 have been kept from previous unofficial releases but declared as deprecated. They could disappear in a future release, replaced by the new already provided implementation. eIDAS Node Build 1.0.2 Content This intermediary release includes architectural and stability improvements (documentation not updated). The tested applications servers are Tomcat, GlassFish and WebLogic. This release provides an end-to-end sample of the happy path of a citizen's identification with a complete refactoring of the SAML Engine. This refactoring covered: - defining an abstraction and clear conformity of light Request/Response (in the module EIDAS-Light-Commons). These light objects (SAML agnostic) are designed to be used in the eIDAS-Node and also in the country specific modules; - defining an abstraction and a clear conformity for the country specific modules (in the module EIDAS-SpecificCommunicationDefinition). With this abstraction the dependency with the SAML Engine is no longer needed in the country specific modules; - defining an attribute registry used by the SAML Engine to provide clear definition and conformity of the attributes supported (configuration based); and - hardening and ensuring immutability when necessary on the classes used in the SAML Engine (builder pattern). eIDAS Node Build 1.0 Content N.B: In a future release, it is intended to provide a major architectural improvement involving the Specific module. The Specific module is inherited from the STORK PEPS Pilot 1 application. It provides a sample implementation of a Member State Specific module to customise the communication between the Identity Provider and the eIDAS-Node Proxy Service. Version 1.0 does not contain any improvements to or enhancements of the Specific module. The architectural improvements of the Specific module will: - Provide abstraction and a correct placeholder for the Member State's specific implementation; - Remove the dependency between the SAML Engine and the Specific module; - Extend the Specific module to cover communications between Service Provider and eIDAS-Node Connector as well as the communications between Identity Provider and the eIDAS-Node Proxy Service. Version 1.0 includes the following: + Improvement of the software look and feel; + Renaming of the STORK references to eIDAS terminology; + Modifications of the eIDAS-Node related to the technical specification: Parametrisation of the signing certificate of the metadata; Verification of the metadata expiration when processing it from the cache; Check the certificate validity on metadata generation, no metadata published if certificate expired; Suppression of EXACT implementation of the LoA (Level of Assurance); Support sector specific attributes; Disable the support for STORK1 message format; Change of message format (namespace from "stork" to "eidas"). + Modification in the sample SP-IDP and AP: Support eIDAS LoA in the SP and IDP; Support eIDAS attributes; Extend eIDAS compliance to include communication between SP and the eIDAS-Node; Extend eIDAS compliance to include communication between IDP and the eIDAS-Node; Improvement of the sample Service Provider to show the decrypted assertion. + Security : Update of third party libraries to the latest version(Bouncycastle-XMLSec-XML Santuario-Xalan-Commons-httpClient); + Migration from Maven 2 to Maven 3; + provide new sample of eIDAS Keystore (double key + metadata signature) provided for each binary. List of conformance documents and requirements: - eIDAS Interoperability Architecture v1.0 - eIDAS Message Format v1.0 - eIDAS SAML Attribute Profile v1.0 - eIDAS - Crypto Requirements for the Interop Framework v1.0 eIDAS Node Build 0.9 Content Version 0.9 + Add a feature selector enforcing eIDAS regulation compliance (when set to true); + Support of eIDAS compliant message format (eIDAS Technical Specifications); + Extension of eIDAS metadata (eIDAS Technical Specifications); + Security improvements: Strengthen browser cache weakness: add no-cache policy in the HTTP response header; Reflected Cross-site scripting mitigation: sanitisation of displayed values; + Removal of Middleware plugin; + Extension of the sample applications (SP, IDP, AP) to provide a sample of use of the eIDAS regulation features.