Version 5.12.0.82 Quality improvements

New features and improvements

Return error details to Service providers

We added a new IncludeSamlStatusErrorMessage setting to the Runtime's web.config file. When its value is True, SAML error responses that Identify sends to Service providers can carry detailed error messages in the StatusMessage element.

Please note that the default value of the IncludeSamlStatusErrorMessage setting is False for backward compatibility and security reasons.

Add extra information on RSA-OAEP encryption method

When the http://www.w3.org/2009/xmlenc11#rsa-oaep key transport algorithm is used, Identify now adds the DigestMethod and xenc11:MGF elements to the EncryptionMethod element so that Service providers know exactly which decryption algorithms to use. The newly added elements are necessary because most Java applications use SHA1 by default.
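The following is an added example, not Safewhere's code, showing how a Service provider could read the DigestMethod and xenc11:MGF elements before decrypting and refuse algorithms it does not recognise. The helper name `oaep_params`, the sample fragments, and the SHA-1 fallback for an absent element (taken here as the XML Encryption 1.1 default) are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"xenc": "http://www.w3.org/2001/04/xmlenc#",
      "xenc11": "http://www.w3.org/2009/xmlenc11#",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_OAEP_11 = "http://www.w3.org/2009/xmlenc11#rsa-oaep"
DIGESTS = {"http://www.w3.org/2000/09/xmldsig#sha1": "SHA-1",
           "http://www.w3.org/2001/04/xmlenc#sha256": "SHA-256",
           "http://www.w3.org/2001/04/xmlenc#sha512": "SHA-512"}
MGFS = {"http://www.w3.org/2009/xmlenc11#mgf1sha1": "SHA-1",
        "http://www.w3.org/2009/xmlenc11#mgf1sha256": "SHA-256",
        "http://www.w3.org/2009/xmlenc11#mgf1sha512": "SHA-512"}

def oaep_params(encrypted_key_xml):
    """Return the OAEP digest and MGF1 hash declared in an EncryptedKey (hypothetical helper)."""
    method = ET.fromstring(encrypted_key_xml).find("xenc:EncryptionMethod", NS)
    if method is None or method.get("Algorithm") != RSA_OAEP_11:
        raise ValueError("not an xmlenc11 rsa-oaep EncryptedKey")
    out = {}
    for name, path, table in (("digest", "ds:DigestMethod", DIGESTS),
                              ("mgf1_hash", "xenc11:MGF", MGFS)):
        node = method.find(path, NS)
        if node is None:
            # Assumed spec default: an absent element means SHA-1.
            out[name], out[name + "_explicit"] = "SHA-1", False
            continue
        uri = node.get("Algorithm")
        if uri not in table:
            # Fail closed rather than guessing an algorithm.
            raise ValueError(f"unsupported {path} algorithm: {uri!r}")
        out[name], out[name + "_explicit"] = table[uri], True
    return out

# Constructed sample fragments (CipherData omitted; not captured from Identify).
_HEAD = ('<xenc:EncryptedKey xmlns:xenc="%(xenc)s" xmlns:xenc11="%(xenc11)s" '
         'xmlns:ds="%(ds)s"><xenc:EncryptionMethod Algorithm="' + RSA_OAEP_11 + '">') % NS
_TAIL = "</xenc:EncryptionMethod></xenc:EncryptedKey>"
EXPLICIT = (_HEAD + '<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
            '<xenc11:MGF Algorithm="http://www.w3.org/2009/xmlenc11#mgf1sha256"/>' + _TAIL)
IMPLICIT = _HEAD + _TAIL

if __name__ == "__main__":
    print("explicit:", oaep_params(EXPLICIT))
    print("implicit:", oaep_params(IMPLICIT))
```

The `*_explicit` flags let a Service provider log or reject messages that rely on the implicit default instead of stating the algorithms.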

Bug fixes

  • Fixed: #90745 [IC] Audit host information of a tenant is lost when re-upgrading it right after the first upgrade failure.
  • Fixed: #90265 [MetadataMonitor] Duplicate certificates can be imported via metadata monitor on redundant setup.