New features and improvements
Return error details to Service providers
We added a new IncludeSamlStatusErrorMessage setting to the Runtime's web.config file. When its value is True, SAML error responses from Identify to Service providers can have the StatusMessage element set with detailed error messages.

Please note that the default value of the IncludeSamlStatusErrorMessage setting is False for backward compatibility and security reasons.
    <Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
              ID="id9b6c9d072ec2405aab59e4ed16b8a5f3"
              Version="2.0"
              IssueInstant="2022-08-23T08:08:01.0612842Z"
              Destination="https://example.sp.safewhere.com/login.ashx"
              InResponseTo="idbd22d05b640d4b16982cbbbc2a47a133">
      <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://saml.example.safewhere.local/runtime/</Issuer>
      <Status>
        <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
        <StatusMessage>This is an example message - Failed to validate credentials of the user in a timely fashion.</StatusMessage>
      </Status>
    </Response>
Add extra information on RSA-OAEP encryption method
When the http://www.w3.org/2009/xmlenc11#rsa-oaep key transport algorithm is used, we added the DigestMethod and xenc11:MGF elements to the EncryptionMethod element so that Service providers can know exactly what decryption algorithms to use. The newly added elements are necessary because most Java applications use SHA1 by default.
    <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
      <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
            <e:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep">
              <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
              <xenc11:MGF xmlns:xenc11="http://www.w3.org/2009/xmlenc11#" Algorithm="http://www.w3.org/2009/xmlenc11#mgf1sha256" />
            </e:EncryptionMethod>
            <KeyInfo>
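An added example (not Safewhere's code) of how a Service provider can read the DigestMethod and MGF elements from the EncryptedKey and fall back to the XML Encryption 1.1 defaults (SHA1 for both) when they are absent, using only Python's standard library. The sample EncryptedAssertion is constructed here and closed with the end tags the page's snippet omits.

```python
import xml.etree.ElementTree as ET

NS = {
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "xenc11": "http://www.w3.org/2009/xmlenc11#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_OAEP_11 = "http://www.w3.org/2009/xmlenc11#rsa-oaep"
# XML Encryption 1.1 defaults that apply when the child elements are omitted;
# this is the SHA1 behaviour the release note says Java stacks assume.
DEFAULT_DIGEST = "http://www.w3.org/2000/09/xmldsig#sha1"
DEFAULT_MGF = "http://www.w3.org/2009/xmlenc11#mgf1sha1"

# Constructed sample, modelled on the snippet above.
SAMPLE = """<EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
        <e:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep">
          <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <xenc11:MGF xmlns:xenc11="http://www.w3.org/2009/xmlenc11#" Algorithm="http://www.w3.org/2009/xmlenc11#mgf1sha256"/>
        </e:EncryptionMethod>
      </e:EncryptedKey>
    </KeyInfo>
  </xenc:EncryptedData>
</EncryptedAssertion>"""
# Same document with the two new elements stripped, as an older IdP would send it.
LEGACY_SAMPLE = "\n".join(
    line for line in SAMPLE.splitlines() if "DigestMethod" not in line and "MGF" not in line
)


def oaep_parameters(encrypted_assertion_xml: str) -> dict:
    """Return the OAEP digest and MGF URIs a decryptor must use for the EncryptedKey."""
    root = ET.fromstring(encrypted_assertion_xml)
    # Prefix 'e' in the document maps to the same namespace as 'xenc' here.
    method = root.find(".//xenc:EncryptedKey/xenc:EncryptionMethod", NS)
    if method is None:
        raise ValueError("no EncryptedKey/EncryptionMethod element")
    if method.get("Algorithm") != RSA_OAEP_11:
        raise ValueError(f"unexpected key transport algorithm: {method.get('Algorithm')}")
    # DigestMethod is unprefixed in the sample but inherits the xmldsig default namespace.
    digest = method.find("ds:DigestMethod", NS)
    mgf = method.find("xenc11:MGF", NS)
    return {
        "digest": digest.get("Algorithm") if digest is not None else DEFAULT_DIGEST,
        "mgf": mgf.get("Algorithm") if mgf is not None else DEFAULT_MGF,
        "explicit": digest is not None and mgf is not None,
    }
```

A decryptor that ignores these elements and always uses its library default will fail to unwrap the key whenever the IdP actually used SHA-256, so the `explicit` flag is useful for logging which path was taken.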
Bug fixes
- Fixed: #90745 [IC] Audit host information of a tenant is lost when re-upgrading it right after the first upgrade failure.
- Fixed: #90265 [MetadataMonitor] Duplicate certificates can be imported via metadata monitor on redundant setup.