- TLS: Use Go’s native implementation of ‘x509.SystemCertPool’ on Windows
Internal improvements and maintenance updates.
- Dependencies: Resolved CVE-2024-45338
Internal improvements and maintenance updates.
- ldapProvider: Correctly surface ‘getHashedCredentialsSE’ error
Internal improvements and maintenance updates.
- Secret provider: Make CA not required for cert auth in HashiVault
- Dependencies: Resolved CVE-2024-45337
- Fix Missing Folder for Artifactory Cleanup Workflow
Internal improvements and maintenance updates.
- Connectors: Allow multiple OIDC callback URLs to be defined
Internal improvements and maintenance updates.
- Dependencies: Resolved CVE-2024-53259
- Service Extensions: Implement HTTP interface of Orchestrator API.
- OIDC Connector: Dynamically generate oauth logout callback URLs
- SAML Provider: Fix issue where authentication requests required an ACS URL
- OIDC Provider: Add support for ‘ES256’ key algorithm for client authentication
- HTTP: Add global endpoint timeout.
- HTTP: Add configurable HTTP server timeouts with sane defaults.
- Respect env variables and CLI flags when reloading logger
- Proxy Apps: Improve logging when required attributes are missing and not loadable
- OIDC Connector: Dynamically generate oauth callback URLs
- OIDC Provider: Improve logging during JWT bearer client authentication
Internal improvements and maintenance updates.
- Enable use of JWT for client authentication with client_credentials grant
- Container: Resolved CVE-2024-9143
- SAML APP: Support multiple ConsumerServiceURLs per SAML app
Internal improvements and maintenance updates.
- SAML Connectors: Use POST binding if available during SAML login
- Secret providers: Support Hashicorp Vault cert auth on Windows
- Config Reload: Make logger reloadable
- TLS: Add support for ECDH algorithms on Windows
- Add CRL revocation support to TLS config
- SAML Provider: Support compressed AuthnReq via POST binding
Internal improvements and maintenance updates.
- SAML & OIDC Providers: Enable service extensions to be used in conjunction with attribute providers
Internal improvements and maintenance updates.
- Add OCSP revocation check
- Logger: Add error logger to HTTP server
- OIDC Provider: Require openid scope to access userinfo endpoint
- Support Hashicorp Vault cert auth on Linux
Internal improvements and maintenance updates.
- Health service: Make health service reloadable
- Update PR template to hide instructions
- Connectors: Add cookie jar to generic SAML health check
- QKSLVR-1987: Upload additional artifacts to JFrog
- OIDC Provider: Allow “sub” and “client_id” claims to be overwritten via service extension
- Add Single Logout JSON Schema
Internal improvements and maintenance updates.
- Add deb build target in Makefile
- OIDC Provider: Dynamically build userinfo response
- OIDC Provider: Add association from token cache to userinfo cache
- OIDC Provider: Store userinfo data only once
- Connectors: Infer correct protocol binding from SAML metadata
- Expose ‘jose.ContentType’ in service extensions
- Connectors: Add support for login hint via subject in PingFed SAML
Internal improvements and maintenance updates.
- Update github PR template
- Connectors: Implement login_hint in query for Azure SAML
- SE: Add ‘postLogoutSEV2’ service extension
- Ensure mTLS cannot be bypassed by spoofing the Host header.
- Connectors: Restore SAML login in PingFed
- Connectors: Add login hint to OIDC connectors
- Proxy apps: Allow secrets loading in policy locations
- SE: Introduce v2 service extension signature for ‘evalIdleTimeoutSE’
- Support retrieving AWS secrets via ARN
Internal improvements and maintenance updates.
- TLS: Add support for SNI via ‘http.hosts’
- SE: Introduce v2 session evalMaxLifetime
- Service Extensions: Fix route registration issue
- Add newline delimiter option in CCP as workaround for multi-line secrets.
- Format the Hypr HTML to make it more readable
- DSO-1348: Add Uploading Artifacts for Services Team
- SAML App inherits signing cert from SAMLProvider
- HTTP: Rework HTTP initialization logic to support SNI
Internal improvements and maintenance updates.
- SAMLProvider: Fix panic when claims mapping attribute does not use connector notation
- Fix OIDCProvider panic when claims mapping attribute does not use connector notation
- Bundle Validation: Improve error handling when loading public key
- TLS: Rename ‘clientCAs’ to ‘clientCAFiles’ in TLS config
- Continuity: Improve reload behavior
- Continuity: Check for duplicated status codes
- Continuity: Add health check to ADFS
- Connectors: Make cert and keys paths optional for ADFS
Internal improvements and maintenance updates.
- Support LoadAttributesSE for OIDC Apps
- Enable service extensions for OIDC provider authorization
- Support multiple secrets for OIDC client authentication
- Add load attributes service extension to SAML apps
- Ensure OIDC clients are unique by client ID
- Expose make commands in make help
- SAML Apps: Support app level ‘disableSignedAssertion’ and ‘disableSignedResponse’
- Add authorization rules to OIDC apps
Internal improvements and maintenance updates.
- SAML Apps: Support app-specific signing certs
- Support client defined grant types for OIDC apps
- Continuity: Remove body matching response logging
- Update mitchellh/mapstructure to go-viper/mapstructure/v2
- Apps: Validate ‘name’ uniqueness
- Support ROPC flow for OIDC apps via backchannel authenticate SE
- Continuity: Increase state parameter length in generic OIDC health check
- Continuity: Add TLS to custom health check
Internal improvements and maintenance updates.
- Support IsAuthorizedSE in SAML apps
- Add permissions for id-token for JFrog Artifactory GitHub Workflow
- Continuity: Add custom health check response body matching
- Use the correct HTTP client for SAML health check
- Continuity: Add headers to custom health check endpoint
- Add QR authentication mode for Hypr connector
- Add GitHub workflow for uploading artifacts to JFrog Artifactory
- Update Artifactory GitHub Workflow to reference branch
- Continuity: Add ability to define custom health check
- Continuity: Change the default health check interval
- Continuity: Add un/healthy threshold
- Enforce authorization rules in SAML Apps
- Continuity: Support health checks in PingFederate connector
- Reimplement Cyberark Conjur Secret Provider
Internal improvements and maintenance updates.
- Add state to continuity enabled connectors
- Remove legacy LDAP ‘attrproviders’ implementation
- Continuity: Update IdP healthcheck metric prefix to include namespace
- SAML APP: Query for nameID attributeMapping attribute if not on session
- Update log level to error when referenced secret is not found
- Continuity: Add IDP health check to Auth0
- Continuity: Add IdP health metrics
- Expose ldap.Control
- Implement SAML health check in Okta
- Implement SAML health check in Azure
- Add AWS Secrets manager secret provider support
Internal improvements and maintenance updates.
- Continuity: Add generic SAML health check
- Telemetry: Update local Docker Compose telemetry environment for development
- Support reload for single logout config
- Continuity: Leverage generic OIDC health check in Okta and Azure
- Continuity: Add meter and tracer to health check service
- Continuity: Parse health check values as duration
- Protect session store with mutex and add session service to config reloader
- Implement session config reload
Internal improvements and maintenance updates.
- Service Extensions: Expose symbols for JWT encryption
Internal improvements and maintenance updates.
- MSI: Fix file contention issue
Internal improvements and maintenance updates.
- Continuity: Add health check to OIDC connector
Internal improvements and maintenance updates.
- OIDC & SAML Apps: Remove legacy resilience implementation
- Proxy apps: Remove legacy resilience implementation
Internal improvements and maintenance updates.
- Redirect SAML SSO error responses correctly
- Continuity: Add health check to AD
- Continuity: Add health check to LDAP
- SAMLProvider: Support LogoutRequest via POST binding
Internal improvements and maintenance updates.
- Connectors: Gracefully handle failure to retrieve OIDC well-known metadata
- Verify Signed SAML Logout requests via Redirect binding
Internal improvements and maintenance updates.
- SAML Apps: Store logout request in cache
- Fix SAMLProvider cacheState storage when using multiple IDPs
- Add support for namespace in HashiVault
- Resilience connector: Add support for logout
- Unregister SAMLProvider SLO endpoint during stop
- Connectors: Better handle logout errors
- Resilience connector: Implement Query
Internal improvements and maintenance updates.
- Append query parameters to authn request during IDP Initiated SAML
- Validate bundle file in MSI installer
- SAMLProvider: Add SingleLogoutService to metadata when sloEndpoint is defined
- SAMLProvider: Implement SP initiated SLO
- MSI: Fix service restart on change and add default remote configs.
- Service Extensions: Expose symbols to enable JWT generation
Internal improvements and maintenance updates.
- Connectors: Set transport properties on health check HTTP client
- SAML Connectors: Fix panic observed when generating unsigned logout requests
- Resilience Connector: Add meter and tracer
- Resilience Connector: Add attributes mapping
- Resilience Connector: Add ‘enabled’ property and remove dependency on feature flag
- Add instructions on setting up the dev environment for the MSI Installer
- Resilience connector: Implement failover strategy
- Improve specificity of pull request instructions
- Resilience Connector: Add base config and validation
- Resilience Connector: Implement base lifecycle
- SAML Apps: Call BuildRelayState extension post-authentication
- Resilience Connector: Scaffold connector implementation
Internal improvements and maintenance updates.
- SAML Apps: Expose NameID configuration
- Include allowedProtectedPackages option for Service Extensions
- Introduce cache to SAMLProvider
- SAML Apps: Expose BuildRelayState service extension for IDP-initiated login flow
- MSI: Separate HTTP address field into IP and Port.
- SAML Apps: Allow IDP-initiated ‘relayStateURL’ field to be optionally defined
- MSI: Add documentation hyperlink to complex properties.
Internal improvements and maintenance updates.
- MSI: Auto set MAVERICS_RELOAD_CONFIG=true
- Fix log key to have correct attrProvider name
- MSI: Fix double configuration source error.
- MSI: Migrate system environment variables.
Internal improvements and maintenance updates.
- SAML & OIDC Apps: Organize authprovider pkg and improve logging
- Manually validate timestamp assertions in SAML
Internal improvements and maintenance updates.
- Implement generic SAML in 1Kosmos and add cache
- Improve MSI UX flow for Bundle Key File selection.
- MSI: Find certificate should have empty selection.
- SAML Apps: Validate SP audience is unique before creation
- Proxy Apps: Add support for HTTP request methods in policy
- OIDC Apps: Add ‘Authorization’ to list of ‘Access-Control-Allow-Headers’ to fix CORS issue
- Resolved CVE-2024-22189
- Make Ping Fed use generic SAML package and introduce cache
Internal improvements and maintenance updates.
- Fix remote config box being cleared after selecting bundle public key file.
- SAML Connectors: Only sign SAML AuthnRequest if signing certs are provided
- OIDC ClaimsMapping -> LogicNodes
- Implement new MSI UI flow
- Minor changes to improve Azure and connector behaviors
- Rename LogicNode IDP to Value
- Enhance SAML metadata parsing to support formatted certificates
- Support api.App in IsAuthenticatedSE, AuthenticateSE and v2/BuildClaimsSE for SAML apps
- Support api.App in IsAuthenticatedSE, AuthenticatedSE, BuildAccessTokenClaimsSE, BuildIDTokenClaimsSE for OIDC apps
- Add support for RP-initiated logout in OIDC provider
- NG-LDAP Provider: Correctly handle a bind after the SASL security layer is active (Conformance)
- NG-LDAP Provider: Various improvements to logging and user config.
- Allow loading certs from Windows store in CyberArk CCP
- Support api.App in loginSE and isLoggedInSE for proxy apps
- Support api.App in createHeaderSE for proxy apps
- Support api.App in loadAttrsSE for proxy apps
- NG-LDAP Provider: Update Stability to Beta
Internal improvements and maintenance updates.
- NG-LDAP Provider: Fix context within SEs
- Service Extensions: Add missing Cache WithTTL option to SE symbols
Internal improvements and maintenance updates.
- NG-LDAP Provider: Improve logging
- NG-LDAP Provider: Handle Unbind
- NG-LDAP Provider: Add SASL/GSS-SPNEGO/NTLM handling into the connection handler
Internal improvements and maintenance updates.
- Update error returned when end_session_endpoint isn’t configured
Internal improvements and maintenance updates.
- Okta OIDC connector resilience
Internal improvements and maintenance updates.
- Implement CyberArkCCP
Internal improvements and maintenance updates.
- NG-LDAP Provider: Map user config to runtime parameters
Internal improvements and maintenance updates.
- Ensure appropriate errors are returned instead of http.ServeMux panic
- NG-LDAP Provider: Attach secure connection handler to server
- NG-LDAP Provider: Add NTLM Handler (Part 2)
- Azure connector resilience
Internal improvements and maintenance updates.
- NG-LDAP Provider: Add NTLM Handler (Part 1)
- NG-LDAP Provider: Handle Extended StartTLS
Internal improvements and maintenance updates.
- Security: Resolved CWE-409
- NG-LDAP Provider: Handle Search
- NG-LDAP Provider: Handle Simple Bind
- Expose service extension utility to enable WebLogic integration
Internal improvements and maintenance updates.
- NG-LDAP Provider: Add Simple Bind skeleton
- Pass query params from logoutURL to postLogoutRedirectURL
- NG-LDAP Provider: Add first packet processing layer
- NG-LDAP Provider: Fix panic on Orchestrator shutdown
- NG-LDAP Provider: Add initial connection skeleton
- Add capability to choose IdP for authn with LogicNode
Internal improvements and maintenance updates.
- NG-LDAP Provider: Add initial server connection logic
- Add LogicNode as path to enhancing IDP logic
- NG-LDAP Provider: Add SASL Security Layer (Security Sensitive)
Internal improvements and maintenance updates.
- NG-LDAP Provider: Add initial OIDs and message structure
Internal improvements and maintenance updates.
- NG-LDAP Provider: Add runtime params
Internal improvements and maintenance updates.
- NG-LDAP Provider: Add end-user config
- Add Service Extension symbols to enable AVP use case
Internal improvements and maintenance updates.
- NG-LDAP Provider: Add initial Service Extension signatures and parsing logic
Internal improvements and maintenance updates.
- Parse auth request correctly to generate proper state param
- Move nested policy so that it can be reused across constructs
Internal improvements and maintenance updates.
- NG-LDAP Provider: Implement minimal lifecycle
Internal improvements and maintenance updates.
- Add LDAP provider to root of the config
- Create an initial structure for the next generation of the LDAP Provider
Internal improvements and maintenance updates.
- Add configuration options to MSI installer and fix upgrade behavior
- Support loading service extension assets as a file system
- Add offline_access to scopes_supported in OIDC well-known endpoint
- Implement Context interface for service extensions
- Support retrieving App name from some v2 Service Extensions
- Expose orchestrator cache to service extensions
- Add client_id to claims in access token
- Support login options in service extensions
- Resolved CVE-2023-49295
- Fix refresh token length configuration
- Close HTTP response body in connectors
- Omit the attempt to substitute env var if the line starts with ‘#’
- Close response body when making token request
- Resolved CVE-2023-48795