# zxid/Changes
# $Id: Changes,v 1.39 2010-01-08 02:10:09 sampo Exp $
# Change log, minor credits, release history, and To do list (TODO)

Usual suspects: zxid.user@lists.unh.edu

mini_httpd: server does not support RFC 5746, see CVE-2009-3555

To Do: User+Passwd --> Authorization Required

To do:
 - Wishlist of built-in attributes
   1. HTTP method (GET, POST, HEAD, etc.)
   2. Full URL including the hostname part (currently only the local URL is passed)
   3. Indication of which virtual server
   4. If SOAP, the name of the first direct child element of the SOAP Body
   5. Any SOAP Action header, from the SOAP message or from the HTTP header
 - (Local) logout should either return to the referer, or to a configurable page
 - Depend logging in validate, az response; emit logging in decorate, azreq
 - Static linking, dynamic linking libzxid
 - IdP initiated SLO
 - IdP should include URL for correcting information
 - Add persona support to IdP
 - Add attribute editor support to IdP

 - Support Danish profiles: http://digitaliser.dk/resource/516724
 - Support http://saml2int.org/ (interoperability profile and club)

 - Rule names by URN or URL to be logged to ab
 - mod_auth_saml_ws module
 - Using Apache frontend todo TAS3 for java apps
 - PDS with DITA (OASIS)
 - Partial XML parsing: stop after header
 - Header removal / unwrapping vs. header extraction, but still passing through
 - Pentaho investigation, use dwh as the backing store of the PDS
 - The FEDUSERNAME attribute should include both the succinct EntityID
   and the persistent pseudonym. Also, make the mail interface for this
   work (run a script that fishes the stuff out).

To do from EIC 2012:
 - Scopes in AuthnRequests
 - SAML2INT.org profiles, including branding icons
 - http://openidtest.uninett.no/connect-provider
 - http://tinyurl.com/umav1
 - osis.idcommons.net
 - Chat April 25: http://tinyurl.com/umachat

Regarding mod_perl stability: I would assume most of that has to do
with the underlying memory allocator. All allocation activity in zxid code
goes through zx_alloc() (in zxlib.c:55). I should fix zx_alloc() to use it.
Anyway, all this is in place to ensure that you could replace malloc()
with an alternative allocator, such as the Apache pool allocator.

In playing with allocators, an important caveat: OpenSSL has a similar
vectorable allocator. You should use the same allocator for OpenSSL and
ZXID (and perl). libcurl documentation is not entirely clear regarding
its allocator usage, but I assume it uses malloc(), so that would be
yet another worry.

https://idp.testshib.org/idp/shibboleth

Google Apps Integration
http://code.google.com/googleapps/domain/sso/saml_reference_implementation.html
Here are example docs for SimpleSAMLPHP, or Shibboleth:
* http://simplesamlphp.org/docs/1.5/simplesamlphp-googleapps
* https://shibboleth.usc.edu/docs/google-apps/

 - SP attr token: special attribute at IdP. The token is issued by the SP to
   pass attributes to the SP in a reliable way. Signed to tie to pseudonym.
 - Use SAML2 a7n as "sticky policy" envelope, standardizing some attribute names
   to convey metadata such as acceptable use or purpose, obligations,
   right-of-access-correction-and-deletion-URL, and the authoritative source.
 - zxcot should have idpdimd listing mode
 - zxpasswd should have user federation listing mode
 - zxid_pw_authn() should not report a scary error when checking .ykspent in the not-spent case
 - zxid_select_tgt() (?)
 - X509 attr certs (some code is in place, but does not work correctly)
 - Use post screen as confirmation screen, option for federation confirmation question
 - Config option for redirection after SLO
 - WSP_LOCALPDP_OBL_REQ processing
 - WSC_LOCALPDP_OBL_ACCEPT processing
 - IdP: Display Relay State in hopes of giving user more context
 - IdP: Interpret the attribute request authn ctx query string approach and show
   to the user what attributes were requested by the SP.
 - IdP: If SP does not specify attribute list, display "SP did not request any
   specific attributes. Only authentication and default attributes will be sent."
 - AuthnReq QS option for SP to request that consent is explicitly sought
 - AuthnReq QS option for SP to request that attribute list is not shown up front
 - Consider removing zx_scan_pi_or_comment() from most tags, only leaving it for top level.
 - Show whether SP wants a persistent or transient, or some other type of Id for the user.
 - Clarify signature validation error codes, e.g. <SignedInfo> canon fail vs. bad cert
 - Instantiation of declared prefix that only appears in innards of the XML (e.g. xs)
 - Merge Jeroen's mega patch
 - Idea: authorization through interaction service, get it logged to audit trail as evidence
 - Idea: discovery and consent questions up-front in the beginning of the business process
 - Improve 2 factor authn: the pin should be a hashed password
 - Paper scratch list based OTP
 - Coordinates based authn (challenge response)
 - Changing QR code based OTP
 - AuthnCtx comparison or matching
 - Proxy IdP AuthnCtx, RequesterID mapping
 - Config option to turn off audience restriction
 - U-Prove (https://connect.microsoft.com/site1188/t/U-Prove_CTP_R2_Whitepaper.pdf) support
 - Idemix support http://www.zurich.ibm.com/security/idemix/
 - AuthnSvc (AS) should check caller credential, in addition to the login credential, see comment on AS_ENA in zxidconf.h
 - Add support for multiple $ separated button_url's, see zxidmeta.c:zxid_org_desc()
 - IdP CDC registration support: in IdP login screen, display 1x1.gif from the CDC domain
 - Per SP User Data Key (udk) support (generated by IdP on per SP basis, distinct from
   pseudonym, and used by SP to encrypt and decrypt the SP local data about user. SP pledges
   by policy to not store the udk anywhere locally. Thus SP will be able to handle
   udk only when it has received it during session from the IdP (or discovery?) (solve
   problem of it being kept in audit trail, such as in logged signed message)
 - Slow mode: pause for 2 seconds on every web service call and offer user
   opportunity to interact
 - Delegation to job coaches
 - Distressed authentication, persona selection at authentication by using prefix (pin)
 - Support BrowserID https://developer.mozilla.org/en-US/docs/persona
 - BUG: Passing qs args in RelayState
 - BANGBANG_PAT to enable bang bang expansion of outputs, even in mini_httpd_zxid
 - Expected namespaces feature for effective suppression of warnings about payload namespaces
 - mod_auth_saml: Apache 2.4 does not recognize authentication as having happened
 - l0 causes pr_ix == 0 error at zxidpsso.c:196, at least on Marcin's machine
 - Upgrade zxid_psobj_enc() and zxid_psobj_dec() to AES256GCM

No authentication done but request not allowed without authentication for Authentication not configured?

zxid-1.42:: 27.2.2016
 - Ran through full test suite
 - Made signature and hash algorithms more configurable

zxid-1.41:: 18.12.2015
 - Applied patch from soconnor, perceptyx, including detection of
   signature algorithm from certificate. --Sampo

zxid-1.40:: 8.6.2015
 - Fixed bug relating to unset HTTP Action header (manifested as segv inside libcurl)

zxid-1.39:: 1.6.2015
 - Upgraded cipher suites to aes-256-gcm and RSA-OAEP
 - Added PIN+Yubikey two factor authentication
 - Added mobile pairing authentication

zxid-1.38:: 11.4.2015
 - Added UNIX_GRP_AZ_MAP
 - Added special case handling of protocol urls based on BURL

zxid-1.30:: 19.2.2015
 - UMA and OAUTH work
 - Fixed Action header detection in the non-XML body case
 - NOT RELEASED YET

zxid-1.22:: 9.10.2014
 - Added to Local PDP multivalued role attribute matching

zxid-1.21:: 27.5.2014
 - Changed "http://www.w3.org/2005/03/addressing/role/anonymous" to
   "http://www.w3.org/2005/08/addressing/anonymous" to be better WSA spec
   compliant. Seems Liberty SOAP binding has an error in this.
 - Omitted ReplyTo SOAP header whose value is anonymous
 - Added OPTIONAL_LOGIN_PAT feature
 - Added redirafter feature for local IdP logins (e.g. zxidatsel.pl)
 - Added partial mime multipart support
 - Added to zxid_httpd Range support (for download resume)
 - Improved nth processing in zxid_find_epr()
 - Added feature to stop parsing after end of first top level tag has been seen.

zxid-1.20:: 11.12.2013
 - Fixed segv on bad decrypt and improved error messages
 - Fixed ordering of Header and Body in zxid_call() with inputs already containing elements
 - Added WSC_ACTION_HDR option to control the SOAP header <a:Action>
 - Added SOAP_ACTION_HDR option to control the HTTP header SOAPAction

zxid-1.19:: 8.12.2013
 - Fixed setting ses and ptm cookies in mod_auth_saml redirect and internal content cases
 - Added OPT_INCLUDE and INCLUDE features to config file parsing
 - Added and documented REM, ECHO, INFO, WARN, and DIE config options
 - Support config file [SECTION] headers (introduced by opening square bracket) as comments
 - Added support for PRAGMA config option
 - Cleaned up so valgrind does not complain
 - Fixed XML parser boundary condition with read 1 past end (found by valgrind)
 - Changed URL to BURL (Base URL)
 - Fixed setting Action header in the case that SOAP Body does not begin with tag
 - Added EPR ranking in discovery

zxid-1.18:: 20.11.2013
 - More bug fixing in mini_httpd_zxid
 - Generalized redir_to_content and moved it to zxid_simple()
 - Moved defaultqs feature to zxid_simple()
 - Added %d expansion for VURL
 - Port mini_httpd to mingw
 - Refactored mini_httpd to zxid_httpd

zxid-1.17:: 16.11.2013
 - More bug fixing in mini_httpd_zxid

zxid-1.16:: 11.11.2013
 - Remodelled the Makefile
 - Tested TARGET=xmingw64 builds
 - Fixed some SOAP header ordering bugs
 - Fixed handling of NULL returns in Net::SAML module
 - Fixed serious bugs in mini_httpd_zxid

zxid-1.15:: 26.10.2013
 - Added wsp_pat option
 - Added mini_httpd_zxid (derived from original by Jeff Poskanzer, see acme.com)
 - Improved error reporting of the credential (assertion) expired situation

zxid-1.13:: 14.3.2013
 - Added language/skin dependent templates

zxid-1.12:: 21.11.2012
 - Added sketchy kqueue support based on FreeBSD man page, but did not test
 - Fixed compile errors and warnings on MacOS per Michael Dondrup at uni.no
 - Added better obligations support

zxid-1.11:: 30.9.2012
 - Added audit bus infrastructure (not yet universally propagated)
 - Added simplistic yubikey 2 factor authentication (pin+yubikey)
 - Fixed templ query string arg, enabling tabbed UI to work
 - Audit bus receipt confirmation signature bus-confirm: B64FORSIGNEDRECEIPT
 - Added PTM support

zxid-1.10:: 21.4.2012
 - Added support for OAUTH2 / OpenID-Connect1 Minimal / Basic Profile (both RP and IdP) (the support is still very preliminary)
 - Adapted SAML2 metadata to support OAUTH2, using Binding="urn:zxid:OAUTH:2.0:bindings:HTTP-Redirect" (OAUTH2-REDIR)
 - Corrected the OrganizationURL to be absolute
 - VPATH and VURL processing tweaks
 - Improved error reporting in zxididp and zxidhlo
 - Eliminated coordinates from the end of the branding login buttons
 - Added use of ZXIDConf <init-param> (you define it in web.xml) to servlets
 - Refactored virtual hosting code in zxidwspleaf.java and zxidwspdemo.java
 - Added -r option to zxdecode for decoding encrypted messages from the audit trail
 - Fixed buffer overrun by one in processing zxid_simple() POST
 - Obsoleted PATH=/var/zxid/idp convention. From now on, just use /var/zxid/ or VPATH for IdP

zxid-1.06:: 10.12.2011
 - Merged improvements (CDC, sol8x86, free functions, mem leak fixes) by grubba@@grubba.org from git://github.com/grubba/zxid.git
 - Added VURL for virtual hosting
 - Added support for OrganizationURL as button_url for branding buttons (per symlabs-saml-displayname-2008.pdf submitted to OASIS SSTC)
 - Deleted ORG_URL config option. Use BUTTON_URL instead.

zxid-1.05:: 7.12.2011
 - Added DEBUG and DEBUG_LOG options to manipulate debug level from config file

zxid-1.04:: 5.12.2011
 - Added VPATH for virtual hosting support, documented ZXID_CONF environment variable

zxid-1.03:: 12.8.2011
 - Fixed timestamp generation in pep call

zxid-1.02:: 22.7.2011
 - Fixed a file name folding bug that could lead to failure to discover a service
 - Added curl_easy_reset() to zxid_http_post_raw(), reportedly fixing a segv

zxid-1.01:: 21.6.2011
 - Added to zxidhlo a possibility of giving CONF using -D at compile time
 - Fixed long int argument to %d warnings (happened with x86_64 architecture build)
 - Fixed null pointer check in zxid_extract_body()
 - Improved error reporting to show cwd in vopen_fd_from_path()
 - Fixed mod_auth_saml to add to the cookies, not to replace them (replacement caused apps behind it to misbehave)

zxid-1.0:: 31.5.2011
 - Promoted to 1.0 status

zxid-0.83:: 11.3.2011
 - Fixed ordering of EPRs returned by zxid_get_epr() to always be the same as with zxid_find_epr().
 - Made private key reading more robust by tolerating omission of RSA or DSA designation

zxid-0.82:: 10.3.2011
 - Added Proxy IdP support
 - Fixed supplying Destination attribute in AuthnReq, restoring Shib compatibility
 - Fixed artifact binding on SP
 - Fixed XML crash due to malformed close tag
 - Tinkered with order of SOAP headers to silence some warnings

zxid-0.81:: 8.3.2011
 - Eliminated empty valued and duplicate attributes from XACML requests
 - Fixed return value of zxid_az() family to be null upon deny.

zxid-0.80:: 2.3.2011
 - Fixed out of memory in zxidwsc.c caused by malformed fault input.

zxid-0.79:: 1.3.2011
 - Enhanced zxidhlo to show attributes
 - Added ability to comment out AAMAP directives
 - Fixed timegm bug

zxid-0.78:: 23.2.2011
 - Fixed processing (by ignoring it) of whitespace in metadata (and elsewhere)
 - Improved fault handling in zxid_call()
 - Fixed segv caused by other side returning illegal XML in zxid_call()

zxid-0.77:: 16.2.2011
 - Upgraded for php-5.3 support (patch from Jeroen Asselman)
 - Improved -at handling in zxpasswd
 - curl_easy_reset() patch from Jeroen Asselman (fixes crash on Win32)
 - Applied zxid_saml2_map_nid_fmt() patch by Cal Heldenbrand
 - Robustified error processing in cases where encryption certificate is missing
 - Fixed NAMEID_ENC=0 missing a NameID element (TAS3 bug #493, found by Stijn)
 - Fixed IdP crash due to null pointer in zx_alloc() (TAS3 bug #494, found by Stijn)

zxid-0.76:: 26.1.2011
 - Added error checks
 - Fixed ordering of RelatesTo header
 - Fixed leakage of unknown namespaces to decoder
 - Made memory allocators really use function pointers

zxid-0.75:: 24.1.2011
 - MINGW fixes
 - User supplied MessageID duplicate fix
 - Fixed XML encoding of empty namespace prefixes
 - Fixed Brian's ordering problem (risaris-bad.xml)

zxid-0.74:: 22.1.2011
 - Changed 0 to fileno(stdin) in calls to read_all_fd() for better Windows portability
 - Included Axis2ZXIDModule.zip
 - Added Trust PDP call to discovery
 - Added Credentials and Privacy Negotiation capability to discovery

zxid-0.73:: 19.12.2010
 - Added ssoa7n and tgta7n attributes (TAS3 feature req #484)
 - Added optional sessionwide idpsesid attribute (TAS3 feature req #419)
 - Added IDWSF SOAP headers to discovery and as responses
 - Fixed a problem with copy_file(). This could cause lost audit trail when copy instead of deletion was chosen on a platform that does not use links.
 - Fixed element ordering in zxcot generated EPRs
 - Added IdP side AAMAP capability to transform attributes, including a7n wrap
 - Each credential as its own a7n
 - Added <ns:foo/> close tag tail optimization to encoder, controlled by c->enc_tail_opt flag
 - Added preliminary DSA support
 - Crude and preliminary X509 attribute cert support
 - Fixed excessive content-length in CGI output
 - Fixed XML valued attributes (TAS3 bug #385)
 - If generic XML content is seen as attribute value, it should be reserialized as safe_base64 so it can be returned to app layer as attribute (e.g. via LDIF).
 - Added MessageID and RelatesTo headers to discovery queries.
 - Test coverage 63%

zxid-0.72:: 5.12.2010
 - Major rewrite: Eliminated SO encoders entirely, enhancing WO encoder to do their job
 - Sort unknown attributes wrt known attributes in enc

zxid-0.71:: 22.11.2010
 - Moved back to global elems hash, but with separate namespace hash
 - Created elem descriptors that hang from elem hash buckets
 - Optimized the decoders to be elem descriptor and function pointer driven
 - Changed NEW constructors to macros

zxid-0.70:: 13.11.2010
 - zxdecode: assertion decode and decryption support
 - zxdecode: sha1 validation without sig validation using -s -s
 - Fixed canonicalization of attribute names with namespace prefixes
 - Fixed detection of namespace of an XML attribute, see t/shib-a7n2.xml
 - Some optimizations based on gcov and gprof
 - Moved to per namespace elem hashes and namespace hash
 - Fairly complete re-engineering/re-factoring of the generated enc/dec code
 - Fixed SO encoder
 - Added more test cases

zxid-0.69:: 20.10.2010
 - Added DeployingZxidServlets.txt, ZxidSSOFilter.java, and ZxidServlet.java by Stijn Lievens
 - Added missing file zxidjava/zxidtok.java

zxid-0.68:: 18.10.2010
 - zxpasswd hash problems fixed
 - Pairwise session indexes (encrypt master index and SP entid with IdP sym key)
 - Primitive support for passing identity token in XACML request

zxid-0.67:: 13.10.2010
 - Fixed buffer bugs introduced by removal of ZXID_MAX_USER limit

zxid-0.66:: 12.10.2010
 - zxpasswd: be tolerant of newline in input
 - Added to IdP metadata the NameIDMapping end point
 - Removed ZXID_MAX_USER limit from .at files. Removed many other limits, too.
 - Added zxid_epr_set_token() and other accessor functions
 - Fixed Solaris support (unwarranted -o option to ar)

zxid-0.65:: 10.10.2010
 - zxididp: added ID Mapper (to be used by Delegation Service)
 - zxididp: added some aspects of People Service (to be used by Delegation Service)
 - zxididp: added SSOS
 - Added zxid_map_identity_token()
 - Added zxid_set_delegated_discovery_epr()
 - Added psobj encryption for privacy preservation of people referenced by ObjectIDs
 - Added zxid_attach_sol1_usage_directive()
 - Added WSC_LOCALPDP_OBL_PLEDGE config option
 - Added WSP_LOCALPDP_OBL_REQ config option
 - Added WSP_LOCALPDP_OBL_EMIT config option
 - Added WSC_LOCALPDP_OBL_ACCEPT config option
 - Shortened the before and after slops from 1 day to about 2 hours
 - Improved zxid_get_fault_status() by adding a first level status code
 - Added -at option to zxpasswd
 - Fixed zxpasswd -l directory listing
 - zxid_simple():: Added handler for resolving invitation
 - Templatized idp selection
 - Templatized POST screen
 - WIN32CL (MSVC CL compiler) port can now create zxidjni.dll, callable from Java on Windows
 - Fixed truncated log bug (premature nul termination) in zxlog.
 - Added CANON_INOPT=1 option to ignore InclusiveNamespaces/@PrefixList as needed to work around Shib 2.1.5 IdP bug
 - Added patch by Eric Rybinski for XML ENC padding problem reported by Sampo as OpenSSL bug 1067 back in 2005.
 - Changed treatment of InclusiveNamespaces PrefixList to be more tolerant of undefined prefixes
 - Fixed mktime(3) timezone bug, found by Cal

zxid-0.64:: 16.9.2010
 - Improved WIN32CL (MSVC CL compiler) port
 - Added extern "C" markers to headers to force C calling convention even in C++, promoting binary compatibility of libraries
 - zxcall: added sso only mode
 - zxcall: added discovery only mode and iteration option
 - zxcall: added EPR cache and session listing mode -s SID -l
 - Added Unix crypt hash to zxpasswd and zxid_pw_authn()
 - Added zxid_get_fault_status() method
 - Renamed struct zx_e_Fault_s to zxid_fault (for cleaner Java Class generation)
 - Added mockpdp.pl
 - Improved (fixed?) compatibility with SiteMinder version R12 SP1 CR3 based on CRNL canonicalization analysis by Steve Kinzler

zxid-0.63:: 29.7.2010
 - Added mandatory attribute contactType to Contact element in metadata
 - Supply AuthnInstant
 - Removed sed(1) dependency
 - Improved win32cl target
 - Added SubjectConfirmation
 - Added possibility of using nested EncryptedKey (Shib 2010) instead of RetrievalMethod
 - Added Recipient hint in sibling EncryptedKey case. This is sufficient to get Shib 2010 working.
 - Added SubjectConfirmationData fields to support bearer subject confirmation method
 - Added RelayState field decoding to POST profile
 - Added double quote detection inside RelayState value
 - Store authentication instant in session and use it in zxid_mk_an_stmt()
 - Reworked/created az_base() family of functions to incorporate ideas from patch by Stijn Lievens
 - Made nested EncryptedKey a config option
 - Added support for fedusername and urn:oid:1.3.6.1.4.1.5923.1.1.1.6 (aka eduPersonPrincipalName)
 - Tweaked the az requests to separate ses az from resource az (TAS3 bug #381)

zxid-0.62:: 1.7.2010
 - Fixed IdP authentication template (runaway HTML comment)

zxid-0.61:: 25.6.2010
 - Fixed a crash in case NOSIG_FATAL and indeed no sig

zxid-0.60:: 23.6.2010
 - TAS3 package version number synchronization

zxid-0.59:: 22.6.2010
 - Added zxcot -m to generate our own metadata (previously only available using WKL method)
 - Fixed segv on signature validation when wsc_meta is missing, but NOSIG_FATAL=0
 - Improved zxidcot.pl with metadata and registration listings
 - Tightened cgi parsing to check lengths of options (avoids false detection)
 - Added Az calls to zxid_wsp_validate() and zxid_wsp_decorate()

zxid-0.58:: 25.5.2010
 - Made add-envelope processing more tolerant of different namespaces
 - Added SOAP fault and tas3:Status
 - Improved XML parse error formatting
 - Fixed seg fault in zxid_wsc_prepare() in case the EPR lacks Metadata
 - Do proper signature validation in zxid_wsp_validate() and zxid_wsc_validate_resp_env()
 - Do proper timestamp check in zxid_wsp_validate() and zxid_wsc_validate_resp_env()
 - Added RelatesTo correlation check in zxid_wsc_validate_resp_env()
 - Added concept of current fault and current tas3 status
 - Added accessor functions for faults and tas3 status
 - Added local PDP call to all 4 web service call control points
 - Added remote PDP call to all 4 web service call control points

zxid-0.57:: 18.5.2010
 - Introduced .jar and .war as std binary distribution items
 - Check for empty PDP_URL and disable Az in that case
 - Added to session localpath, tgtpath, sespath so that application layer can use ZXID storage for its own purposes.
 - Fixed SSO failure case
 - Added to session sigres and ssores.
 - Added SP local attribute authority, see zxid_ses_to_pool()
 - Added local EPR feature to SP local attribute authority, i.e. upon SSO local EPRs get copied to the new session's EPR cache (see zxid_copy_user_eprs_to_ses())

zxid-0.56:: 14.5.2010
 - Re-tested Windows compile

zxid-0.55:: 26.4.2010
 - Fixes in zxididp code

zxid-0.54:: 22.4.2010
 - Added ability to absorb multiple EntityDescriptor elements from EntitiesDescriptor, as often happens in Shibboleth federations
 - Fixed an infinite loop in zxcot -n -a
 - Removed from zxid.h unused functions zxid_idp_soap_dispatch(), zxid_idp_soap_parse(), zxid_sha1_file(). Reported by Eric Rybski

zxid-0.53:: 23.3.2010
 - Fixed case where last item (null return) of cached multi discovery would trigger yet another discovery
 - Added logging of the issued discovery messages
 - Feature improvements to zxidappdemo.java
 - Added ENA_PG and coverage targets to the Makefile (current coverage 47%)
 - Process session in validate
 - Added more Shibboleth metadata extensions. I claim Shibboleth metadata parses w/o warnings.
 - Added SAML idp-discovery extension to metadata
 - Changed templating system for IdP an page (other pages may be changed later to use the same)
 - Added zxidnewuser.pl and other IdP management web GUI scripts
 - Added zxid_wsc_prepare_call() and zxid_wsc_valid_resp() APIs, see zxidwscprepdemo.java for usage

zxid-0.52:: 15.2.2010
 - Log session create and destroy
 - Relaxed error checking in SLO: missing NameID ok if sesix supplied
 - Better session populate in zxid_wsp_validate()
 - Fixed virtual host (URL autodetect) code in zxidwspdemo.java

zxid-0.51:: 15.2.2010
 - LOAD_COT_CACHE=file feature. The cache is a concatenation of the metadata of the CoT
 - Changed zxid_az() to return string containing XACML obligations
 - Eliminated UI clutter: show_tech config flag with default off
 - Thread safety: cf->ipport, key loading, cf->curl, cf->cot
 - Thread safety: decoding contexts

zxid-0.50:: 9.2.2010
 - Fixed missing prefix in case of unknown tag/namespace
 - Fixed ordering of unknown tags
 - Added beginnings of a test suite, see zxtest.pl
 - Added WSP tool: zxidwspcgi

zxid-0.49:: 1.2.2010
 - Added AuthnSvc client and zxcall tool, which allows shellscript wsc
 - The zxcall tool also allows shell script az
 - Removed arbitrary 64KB limits from metadata, SOAP, and EPR processing. Now dynamically reallocated as needed.
 - Added zxid_ses_to_{ldif|json|qs}() family of functions
 - Added zxid_add_attr_to_ses() and zxid_add_qs_to_ses()

zxid-0.48:: 18.1.2010
 - Fixed reversed WO rendering of parsed unknown elements
 - Definitive path sanity fix for zxcot -bs
 - Fixed ses check in case of no ses in zxid_cache_epr()
 - Fixed iterations other than n==1 in zxid_get_epr()
 - Added in zxiddi ability to compare ProviderID to EPR Address

zxid-0.47:: 14.1.2010
 - Refactored zxcot to support -bs
 - Fixed recursive bootstrap infinite recursion and defined policy re recursive bootstrap level

zxid-0.46:: 13.1.2010
 - Moved project under git at zxidrepo, still learning.
 - Fixed nameid memory allocation problem
 - Added missing Java files to manifest

zxid-0.45:: 7.1.2010
 - Fixed error handling when unable to decrypt an assertion
 - Fixed mod_auth_saml redirect_to_content when no relay state
 - Do proper signing in zxid_wsf_call() and zxid_wsp_decorate()

zxid-0.44:: 16.12.2009
 - Fixed transient always on bug
 - Fixed memory free bug in case where defederation is not supported

zxid-0.43:: 29.11.2009
 - Fixed PHP support for zxid_wsp_validate() and zxid_wsp_decorate()
 - Renamed hexdec to zx_hexdec to avoid risking conflicts

zxid-0.42:: 22.11.2009
 - Added service file name computator: zxcot -n -b <epr.xml
 - Expose assertion path
 - zxid_call() reengineering
 - Added support for urn:mace:shibboleth:metadata:1.0
 - Added support for TAS3 Credentials and Simple Obligations Language (SOL)
 - Added zxid_wsp_validate() and zxid_wsp_decorate()
 - zxidhrxmlwsc and zxidhrxmlwsp tested to work

zxid-0.41:: 20.11.2009
 - Yubikey support in zxiduser.c and zxpasswd
 - Config dump screen (o=d)
 - OpenSSL_add_all_algorithms() fix from Stefan @ Koblenz
 - di_Query support
 - ID-WSF 2.0 AuthnSvc support
 - Bootstrap support, improved
 - SAML2 IdP support with attributes and bootstraps
 - zxid-idp.pd documentation
 - Added 403 Denied error response to SSO servlet (zxidsrvlet.java)
 - Various bug fixes to zxididp and zxidjava
 - First winbin release in long time (zxid-0.41-win32-bin.zip)

zxid-0.40:: 14.11.2009
 - Shib2 interop testing
 - XACML cd1 support (sending policies in request)
 - Populate both OID and FriendlyName variants of attributes from assertion
 - Extensively tested java servlet configuration with zxidjni.az()
 - Greatly improved zxid-java.pd documentation
 - Fixed and tested mod_php configuration with zxid_az()
 - Fixed and tested mod_perl configuration with Net::SAML::az()
 - Retested mod_auth_saml

zxid-0.39:: 5.11.2009
 - Added zxidsrvlet and zxidappdemo

zxid-0.38:: 16.10.2009
 - Added better integrated zxidsrvlet

zxid-0.36:: 14.10.2009
 - Added building war files (from Brian Reynolds <leitrim_94@yahoo.com>)
 - Removed duplicate cn from Auto-Cert generated self signed certs and CSRs
 - Fixed gcc 4.2 specific compile problem re cast as lvalue (thanks Brian)

zxid-0.35:: 11.10.2009
 - Fixed Solaris compile problems

zxid-0.34:: 17.9.2009
 - Added TAS3 package targets for Java and PHP

zxid-0.33:: 9.9.2009
 - Removed Apache check from default make
 - Continued refactoring README.zxid to separate documents
 - Changed configuration file reading so that config file is (re)read
   whenever PATH is supplied, but not if PATH is supplied in the file itself.
 - Added dummy PDP
 - Added zxcot tool
 - Fixed zxdecode tool and added html parsing support
 - Added xml-pretty.pl tool
 - Added Auto-Cert feature to generate self signed certificates on the fly
 - Added optional HMAC chaining code to the log format (but not implementation)
 - Added attribute broker and PEP features
 - Fixed relay state handling in mod_auth_saml so you land on the right protected content page
 - Added support for zxid_simple() returning JSON or Query String in addition to traditional LDIF
 - Added preliminary and incomplete CARML support (see Identity Governance Framework - IGF)
 - Fixed innumerable bugs in mod_auth_saml
 - Added setting REMOTE_USER to mod_auth_saml

zxid-0.32:: 25.3.2009
 - Fixed Java compile

zxid-0.31:: 15.11.2008
 - Fixed validation of signatures in redirect binding
 - Added logging of relied upon information in redirect binding
 - Fixed memory leak in SLO and MNI
 - Refactored dispatch functions so CGI and others use same code
 - Fixed redirect binding signature validation

zxid-0.30:: 28.9.2008
 - Fixed some type warnings
 - Fixed core dump in mod_auth_saml without query string
 - Fixed redirect hack to cope with the query string

zxid-0.29:: 24.9.2008
 - Fixed bug in redirect hack
 - Added ANON_OK
 - Added REQUIRED_AUTHNCTX
 - Added IDP_SEL_PAGE
 - Debugged and tested the mod_auth_saml Real World Example

zxid-0.28:: 18.9.2008
 - Fixed some Apache documentation issues
 - Added redirect hack to allow mapping imposed URLs to ZXID native URLs

zxid-0.27:: 17.9.2008
 - Added BSDmakefile hack, suggested by Slaven Rezic (slaven at rezic.de)
 - Added NON_STANDARD_ENTITYID option
 - Added precheck to quickly check main compilation and linking problems

zxid-0.26:: 9.5.2008
 - Fixed Auto-CoT bug due to form field name conflict
 - Added missing .java files to Manifest

zxid-0.25:: 17.4.2008
 - Added support for SAML POST-SimpleSign binding
 - Added preliminary draft support for Orange Personal APIs
 - Added default-cot - ship metadata for some IdPs
 - Updated documentation about joining OpenLiberty.org

zxid-0.24:: 22.2.2008
 - Added mod_auth_saml
 - Many fixes from testing against commercial products

zxid-0.23:: 12.10.2007
 - Support MNI to change NameID
 - Support EncryptedID on outbound traffic (MNI, SLO)

zxid-0.22:: 10.10.2007
 - Added log levels 1 and 2
 - Added @Destination handling
 - Ensured preservation of whitespace in XML parsing and exc-xml-canon
 - Fixed alphabetization of attributes in exc-xml-canon
 - Added signing ArtifactResolve, LogoutRequest, and ManageNameIDRequest over SOAP
 - Improved handling of empty ns prefix for XML attributes
 - Print source IP to logs

zxid-0.21:: 8.10.2007
 - Fixed missing Content-type header, reported by Damien Laniel <dlaniel@@entrouvert_com>
 - Segregated prototypes that use va_list to zxidnoswig.h to avoid problem on Redhat
 - Created cygwin target
 - Changed the USE_LOCK handling to allow dummy on cygwin
 - Fixed MGMT auto flag
 - Fixed handling of InclusiveNamespaces/@PrefixList

zxid-0.20:: 1.10.2007
 - EncryptedAssertion, EncryptedAttribute, and EncryptedID support
 - Fixed signing of redirect URLs
 - Fixed indigestion over processing instructions and comments
 - Fixed encoding of attribute namespaces
 - Added xs and xsi namespaces
 - Fixed lookup of attribute tokens without namespace (mismatching id symptom)

zxid-0.19:: 11.8.2007
 - Fixed php support
 - Bug and documentation fixes

zxid-0.18:: 17.7.2007
 - Added HR-XML WSC and WSP support
 - Much stabilization of ID-WSF code

zxid-0.17:: 6.3.2007
 - Bug fixes

zxid-0.16:: 4.3.2007
 - Added ID-DAP support
 - Added ID-MM7 support
 - Added Contact Book support
 - Added Geo Location support
 - Added People Service support
 - Added ID Mapping support
 - Added Authentication Service support
 - Added DST and Subscriptions support
 - Added XACML2 support
 - Added WS-Trust 1.3 support

zxid-0.15:: 22.2.2007
 - JAVAC_FLAGS tweak to avoid insufficient heap, from Sean Doyle
 - Fixed zxid_fed_mgmt_cf() unimplemented warning
 - Documented fix for __init_array_start linking problem
 - Annotated sources with call graph information, added call-anal.pl

zxid-0.14:: 21.2.2007
 - zxidhlo.java and Tomcat example perfected

zxid-0.13:: 20.2.2007
 - Java interface cleanup
 - Mac compile fixes
 - Minor bug fixes

zxid-0.12:: 10.2.2007
 - WSF bootstrap handling
 - Rework of session system
 - Bug fixes

zxid-0.11:: 1.2.2007
 - MinGW DLL fixes

zxid-0.10:: 31.1.2007
 - MinGW DLL production works

zxid-0.9:: 26.1.2007
 - Fixed compilation
 - Preliminary Windows support using MinGW

zxid-0.8:: 1.12.2006
 - Improved signature checking
 - New logging infrastructure, documented logging
 - Support config files, documented the format

zxid-0.7:: 25.9.2006
 - WO encoding with namespace support
 - First cut of XMLDSIG validation (very early signing, too)
 - Fixes to PHP, mod_php, Perl, and mod_perl support

zxid-0.6:: 18.9.2006
 - PHP support, including mod_php

zxid-0.5:: 15.9.2006
 - Encoders and decoders for ID-WSF and ID-FF (various versions)

zxid-0.4:: 4.9.2006
 - mod_perl/Net::SAML SP

zxid-0.3:: Late Aug 2005
 - First fully functional release

zxid-0.2:: Aug 2005
 - SAML 2.0 encoders and decoders, metadata import works

zxid-0.1:: Aug 2005
 - Project founded.

# EOF