Pysaml2 Versions Save

7.1.0 (2021-11-16)

The following breaking changes are not reflected in the version by mistake:

• the method saml2.mdstore.Metadata::certs used to return a list of certificate data - List[str]. This method has now changed to return a list of tuples - List[Tuple[str, str]] - where the first item in the tuple holds the key name, and the second the certificate data.

Changes:

• Fix signature verification for the redirect binding for AuthnRequest and LogoutRequest.
• Include encryption KeyName in encrypted assertions.
• Add "reason" field in invalid signature errors due to invalid document format.
• New SP configuration option requested_authn_context to set the preferred RequestedAuthnContext class reference.
• Add support for metadata refresh by adding a metadata_reload method into saml2.Entity. This method is to be externally invoked, and to receive the same metadata configuration as what was passed under the metadata key to saml2.Config. The method loads a new metadata configuration and swaps it in (replacing the references across several objects that hold a metadata reference).
• Fix SessionIndex resolution during logout.
• Fix AuthnResponse::get_subject to be able to decrypt a NameID with the given keys.
• Refactor AuthnResponse::authn_info to consider DeclRef equivalent to ClassRef.
• Ensure creation of multiple ePTIDs is handled correctly.
• Improve signature checks by ensuring the Object element is absent, enforcing allowed transform aglorithms, enforcing allowed canonicalization methods and requiring the enveloped-signature transform to be present.
• mdstore: Make unknown metadata extensions available through the internal metadata.
• mdstore: Fix the exception handler of the InMemoryMetaData object.
• mdstore: Fix the serialization of the MetadataStore object.
• examples: Fix code to catter changes in interfaces.
• examples: Update certificates to avoid SSL KEY TO SMALL errors.
• docs: Significant improvement on the configuration options documentation.
• docs: Fix typos.

7.0.1 (2021-05-20)

• Preserve order of response bindings on IdP-initiated logout
• Fix use of expected binding on SP logout

7.0.0 (2021-05-18)

• BREAKING Replace encryption method rsa-1_5 with rsa-oaep-mgf1p
• Add documentation next to the code

6.5.2 (2021-05-18)

• Add shibmd_scopes metadata extractor
• Allow the Issuer element on a Response to be missing
• Respect the preferred_binding configuration for the single_logout_service
• Fix logout signature flags for redirect, post and soap requests
• Respect the logout_requests_signed configuration option
• Fix crash when applying policy on RequestedAttribute without a friendlyName
• Correctly validate IssueInstant
• Correctly handle AudienceRestriction elements with no value
• Raise InvalidAssertion exception when assertion requirements are not met
• Raise SAMLError on failure to parse a metadata file
• Raise StatusInvalidAuthnResponseStatement when the AuthnStatement is not valid
• Handle all forms of ACS endpoint specifications
• tests: Always use base64.encodebytes; base64.encodestring has been dropped
• build: Set minimum version needed for xmlschema
• docs: Update Travis CI badge from travis-ci.org to travis-ci.com
• examples: Fix example code

6.5.1 (2021-01-21)

• Fix the parser to take into account both the xs and xsd namespace prefixes

6.5.0 (2021-01-20) - Security release

• Fix processing of invalid SAML XML documents - CVE-2021-21238

• Fix unspecified xmlsec1 key-type preference - CVE-2021-21239

• Add more tests regarding XSW attacks

• Add XML Schemas for SAML2 and common extensions

• Fix the XML parser to not break on ePTID AttributeValues

• Fix the initialization value of the return_addrs property of the StatusResponse object

• Fix SWAMID entity-category policy regarding eduPersonTargetedID

• data: use importlib to load package data (backwards compatibility through the importlib_resources package)

• docs: improve the documentation for the signing_algorithm and digest_algorithm options

• examples: fix the logging configuration of the example-IdP

• tests: allow tests to pass on 32bit systems by properly choosing dates in test XML documents

• tests: improvements on the generation of response and assertion objects

• tests: expand tests on python-3.9 and python-3.10-dev

6.4.1 (2020-12-08)

• Indicate minimum required python version during installation

6.4.0 (2020-12-08)

• Add preferred signing and digest algorithms configuration options: Use the new configuration options signing_algorithm and digest_algorithm.
• Fix signed SAML AuthnRequest and Response when HTTP-Redirect binding is used: Previously, the query params Signature and SigAlg were not included.
• Ignore duplicate RequestedAttribute entries when filtering attributes
• tests: Avoid reuse of old test data files

6.3.1 (2020-11-11)

• Fix extraction of RegistrationInfo when no information is available
• Fix http_info struct to include status-code

6.3.0 (2020-10-30)

• Allow to specify policy configurations based on the registration authority.

• Add new configuration option logout_responses_signed to sign logout responses.

• When available and appropriate return the ResponseLocation along with the Location attribute.

• Always use base64.encodebytes; base64.encodestring has been dropped.

• Examples: fix IdP example that was outputing debug statements on stdout that became part of its metadata.

• CI/CD: Use Ubuntu bionic as the host to run the CI/CD process.

• CI/CD: Pre-releases are now available on test.pypi.org. Each commit/merge on the master branch autotically creates a new pre-release. To install a prelease, run:

  $ pip install -U -i https://test.pypi.org/simple --extra-index-url https://pypi.org/simple pysaml2