Releases: SAML-Toolkits/ruby-saml

1.18.0 (Mar 12, 2025)

  • #750 Fix vulnerabilities CVE-2025-25291 and CVE-2025-25292: SAML authentication bypass via a Signature Wrapping attack, made possible by a parser differential. Fix vulnerability CVE-2025-25293: potential DoS by abusing compressed messages.
  • #718 Add support to retrieve from SAMLResponse the AuthnInstant and AuthnContextClassRef values
  • #720 Fix ambiguous regex warnings
  • #715 Fix typo in SPNameQualifier error text

1.12.4 (Mar 12, 2025)

  • #750 Fix vulnerabilities CVE-2025-25291 and CVE-2025-25292: SAML authentication bypass via a Signature Wrapping attack, made possible by a parser differential. Fix vulnerability CVE-2025-25293: potential DoS by abusing compressed messages.

1.17.0 (Sep 10, 2024)

  • Fix for critical vulnerability CVE-2024-45409: SAML authentication bypass via an incorrect XPath selector
  • #687 Add CI coverage for Ruby 3.3 and Windows.
  • #673 Add Settings#sp_cert_multi parameter to facilitate SP certificate and key rotation.
  • #673 Support multiple simultaneous SP decryption keys via Settings#sp_cert_multi parameter.
  • #673 Deprecate Settings#certificate_new parameter.
  • #673 :check_sp_cert_expiration will use the first non-expired certificate/key when signing/decrypting. It will raise an error only if there are no valid certificates/keys.
  • #673 :check_sp_cert_expiration now validates the certificate not_before condition; previously it was only validating not_after.
  • #673 :check_sp_cert_expiration now causes the generated SP metadata to exclude any inactive/expired certificates.

1.12.3 (Sep 10, 2024)

  • Fix for critical vulnerability CVE-2024-45409: SAML authentication bypass via an incorrect XPath selector

1.16.0 (Oct 09, 2023)

  • #671 Add support for LogoutRequest with an encrypted NameID

1.15.0 (Jan 04, 2023)

  • #650 Replace strip! with strip in the compute_digest method
  • #638 Fix dateTime format for the validUntil attribute of the generated metadata
  • #576 Support idp_cert_multi with string keys
  • #567 Improve code quality
  • Add info about new repo, new maintainer, new security contact
  • Fix tests, Adjust dependencies, Add Ruby 3.2 and new JRuby versions tests to the CI. Add coveralls support

1.14.0 (Feb 01, 2022)

  • #627 Support escape downcasing for validating SLO Signatures of ADFS/Azure
  • #633 Support ability to change ID prefix
  • Make the UUID editable on the SAML messages generated by the toolkit
  • #622 Add security setting to more strictly enforce audience validation

1.13.0 (Sept 06, 2021)

  • #611 Replace MAX_BYTE_SIZE constant with setting: message_max_bytesize
  • #605 :allowed_clock_drift is now bidirectional
  • #614 Support :name_id_format option for IdpMetadataParser
  • #611 IdpMetadataParser should always set idp_cert_multi, even when there is only one cert
  • #610 New IDP sso/slo binding params which deprecate :embed_sign
  • #602 Refactor the OneLogin::RubySaml::Metadata class
  • #586 Support milliseconds in cacheDuration parsing
  • #585 Do not append " | " to StatusCode unnecessarily
  • #607 Clean up
  • Add warning about the use of the IdpMetadataParser class and SSRF
  • CI: Migrate from Travis to Github Actions

1.12.2 (Apr 08, 2021)

  • #575 Fix SloLogoutresponse bug on LogoutRequest

1.12.1 (Apr 05, 2022)

  • #577 Fix XPath typo incompatible with REXML 3.2.5
  • Refactor GCM support