Release date: 2025-05-08
Release date: 2025-03-26
Release date: 2025-03-10
Release date: 2025-02-27
Error messages used for non-recoverable errors were not HTML-encoded when the locale was Swedish. This has been fixed.
Dependency updates - some dependencies had reported vulnerabilities.
Release date: 2025-02-04
Assertions from the connector did not include the AuthnContext/AuthenticatingAuthority element. This has been fixed.
If Redis clusters were used (spring.data.redis.cluster.*), Redis would not initialize correctly. This has been fixed.
Release date: 2025-01-28
Release date: 2025-01-15
Completely new IdP base, built on Spring Boot instead of Shibboleth.
No changes in supported features.
Release date: 2023-08-08
The assertion that the connector receives from the foreign country may now be delivered in the authServerSignature (urn:oid:1.2.752.201.3.13) attribute. The content of this attribute is a Base64-encoded string.
Note: In order to receive this attribute a Swedish SP must declare the attribute as “requested” in its metadata record, as follows:
<md:RequestedAttribute Name="urn:oid:1.2.752.201.3.13" isRequired="false"/>
Release date: 2022-02-09
Release date: 2021-12-16
Tomcat was updated along with dependencies to jQuery.
Release date: 2020-10-29
Given the AuthnContextClassRef(s) requested by the SP, we now check all countries' capabilities and only those that meet the SP requirements are selectable. Those that do not will be greyed out in the UI.
Signing of SP metadata is done according to the eIDAS crypto requirements.
Release date: 2020-10-05
If no AuthnContext was specified in an AuthnRequest, the default AuthnContexts used were wrong. This configuration error has been fixed.
Release date: 2020-09-29
We have implemented support for sending eIDAS “ping” authentication requests. This feature has to be configured so that only SPs that are white-listed are allowed to send such requests. This is controlled by the IDP_PING_WHITELIST setting. See section “IdP interoperability and test settings” in docs/configuration.md.
Currently, the DK eIDAS Proxy Service cannot process requests that contain the Scoping element. Therefore a setting, IDP_SP_REQUEST_SKIP_SCOPING_FOR, has been introduced to implement a work-around. See section “IdP interoperability and test settings” in docs/configuration.md.
UK cannot handle the ProtocolBinding attribute in an authentication request. The specs say that we should not use that attribute, so it has been removed.
The connector UI has been updated for accessibility.
MDSL is no longer supported. The settings EIDAS_METADATA_SERVICE_LIST_URL and EIDAS_METADATA_SERVICE_LIST_VALIDATION_CERT must no longer be used.
Release date: 2020-09-18
We need to have a link to an accessibility report in the UI. This was added. See the IDP_ACCESSIBILITY_URL setting in docs/configuration.md.
Release date: 2020-06-08
When receiving an Assertion from the UK Proxy Service we don’t receive a SubjectConfirmation element as part of the Subject element. This is in so many ways wrong, but since the eIDAS specs don’t explicitly state that the SubjectConfirmation element MUST be set we are forgiving and accept these assertions. However, UK should be informed that they should fix this anyway.
Release date: 2020-06-08
The UK Proxy Service is very picky when processing AuthnRequest and won’t accept the ProtocolBinding attribute. The eIDAS spec states that this SHOULD NOT be set, so we fixed this.
Release date: 2020-06-01
When the connector signed a SAML message with the RSA-PSS algorithm we got a PKCS#11-related error. The reason was that an underlying library used the wrong RSA mode. This has been fixed in the underlying library, and the 1.6.1 version of the connector now uses this updated version.
Release date: 2020-02-26
Includes:
- signMessageDigest attribute.
- PrincipalSelection extension.
The eIDAS connector now produces statistics logs. See docs/logging.md for a description of the new environment variables IDP_STATS_SYSLOG_HOST, IDP_STATS_SYSLOG_PORT and IDP_STATS_SYSLOG_FACILITY.
There was a bug in the start script where the value of IDP_PROCESS_SYSLOG_HOST was not read.
Instead the syslog configuration for process logging used the same host as for audit (IDP_SYSLOG_HOST). This is probably what was intended, so the bug never triggered. However, from version 1.6.0 on the host name for process syslog MUST be set to the intended host.
Since the QA domain is a superset of production, a person using his or her browser in production first and then in QA (for example an integrator) will get the browser cookies from production sent to the QA instances as well. This has led to a number of stale request errors.
The solution is to use different names for the session cookies. Therefore, in QA the variable TOMCAT_SESSION_COOKIE_NAME should be assigned another value than JSESSIONID.CONNECTOR, for example JSESSIONID.CONNECTOR.QA.
The eIDAS connector now includes the <psc:RequestedPrincipalSelection> extension in its metadata. Therefore, the metadata in Sweden Connect needs to be updated for the connector.
We received some accessibility comments about the connector UI. These have been fixed.
Release date: 2019-11-19
Configured the use of http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1 (and the 384 and 512 variants) as well. This is needed for interop with Estonia.
Release date: 2019-11-06
Added SameSite=None for all connector cookies. We need to prevent newer versions of Chrome and Firefox from assuming SameSite=Lax, which would mean that our cookies are not passed in POST requests from eIDAS nodes.
In order to get this functionality we had to update to Tomcat 8.5.42 (from 8.5.37). This version has been fully tested in the sandbox.
Release date: 2019-01-17
MDSL-files were not read due to a classpath error. Shibboleth 3.4.3 had removed commons-io from the classpath and that lib was used by the MDSL code …
Release date: 2019-01-17
We are now using Shibboleth 3.4.3 and OpenSAML 3.4.2.
All cookies are now marked as HTTP-only and secure.
No 500-stack traces are displayed in the UI.
Fixed JSTL 1.2 vulnerability
Acted on a number of Snyk-reports concerning vulnerabilities on dependencies.
Release date: 2018-10-17
The connector now runs on Shibboleth 3.4.0.
Release date: 2018-10-15
The connector now runs on Tomcat version 8.5.34.
We are now using the official Sweden Connect logotype with blue background.
Release date: 2018-09-25
We are now using the official Sweden Connect logotype.
Release date: 2018-09-21
By setting the IDP_PROCESS_SYSLOG_HOST variable the connector process log will be sent to syslog. The variables IDP_PROCESS_SYSLOG_PORT and IDP_PROCESS_SYSLOG_FACILITY control the port and facility.
See eIDAS Connector Logging for details.
For future use (private sector support) the connector now includes a Scoping element holding a RequesterID element that is the requesting SP’s entityID.
Release date: 2018-09-13
New configuration for PKCS#11 support. Compared with 1.3.6 we introduce IDP_PKCS11_PIN and remove all specific PIN variables per key.
Instead of returning a SAML error response when there are no available countries, we now display a message to the user.
Release date: 2018-09-10
If the aggregated EU metadata contains the eidas:NodeCountry extension, the eIDAS connector no longer has to be configured for downloading MDSL-files. So, EIDAS_METADATA_SERVICE_LIST_URL and EIDAS_METADATA_SERVICE_LIST_VALIDATION_CERT should not be set anymore in these cases.
New configuration for PKCS#11 support.
Release date: 2018-08-31
Fixes for Microsoft Internet Explorer.
Default is eidas-low and eidas-substantial if we don’t get the LoA from metadata.
Added 404-page and index-page.
Release date: 2018-08-09
The previous version had a bug where only the secondary metadata source was consumed. This has been fixed.
The Connector SP metadata now contains the eidas:NodeCountry extension.
The eIDAS attribute CurrentAddress was not processed correctly.
The eIDAS connector now supports the Scoping element in AuthnRequest messages. Using this, an SP may specify the required country in the request.
Fixes for the connector UI (removed E-legitimationsnämnden logo, etc).
Release date: 2018-06-15
Support for HSMs has been added.
Release date: 2018-05-28
Support for using Redis as a storage service has been added.
Check the description of Redis in Configuration for details.
Release date: 2018-05-03
Now making local includes for JavaScript and CSS.
Release date: 2018-05-03
The connector now has the Sweden Connect UI.
Updated handling of LoA according to the latest eIDAS (draft) specifications.
We have had problems with cookies not being sent to the IdP. This probably has to do with a cookie domain issue, so we now set the cookie domain explicitly.
Note: TOMCAT_HOSTNAME must be set!
In order not to interfere with other services we have renamed the JSESSIONID cookie to JSESSIONID.CONNECTOR.
We will not support the eIDAS representative attributes and therefore block those assertions.
Release date: 2018-04-10
When running tests a Service Provider would benefit from getting a bit more information from the Status element of the SAML Response in case of a failed authentication. If the environment variable IDP_ERRORS_VERBOSE is set to true the eIDAS Connector will include more information in the StatusMessage of the error status.
Release date: 2018-04-09
If an SP-type was missing from SP metadata we sent an AuthnRequest with an empty SP-type extension. This has been fixed.
The EU-software issues assertions with issue instants that are newer than the issue instant of the response. This has been reported, but we add a work-around for the time being.
Release date: 2018-04-09
This version will log warnings if the SP lacks the SP-type entity category. The next will refuse.
The SP part of the connector will now perform a full SAML validation of responses and assertions.
Shibboleth would sometimes re-use the attribute set from a previous authentication. This is not a good idea for a Proxy-IdP.
Release date: 2018-03-15
By assigning the variables SECONDARY_FEDERATION_METADATA_URL and SECONDARY_FEDERATION_METADATA_VALIDATION_CERT to a secondary metadata URL and validation certificate respectively, the connector consumes metadata from two sources.
The connector now supports processing of the SADRequest extension in authentication requests sent from Signature Service SPs. It also supports issuance of a SAD.
Release date: 2018-02-23
Instead of using the Tomcat default RemoteIpValve to obtain the user IP address (as described below), we use a customized RemoteIpValve that reads a shared secret from a header (by default, X-Proxy-Authenticate), and if that matches, uses the remote IP address.
The variable TOMCAT_PROXY_SHARED_SECRET needs to be set when starting the connector. The value assigned to this variable should also be set in the X-Proxy-Authenticate header by the front-end server(s).
A Shibboleth config setting prevented us from using SSO. This has been fixed.
Release date: 2018-01-17
A rebuild of the same functionality as in 1.0.7, but with the correct dependencies shipped (bad metadata fix).
Release date: 2018-01-10
The setting TOMCAT_INTERNAL_PROXIES was introduced. Its purpose is to configure the Tomcat RemoteIpValve with a list of “internal proxies”. In order for the RemoteIpValve to consider the value passed in the X-Forwarded-For header, the remote address for the Tomcat request must match the regexp assigned to TOMCAT_INTERNAL_PROXIES.
The default value for TOMCAT_INTERNAL_PROXIES is:
10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}
This corresponds to: 10/8, 192.168/16, 169.254/16, 127/8 and 172.16/12.
Regular expression vs. IP address blocks: mod_remoteip allows the use of address blocks (e.g. 192.168/16) to configure RemoteIPInternalProxy and RemoteIPTrustedProxy; as Tomcat doesn’t have a library similar to apr_ipsubnet_test, RemoteIpValve uses regular expressions to configure internalProxies and trustedProxies in the same fashion as RequestFilterValve does.
Check the description of TOMCAT_INTERNAL_PROXIES in Configuration for details.
A threading issue caused metadata without a valid <SignatureValue> to be created. This has been fixed.
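The regex-versus-address-block point above can be checked directly. The following Python snippet is an added example and not part of the connector: it evaluates the default TOMCAT_INTERNAL_PROXIES pattern as a whole-string match (assumed here to be how RemoteIpValve applies its internalProxies pattern) against constructed sample remote addresses and compares the outcome with CIDR membership in the five blocks listed, so that an operator can see where the two notions diverge (for instance, the pattern is IPv4-only and accepts octets above 255).

```python
import ipaddress
import re
from typing import Tuple

# Default TOMCAT_INTERNAL_PROXIES value as quoted in the release notes.
DEFAULT_INTERNAL_PROXIES = (
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|"
    r"169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|"
    r"172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|"
    r"172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}"
)

# The address blocks the notes say the pattern corresponds to.
INTERNAL_BLOCKS = [
    ipaddress.ip_network(cidr)
    for cidr in ("10.0.0.0/8", "192.168.0.0/16", "169.254.0.0/16",
                 "127.0.0.0/8", "172.16.0.0/12")
]

_PATTERN = re.compile(DEFAULT_INTERNAL_PROXIES)


def regex_says_internal(remote_addr: str) -> bool:
    """Whole-string match; assumption: RemoteIpValve matches the full address,
    so '110.1.2.3' does not match the '10.' alternative."""
    return _PATTERN.fullmatch(remote_addr) is not None


def cidr_says_internal(remote_addr: str) -> bool:
    """CIDR membership; anything that is not a parseable address is external.
    An IPv6 address (including an IPv4-mapped one) is never in an IPv4 block."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_BLOCKS)


def check(remote_addr: str) -> Tuple[bool, bool]:
    """Return (regex verdict, CIDR verdict) for one remote address."""
    return regex_says_internal(remote_addr), cidr_says_internal(remote_addr)


if __name__ == "__main__":
    # Constructed sample remote addresses; the last three show divergences.
    for sample in ("10.1.2.3", "172.31.255.255", "172.32.0.1",
                   "110.1.2.3", "10.300.1.1", "::ffff:10.1.2.3"):
        print(f"{sample:>18}  regex={check(sample)[0]!s:5} cidr={check(sample)[1]}")
```

Only the regex verdict matters to Tomcat, so a front-end proxy that reaches Tomcat over an IPv4-mapped IPv6 address will not be treated as internal under the default value.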
Copyright © 2017-2025, Myndigheten för digital förvaltning - Swedish Agency for Digital Government (DIGG). Licensed under version 2.0 of the Apache License.