Revision history for Authen-NZRealMe 1.23 2021-04-19 11:35:58+12:00 Pacific/Auckland - Add fix for back channel connections via HTTPS proxy 1.22 2021-02-24 16:03:38+13:00 Pacific/Auckland - require JSON::XS - updates to documentation 1.21 2021-02-22 10:15:36+13:00 Pacific/Auckland - Support both the current and upcoming new RealMe platform. - The replatformed RealMe has changed behaviour so that the: . Login Service always returns NameIDFormat as 'persistent'. . Assertion returns NameIDFormat as 'transient' for "Assert Only" and 'persistent' for "Assert and Login". - NameIDFormat is now read from the service provider metadata files For backwards compatibility, if NameIDFormat is not in the metadata, then Assertion assumes transient and Login assumes persistent. - the nzrealme make-meta now adds a NameIDFormat element to metadata files This command is enhanced to set the isDefault attribute to one AssertionConsumerService element. - The rePlatformed RealMe now returns the Assertion resolution response in JSON format, base64 encoded. For existing RealMe integrations, the original XML format may be returned still, with an option to use JSON. Both response formats will be supported for backwards compatiblility. - Supports new xenc_oaep_mgf1p and xenc_aes256cbc encryptions. - Assertions using the "Assert and Login" mode will receive the FLT as part of the Assertion resolution response, no back-channel required. For backward-compatibility, the FLT is only resolved via the iCMS back channel if the NameIDFormat is transient and the resolve_flt parameter is true. In the new platform, iCMS is not used. - iCMS functionality is deprecated, it will be removed in the next release. It will be decommissioned by RealMe after 18th March 2021. - Parameter acs_index set to 'default' will use the ACS with isDefault="true" 1.20 2020-02-25 13:07:33+13:00 Pacific/Auckland - implement HTTP-POST binding through new resolve_posted_assertion() method in ServiceProvider.pm - as RealMe's HTTP-POST assertions are all encrypted, support has been added for XML encryption; and the new 'CryptX' dependency is added for the required AES128-CBC cipher - revised SP metadata generation and editing to support multiple ACS entries with support for HTTP-POST vs HTTP-Artifact bindings - allow initial request to specify the index of the ACS to which the response should be sent - removed support for "force_auth" parameter to new_request - fix missing namespace when generating SP metadata file - add some asserts to sanity check user input 1.19 2019-02-20 19:11:05+13:00 Pacific/Auckland - further improvements around the use of find_verified_element() - fix handling of skip_signature_check option 1.18 2019-02-19 12:22:20+13:00 Pacific/Auckland - use find_verified_element() when preparing the ResolutionResponse - fix namespace URI in tests data (URI for wst: has spurious trailing '/') - improve test coverage with less mocking 1.17 2019-02-18 15:14:53+13:00 Pacific/Auckland - Add support for RSA-SHA256 signatures (both signing and verification) in advance of new signatures to be provided by RealMe - Refactor XMLSig module to be more modular and use a single implementation of signing and of verification for both single-reference and multi- reference signatures. - When generating an XML signature the name of the ID attribute used for Reference URIs is now usually left unspecified. The relevant target elements are now located using just the supplied attribute value. - The XMLSig verify() method now accepts an XPath selector argument to specify which signature block to verify (was hard-coded). - After verifying a signature, the caller should now use the new find_verified_element() method to ensure subsequent XPath queries only target verified sections of the original signed document. - Reduce code duplication by adding CommonURIs as the single place where namespace and token URIs are defined. 1.16 2016-05-01 11:51:32 Pacific/Auckland - expunge the given/when keywords to avoid 'experimental' warnings - revise make-certs command to not use self-signed certs in ITE - add workaround for X509Certificate data with no newlines 1.15 2014-06-15 14:37:14 Pacific/Auckland - fix dependency for MIME::Base64 v3.11 for (en|de)code_base64url functions - add missing dependency for Date::Parse 1.14 2014-06-13 10:56:23 Pacific/Auckland - remove one more 5.14ism from XMLSig.pm (and test on 5.10 this time) 1.13 2014-06-12 21:40:23 Pacific/Auckland - remove a 5.14ism from XMLSig.pm 1.12 2014-06-12 10:53:59 Pacific/Auckland - POD updates - metadata update to designate github issues for bugtracker 1.11 2014-06-12 08:56:46 Pacific/Auckland - first release to CPAN with assertion service and iCMS support - implement cryptographically random ID tokens - add verification of IdP SSL cert on back-channel + option to skip 1.10 2014-04-10 16:34:08 Pacific/Auckland - don't attempt to resolve the opaque token to an FLT on error responses 1.09 2014-03-05 15:42:28 Pacific/Auckland - initial (pre)release with iCMS support - added by Haydn Newport 1.08 2013-11-29 16:43:06 Pacific/Auckland - initial (pre)release with support for assertion service (no iCMS yet) 1.07 2013-08-06 09:47:11 Pacific/Auckland - switch dependency from Digest::SHA1 to Digest::SHA 1.06 2013-07-25 14:42:11 Pacific/Auckland - update metadata builder for changed spec (digital signature removed, various other parameters added and removed) - add note to confirm module works with RealMe 1.05 2012-04-27 12:32:49 Pacific/Auckland - add skip_signature_check option to support IdP cert change 1.04 2011-08-17 20:55:04 Pacific/Auckland - fix broken handling of ForceAuthn parameter in AuthnRequest - add tests for metadata and request classes 1.03 2011-07-06 13:47:10 Pacific/Auckland - support arbitrary suffix on cert subject (eg: /C=NZ) - add --allow-create flag on request - add 'version' command - make subject_suffix optional when generating certs - make single logout URL option when generating metadata 1.02 2011-06-20 11:41:22 Pacific/Auckland - add shortcut service_provider method to main module - implement make-certs command - implement make-bundle command - lots of documentation improvements - add Dist::Zilla configs for managing CPAN releases 1.00 2011-02-14 12:00:00 Pacific/Auckland - in-house 'release'