2.4.x release notes
What's new
Block password authentication in Bitbucket, disable automatic user activation, better logging.
Upgrade consideration
We introduced the new JSON configuration version 6. Automated scripts using the undocumented PUT /config REST API might have to be modified:
Non-SSO URLs have been migrated to regular expressions.
Data Center
No special considerations apply for this update; the general (6.14.x) Data Center installation guidelines apply.
Changelog
2.4.8
Released on 12 February 2019 for Bitbucket, Bamboo and Fisheye/Crucible
Fixed a cross-site scripting vulnerability on the logged out page: 2019-02-12 XSS Vulnerability on Logged Out Page.
Fixed a caching issue with redirects.
Minor bug fixes.
2.4.7
Released on 19 December 2018 for Bitbucket, Bamboo and Fisheye/Crucible
Fixed decrypting encrypted assertions in special cases.
Fixed importing metadata on Windows installations.
Fixed creating authentication trackers on IdP initiated sign on.
2.4.6
Released on 3 December 2018 for Bitbucket, Bamboo and Fisheye/Crucible
Updated opensaml3 library to version 3.4.0.
Fixed "skip untransformed groups".
2.4.5
Released on 8 November 2018 for Jira (Data Center), Confluence (Data Center), Bitbucket (Server and Data Center), Bamboo and Fisheye/Crucible
Improved UI/UX in System & Support section. It's now easier to create and export authentication trackers.
Fixed reading of userid attribute during authentication by email address.
Fixed a bug where the user creation could be enabled even though the user update was disabled.
2.4.4
Released on 26 October 2018 for Fisheye/Crucible
Fixed accessing deep links by sending the correct Relay State to the IdP.
Fixed resetting captcha after successful Single Sign On.
Fixed local login on Dashboard so that it does not redirect to IdP anymore.
Added the Base URL to the Force SSO URLs for new installations.
2.4.3
Released on 4 October 2018 for Jira, Confluence, Bitbucket and Bamboo
Added support for "Deny Password Authenticator".
Handle long relay states differently to avoid misleading errors in the log.
Fixed redirection to invalid URLs to avoid misleading errors in the log.
Changes specific to JIRA
Fixed a bug during user creation that occurred if no users with the Jira administrators permission are available in the system.
Changes specific to Confluence
None
Changes specific to Bitbucket
None
Changes specific to Bamboo
None
2.4.2
Released on 28 September 2018 for Fisheye/Crucible
Fixed logout redirection for non-SAML users.
The POST binding has been removed because of incompatibilities with most Fisheye/Crucible versions. The REDIRECT binding is now the default binding. If your Identity Provider does not support the REDIRECT binding, please contact our support.
2.4.1
Released on 21 September 2018 for Fisheye/Crucible
Fixed ClassCastException for SAML responses with embedded signatures.
2.4.0
Released on 12 September 2018 for Jira, Confluence, Bitbucket, Bamboo and Fisheye/Crucible
Added REST endpoint to reset the Entity ID.
It's now possible to disable the automatic activation of inactive users during login.
Force SSO URLs now respect the Non-SSO URLs.
Fixed the selection of the authentication attribute in the wizard.
Changed log levels in several cases to make the default logging less verbose.
Fixed duplicate error messages on the error page.
Changes specific to JIRA
None
Changes specific to Confluence
None
Changes specific to Bitbucket
Optionally block password authentication. If this feature is enabled, users can no longer log in at the default Bitbucket login page unless they are system administrators or members of the group "allow-password-login". Git operations need to be done via SSH.
Changes specific to Bamboo
None
Changes specific to Fisheye/Crucible
Fixed error page.