SAML Single Sign On Release Notes

2.4.x release notes

What's new
Block password authentication in Bitbucket, disable automatic user activation, better logging.

Upgrade consideration
We introduced the new JSON configuration version 6. Automated scripts using the undocumented PUT /config REST API might have to be modified:
- Non SSO URLs have been migrated to regular expressions.

Data Center
No special considerations apply for this update; the general Data Center installation guidelines apply.

Changelog

2.4.8
Released on 12 February 2019 for Bitbucket, Bamboo and Fisheye/Crucible
- Fixed a cross-site scripting vulnerability on the logged out page: 2019-02-12 XSS Vulnerability on Logged Out Page.
- Fixed caching issue with redirects.
- Minor bug fixes.

2.4.7
Released on 19 December 2018 for Bitbucket, Bamboo and Fisheye/Crucible
- Fixed decrypting encrypted assertions in special cases.
- Fixed importing metadata on Windows installations.
- Fixed creating authentication trackers on IdP initiated sign on.

2.4.6
Released on 3 December 2018 for Bitbucket, Bamboo and Fisheye/Crucible
- Updated opensaml3 library to version 3.4.0.
- Fixed "skip untransformed groups".

2.4.5
Released on 8 November 2018 for Jira (Data Center), Confluence (Data Center), Bitbucket (Server and Data Center), Bamboo and Fisheye/Crucible
- Improved UI/UX in System & Support section. It's now easier to create and export authentication trackers.
- Fixed reading of userid attribute during authentication by email address.
- Fixed a bug where the user creation could be enabled even though the user update was disabled.

2.4.4
Released on 26 October 2018 for Fisheye/Crucible
- Fixed accessing deep links by sending the correct Relay State to the IdP.
- Fixed resetting captcha after successful Single Sign On.
- Fixed local login on Dashboard so that it does not redirect to IdP anymore.
- Added the Base URL to the Force SSO URLs for new installations.

2.4.3
Released on 4 October 2018 for Jira, Confluence, Bitbucket and Bamboo
- Added support for "Deny Password Authenticator".
- Handle long relay states differently to avoid misleading errors in log.
- Fixed redirection to invalid URLs to avoid misleading errors in log.

Changes specific to JIRA
- Fixed a bug during user creation if no users with the Jira administrators permission are available in the system.

Changes specific to Confluence
- None

Changes specific to Bitbucket
- None

Changes specific to Bamboo
- None

2.4.2
Released on 28 September 2018 for Fisheye/Crucible
- Fixed logout redirection for non-SAML users.
- The POST binding is removed because of incompatibilities with most Fisheye/Crucible versions. The REDIRECT binding is now set as the default binding. If your Identity Provider does not support the REDIRECT binding, please contact our support.

2.4.1
Released on 21 September 2018 for Fisheye/Crucible
- Fixed ClassCastException for SAML responses with embedded signatures.

2.4.0
Released on 12 September 2018 for Jira, Confluence, Bitbucket, Bamboo and Fisheye/Crucible
- Added REST endpoint to reset the Entity ID.
- It's now possible to disable the automatic activation of inactive users during login.
- Force SSO URLs now respect the Non-SSO URLs.
- Fixed the selection of the authentication attribute in the wizard.
- Changed log levels in several cases to make the default logging less verbose.
- Fixed duplicate error messages on error page.

Changes specific to JIRA
- None

Changes specific to Confluence
- None

Changes specific to Bitbucket
- Optionally block password authentication. If this feature is enabled, users can no longer log in at the default Bitbucket login page unless they are system administrators or members of the group "allow-password-login". Git operations need to be done via SSH.

Changes specific to Bamboo
- None

Changes specific to Fisheye/Crucible
- Fixed error page.