Important Update Effective February 1, 2024!
Due to recent changes in Jira and Confluence, we've made the tough decision to discontinue the OpenID Connect (OIDC)/OAuth app and no longer provide new versions for the newest Jira/Confluence releases as of January 31, 2024.
This is due to some necessary components no longer shipping with Jira/Confluence, which would require some extensive rewrites of the OIDC App.
2.5.x release notes
What's new
Compatibility with Bitbucket 6, bugfixing.
Upgrade consideration
- Version 2.5.0 is largely identical to 2.4.8. It is considered a minor release because we had to raise the minimum supported version of Bitbucket.
Data Center
No special considerations apply for this update, general Datacenter installations guidelines apply.
Changelog
2.5.12
Released on 31 January 2023 for Fisheye/Crucible.
Fixed an issue where users were not being redirected to their initially requested page after logging in.
2.5.11
Released on 12 January 2023 for Bitbucket (Server and Data Center), Bamboo and Fisheye/Crucible.
Fix a medium level security vulnerability potentially allowing replay attacks, see https://wiki.resolution.de/doc/saml-sso/latest/jira/security-advisories/2023-01-12-response-can-be-replayed-with-modified-id-when-only-the-assertion-is-signed.
2.5.9
Released on 29 July 2021 for Bitbucket (Server and Data Center), Bamboo and Fisheye/Crucible.
Fixes a critical security vulnerability.
Please update to this version or one of the other fix versions (5.0.5, 4.0.12, 3.6.6) as soon as possible. Existing customers should have received or will soon receive a mailing with some details. They will be published in a few days.
2.5.8
Released on 9 November 2020 for Fisheye/Crucible
- Reenabled POST binding in official Marketplace build. It's no longer required to install a custom build to use POST binding.
2.5.7
Released on 7 May 2020 for Fisheye/Crucible
- Fixed possible vulnerability when redirecting to malicious URLs without protocol part.
2.5.6
Released on 19 September 2019 for Bamboo and Fisheye/Crucible
- Fixed login error related to signing when using Redirect binding.
- Fixed redirection to requested page after login.
- LogoutRequest on IdP initiated Single Logout is now added to authentication tracker.
Changes specific to Bamboo
- None
Changes specific to Fisheye/Crucible
- None
2.5.5
Released on 9 September 2019 for Bamboo and Fisheye/Crucible
- Fixed possible Host Header Injection vulnerability in SSO redirection.
- Fixed bug where the session cookie was not properly cleared on logout.
- Fixed bug where URLs were truncated during SSO when they contained special characters.
Changes specific to Bamboo
- Fix bug where not existing groups were not created during user creation.
Changes specific to Fisheye/Crucible
- None
2.5.4
Released on 24 July 2019 for Bamboo
Changes specific to Bamboo
- Inactive users are not activated during the update if "Reactivate inactive users" is not checked.
- Fixed frontend rendering bug on newer Bamboo versions.
2.5.3
Released on 13 June 2019 for Bitbucket (Server and Data Center)
Changes specific to Bitbucket
- Fixed redirection for repositories when name contains "login".
2.5.2
Released on 23 May 2019 for Bitbucket (Server and Data Center), Bamboo and Fisheye/Crucible
- Some smaller bugfixes when using combined attributes.
2.5.1
Released on 7 April 2019 for Bitbucket (Server and Data Center), Bamboo and Fisheye/Crucible
- Single Logout is now considered as stable and no longer experimental.
- Added option to define the AuthenticationContext in the SAML request.
- Set caching headers to fix problems in environments with reverse proxies.
- Improved logging and validation.
2.5.0
Released on 18 February 2018 for Bitbucket (Server and Data Center)
Changes specific to Bitbucket
- Compatibility with Bitbucket 6 was added, minimum version increased