Connect2id server 11.5

This release of the Connect2id server adds a new store configuration for deployments in AWS with DynamoDB. The built-in CORS Filter gets an extra setting for disabling it when a reverse HTTP proxy is managing the necessary CORS headers. We also ship a number of updates to underlying code, including one security update to the SAML grant handler.

New DynamoDB + Redis store configuration

In 2017 the Connect2id server began supporting DynamoDB as database, enabling customers with deployments in the AWS cloud to make use of its native high-performance and low-maintenance NoSQL technology. Until now customers had a choice between two store configurations with DynamoDB - one for clusters in replication mode where sessions and other short-lived and cached data is kept on the JVM heap, another for the so called stateless mode, where all data, including sessions and caches, are put into DynamoDB tables.

This release introduces support for a new store configuration which makes use of Redis (ElastiCache in AWS) to store sessions and other short-lived objects.

/WEB-INF/infinispan-stateless-redis-dynamodb.xml

This configuration is similar to the existing infinispan-stateless-redis-*.xml for MySQL, PostgreSQL and SQL Server, save for the difference that objects from the primary database are not cached in Redis. If you want to achieve higher performance and lower latency by caching items in DynamoDB consider using the AWS DAX to provide such caching transparently.

The release notes have further information and also discuss the implications for DynamoDB replication.

Optional deactivation of the CORS Filter

The built-in CORS Filter receives a new cors.enable setting. By default it's turned on to process the necessary HTTP headers for JavaScript applications (SPA) to make cross-origin requests to the Connect2id server.

Deployments that rely on a reverse HTTP proxy to handle CORS can use the new setting for easy disabling of the built-in filter.

SAML grant handler security update

This release also fixes a security bug in the underlying OAuth 2.0 SDK that could allow SAML assertion grants to include external XML entities. If your deployments have plugins for the SAML 2.0 bearer assertion grant handler SPI they should be updated. This OAuth 2.0 grant was designed early on to enable the exchange of SAML assertions for OAuth access tokens, i.e. let applications where users have logged in with SAML to obtain an access token.

For further information check the release notes below.

Download

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 11.5: Connect2id-server.zip

SHA-256: 4037c8327ee19e90db9d5a15b29a22342a66f568fa0625411e1d37e8863d8cf8

Connect2id server 11.5 WAR package: c2id.war

SHA-256: 5417f3f4a2d2354a80d32aabbbea157fd46d5c8853d7f2d9ede9010299458d53

Multi-tenant edition

Apache Tomcat package with Connect2id server 11.5: Connect2id-server-mt.zip

SHA-256: 75c875761cfec4d9dd0aa19e62b89e048160d04ec617832f9b2bce31e135ff9e

Connect2id server 11.5 WAR package: c2id-multi-tenant.war

SHA-256: 8e7c3b42d05f6e0274b908e411016f460a3fa41f71a8ed78ee0c4e129698d30f

Questions?

Contact Connect2id support.


Release notes

11.5 (2021-04-14)

Configuration

  • /WEB-INF/infinispan-stateless-redis-dynamodb.xml -- New Infinispan configuration file for storing short-lived and cached data in Redis, and long-lived data in DynamoDB. Long-lived data in DynamoDB can be transparently cached by turning the optional Amazon DynamoDB Accelerator (DAX) for the DynamoDB tables.

    This Infinispan configuration is suitable for single-region deployments in AWS as well as multi-region deployments where only replication of long-lived data in DynamoDB via the "global-tables" feature is required.

    This Infinispan configuration is an alternative to the existing available "infinispan-stateless-dynamodb.xml" configuration where the long-lived as well as the short-lived and cached data is stored in DynamoDB. Both types of data in that configuration can be replicated via the "global-tables" feature.

  • /WEB-INF/cors.properties

    • cors.enable -- New configuration property for disabling the CORS Filter. If false the CORS Filter is disabled and will pass all HTTP request and response headers unmodified. The CORS Filter can be disabled if the Connect2id server is provisioned with a reverse proxy handling CORS. The default value is true enabling the CORS Filter to process cross-domain requests according to its configuration.

Resolved issues

  • Disables access to external entities in XML parsing in the OAuth 2.0 SDK SAML2AssertionValidator, closing a potential vulnerability when processing OAuth 2.0 grants of type SAML 2.0 bearer assertion (urn:ietf:params:oauth:grant-type:saml2-bearer). The exchange of SAML 2.0 bearer assertions for OAuth access tokens is not enabled by the Connect2id out of the box and requires a plugin. Deployments that have implemented such a plugin for the SelfIssuedSAML2GrantHandler or ThirdPartySAML2GrantHandler should upgrade (issue oidc-sdk/356).

Dependency changes

  • Updates to com.nimbusds:oauth2-oidc-sdk:9.3.2

  • Updates to com.nimbusds:nimbus-jose-jwt:9.8.1

  • Updates to com.nimbusds:nimbus-jwkset-loader:5.1

  • Updates to com.nimbusds:oidc-session-store:14.4.2

  • Updates to com.nimbusds:oauth2-authz-store:16.7.2

  • Updates to com.nimbusds:common:2.45.1

  • Updates to com.nimbusds:tenant-manager:5.0.1

  • Updates to com.nimbusds:tenant-registry:5.3.1

  • Updates to com.nimbusds:infinispan-cachestore-sql:4.2.4

  • Updates to com.nimbusds:infinispan-cachestore-dynamodb:4.1.6

  • Updates to net.minidev:json-smart:2.4.2

  • Updates to com.thetransactioncompany:cors-filter:2.10

  • Updates to com.nimbusds:software-statement-verifier:2.2.1