Connect2id server 13.2.1
This is a maintenance release of the Connect2id server.
Should I upgrade?
An upgrade to 13.2.1 is recommended if:
You have a deployment with a plugin for handling SAML 2.0 assertion grants. This special OAuth 2.0 grant type lets client applications exchange a SAML 2.0 assertion for an OAuth 2.0 access token (potentially a refresh token as well). Prior versions of the Connect2id server contain a dependency in the XML parsing stack reported vulnerable to CVE-2022-40152. A malicious SAML assertion which triggers the vulnerability will cause an internal stack overflow exception, with the token endpoint returning an HTTP 500 Internal Server Error instead of a proper HTTP 400 Bad Request response with an
You have a deployment enabled for OpenID Connect Federation 1.0. This release fixes two bugs that affect the cleanup of expired federation clients.
In all other cases upgrading is not necessary.
There is more information in the release notes below.
Native SSO for Android and iOS apps
A mobile app which signs in a user with OpenID Connect to obtain an ID token will be able to share the user identity with apps belonging to the same vendor:
A mobile app by a vendor is installed and the user logs in with OpenID Connect.
If the user chooses to install other apps belonging to the same vendor she will be automatically signed into them, a concept called "native SSO".
We are currently also discussing possibilities for mobile apps to seamlessly sign in the user with trusted web applications and sites. This scenario can occur when the app opens a link to a web site of the vendor. The aim is to save the user from having to perform an additional web-based SSO with the Connect2id server and to improve the overall UX when moving between mobile app and web site.
If you have comments, suggestions or wish to try out this feature before it is finalised write to Connect2id support.
LDAP backend support will be removed in 2023
We would also like to inform you that LDAP backend support will be removed in 2023, with version 13.x likely remaining the last one to have it. If you use an LDAP directory server to persist Connect2id server data, consider migrating to a different database. This change does not affect the Connect2id server connector for sourcing OpenID claims from LDAP directories, which will remain available and supported.
2023 will also see official support for Java 17, to enable Connect2id servers to be deployed with the newer Java 17 runtime (while keeping the software Java 11 compatible).
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 13.2.1: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
Connect2id server 13.2.1 WAR package: c2id.war
GPG signature: c2id.war.asc
Apache Tomcat package with Connect2id server 13.2.1: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
Connect2id server 13.2.1 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Updates the Woodstox Core dependency used in the SAML 2.0 assertion grant SPI, to address a potential stack overflow vulnerability in the XML DTD parse code (CVE-2022-40152). Note that the CVE has been incorrectly filed to an XStream dependency (a different project). Connect2id server deployments that don't use a SAML 2.0 assertion grant plugin for exchanging SAML 2.0 tokens for OAuth 2.0 tokens are not affected (issue server/820).
Streaming registered OpenID Connect Federation 1.0 clients from the federation client index must observe the tenant ID (issue server/640).
Fixes NPE that prevented cleanup of expired OpenID Connect Federation 1.0 automatic clients (issue server/657).
Updates to com.fasterxml.woodstox:woodstox-core:5.4.0
Updates Dropwizard Metrics to 4.2.15
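The Woodstox update above is the actual fix for the CVE-2022-40152 item. As an added defence-in-depth example (not Connect2id server code), the hypothetical pre-check below shows how a SAML 2.0 assertion grant plugin could refuse any assertion that carries a DTD before the SAML library parses it, so the token endpoint answers with an HTTP 400 invalid_grant rather than an HTTP 500. It assumes the plugin holds the raw assertion XML as a string; the class, method and enum names are assumptions.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

// Hypothetical pre-check a SAML 2.0 assertion grant plugin could run on the raw
// assertion before handing it to the SAML library (not Connect2id server code).
public final class SamlAssertionPreCheck {

    // INVALID_GRANT is what the plugin would map to an HTTP 400 invalid_grant response
    public enum Outcome { OK, INVALID_GRANT }

    // StAX factory (Woodstox when it is on the classpath) with DTD processing and
    // external entity resolution switched off, so the DTD parse code is never reached.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newFactory();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    // Streams through the document; a DOCTYPE or any parse failure is reported as a
    // malformed grant instead of being allowed to surface as an internal server error.
    public static Outcome check(String assertionXml) {
        try {
            XMLStreamReader r = hardenedFactory().createXMLStreamReader(new StringReader(assertionXml));
            try {
                while (r.hasNext()) {
                    if (r.next() == XMLStreamConstants.DTD) {
                        return Outcome.INVALID_GRANT;
                    }
                }
            } finally {
                r.close();
            }
            return Outcome.OK;
        } catch (XMLStreamException e) {
            return Outcome.INVALID_GRANT;
        }
    }

    public static void main(String[] args) {
        // Constructed samples: a minimal assertion skeleton and the same with a DOCTYPE in front
        String plain = "<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"a1\"/>";
        String withDtd = "<!DOCTYPE x [<!ENTITY e \"v\">]>" + plain;
        System.out.println(check(plain));    // OK
        System.out.println(check(withDtd));  // INVALID_GRANT
    }
}
```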