Available in stable development 1.14

Upgrade notes for SimpleSAMLphp 1.14

The mcrypt extension is no longer required by SimpleSAMLphp, so if no signatures or encryption are being used, it can be skipped. It is still a requirement for xmlseclibs though, so for those verifying or creating signed documents, or using encryption, it is still needed.

PHP session cookies are now set to HTTP-only by default. This relates to the session.phpsession.httponly configuration option.

The default value for the 'trusted.url.domains' option in the config file has been changed from null to an empty array, making SimpleSAMLphp secure to open redirection attacks by default. Setting it explicitly to null will re-allow insecure redirections.

The jQuery version in use has been bumped to the latest 1.8.X version.

Service Providers using the eduPersonTargetedID attribute, will get a DOMNodeList object instead of the NameID value. In order to process the NameID, a SAML2_XML_saml_NameID object can be used:

$attributes = $as->getAttributes(); $eptid = $attributes['eduPersonTargetedID'][0]->item(0); $nameID = new SAML2_XML_saml_NameID($eptid);

Trying to generate a NameID or a UserID (the internal base for further identification of a user) based on attributes with multiple values will now unconditionally fail. This is intentional behaviour to avoid identifiers change over time in case the order of the values in the original attribute change.

The following deprecated files, directories and endpoints have been removed:

The following deprecated methods and constants have been removed:

The following methods have changed their signature. Refer to the code for the updated signatures:

The following methods and classes have been deprecated. Refer to the code for alternatives:

The following modules will no longer be shipped with the next version of SimpleSAMLphp: