Bug Fixes

N/A

Security Updates

• KSC-433: XSS in SAML auth

Other Improvements

• KSC-392: Support Java 17 LTS on Windows Server

• KSC-426: RSA PKCS1, version 1.5 Deprecated

Bug Fixes

N/A

Security Updates

• KSC-423: Crypto-js CVE-2023-46233 security vulnerability

Other Improvements

• KSC-419: Add 'vault/preview' as a valid destination

• KSC-421: Support ECC keys in key= parameter

• KSC-422: Update the SSO Success/Error screen with color and spinner changes

Bug Fixes

• KSC-411: Additional SAML destination URL added for Android support. This value is used when an On-Prem SSO user changes their PBKDF2 iteration levels.

• KSC-395: The template "API error: XXX" needs to be translated and replaced with an appropriate error message. This occurs when SSO Connect cannot contact the Keeper backend API.

• KSC-387: Two-Factor Authentication with a TOTP method states "code send via text message" which is an invalid string.

Security Updates

• KSC-415: Improve security of SAML XML parsing, as flagged by CodeQL

Other Improvements

• KSC-412: Expand the list of Identity Providers in the UI

SSO Connect (On-Prem) Version 16.0.6 contains several security updates that are recommended for all customers.

Affected JIRA Tickets:

• KSC-408: Removal of Apache Commons libraries (Note: commons library was not in use, but the library has been removed from the package).

• KSC-397: Security fix from NCC Group pen test

• KSC-404: Alignment of encryption libraries between On-Prem and Cloud SSO platforms

SSO Connect (On-Prem) Version 16.0.4 contains a security update that is recommended for all customers. This release upgrades SSO Connect Log4j to version 2.17.1.

SSO Connect (On-Prem) Version 16.0.3 contains a security update that is recommended for all customers.

SSO Connect (On-Prem) Version 16.0.2 contains a security update that is recommended for all customers.

Please contact Keeper Enterprise support if you require assistance with the upgrade.

SSO Connect (On-Prem) Version 16.0.1 contains a security update that is recommended for all customers.

SSO Connect (On-Prem) Version 16.0.0 is a general update that is recommended for all customers. In particular, this updates all libraries and dependencies within the software to the latest stable versions.

Bug Fixes

• KSC-367: HSM initial startup can lead to unintentional Service Start

• KSC-368: Logout from SSO configuration web page does not logout from SSO IdP

Bug Fixes

• Unable to upload a new SSL certificate

• Security updates

Improvements

• Support for Australia (AU) region

Upgrade Process

Please follow the upgrade guide for updating the Keeper SSO Connect software: https://docs.keeper.io/sso-connect-guide/upgrading-sso-connect

Most issues can be resolved quickly by following the step by step guide.

Bug Fixes

• KSC-359: Duo 2FA fails on SSO Connect Admin Console

• KSC-360: Web socket push connections fail

• KSC-361: Unable to upgrade Windows via the msi installer

Please follow the upgrade guide for updating the Keeper SSO Connect software: https://docs.keeper.io/sso-connect-guide/upgrading-sso-connect

Improvements

• Login V3 General Availability (GA) More information available here: https://docs.keeper.io/enterprise-guide/login-api-v3

• Protection against sync issues between user devices and SSO Connect server, due to a user being deleted or the SSO Connect server losing websocket connectivity.

Bug Fixes

• KSC-350: Sync issues occurring on the SSO Server

• KSC-349: An error message should be generated when unable to add JIT user to SSO Connect node

• KSC-335: Updated 3rd party libraries by either removal or update to latest versions.

• KSC-358: Updated Jetty version (CVE-2020-27218)

• KSC-352: Ensure all Data and Folders are deleted upon SSO Connect uninstallation

Upgrading

Please follow the upgrade guide for updating the Keeper SSO Connect software: https://docs.keeper.io/sso-connect-guide/upgrading-sso-connect

Enhancements & Benefits

• SSO Connect provides a flow where the login token is returned with the HTTP 301 redirect response.

Bug Fixes

• Fixed: "New password" field is not appearing when the client sends new password action to SSO Connect.

• Fixed: The JIT flag is cleared after entering into Configuration and Saving.

• Fixed: NPE received in Configurator when certificate file can't be read during SKS initialization.

Features & Benefits

• Support for TLS 1.3

• Support for Amazon AWS CloudHSM v2

• New "SAML Debug" screen which displays all recent SAML request/response history for troubleshooting purposes.

• Improved messaging when using a 2FA method such as Google Authenticator

• Improved debug logging

• Additional information regarding HSM is displayed on UI of Admin Panel

• Better handling of service startup when network connection has not been established on the instance

• Improved handling of AD FS logout to remove error messages in logfile

• Messaging to notify users when incompatible Java versions are found

We have released an update for Keeper SSO Connect, with new security and performance improvements. Please download and update your Keeper SSO Connect to version 14.1.3 by following these steps:

Features & Benefits

• Just-in-time provisioning ("invite_new_users" property) is now in shared.properties rather than instance.properties. The old setting may remain in instance.properties; it will be ignored.

• User is now notified in the SSO Connect interface if the SSL certificate is expired or expiring soon. Modified the backend API properties handler to send two new properties: ssl_expires_soon and idp_cert_expires_soon. If true, the UI will turn the appropriate date red on the screen to inform the admin that they need to update the certificate.

• Modified the “Entity ID” display to filter out :443 if the port is 443. The HTML element is “sp_entity_value”.

Bug Fixes & Security Updates

• Fixed: UI issue related to ECC signed certificates

• Fixed: Error if "key_type" parameter missing from config file

• Fixed: Replaced old Keeper logos with new logo files

• Fixed: When the user is on the Configuration page and presses "Save", it is possible to get an Alert box in the browser that simply says, "undefined".

Features & Benefits

• SSO Connect now has a new configuration parameter: key_type. The value can be “rsa” or “ec” (case-insensitive). This is a shared property so it is stored in the data/shared.properties file.

  It is also synchronized with KeeperApp and shared with other instances.

  We also removed the “key password” dialog box on the Configuration page when the SSL certificate file is in .pfx format. The library we are using assumes that if the file has both a “key store password” and a “key password”, they are the same. So we shouldn’t allow the user to enter a different “key password”.

• Package Keeper SSO Connect as .msi installer

• The SAML IDP Metadata standard says that the metadata must contain one SingleSignOn binding, either POST or REDIRECT. Keeper SSO Connect is requiring Redirect. Changed the validator to accept either POST or REDIRECT.

• Support for password-protected .pfx certificate files

Enhancements & Benefits

• Support for Gemalto Luna HSM modules for enhanced key protection

• Improved README and online documentation

• Improved reliability and stability

Bug Fixes

• ​Admin Console login issues with IE and Edge browsers are resolved

• Switched from Google protobuf to protobuf.js library

Coming Soon

• ​Version 14.0.0: Support for Gemalto HSM key storage, support for latest Keeper Backend API encryption updates.