SSO Connect On-Prem 17.1.1

Released June 02, 2026

This release focuses on security hardening of SAML processing and on keeping libraries current to maintain a strong security posture. No configuration changes are required for administrators.

What’s New

  • Strengthened SAML validation pipeline with stricter response and assertion verification.

  • Updated the SAML library stack to align with the current Keycloak SAML release line.

Improvements

  • Refined attribute extraction and validation to ensure correct audience/recipient/time enforcement across all SSO flows.

  • General dependency hygiene to reduce vulnerability surface and align with supported versions.
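
The audience, recipient and time enforcement named above, shown as an added example that is not code from SSO Connect or Keycloak: a Python check run over a constructed, unsigned SAML Response. The `sso.example.test` URLs, the 60-second clock skew and all function names are assumptions; signature verification is a separate step and is not shown.

```python
import xml.etree.ElementTree as ET  # constructed input only; use a hardened parser for untrusted XML
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SKEW = timedelta(seconds=60)  # assumed clock-skew allowance

def _ts(value):
    # SAML instants are UTC xs:dateTime values, e.g. 2026-06-02T10:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, expected_audience, acs_url, now):
    """Return audience/recipient/time violations; an empty list means all checks passed."""
    root = ET.fromstring(xml_text)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # zero or several assertions is ambiguous: reject
        return [f"expected exactly one Assertion, found {len(assertions)}"]
    problems, a = [], assertions[0]
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb is not None and now + SKEW < _ts(nb):
            problems.append("not yet valid")
        if noa is None or now - SKEW >= _ts(noa):  # a missing upper bound is treated as a failure
            problems.append("expired")
        auds = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in auds:
            problems.append("audience mismatch")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("recipient mismatch")
    return problems

def sample(audience, recipient, not_on_or_after):
    # Constructed, unsigned response for illustration (hypothetical hosts)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
 <saml:Assertion><saml:Subject><saml:SubjectConfirmation>
  <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="{not_on_or_after}"/>
 </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions NotBefore="2026-06-02T10:00:00Z" NotOnOrAfter="{not_on_or_after}">
  <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions></saml:Assertion></samlp:Response>"""

SP, ACS = "https://sso.example.test/sp", "https://sso.example.test/acs"
NOW = datetime(2026, 6, 2, 10, 2, tzinfo=timezone.utc)
if __name__ == "__main__":
    print(check_assertion(sample(SP, ACS, "2026-06-02T10:05:00Z"), SP, ACS, NOW))
```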

Security & Bug Fixes

  • Keycloak SAML components updated to 26.6.2 to address upstream advisories and maintain current support.

  • KSC-522: A SAML authentication bypass class of vulnerability is mitigated by enforcing signed SAML Response requirements and comprehensive assertion checks. The exploit path was validated, remediated, and regression-tested.

Compatibility & Upgrade Notes

  • No admin-side configuration updates are required.

  • We recommend validating SSO sign-in with your IdP (Okta, Entra ID, ADFS, Ping, Keycloak) in a non-production environment prior to production rollout.
