CHANGELOG
Release 24.1
Bugfix release
CHANGES
* Stepup-Middleware 4.3.1
- Fix migration corrupting the event_stream because of escaping error (https://www.pivotaltracker.com/story/show/179264987)
introduced in Stepup-Middleware 4.3.0.
INSTALL
* Deploy components:
- Stepup-Middleware 4.3.1
Release 24
Allow identities to be migrated to a new institution, add gesture support to the iOS WebAuthn GSSP.
CHANGES
* Stepup-Deploy
- Add migrate-identities.yml Ansible playbook for migrating identities to a new institution using the new
middleware:migrate:vetted-tokens middleware console command.
* Stepup-Middleware 4.3.0
- Add middleware:migrate:vetted-tokens console command for migrating an identity and its active tokens to a new
institution (https://www.pivotaltracker.com/epic/show/4815403)
- Fix: sensitive information being included in event stream (https://www.pivotaltracker.com/story/show/178390934)
* Stepup-RA 4.2.0
- Show migrated tokens in audit log (https://www.pivotaltracker.com/story/show/178241372)
* Webauthn 1.0.9
- Add button for iOS devices requiring a gesture before FIDO can be used (https://github.com/OpenConext/Stepup-Webauthn/pull/56)
INSTALL
* Deploy components:
- Stepup-Middleware 4.3.0
- Stepup-RA 4.2.0
- Stepup-Webauthn 1.0.9
Stepup-Middleware includes a database migration to fix sensitive information being included in the event stream. On an
app server run /root/01-middleware-db_migrate.sh to run this migration.
Release 23
- Allow the user to activate a new token with their existing token
- Add Spryng as SMS provider option
* Stepup-Gateway 3.3.0
- Add support for using Spryng (https://www.spryng.nl/) as SMS provider. Set the "sms_service" in the
stepup-gateway.yml group_vars to either "messagebird" or "spring" to select the SMS service provider to use.
See template environment for details.
* Stepup-Webauthn 1.0.8
- Add favicon
* Stepup-AzureMFA 1.4.2
- Add favicon
INSTALL:
* Deploy components:
- Stepup-Gateway 3.3.0
- Stepup-Webauthn 1.0.8
- Stepup-AzureMFA 1.4.2
Release 22
- Add support for Self-Service vetting. Allow a user to activate a new token with their existing token without
vetting by an RA. This can be enabled per institution through the middleware configuration.
- Because php56 is no longer required since Release 20.2, we recommend removing php56 by setting app_remove_php56
to false in the app.yml group_vars.
* Deploy:
- Ensure php-fpm runtime dir required for unix sockets is not removed when php56 is removed.
* Stepup-Selfservice 3.4.0
- Add Self-Vetting
* Stepup-Middleware 4.2.1
- Add Self-Vetting
* Stepup-Gateway 3.2.4
- Fix: Logins are no longer logged to the authentication log
INSTALL:
You need to run the app role to apply the php-fpm socket fix and to apply app_remove_php56 if that was set to false:
"ansible-playbook site.yml -t app -i <environment>/inventory"
* Deploy components:
- Stepup-Selfservice 3.4.0
- Stepup-Middleware 4.2.1
- Stepup-Gateway 3.2.4
Release 21
- SECURITY: Fix remote code execution in Stepup-Webauthn and Stepup-Azure-MFA
- Deprecate u2f token, it is replaced by the WebAuthn GSSP
- Upgrade final component (middleware) to PHP 7.2 and Symfony 4
* Stepup-Deploy
- Add required variables azuremfa_secret and webauthn_secret in the stepup-azure-mfa.yml and stepup-webauthn.yml
group vars respectively. Set these to a random value. See the template environment for details.
- Add required variable "second_factors_display_name" in group_vars all.yml. The display name is used in the emails
sent by the middleware. See the template environment for more information. (https://www.pivotaltracker.com/story/show/174985988)
- Fix: Prevent yum update from adding php-fpm www.conf. Requires redeploy of the app role.
- Add a "configonly" Ansible tag to the deploy.yml playbook to update the configuration of a component without
deploying the code. Supported by Stepup-Webauthn for updating attestation certificates and Stepup-Azure-MFA
for updating RP configuration.
- Fixes to the PHP 5.6 => PHP 7.2 migration and support, to ensure scripts call the correct PHP interpreter.
* Stepup-Middleware 4.1.4
- Add display name for token types, used in emails
* Stepup-Selfservice 3.3.0
- Add SAML UserAttributes extension to allow user attributes (email) to be sent to a GSSP during registration
(https://www.pivotaltracker.com/story/show/175121584)
* Stepup-Gateway 3.2.2
- Upgraded to PHP 7.2 and Symfony 4, drop support for PHP 5.6
- Add SAML UserAttributes extension to allow user attributes (email) to be sent to a GSSP during registration
(https://www.pivotaltracker.com/story/show/175121584)
- Add X-UA-Compatible header required to support some IE embedded browsers
* Stepup-Tiqr 3.0.4
- Disable fragment support
- Add X-UA-Compatible header required to support some IE embedded browsers
* Stepup-Azure-MFA 1.4.1
- SECURITY: Fix RCE by disabling fragments and setting APP_SECRET. See https://www.ambionics.io/blog/symfony-secret-fragment
for more information on this type of attack.
- Add X-UA-Compatible header to support IE embedded browsers
- Use email address from user's login to SelfService (https://www.pivotaltracker.com/story/show/175121584) during
registration instead of asking the user to enter their email address.
* Stepup-Webauthn 1.0.7
- SECURITY: Fix RCE by disabling fragment support and setting APP_SECRET. See https://www.ambionics.io/blog/symfony-secret-fragment
for more information on this type of attack.
- Add X-UA-Compatible header required to support some IE embedded browsers
- Log unknown attestation certificates (https://www.pivotaltracker.com/story/show/175325410)
- Fix layout not being applied
INSTALL:
* Update all.yaml group_vars and set Stepup-Gateway as PHP 7.2 component. I.e.:
  app_php72_components:
    - stepup-middleware
    - stepup-ra
    - stepup-selfservice
    - stepup-tiqr
    - stepup-gateway
  app_symfony_3_components:
    - stepup-keyserver
You need to run the app role to apply these changes. I.e.:
"ansible-playbook site.yml -t app -i <environment>/inventory"
* Deploy components:
- Stepup-Middleware 4.1.4
- Stepup-Selfservice 3.3.0
- Stepup-Gateway 3.2.2
- Stepup-Tiqr 3.0.4
- Stepup-Azure-MFA 1.4.1
- Stepup-Webauthn 1.0.7
Release 20.4
See release 21
Release 20.3
Not released
Release 20.2
* Stepup-tiqr 3.0.3
- Upgraded to PHP 7.2 and Symfony 4, drop support for PHP 5.6
- Add /health and /info endpoints
- Fix rare chrome issue where location.reload() is not working (#106)
INSTALL:
* Update all.yaml group_vars and set Stepup-tiqr as PHP 7.2 component. I.e.:
  app_php72_components:
    - stepup-middleware
    - stepup-ra
    - stepup-selfservice
    - stepup-tiqr
  app_symfony_3_components:
    - stepup-gateway
    - stepup-keyserver
You need to run the app role to apply these changes. I.e.:
"ansible-playbook site.yml -t app -i <environment>/inventory"
* Deploy components:
- Stepup-tiqr 3.0.3
Release 20.1
* Stepup-Azure-MFA 1.3.3
- Add /info and /health endpoints
- Fix client-side email validation
* Stepup-Webauthn 1.0.6
- Add /health and /info endpoints
INSTALL:
* Deploy components:
- Stepup-Azure-MFA 1.4.1
- Stepup-Webauthn 1.0.7
Release 20
* Stepup-SelfService 3.2.0
- Upgraded to PHP 7.2 and Symfony 4, drop support for PHP 5.6
- Allow HTML in explanation/description text for GSSPs (https://www.pivotaltracker.com/story/show/174901359)
INSTALL:
Update all.yaml group_vars and set Stepup-SelfService as PHP 7.2 component. I.e.:
  app_php72_components:
    - stepup-middleware
    - stepup-ra
    - stepup-selfservice
  app_symfony_3_components:
    - stepup-gateway
    - stepup-tiqr
    - stepup-keyserver
You need to run the app role to apply these changes. I.e.:
"ansible-playbook site.yml -t app -i <environment>/inventory"
* Deploy components:
- Stepup-SelfService 3.2.0
Release 19
* Stepup-Deploy
- Added skip_prove_possession_second_factors to the all.yml groups_vars. This controls whether the second factor proof
of possession step during vetting in the RA is skipped for the listed second factors. The middleware must be redeployed
after changing this option.
- Stepup-Middleware 4.1.2
- Added identity & token bootstrap console commands (for test) #302 #303 #304 #305
- Drop support for php5.6 and support php7.2
- Make prove possession step optional
- Stepup-RA 4.1.1
- Drop support for php5.6 and support php7.2
- Make prove possession step optional
- Make nginx log to rsyslog directly instead of reading from the nginx log files. Requires a redeploy of the "app" role.
- Require TLS for logging to rsyslog_remote_server. This is only enabled when rsyslog_remote_server is defined.
- You must add rsyslog_certificate, rsyslog_key and rsyslog_ca_certificate to the all.yml group_vars.
- Requires redeploy of the "common" role.
- Fix: syntax error in rsyslog.conf when using rsyslog_remote_server introduced in R17
INSTALL
* Update all.yaml group_vars to set the middleware and RA to SF 4 and PHP 7.2. I.e.:
  app_php72_components:
    - stepup-middleware
    - stepup-ra
  app_symfony_3_components:
    - stepup-gateway
    - stepup-selfservice
    - stepup-tiqr
    - stepup-keyserver
You need to run the app role to apply these changes. I.e.:
"ansible-playbook site.yml -t app -i <environment>/inventory"
* Deploy components:
- Stepup-Middleware 4.1.2
- Stepup-RA 4.1.2
Release 18
* Add two new GSSPs: Stepup-Webauthn and Stepup-Azure-MFA
To use the new GSSPs:
- Enable them in the all.yml groups_vars by adding them to stepup_enabled_generic_second_factors
- Add the GSSP configuration to the gateway.yml, selfservice.yml and ra.yml group_vars
You need to redeploy the Gateway, SelfService and RA components after making these changes.
Installing Release 19, which adds support for skip_prove_possession_second_factors, and disabling proof of possession
is recommended because PoP is very user unfriendly and does not add to the security of these methods.
* Support migration of components from Symfony 3 to Symfony 4 and from PHP 5.6 to PHP 7.2. For more information
see: https://github.com/OpenConext/Stepup-Deploy/wiki/component_info-RFC
In this release the new Stepup-Webauthn and Stepup-Azure-MFA use Symfony 4 and PHP 7.2, all the other components
remain at Symfony 3 and PHP 7.2
* Stepup-Deploy
- Added app_php72_components and app_symfony_3_components to app.yml group_vars. These control the Symfony version and
PHP version configuration of the vhosts. The vhosts for the new Stepup-Webauthn and Stepup-Azure-MFA components are
by default configured for Symfony 4 and PHP 7.2, so these components do not need to be added there. For this release
use the configuration below. Note: you must run the app role from the site.yml playbook after making these changes.
  app_php72_components: []
  app_symfony_3_components:
    - stepup-middleware
    - stepup-gateway
    - stepup-selfservice
    - stepup-ra
    - stepup-tiqr
    - stepup-keyserver
- Added app_remove_php56 to the app.yml group_vars to control whether the PHP 5.6 RPMs are removed when it is determined
that none of the vhosts use PHP 5.6. The default is false.
- During deployment of a component, using the deploy.yml playbook that is called from the deploy.sh script, it is
verified that the PHP and Symfony configuration of the running vhost matches that of the component. The vhost
configuration is retrieved using the http://<vhosts>/vhost_component_info URL exposed by the vhost. The component
requirements are read from a component_info file in the tarball of the component. The component_info file is optional,
in which case PHP 5.6 and Symfony 3 are assumed.
- Added webauthn_vhost_name and azuremfa_vhost_name to the all.yml groups_vars
* Infrastructure
- The vhosts now expose a http://<vhosts>/vhost_component_info URL that returns the current Symfony and PHP vhost
configuration in JSON format.
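The pre-deploy compatibility check described above, written out as an added example for this changelog (it is not Stepup-Deploy's own code). It compares what the vhost reports at /vhost_component_info with what the component tarball requires and falls back to PHP 5.6 / Symfony 3 when component_info is absent. The JSON field names, the key=value layout of component_info and the sample data are assumptions; the page only states that the URL returns JSON and that the file is optional.

```python
"""Pre-deploy check in the spirit of the Release 18 notes: compare the PHP and
Symfony configuration the running vhost reports with what the component
tarball requires, and refuse the deploy on a mismatch.

Added illustration for this changelog; it is not Stepup-Deploy's own code.
Assumptions (not on the page): the field names in the JSON returned by
http://<vhost>/vhost_component_info and the key=value layout of component_info.
"""
import json

# The changelog states these defaults apply when component_info is absent.
DEFAULT_REQUIREMENTS = {"php_version": "5.6", "symfony_version": "3"}

# Constructed sample data standing in for an HTTP response body and a tarball file.
VHOST_PHP72_SF4 = '{"php_version": "7.2", "symfony_version": "4"}'
VHOST_PHP56_SF3 = '{"php_version": "5.6", "symfony_version": "3"}'
WEBAUTHN_COMPONENT_INFO = "# assumed layout of component_info\nphp_version=7.2\nsymfony_version=4\n"


def parse_component_info(text):
    """Parse the (assumed) key=value component_info text.

    None models a tarball without the file, which the notes say means
    PHP 5.6 and Symfony 3.
    """
    if text is None:
        return dict(DEFAULT_REQUIREMENTS)
    requirements = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed component_info line: {raw!r}")
        requirements[key.strip()] = value.strip().strip("'\"")
    missing = sorted(set(DEFAULT_REQUIREMENTS) - set(requirements))
    if missing:
        raise ValueError(f"component_info lacks {missing}")
    return requirements


def parse_vhost_info(body):
    """Parse the JSON body the vhost serves at /vhost_component_info."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("vhost_component_info must be a JSON object")
    for key in DEFAULT_REQUIREMENTS:
        if key not in data:
            raise ValueError(f"vhost_component_info lacks {key!r}")
    # Normalise to strings so "4" and 4 compare equal.
    return {key: str(data[key]) for key in DEFAULT_REQUIREMENTS}


def check_compatibility(vhost_info, requirements):
    """Return a list of mismatch descriptions; an empty list means the
    running vhost matches the component and the deploy may proceed."""
    problems = []
    for key, required in requirements.items():
        running = vhost_info.get(key)
        if running != required:
            problems.append(f"{key}: vhost runs {running}, component needs {required}")
    return problems


if __name__ == "__main__":
    scenarios = [
        ("webauthn on a PHP 7.2 / Symfony 4 vhost", VHOST_PHP72_SF4, WEBAUTHN_COMPONENT_INFO),
        ("webauthn on a PHP 5.6 / Symfony 3 vhost", VHOST_PHP56_SF3, WEBAUTHN_COMPONENT_INFO),
        ("legacy tarball without component_info", VHOST_PHP56_SF3, None),
    ]
    for label, vhost_json, info in scenarios:
        problems = check_compatibility(parse_vhost_info(vhost_json), parse_component_info(info))
        print(f"{label}: {'OK' if not problems else 'REFUSE: ' + '; '.join(problems)}")
```

The check is deliberately strict in both directions: a component that requires PHP 7.2 is refused on a PHP 5.6 vhost, and a legacy tarball (no component_info) is refused on a vhost that has already been switched to PHP 7.2, which is the situation the app_php72_components list is meant to prevent.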
INSTALL
* Run "ansible-playbook site.yml -t app -i <environment>/inventory" to deploy only the app role
This updates the nginx vhost configuration of all vhosts and installs PHP 7.2 when a vhost requires it.
This makes the http://<vhosts>/vhost_component_info URL available that is required to deploy components
* Deploy components:
- Stepup-Webauthn 1.0.3
- Stepup-Azure-MFA 1.2.1
- Stepup-Gateway 3.0.1
- Stepup-SelfService 3.1.0
- Stepup-RA 3.1.3
Release 17.2
Bugfix release.
CHANGES:
* Stepup-Gateway:
- Fix: No SAMLError response is sent when using the SFO endpoint (https://www.pivotaltracker.com/story/show/172262049)
* Stepup-Middleware:
- Fix: Performance issue updating the ra_candidates projection. For larger numbers of users with an active token this
results in a PHP execution timeout when pushing an institution configuration or when assigning an RA or RAA role to
a user. (https://www.pivotaltracker.com/story/show/172245466)
INSTALL
* Deploy components
- Stepup-Gateway 3.0.1
- Stepup-Middleware 3.1.7
* Update middleware database schema to 20200416135127 (from 20190211163604) by running /root/01-middleware-db_migrate.sh
on an app server.
A restore of the middleware and gateway schemas is required to perform a rollback of the middleware.
Release 17.1
Support a normal and an SFO authentication concurrently in the same session in the Stepup-Gateway. This allows the
remote IdP to use SFO.
CHANGES
* Stepup-Gateway
- Allow a normal and an SFO authentication concurrently in the same session in the Stepup-Gateway.
This allows the remote IdP (e.g. OpenConext EngineBlock) to use SFO, and so allows seamless migration of SPs that
meet the requirements of the remote IdP from the Stepup-Gateway to the remote IdP
(https://www.pivotaltracker.com/n/projects/1163646/stories/171569114)
INSTALL
* Deploy components
- Stepup-Gateway 3.0.0
Release 17
More fine grained authorization (FGA) of RAs, Fix wrong Issuer in Gateway SAMLResponse
This release introduces the possibility for users to have the RA or RAA role in other institutions than their own institution.
The institutions for which a user can be an RA(A) are controlled through the institution configuration.
CHANGES
* Stepup-Middleware
- Add "select_raa", "use_ra" and "use_raa" optional configuration options to the institution configuration. These
options list the institutions (by SHO) from which users can get the RA(A) role ("select_raa") for the institution, or
from which all RAs ("use_ra") or RAAs ("use_raa") will also have that role for this institution.
See https://github.com/OpenConext/Stepup-Middleware/blob/master/docs/MiddlewareConfiguration.md#institution-configuration-structure
- Update xmlseclibs for CVE-2019-3465
* Stepup-RA
- Add "Institution Configuration" page where (S)RAAs can view the configuration of the institutions where they have (S)RAA
rights (https://www.pivotaltracker.com/story/show/160283525)
- Add institution selector on the "RA Locations" page
- Removed the institution switcher for SRAAs. SRAAs now use the same new way of switching institutions as RA(A)s
- Make the institution explicit in roles by displaying them as "role @ institution", because a user can now have different
roles in different institutions.
- The "RA Management" screen allows searching by role, institution, email and name, and adds paging
- Remove the "Change role" option from the "RA Management" screen. To change the role of a user, remove the role and then add
the new role
- Add a "My Profile" screen that shows all the user's current roles. Both the roles explicitly assigned through the "RA Management"
screen and the roles the user has because of "use_ra" and "use_raa" are shown.
- Fix: Missing paging controls in token overview page (https://www.pivotaltracker.com/story/show/165629990)
- Show the SHO of the RA that vetted the user in the audit log (https://www.pivotaltracker.com/story/show/160283522)
- Fix XML Signature validation bypass critical vulnerability (CVE-2019-3465)
* Stepup-Selfservice
- Fix XML Signature validation bypass critical vulnerability (CVE-2019-3465)
* Stepup-Gateway
- Add WantAuthnRequestsSigned="true" to the IDPSSODescriptor in the IdP metadata (https://www.pivotaltracker.com/story/show/166266929)
- Fix: Wrong Issuer and incomplete Status code from gateway in response to GSSP AuthnFailed (https://www.pivotaltracker.com/story/show/164657123)
- Fix XML Signature validation bypass critical vulnerability (CVE-2019-3465)
* Stepup-tiqr
- Removed tiqr_gcm_apikey. The google cloud messaging API has been deprecated by Google.
- Update xmlseclibs for CVE-2019-3465
* Infrastructure
- Added a second, independent and optional, remote loghost for sending logs using RELP over TLS.
Enabled by defining rsyslog_remote_server, rsyslog_remote_port, rsyslog_certificate, rsyslog_ca_certificate and rsyslog_key
See all.yml in the template environment for details.
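The role model introduced in this release ("select_raa", "use_ra", "use_raa" under Stepup-Middleware, and the explicit-plus-derived roles the new "My Profile" screen lists under Stepup-RA) as an added worked example for this changelog. This is not Stepup-Middleware's or Stepup-RA's code; it applies the rules exactly as the notes state them to a constructed set of institutions. Assumptions not stated on the page: an institution may always give RA(A) rights to its own users, derived roles come only from explicitly assigned roles (no chaining), and RA and RAA are tracked as separate roles.

```python
"""Role resolution following the Release 17 description of fine-grained
authorization: "select_raa" says whose users may be explicitly given an RA or
RAA role at an institution, while "use_ra" / "use_raa" let every RA / RAA of a
listed institution hold that role here as well. The "My Profile" view then
shows both kinds, explicit and derived, as "role @ institution".

Added illustration for this changelog, not Stepup-Middleware's own code.
Assumptions (not on the page): an institution may always select its own users,
derived roles come only from explicitly assigned roles (no chaining), RA and
RAA are separate roles, and the institutions and users below are constructed.
"""
from typing import NamedTuple

ROLES = ("ra", "raa")

# Constructed institution configuration keyed by SHO; the option names are the
# ones the release notes introduce, the values are made up for this example.
INSTITUTIONS = {
    "inst-a.example": {"select_raa": ["inst-b.example"], "use_ra": [], "use_raa": []},
    "inst-b.example": {"select_raa": [], "use_ra": ["inst-a.example"], "use_raa": []},
    "inst-c.example": {"select_raa": [], "use_ra": [], "use_raa": ["inst-a.example"]},
}


class User(NamedTuple):
    name: str
    institution: str  # SHO of the user's home institution


def may_select(config, target, user):
    """May users from user.institution be given RA(A) rights at target?
    The own institution is assumed to always be allowed; otherwise the user's
    institution must be listed in the target's "select_raa"."""
    options = config[target]
    return user.institution == target or user.institution in options.get("select_raa", [])


def assign_role(config, assignments, user, target, role):
    """Explicit assignment, as done on the "RA Management" screen.
    Returns True when permitted and recorded, False when the institution
    configuration does not allow it."""
    if role not in ROLES:
        raise ValueError(f"unknown role {role!r}")
    if target not in config or not may_select(config, target, user):
        return False
    assignments.setdefault(user.name, set()).add((target, role))
    return True


def effective_roles(config, assignments, user_name):
    """Explicit roles plus the ones derived through "use_ra" / "use_raa"."""
    explicit = set(assignments.get(user_name, set()))
    derived = set()
    for institution, options in config.items():
        for role, option in (("ra", "use_ra"), ("raa", "use_raa")):
            for source in options.get(option, []):
                if (source, role) in explicit:
                    derived.add((institution, role))
    # A derived role that duplicates an explicit one is not listed twice.
    return {"explicit": explicit, "derived": derived - explicit}


def profile_lines(config, assignments, user_name):
    """What a "My Profile" page would list: "role @ institution" strings."""
    roles = effective_roles(config, assignments, user_name)
    lines = [f"{role} @ {inst}" for inst, role in roles["explicit"]]
    lines += [f"{role} @ {inst} (via use_{role})" for inst, role in roles["derived"]]
    return sorted(lines)


if __name__ == "__main__":
    assignments = {}
    alice = User("alice", "inst-a.example")
    bob = User("bob", "inst-b.example")
    assign_role(INSTITUTIONS, assignments, alice, "inst-a.example", "ra")  # own institution
    assign_role(INSTITUTIONS, assignments, bob, "inst-a.example", "raa")   # allowed by select_raa
    ok = assign_role(INSTITUTIONS, assignments, alice, "inst-c.example", "ra")
    print("alice as RA at inst-c.example permitted:", ok)
    for name in ("alice", "bob"):
        print(name, profile_lines(INSTITUTIONS, assignments, name))
```

Note that "use_ra" and "use_raa" are read on the institution that grants the derived role, not on the institution whose RAs are being reused; that is why the resolver loops over every institution's configuration rather than over the user's home institution.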
INSTALL
* Deploy components
- Stepup-Middleware 3.1.6
- Stepup-Gateway 2.10.6
- Stepup-SelfService 3.1.0
- Stepup-RA 3.1.3
- Stepup-tiqr 2.1.15
* Update middleware database schema to 20190211163604 (from 20180409100948) by running /root/01-middleware-db_migrate.sh
on an app server.
The new gateway will continue to work with the database schema of release 16. The new middleware (and by extension the
SelfService and the RA components) require the database schema to be updated to work.
Release 16
Update Symfony to 3.4 LTS, bugfixes, Tiqr push notification fixes
CHANGES
* All stepup applications (except the keyserver) were updated to Symfony 3.4 LTS
* Stepup-SelfService
- Open help page in new tab (https://www.pivotaltracker.com/story/show/161718649)
- Fix: Do not load assets over http during PDF generation (https://www.pivotaltracker.com/story/show/161719264)
* Stepup-RA:
- Fix: Non-descriptive error-message when non-RA authenticates to Stepup-RA (https://www.pivotaltracker.com/story/show/158894749)
- Fix: Untranslated error "ra.verify_yubikey_command.otp.otp_invalid" during vetting (https://www.pivotaltracker.com/story/show/160228972)
- Open manual in new tab (https://www.pivotaltracker.com/story/show/161718649)
- Fix: Sorting on document number in the token overview results in an error (https://www.pivotaltracker.com/story/show/161721636)
* Stepup-tiqr:
- Fix: tiqr server keeps sending push notifications when challenges expire (https://www.pivotaltracker.com/story/show/159101661)
- Fix: tiqr server blocks during authentication when translation service is unavailable (https://www.pivotaltracker.com/story/show/160510558)
- The user can click on the QR code as an alternative to scanning it. This allows tiqr to be used for authentication using a QR code
to an application on the mobile device itself (https://www.pivotaltracker.com/story/show/161311010)
- Fix: .php and .htaccess files in the tiqr web directory can be downloaded. (https://www.pivotaltracker.com/story/show/158356638)
- Allow tiqr server to use both GCM and Firebase for sending push notifications to Android devices (https://www.pivotaltracker.com/story/show/163974611)
Depending on the time of registration, Android version and the version of the Tiqr App either the GCM or the Firebase API
must be used. This version allows Firebase to be used when GCM fails. To use the Firebase fallback you must add the tiqr_firebase_apikey
to the stepup-tiqr.yml group_vars.
* Stepup-Gateway:
- Make the name of the Stepup Gateway displayed in the HTML title and on the error pages of the Stepup-Gateway configurable
using the gateway_app_name group_var in stepup-gateway.yml
* Stepup-Deploy
- Add new variable 'gateway_app_name' to stepup-gateway.yml group_vars for the display name of the gateway. See the template environment for a description of
this variable. You must add gateway_app_name in your environment(s).
- The 'logout_redirect_url' in the app.yml group_vars is now set per locale. See the template environment for a description of
this variable. You must update logout_redirect_url in your environment(s).
- Improved Python and Ansible compatibility of Stepup-Deploy. The Ansible playbooks and scripts in Stepup-Deploy are now compatible with
both Python 2.7 and Python 3 and Ansible versions from 2.2 to 2.7
- Because of changes to the way includes work in Ansible, handlers (i.e. notify) are not called for tasks in tasks/common.yml in
the environment. Verify and update the tasks/common.yml in your environment(s). The handlers/common.yml is no longer included
and can be removed from your environment(s). See the template environment for an alternative to using handlers.
- Change the Java heapsize for elasticsearch from 2GB to half the system's memory during deploy
- The environment.conf is now stored in the environment directory instead of using the environment.conf from the Stepup-Deploy
directory. This allows modifications to the environment.conf to work well with version control and multiple environments.
See scripts/create_new_environment.sh for details.
- Add script to get SP configuration from OpenConext-manage and convert it to the JSON format used in
templates/middleware/middleware-config.json.j2. See scripts/middleware-config-from-manage.sh for details
- Stepup-Deploy can now be used to deploy a development VM (see OpenConext/Stepup-VM) and run behat integration tests in this
VM.
* Infrastructure:
- Restrict download of .php files for tiqr app. Redeploy the app role to update the nginx config for tiqr
INSTALL
* Deploy components:
- Stepup-Middleware 2.9.3
- Stepup-Gateway 2.10.3
- Stepup-SelfService 2.10.6
- Stepup-RA 2.10.6
- Stepup-tiqr 2.1.12
* Redeploy the app role
- Run "ansible-playbook site.yml -t app -i <environment>/inventory" to deploy only the app role
This updates the nginx configuration for tiqr to disallow the download of .php files.
* Redeploy the es role
- Run "ansible-playbook site.yml -t es -i <environment>/inventory" to deploy only the es role
This updates the elasticsearch Java heap size to half the system's memory during deploy.
* Redeploy the manage role
- Run "ansible-playbook site.yml -t manage -i <environment>/inventory" to deploy only the manage role
This updates the logstash processing rules for the way the tiqr logs
Release 15
Support for multiple ACS locations, various improvements to error pages, several UI improvements, multiple-token configuration per-institution, various bugfixes and Stepup is now brandless (no more "SURFisms").
CHANGES
* Gateway:
- Support multiple ACS locations and use the AssertionConsumerServiceUrl from the AuthnRequest (https://www.pivotaltracker.com/story/show/155288768)
- Improve styling of WAYG token selection screen (https://www.pivotaltracker.com/story/show/152918604)
- Change layout of login screens (https://www.pivotaltracker.com/story/show/155856648)
- Change layout of error screens (https://www.pivotaltracker.com/story/show/156343095)
- Document use of state by the different SAML flows that are supported by the Stepup-Gateway (https://www.pivotaltracker.com/story/show/155969747)
* SelfService:
- Show end-user if his activation code has expired (https://www.pivotaltracker.com/story/show/155467915)
- Confusing UI when testing one of several tokens with different LoAs (https://www.pivotaltracker.com/story/show/154476963)
- Modify token order in self-service (https://www.pivotaltracker.com/story/show/156311244)
- Improve button layout with multiple-token support (https://www.pivotaltracker.com/story/show/156220699)
- Better handling of token registration errors (https://www.pivotaltracker.com/story/show/157843953)
* RA:
- Bugfix: White page when insufficient rights for RA (https://www.pivotaltracker.com/story/show/155008515)
- Bugfix: RA-candidate error when vetting second token for (S)RAA (https://www.pivotaltracker.com/story/show/156122609)
- Bugfix: Untranslated error in Yubikey verification screen (https://www.pivotaltracker.com/story/show/158660535)
* Middleware:
- Multiple-token support configurable per institution (https://www.pivotaltracker.com/story/show/156565700)
- Make "SelfServiceUrl" available in vetted mail template (https://www.pivotaltracker.com/story/show/155428664)
- Bugfix: Unintended 'email verified' entries in audit log when email verification is disabled (https://www.pivotaltracker.com/story/show/156884910)
- Bugfix: Allowed second factor unique constraint violation error when pushing config (https://www.pivotaltracker.com/story/show/156466792)
- Better handling of edge-case while vetting (https://www.pivotaltracker.com/story/show/157687939)
* Tiqr:
- Complete overhaul of tiqr. Tiqr is now based on the (new) GSSP library and uses Symfony
- Change tiqr authentication screens (https://www.pivotaltracker.com/story/show/156334113)
- Add cancel button that uses the GSSP cancel mechanism (https://www.pivotaltracker.com/story/show/144103525)
* All components:
- Generic error screen improvements (https://www.pivotaltracker.com/story/show/137516239)
- Specific user error messages for common error situations (https://www.pivotaltracker.com/story/show/155515714)
- Remove SURFisms from Stepup applications (https://www.pivotaltracker.com/story/show/155700619)
* SS, RA and GW:
- Fix /csp/report (https://www.pivotaltracker.com/story/show/158719739)
* Infrastructure
- rsyslog configuration updates: enable the rsyslog stats and mark modules and lower the RELP reconnect time
- manage: update logstash configuration. Retain context and extra json logged by stepup apps, parse rsyslog stats
and sendmail messages
Important changes - attention required:
* Verify configured ACS locations for ADFS service providers in middleware-config before deployment
- The ACS URL sent by ADFS in the AuthnRequest is now validated by matching it against one or more configured
allowed ACS locations in the service provider configuration in middleware. The ACS URL must start with one of
the configured values.
* New required configuration parameter in Gateway:
- new parameters.yml parameter `app_name` (example values: "Stepup Gateway", "SURFsecureID Gateway")
* Dropped configuration parameter in SelfService:
- the parameters.yml parameter `number_of_tokens_per_identity` can be removed from SelfService,
in Middleware, the parameter is still required
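The ACS-location rule from the "attention required" list above, as an added example for this changelog (not Stepup-Gateway's or Stepup-Middleware's code). prefix_match() is the rule exactly as the notes state it; acs_url_allowed() applies the same rule on parsed URL components, which is the form to prefer when a configured value stops at the hostname, because a plain string prefix is also satisfied by any longer hostname that begins with the same characters. The per-SP configuration shape and all entity IDs and URLs are constructed.

```python
"""ACS-location validation as the Release 15 notes describe it for ADFS
service providers: the AssertionConsumerServiceURL from the AuthnRequest is
accepted only when it starts with one of the allowed ACS locations configured
for that SP in middleware.

Added illustration for this changelog, not Stepup-Gateway's or
Stepup-Middleware's own code. The per-SP configuration shape and every entity
ID and URL below are constructed.
"""
from urllib.parse import urlsplit

# Constructed per-SP configuration: entity ID -> allowed ACS location prefixes.
SP_CONFIG = {
    "https://adfs.example.org/adfs/services/trust": [
        "https://adfs.example.org/adfs/ls/",
    ],
    "https://sp.example.org/metadata": [
        "https://sp.example.org",  # stops at the hostname, see acs_url_allowed()
    ],
}


def prefix_match(acs_url, allowed_prefixes):
    """The rule exactly as the notes state it: plain string-prefix match."""
    return any(acs_url.startswith(prefix) for prefix in allowed_prefixes)


def acs_url_allowed(entity_id, acs_url, config=SP_CONFIG):
    """Same rule, compared on parsed URL components: scheme, host and port
    must be equal and only the path is prefix-matched. A configured value
    that stops at the hostname therefore admits only that exact host, not a
    longer hostname that shares the prefix. Unknown SPs, non-https URLs,
    URLs without a host and malformed ports are rejected."""
    allowed = config.get(entity_id)
    if not allowed:
        return False
    url = urlsplit(acs_url)
    if url.scheme != "https" or not url.hostname:
        return False
    try:
        origin = (url.scheme, url.hostname, url.port)
    except ValueError:  # non-numeric port in the request
        return False
    for prefix in allowed:
        wanted = urlsplit(prefix)
        if origin != (wanted.scheme, wanted.hostname, wanted.port):
            continue
        if (url.path or "/").startswith(wanted.path or "/"):
            return True
    return False


if __name__ == "__main__":
    adfs = "https://adfs.example.org/adfs/services/trust"
    for candidate in (
        "https://adfs.example.org/adfs/ls/?SAMLRequest=abc",
        "https://adfs.example.org/adfs/lsx",
        "http://adfs.example.org/adfs/ls/",
    ):
        print(candidate, "->", acs_url_allowed(adfs, candidate))
```

When reviewing a middleware-config before deployment, the practical consequence is to configure ACS locations as complete URLs with their path (and a trailing slash where the SP appends query parameters), rather than as a bare scheme and host.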
INSTALL
* Deploy components:
- Stepup-Middleware: 2.8.2
- Stepup-Gateway: 2.9.2
- Stepup-SelfService: 2.9.2
- Stepup-RA: 2.9.2
- Stepup-tiqr: 2.0.1
* Update middleware database schema to 20180409100948 (from 20180330094402)
- On an app server run "/root/01-middleware-db_migrate.sh" to update the middleware schema.
Replay of the event log is not required, nor desired.
The new middleware, selfservice and RA require the new database schema to work. The new gateway works
with the schema of the previous release.
* Redeploy the app role
- Run "ansible-playbook site.yml -t app -i <environment>/inventory" to deploy only the app role
This is required for the new Tiqr to work.
The new Tiqr requires a different nginx configuration than the old one.
* Redeploy the common role with the rsyslog tag
- Run "ansible-playbook site.yml -t rsyslog -i <environment>/inventory" to update only the rsyslog configuration
This enables rsyslog stats and mark modules and lowers the RELP reconnect time
* Redeploy the manage role with the logstash tag
- Run "ansible-playbook site.yml -t logstash -i <environment>/inventory" to update only the logstash configuration
This enables additional parsing of log messages
Release 14
Export RA token overview, add GSSP tokens through configuration, registration code expiry reminder emails, support for
multiple tokens per user (experimental)
CHANGES
* Allow multiple tokens per user (experimental). Tokens must be of a different type, i.e. when set to 2, a user could
register a Tiqr token and a YubiKey token, but not two YubiKey tokens or two Tiqr tokens.
This is a global setting that is configured through 'number_of_tokens_per_identity' in group_vars/all.yml. Setting this
to "1" retains pre Release 14 behaviour. This variable must be added to existing environments.
* Email verification can be disabled on a per institution basis in the middleware-institution config.
(https://www.pivotaltracker.com/story/show/153358379)
- A new mandatory configuration option "verify_email" was added to the institution configuration. Set to "true" to
keep the pre Release 14 behaviour. This option must be added to the institution config of existing environments.
- During registration a user can print and/or download a pdf of the registration code confirmation email.
* Make the default locale and the available locales for the stepup applications configurable using group_vars.
See the playbook variables "default_locale" and "enabled_locales" in group_vars/all.yml. These two variables
must be added to existing environments.
* Removed the lb role. Added "lb_addresses" in group_vars/all.yml. When using a load balancer, set this variable to an
array of IP addresses of the load balancers. Used in the nginx config and the default ip(6)tables config.
* The middleware-config in template environment now reads the email templates from separate files to make
editing of email templates easier.
* Improved handling of expiry of the registration code:
- When a registration code is expired, the RA shows an error immediately after the expired
registration code is entered.
- Added "second_factor_verification_reminder_with_ra_locations" and "second_factor_verification_reminder_with_ras"
email templates. Existing environments must be updated to add these templates.
These two new templates are used by the new "middleware:cron:email-reminder" console command.
(https://www.pivotaltracker.com/story/show/90086932)
- The date at which the registration code expires is available as "expirationDate" in the
registration_code_with_* email templates and in the newly added second_factor_verification_* email
templates (https://www.pivotaltracker.com/story/show/90086996)
* RA token page improvements:
- Show totals on token page (https://www.pivotaltracker.com/story/show/152075386)
- Export to CSV (https://www.pivotaltracker.com/story/show/153357335)
* Allow generic SAML stepup providers (GSSP) to be added through configuration
* Add /health and /info endpoints to the applications, except tiqr (https://www.pivotaltracker.com/story/show/133514143)
* Bug fixes:
- The gateway now allows any attribute to be passed through the gateway
(https://www.pivotaltracker.com/story/show/156264642)
- Fix: "Unknown Generic SAML Stepup Provider requested on gateway after tiqr registration from selfservice"
(https://www.pivotaltracker.com/story/show/155774630)
- Fix alignment of SMS send and cancel buttons
(https://www.pivotaltracker.com/story/show/151327094)
- Fix: "verify identity" button not working in small browser window
(https://www.pivotaltracker.com/story/show/144698163)
INSTALL
* Deploy components:
- Stepup-Middleware 2.7.1
- Stepup-Gateway 2.8.3
- Stepup-SelfService 2.8.0
- Stepup-RA 2.8.1
* Update middleware database schema to 20180330094402 (from 20170216085513)
- On an app server run "/root/01-middleware-db_migrate.sh" to update the middleware and gateway database schemas.
Replay of the event log is not required, nor desired.
The new middleware, selfservice and RA require the new database schema to work. The new gateway should be able to work
with the schema of the previous release.
Release 13.2 (hotfix)
CHANGES
- Hotfix for two SimpleSAMLphp vulnerabilities
- Fix Tiqr authentication from Microsoft Office 365 applications
* All Stepup components:
- Update SimpleSAMLphp with fixes for 201802-01 and 201803-01
* Stepup-tiqr
- Fix a script error when authenticating with Tiqr from Microsoft Office 365 applications
INSTALL
* Deploy components:
- Stepup-Gateway 2.7.5
- Stepup-SelfService 2.7.2
- Stepup-RA 2.7.3
- Stepup-tiqr 1.1.8
Release 13.1 (hotfix)
Hotfix for matching case-insensitive identifiers
Install:
* Deploy component
- Gateway 2.7.3
Release 13
Bugfix release solving two issues:
- fix an issue with pushing institution config changes, which was broken in release 12
- fix an issue with determining an institution-specific LoA for unknown users
In addition, Kibana log retention is extended from 90 to 120 days.
Install:
* Deploy components:
- Gateway 2.7.2
- Middleware 2.6.4
- RA 2.7.1
* run manage role (for manage_keep_logs_days)
ansible-playbook site.yml -i <inventory> -t manage -l <host>
Release 12
Add support for the SFO extension for Microsoft ADFS (https://github.com/SURFnet/ADFS-MFA-SAML2.0-Extension) to the
Stepup-Gateway
* Gateway
- Add support for receiving SAML AuthnRequests using the HTTP-POST binding
- When the ADFS specific "AuthMethod" and "Context" are present the SFO endpoint will switch to "SFO extension for ADFS"
mode:
- It adds "AuthMethod" and "Context" HTTP POST variables from the request to the response
- It returns the SAMLResponse in a HTTP POST variable "_SAMLResponse" instead of "SAMLResponse"
* Deploy
- "app" role: Added "lb_addresses" variable to specify trusted IPs for the X-Forwarded-For header. Stopped using hosts
from the lb group for this purpose as the lb role is going to be removed from the playbook. If you are using the lb role
you should set the "lb_addresses" variable and redeploy the app role.
Install:
* Deploy components:
- Gateway 2.7.0
* Rerun app role (for lb_addresses)
ansible-playbook site.yml -i <inventory> -t app -l <host>
Release 11
Fix for per institution LoA configuration, add GSSP through configuration, update Swiftmailer because of CVE-2016-10074,
show error when missing EPTI attribute.
* Gateway
- Fix: Update swiftmailer because of CVE-2016-10074. Exploitation requires the attacker to control the email address.
- Fix: Per IdP LoA configuration for an SP by institution ID. Institution IDs are now recognised in the LoA definition of
an SP as described in https://github.com/OpenConext/Stepup-Middleware/blob/master/docs/MiddlewareConfiguration.md#service-providers
- Fix: The gateway would generate a SAML Assertion without a Subject when the Assertion from the remote IdP did not
contain an eduPersonTargetedID attribute with a NameID. Now an error is shown on the gateway when this occurs.
* Middleware, Gateway, SelfService and RA
- A new GSSP can be added through configuration. The Ansible environment must be updated:
- A new parameter "stepup_enabled_generic_second_factors" was introduced
- The "stepup_enabled_factors" parameter was updated
When using the existing GSSPs "tiqr" and "biometric", the changes are minimal. The required changes are described in
docs/add-gssf-to-stepup.md
Install:
* Deploy components:
- Middleware 2.6.0
- Gateway 2.6.0
- RA 2.7.0
- SelfService 2.7.0
Release 10
Add option to test 2nd factor in SelfService, bugfixes
* Upgrade Guzzle4 to Guzzle6
* SelfService:
- The user now has the option to test authentication with their token in the self service interface.
* Gateway:
- Fix: wrong entity added for saml:AuthenticatingAuthority
* Middleware:
- Fix: bootstrapping an identity leads to unusable identity
* Tiqr:
- Fix: no push notifications received when changing phones
- Fix: minor layout and translation issues
- Accounts are blocked after 5 authentication failures
- Improved support for browsers on mobile devices
Install:
* Deploy components:
- Middleware 2.5.0
- Gateway 2.5.0
- SelfService 2.6.2
- RA 2.6.1
- Tiqr 1.1.5
Release 9
Limit token types per institution, AuthnRequest signature validation error bug,
Mixed case schacHomeOrganization bug
* The repositories were moved from the GitHub SURFnet organization to the OpenConext organization
* Middleware:
- Fix: Error when applying an institution configuration when the institution is using a mixed case
schacHomeOrganization
- The institution configuration now requires an "allowed_second_factors" option. This option can be used to
limit the available token types
* Gateway:
- Security: Use HTTPS instead of HTTP when validating a YubiKey challenge at the Yubico validation service.
This makes validation more robust against attacks on the message signatures.
- Fix: Mishandling of the URL encoding of SAML AuthnRequests caused valid signatures to be considered
invalid by the Gateway
* SelfService interface:
- The available token types that a user can select can be limited on a per institution basis
Install:
* Deploy components:
- Middleware 2.4.0
- Gateway 2.4.2
- SelfService 2.5.0
* Run database migrations
- Run "/root/01-middleware-db_migrate.sh" on an app server
Release 8
Revocation email, UI improvements
* Middleware:
- Send an email when an active second factor is revoked. Added a "second_factor_revoked" mail template to
"template/middleware/middleware-config.json.j2"
* RA interface:
- Fix: sorting the audit log fails for some fields
- Fix: no error message was shown when a user with an expired registration code was vetted
- Fix: RAs could vet users belonging to other institutions
- Added help text under the search box in the "Token Activation" screen
- Limited input in the document number field to 6 characters
- Remove text 'optional' in tokens screen
- The Manual link URL in the footer is now per language and must be set through "ra_manual_url" in
"stepup-ra.yml"
- Check the Issuer in the SAML Response. It must match the saml_remote_idp_entity_id set in "parameters.yml"
* Selfservice interface:
- Help link URL in the footer is now per language and must be set through "ss_support_url" in
"stepup-selfservice.yml"
- Check the Issuer in the SAML Response. It must match the saml_remote_idp_entity_id set in "parameters.yml"
Install:
* Deploy components
- Middleware 2.3.1
- Selfservice 2.3.0
- RA 2.4.0
Release 7
RA Locations, Institution configuration, Server-side session expiry
* Added per institution configuration, through the middleware API, of the way RA locations are shown to users in the
selfservice interface and in email.
- The RAA contacts can be hidden, so only RA contacts are shown. Defaults to old behaviour (show both RA and RAA contacts)
- Instead of RA(A) contacts RA locations can be shown. When enabled the RAA of an institution can edit the list of the
RA locations through the RA interface. Defaults to old behaviour (show RA(A) contacts)
- Added an institution configuration for enabling/disabling the above two options. Configuration through the template
in <inventory>/templates/middleware/middleware-institution.json
See https://github.com/SURFnet/Stepup-Middleware/blob/2.1.0/README.md for configuration format
- The email template for 'registration_code' in middleware-config.json.j2 is replaced by 'registration_code_with_ras'
and 'registration_code_with_ra_locations'.
See https://github.com/SURFnet/Stepup-Middleware/blob/2.1.0/README.md for configuration format
* Added server-side session timeouts based on an absolute limit (since login) and a relative limit (since the last client
interaction with the server), configured through the "app_session_max_duration" and "app_session_expiry_time" group_vars.
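As an added example (not code from Stepup-Deploy or the Stepup applications), a server-side check that combines the absolute and relative timeouts this item describes; the function names are assumptions and the timeout values are constructed and assumed to be in seconds:

```python
"""Server-side session expiry with an absolute and a relative (idle) limit.

Added example, not code from Stepup-Deploy or the Stepup applications. It
models the two timeouts described above: app_session_max_duration (seconds
since login) and app_session_expiry_time (seconds since the last request).
All values used here are constructed; a deployment reads them from group_vars.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ABSOLUTE = "absolute_expired"  # logged in too long ago, regardless of activity
IDLE = "idle_expired"          # no request within the relative window
VALID = "valid"


@dataclass
class Session:
    authenticated_at: datetime  # set once, at login; never moves
    last_seen_at: datetime      # slides forward on every accepted request


def check_session(session, now, max_duration, expiry_time):
    """Classify the session at time `now` without modifying it."""
    if now - session.authenticated_at >= timedelta(seconds=max_duration):
        return ABSOLUTE
    if now - session.last_seen_at >= timedelta(seconds=expiry_time):
        return IDLE
    return VALID


def handle_request(session, now, max_duration, expiry_time):
    """Per-request check: reject an expired session, otherwise slide the idle window.

    The absolute limit is tested first, so constant activity can never
    extend a session past app_session_max_duration.
    """
    state = check_session(session, now, max_duration, expiry_time)
    if state == VALID:
        session.last_seen_at = now
    return state


def replay(request_offsets, max_duration, expiry_time):
    """Log in at T0 and replay requests at the given offsets (seconds after login).

    Returns the state each request saw. The offsets are constructed input.
    """
    t0 = datetime(2018, 1, 1, 9, 0, tzinfo=timezone.utc)
    session = Session(authenticated_at=t0, last_seen_at=t0)
    return [handle_request(session, t0 + timedelta(seconds=o), max_duration, expiry_time)
            for o in request_offsets]


if __name__ == "__main__":
    # 15 minute idle limit, 8 hour absolute limit (constructed values)
    print(replay([600, 1200, 2400, 3000], 8 * 3600, 15 * 60))
```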
* RA interface changes
- Show the document number in the tokens overview in the RA interface (requires event replay)
- The time in the audit log is now shown in the timezone configured in the webbrowser instead of in UTC
* The Selfservice, RA and Gateway now set/update an HTTP cookie named "stepup_locale" with the currently known preferred
locale of the user. The domain for which the cookie is set is configured through the "locale_cookie_domain" group_var.
* Various minor UI layout fixes/improvements.
* Fix: middleware:event:replay may fail with Middleware < 2.1.0.
* tiqr fixes
- solves a problem with iOS10 devices
- small layout and translation improvements
Install:
* Deploy components
- Middleware 2.1.0
- Gateway 2.2.0
- Selfservice 2.2.0
- RA 2.2.0
- tiqr 1.1.4
* Run database migrations
- Run "/root/01-middleware-db_migrate.sh" on an app server
* Replay eventlog
- Prevent changes during the replay by taking the middleware offline (or take the SS and RA offline)
- Change to middleware directory (e.g. /opt/www/middleware.example.org)
- Run "php app/console middleware:event:replay --env=prod_event_replay" on an app server
The replay runs in a single database transaction. It replays all events and recreates the projections. This may take
some time depending on the number of events in the events table.
Release 6
Ansible 2, Second factor only (SFO) authentication, biometric authentication type
* Deploy now requires Ansible 2
* Set "serial: 1" in site.yml playbook, to deploy one host at a time, even when more than one host is targeted
* Add second factor only (SFO) authentication to the GW, disabled by default
* Add support for a "biometric" authentication type using GSSP
* Added vars for SFO: gateway_second_factor_only, stepup_uri_sfo_loa2, stepup_uri_sfo_loa3
* Added var for stepup cookie domain: locale_cookie_domain
* Service providers in the middleware configuration require two new configuration keys. To keep the current
behaviour add:
"second_factor_only": false,
"second_factor_only_nameid_patterns": [],
* Add translations for tiqr error messages, fix regression error in tiqr userId
Install:
* Run the app role from the site.yml playbook
* Deploy components
- Middleware 1.6.0
- Gateway 2.0.0
- SelfService 1.4.0
- RA 1.4.0
- tiqr 1.1.3
Release 5.2
Infrastructure changes: Read-only accounts for external access to middleware and gateway databases,
SMTP smarthost and disable IPv6
Security: Block HTTP Proxy header in haproxy and nginx (CVE-2016-5385)
* Optionally use SMTP smarthost on servers with app role. Configuration through sendmail_smarthost in group_vars/app.yml
* Optionally create gateway_ro and middleware_ro accounts for read only access to the gateway and middleware databases
Configuration in group_vars/dbcluster.yml through database_(gateway|middleware)_readonly_(user|password)
* Disable IPv6
Install:
* Run the dbcluster, lb and app roles from the site.yml playbook
* Deploy component
- none
Release 5.1 (hotfix)
Hotfixes for loadbalancer configuration (fixes issues with tiqr registration)
* Updated sysctl-local.conf to allow nonlocal binds
* Updated nginx.yml tasks and nginx.vhost.conf.j2 template to have nginx listen on dedicated IP addresses
Install:
* Run the lb role from the site.yml playbook
* Deploy component
- none
Release 5
Allow scripted / automated middleware configuration updates from remote
* Moved the 02-middleware-config.sh and 04-middleware-whitelist.sh scripts from /root to /opt/scripts and made these scripts
executable by the stepup-deploy user. The scripts in /root/ are replaced by symlinks.
The configuration (middleware-config.json and middleware-whitelist.json) is now stored in /opt/scripts
* Added app group_vars: app_deploy_user_ssh_key and app_deploy_user_ssh_from
* Updated push-mw-config.yml and push-mw-whitelist.yml playbooks to use the stepup-deploy user
* Added scripts/push-config.sh script
Install:
* Run the app role from the site.yml playbook
* Deploy component
- Middleware 1.4.0
Note: Do redeploy even if 1.4.0 is already installed, because of updates in the Stepup-Middleware that update the middleware
configuration scripts
Release 4
* Moved the PHP session dir from /var/lib/php/session/ to /var/lib/stepup/session/. The contents of the old directory can be removed
* Tighten PHP session configuration in php.ini. Use /dev/urandom for entropy, set session.cookie_secure = session.cookie_httponly = session.hash_function = 1;
* Added app_session_expiry_time and (currently unused) app_session_max_duration group_vars
* Set session.cookie_domain and session.cookie_(gc_max)lifetime in fpm.ini
* Added stepup_enabled_factors group_var to control which 2nd factors are enabled
* A database schema for u2f was added. Added database_u2f_(name|user|password) group_vars
* Added /root/01-gateway-db_migrate.sh script
* Added a /etc/cron.d/curator job on the manage node that runs "curator" to delete old logstash indexes. The manage_keep_logs_days group_var configures how many days of logs to keep
* Added stepup_enabled_factors group_var to control which 2nd factors are enabled in SS, RA and GW
* Update scripts from https://github.com/pmeulen/ansible-tools
* A deploy user for the gateway component was added with corresponding database_gateway_deploy_(user|password)
Install:
* Run site.yml playbook on all hosts
* Deploy components:
- Middleware 1.4.0
- Gateway 1.3.3
- SelfService 1.3.1
- RA 1.3.1
- Tiqr 1.1.0
- oath-service-php 1.0.1
* Run DB migrations
- /root/01-middleware-db_migrate.sh
- /root/01-gateway-db_migrate.sh