Single sign on solution for

Changelog

Version 7.2.0 beta

  • added Dynamic Groups – configuration, management + new Windows client
  • added Server status to bottom left corner of web interface
  • other minor fixes and improvements

Version 7.1.0

  • fixed SHIFT key issue on Windows 10 lockscreen
  • fixed problem with HW token drivers when using fast user switching (driver held by first KeyShield client that opened it and was not being released)
  • fixed default client configuration values for lockscreen options (manual login/user switching) – no buttons were displayed when using local configuration file
  • other minor fixes

Version 7.1.0 beta 2

  • fixed NTLM authentication domain comparison – fixing ‘Access denied (authentication not allowed for domain…’ error
  • fixed client configuration download when ‘Override client config’ is enabled and no ‘Custom username label’ is provided
  • fixed Windows client lock on start (lock delay is no longer applied)
  • fixed Windows client inactivity timeout when using local client configuration
  • fixed Windows client lockscreen when using local client configuration
  • fixed missing search in progress icon during user lookup in token manager
  • improved AD setup script – added output to txt file

Version 7.1.0 beta

  • new Windows client with fixes and improved locking (logout delay)
  • reorganized Client Configuration – locking options, added logout delay – client is not disconnected immediately after lock
  • added ability to force immediate logout using SHIFT+card on reader shortcut
  • when Override client config is enabled – kshield.cfg available in Downloads section will contain all options configured on server (and use them before the server connection is established)
  • fixed dev_pcprox/dev_authentec Estellar code computation differences

Version 7.0.3

  • fixed SAML incompatibility with Office 365

Version 7.0.2

  • better Linux installer message explaining LSB and Java requirements
  • improved RADIUS user group configuration (sorting + group count limit), only listed groups are now sent, previously all LDAP groups were sent when no group was listed
  • fixed private key export form title and labels, improved help
  • SAML request RelayState parameter is now optional
  • fixed Kerberos keytab download
  • fixed diagnostic logging mode configuration from Current log page
  • other minor fixes

Version 7.0

  • added more Help texts in Configuration and Certificate management
  • fixed form validation issues in Certificate management
  • updated JVM to 1.8_122 – fixed issue with cryptographic algorithm aliases in JVM during private key export (Java 8 is now required to run KeyShield SSO)
  • other minor fixes

Version 7.0 RC

  • added restart option after modifying in-use certificate
  • updated Windows client – modified behavior when lock/disconnect delay was active and card of another user was presented
  • fixed UI problem with some configuration forms
  • other minor server bugfixes (e.g. audit not working before web admin password was configured)

Version 7.0 beta

  • added certificate management (KeyShield CA)
  • added SIEM/SYSLOG logging of diagnostic and audit log
  • added Lock/Logout delay
  • updated Windows client
  • minor bugfixes

Version 6.5

  • improved filter in user list (roles, yellow message)
  • simplified Kerio JWT configuration
  • updated Mac client – signed with added links, change password, etc. in menu
  • minor bugfixes

Version 6.3.3 beta 3

  • improved Windows Client installer – ability to configure server connection and authentication method, better unattended installation (configuration parameters)
  • added option to perform OES Client Login after successful manual authentication
  • added option to map home directory from Windows Server (AD) after successful manual authentication
  • added unattended Windows Client installation instructions to Downloads
  • improved Kerberos login and authentication method user resolution – both Kerberos password verification and authentication
  • fixed SAML/JWT/NTFY/Redirect URLs in Configuration when interface was configured for 0.0.0.0 wildcard address
  • fixed issue with Windows client displaying HWTOKEN id instead of username

Version 6.3.3 beta 2

  • improved Kerberos login and authentication method user resolution – both Kerberos password verification and authentication method now use implicit UPN and not CN
  • improved Kerberos setup documentation
  • improved Mac OS X client realm and authentication user resolution (realm lookup is now case insensitive)
  • added Mac OS X client kerberos localization strings

Version 6.3.3 beta

  • added Kerberos authentication method to connector configuration
  • added Kerberos authentication in Mac OS X client
  • added Kerberos authentication in Windows Client (only when Active Directory authentication is configured, with Kerberos auth enabled on server)
  • added ability to login as different user when eDirectory, Active Directory or Kerberos authentication is used on Windows/Mac OS X (controlled by Manual authentication switch in client configuration)
  • added OS column in user list (for Windows and MacOS clients, that send OS info to KeyShield SSO)
  • improved MacOS X client – show display name in status window
  • fixed user switching in Mac OS X and Windows client

Version 6.3.2

  • added online HW token driver library documentation (link in client configuration)
  • added basic option to all HW token drivers
  • fixed cosmetic issues with eDirectory schema extensions (schema error messages were not being cleared)
  • changed licensing to allow separate licensing of RADIUS/SAML/JWT/NTFY/redirect features
  • uploading a new license will now restart KeyShield SSO server
  • other minor fixes

Version 6.3.2 beta

  • added JWT token SSO/authentication support
  • improved eDirectory configuration – added schema extensions for HW tokens and ACLs for fullName/displayName, added better message with explanation of configuration steps
  • reworked client Lockscreen – added option to unlock with password when using eDir/AD authentication method
  • added display name support to client status/lockscreen and user lists in KeyShield SSO web console
  • changed meaning of API Authorization required – API keys are now not required at all when this is set to false
  • improved connector validation message with HW token authentication enabled and no HW token attribute is specified
  • added OKsmart 3.0 card support (dev_oksmart3)
  • changed dev_scard to accept card UIDs of 4 chars or more

Version 6.3.1

  • fixed problem with JCE policy being overwritten during update of private JRE
  • added JCE policy missing warning at the end of installation script
  • improved Apply/Revert message to indicate multiple pending configuration changes are possible
  • updated KeyShield SSO client – fixed 2FA icon problem with basic cards when hold time was 0

Version 6.3

  • added links to API certificate download and for API testing
  • new client with added icon indicating two-factor authentication when card/token is present
  • improved Apply/Revert message to indicate multiple pending configuration changes are possible
  • added ability to browse user groups in messaging and LDAP viewer
  • minor fixes

Version 6.3 beta

  • fixed LDAP connection pooling issue with Active Directory randomly closing old connections – all connections older than 5 minutes are now closed and are not cached in the pool
  • fixed RADIUS client excess retries when target Radius Accounting server is unresponsive (added throttling delay)

Version 6.3 preview2

  • added Active Directory configuration, added detailed guide and PowerShell setup script
  • added ability to browse user in user role management and messaging
  • improved Apply/Revert message to indicate multiple pending configuration changes are possible
  • added memory usage statistics to Statistics page
  • LDAP user list in Viewer and Token management now displays username configured for corresponding LDAP connector
  • Token management now displays Full Name/Display Name in token assignment window in addition to username
  • RADIUS Accounting – redesigned client and server
  • RADIUS Accounting – improved performance, logging and reliability
  • RADIUS Accounting – improved compliance with RADIUS Accounting RFC

Version 6.3 preview

  • reworked web interface configuration
  • improved RADIUS Accounting packet structure checking and diagnostic messages in DETAILED log
  • added HTTP Redirect configuration
  • new client API doesn’t request certificate over http, but uses client interface connection to get it

Version 6.2.1

  • fixed user management user DN matching to be case insensitive
  • fixed ‘values should be unique’ error when creating new connector with HW token authentication not enabled
  • fixed upgrade from very old KeyShield SSO versions (4.x)
  • updated Windows client – added Slovak translations

Version 6.2

  • minor bugfixes

Version 6.2 (beta)

  • added token management interface for simple token assignment
  • split token id assignments to permanent and temporary (two LDAP attributes)
  • reworked LDAP browser and lookup (multiple tree search)
  • improved user configuration in config -> General
  • added links to administration, messaging and token management to client menu (new client)
  • added clientInfo into user info response (client version, OS version and workstation name)
  • fixed SAML attribute value escaping – caused problems with some SPs with complicated assertion consumer URL (e.g. SugarCRM)
  • fixed logging issue with some API call parameters

Version 6.1

  • corrections in the Swedish localization

Version 6.1 (beta7)

  • added user yellow messaging support (go to /user/message.page or / URI authenticated using KeyShield SSO client)
  • added localization support (moved messages.properties to resources subdirectory, added resources/custom subdirectory for user supplied messages)
  • added localization messages for SAML login page and user Yellow Message page
  • added missing client localization strings

Version 6.1 (beta6)

  • added Display Name and Description to various configuration sections
  • improved SAML handling of multivalue user id attributes
  • improved SAML error handling and logging
  • improved SAML Login page

Version 6.1 (beta5)

  • added hold time parameter for basic card reader (authentec)
  • added option to disable custom SAML templates with explanation in Help
  • fixed RADIUS server problems with reading user attributes
  • fixed several client token problems
  • improved client API (state change detection)
  • improved configuration dialogs (timeouts, RADIUS shared secret field)

Version 6.1 (beta4)

  • improved startup logging when API or client connection log level is enabled
  • added sendClientMessage API (API key required)

Version 6.1 (beta3)

  • updated Windows and Mac client
  • added Swedish language localization to Mac Client
  • hardware token (RFID) fixes
  • added buttons to allow configuration section copying
  • added user lookup shortcut to connector configuration to allow user lookup testing
  • improved user lookup page in LDAP Viewer
  • improved JCE warning message, added link to Oracle download page
  • various bugfixes

Version 6.1 (beta2)

  • added Swedish language localization to Windows Client
  • added client configuration parameter examples to kshield.cfg downloaded from server
  • added hwTokenPresent to role attribute of user authentication certificate
  • configuration UI improvements

Version 6.1 (beta)

  • added support for two-factor authentication using hardware tokens (RFID cards)
  • added support for pcProx and Authentec RFID card readers
  • added per connector Client Configuration
  • added support for Client locking on MS Windows – with support for RFID token locking/unlocking/authentication
  • added support for RADIUS client authentication – RADIUS Accounting SSO Server can authenticate Windows client if enabled
  • improved Active Directory support (ignoring referrals when looking for users, etc.)
  • added support for nested LDAP groups
  • new client for Windows – improved client reliability, performance (and battery consumption on Laptops)
  • added Warning when Unlimited Strength Jurisdiction Policy Files are not installed in Java runtime (must be installed manually)
  • minor bugfixes

Version 6.0.2

  • fixed KeyShield SSO iOS client connection issues

Version 6.0.1

  • fixed RADIUS Accounting Server configuration

Version 6.0

  • fixed possible logout problem when user has multiple username attribute values
  • minor UI fixes

Version 6.0 (beta 4)

  • improved KeyShield SSO Client with better GroupWise 2014 beta support on Windows XP
  • fixed problem with Network address update causing exception during startup
  • fixed IdP metadata namespace inconsistency

Version 6.0 (beta 3)

  • improved SAML support (now tested with Google Apps, Microsoft Office 365 and Salesforce)
  • fixed errors with certificate file paths in SAML/embedded LDAP, etc.
  • fixed IdP metadata download
  • fixed log viewer problem with very long log lines

Version 6.0 (beta 2)

  • improved SAML support (tested with Google and Salesforce)
  • improved configuration UI
  • added self-signed certificate generation for corresponding config sections

Version 6.0 (beta 1)

  • added Kerberos Authentication option to Manual authentication method
  • added RADIUS Server – accepting RADIUS Accounting packets with authentication information (e.g. from VPN, Firewall)
  • added attribute aliases to connector configuration to allow attribute mapping across LDAP servers from different vendors or with different schemas
  • renamed RADIUS Accounting to RADIUS Client – added option to specify username attribute (you can use attribute alias for this)
  • fixed LDAP viewer 1000 object limit

Version 5.4

  • added API certificate validity configuration option
  • added host OS version to about.page

Version 5.4 (beta 5)

  • improved connector configuration
  • don’t allow search from root of the Active Directory tree
  • fixed LDAP viewer with OpenLDAP directory server
  • minor fixes in configuration UI

Version 5.4 (beta 4)

  • extended certificate API to support GUID attribute
  • added ACL for GUID attribute on eDirectory
  • improved connector configuration – selects default user id attribute and GUID attribute according to directory server type
  • added api/userByIP/myip URI to get user info/certificate for current IP
  • added Windows client API for requesting client status and obtaining certificates for authenticated user
  • fixed LDAP viewer for certain connector configurations
  • fixed whois page when API key was configured

Version 5.4 (beta 3)

  • fixed NullPointerException when user was not authenticated and API key with connector limitation was set

Version 5.4 (beta 2)

  • added LDAP Viewer page

Version 5.4 (beta 1)

  • added address and port override to client interface configuration
  • added rememberCredentials= enabled/disabled/secure to kshield.cfg on Mac OS X (enabled = store username and storing credentials in keychain, secure = allow only keychain, disabled = don’t remember credentials)
  • changed configuration directory to .kshield in Mac OS X client

Version 5.3

  • fixed typo in eDirectory installation dialog
  • added value examples/descriptions in eDirectory installation dialog
  • added licensing note to welcome page

Version 5.3 (beta 2)

  • fixed problem with configuration.new file during upgrade from previous versions of KeyShield SSO

Version 5.3 (beta)

  • added RADIUS Accounting SSO (tested with FortiGate firewall)
  • added check to Windows Client to prevent execution without installation from msi package (to prevent usage of eDirectory and AD authentication on workstations where no KeyShield SSO was installed by Administrator)
  • added check to KeyShield SSO server to prevent eDirectory and AD authentication with older Windows KeyShield SSO client

Version 5.2 (beta 2)

  • fixed yellow message from
  • fixed IE font issue in input fields
  • list element in forms no longer allows empty values

Version 5.2 (beta 1)

  • added support for API authorization keys
  • added certificate download link for uploaded SSL keystores

Version 5.1

  • added NTLM Active Directory authentication
  • added NTLM authentication to KeyShield SSO Windows client
  • fixed connect timeout in Windows client (was not respecting configured Connect timeout value)
  • KeyShield SSO client now works in RDP session to remote workstation

Version 5.0

  • SAML Web Browser SSO Profile – authentication to Google Apps or similar SAML Service Providers
  • SAML Login for users not authenticated using KeyShield SSO client
  • multiple LDAP servers per connector (failover)
  • multiple Manual Login attributes for LDAP user object lookup (manual authentication)
  • fixed problem with incorrect LDAP attribute being used for screenName when using manual authentication
  • improved log viewer performance

Version 4.3

  • fixed ‘detailed logging not flushing log file’ problem
  • fixed embedded LDAP server database reset
  • fixed problem with embedded LDAP server user/group names containing spaces
  • fixed some spelling issues in configuration
  • fixed IE 8/9 issue with detecting password field changes in connector configuration
  • improved log viewer performance with large log files
  • fixed licensing issue

Version 4.3 beta

  • only authenticated clients now consume user license
  • added current log viewer
  • log level can be set without restarting KeyShield SSO
  • added multiple diagnostic log levels/filters: default, client communication, API calls, …
  • authentication connector can be configured to search subtree or only directly inside the search base container
  • improved connector configuration dialog
  • contextual help in configuration dialogs
  • all authentication methods now retrieve screenName from the configured user id attribute
  • improved java selection during installation (when JAVA_HOME is set)

Version 4.2

  • WSTrust is now KeyShield SSO
  • added Embedded LDAP server
  • added Embedded LDAP server user management page
  • improved keystore management (for https web interface, API and Embedded LDAP)
  • moved optional API attributes to connector definition
  • added optional API attribute validation (against LDAP schema)
  • renamed LDAP authentication method to Manual authentication method
  • improved client communication logging (added connector id + authentication method)
  • new clients for Windows, Mac OS X and Linux (renamed to KeyShield SSO client)
  • Windows client run after installation checkbox now checked by default
  • MacOS X client now uses Keychain API to optionally store login information
  • MacOS X client reconnects immediately after sleep mode wake up

Version 4.1.2 IR1

  • Fixed init script to work with systemd init daemon.
  • Improved installation script Java selection when JAVA_HOME is set.

Version 4.1.2

  • new Linux installation and init.d script (LSB compliant) tested on SuSE, CentOS, Ubuntu Server, Fedora, RedHat
  • added path to JVM bin directory to system service startup on Windows

Version 4.1.1

  • eDirectory access rights are now granted only to search base container
  • eDirectory access rights validation
  • Windows installer now doesn’t overwrite configuration.properties
  • eDirectory installation now allows to override wstrust manager DN and password

Version 4.1

  • new diagnostic information on summary screen
  • updated clients for Mac OS X, Windows, Linux, BlackBerry
  • added xml format to new API at /api/userByIP
  • improved UI

Version 4.0.1

  • updated Windows client – improved compatibility with fast user switching
  • fixed invalid configuration error ‘Missing mandatory value’ in LDAP configuration
  • updated Windows installer – improved system service startup during installation

Version 4.0

  • improved LDAP configuration – new directory service connector and interfaces definition allow much more flexible configuration and reduce LDAP configuration redundancies
  • improved configuration UI – tabbed configuration, highlighted mandatory fields, example values in fields, etc.
  • added ability to change KeyShield SSO web interface path (default is /) to e.g. allow running behind Apache proxy mod
  • improved Message sending – doesn’t fail if one or more directory services are unavailable
  • client configuration file from download section now contains only address:port for selected interface, options are sent during client authentication by default
  • updated clients for iOS, Android, Windows, Linux
  • minor bugfixes

Version 3.0.6

  • fixed authentication certificate compatibility issues with OpenSSL
  • added view password feature to all password boxes
  • client MSI installation package now doesn’t remove wstclient.cfg in target directory when no wstclient.cfg is present in the directory where MSI file is located
  • new KeyShield SSO client (2.5)
  • fixed Enter on Whois page
  • label misspelling fixes

Version 3.0.5

  • added links for iOS and BlackBerry Playbook clients
  • added authentication certificate API
  • fixed licensing problem with unlimited license
  • fixed IE8/9 server response caching issue

Version 3.0.1

  • Android client added

Version 3.0

  • redesigned user interface
  • online configuration
  • Linux client added
  • added Yellow message
  • clients support disclaimer display option
  • dynamic client configuration from the server
  • fixed AD authentication with unavailable server
  • statistics shows last 48 hours
  • server address shown in client status

Version 2.1

  • added attributes query to SSO API (e.g. ?attributes=cn,mail,x-memberOf)
  • added AD LDAP options to configuration.properties and about -> view configuration page
  • added optionalAPIAttributes parameter
  • added French client localization

Version 2.0.1

  • installation will grant only limited eDirectory ACL for wstrustmgr
  • fixed KeyShield SSO shutdown problem with invalid configuration file
  • added de_DE client localization

Version 2.0

  • merged wstrust.properties and configuration.properties into single configuration file (configuration.properties)
  • !! When upgrading from previous versions, you must overwrite existing configuration file !!
  • added about -> config web page with runtime configuration report
  • enabled SSO to KeyShield SSO web interface – space-delimited list of admin user FDNs in ssoWebAdmins
  • HTTPS support for web and API (httpsWebPort,httpsKeystorePassword = password for keys/ssl.p12 server private key and certificate keystore)
  • added webHTTPMode option for setting plaintext HTTP interface mode to disabled/API/enabled
  • replaced ldapSearchBase with separate configuration for UID and LDAP authentication (ldapAuthLDAPSearchBase and uidAuthLDAPSearchBase)
  • renamed host to webAddress
  • renamed port to webPort
  • renamed username to webUsername
  • renamed password to webPassword
  • fixed memory access error in UID authentication dialog

Version 1.9.1

  • client – don’t allow empty password for LDAP authentication
  • client – fixed missing localization for “Authenticated” popup

Version 1.9

  • added LDAP authentication – username and password dialog box on client and LDAP authentication backend on server
  • renamed manual authentication to UID authentication – renamed many configuration options, previous names still valid for backwards compatibility
  • wstrust.properties – changed ldapManualUserIdAttribute to uidAuthUserIdLDAPAttribute
  • wstrust.properties – changed enableManualAuth to enableUIDAuth
  • wstrust.properties – added ldapAuthUsernameLDAPAttribute – default value is cn and it’s used to lookup user FDN during LDAP authentication
  • wstrust.properties – added enableLDAPAuth option
  • client registry options – authentication dialog is now enabled and configured using authDialog string value (possible values: LDAP, UID, disabled)
  • changed Users page to display Authentication type column instead of Manual column
  • LDAP networkAddress attribute updating is now disabled by default (enableNetworkAddressUpdate in wstrust.properties)

Version 1.8.1

  • added manual authentication as a feature of client msi installer (msiexec /i WSTClient.msi ADDLOCAL=MANUAL)
  • disabled LDAP networkAddress update by default (enable with enableNetworkAddressUpdate=1 in wstrust.properties)

Version 1.8

  • added Stats page with connected clients/authenticated clients/SSO requests charts

Version 1.7

  • added acceptedDomains parameter to wstrust.properties
  • fixed text wrapping problem with long FDN in client status window
  • improved performance of concurrent client authentication
  • fixed startup delay caused by blocking /dev/random
  • authenticated users list is now sorted by IP address

Note: Before installing a new version, it is necessary to stop a running instance of the KeyShield SSO server (rcwstrust stop).

Version 1.6

  • added Users web page with IP network address and username filtering (substring / regex)
  • added search autocomplete history on Whois and Users web page
  • added About web page with ability to upload KeyShield SSO license
  • updated client to version 1.9.1 – fixed clientOptions updating after server restart

Version 1.5

  • added /xml/userByIP XML interface
  • fixed client Active Directory authentication not working in some cases

Version 1.4

  • minor licensing service improvements

Version 1.3

  • manual authentication is now using LDAP attribute lookup to find user and the KeyShield SSO server returns EDIRECTORY as AuthType