Support for SHS (“Secure HandShake”) has been removed completely, as this feature is not supported properly with TLS 1.3 and most current web browsers. Please check the migration guide for information about how to update or replace existing login models that made use of this feature.
Removed support for the obsolete, proprietary ELCARD adapter authentication system, as ELCARD has been end-of-life for several years. As of today, any installation using it should switch to either OpenID Connect or SAML. There is no specific migration path other than that.
redirect_uri in case of an unknown or missing client_id in the authentication request, in order to prevent attacks that would redirect via the trusted OP domain to an “evil” domain. (5.19.0.4)
http.ssl.accepted.cns is set to a list of CNs in the HTTP Adapter (or http.ssl.accepted.cns in the WS Adapter), the previous behavior was to check only whether the certificate CN is part of this list. Now the check also passes if any of the SANs (Subject Alternative Names) is in the list of accepted CNs. (This reflects the fact that if http.ssl.enforce.host=true the hostname is allowed if it matches the cert CN or any of the cert SANs.) (5.19.0.0)
do.redirect and do.logout in the case where the url.absolute.allow model parameter is set to true, e.g. URL myscheme99://somehost.net/... (5.19.0.0)
crypto.base32encode and crypto.base32decode script functions. (5.19.0.0)
response.setHeader() function disabling the ‘SLSPrefs’ cookie. (5.19.0.0)
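The widened http.ssl.accepted.cns check described in the 5.19.0.0 entry above, as an added Python sketch that is not SLS code: it lists the certificates that pass only because of a SAN match, which is what to review in an existing accepted-CN list after upgrading. The function names, the sample certificates and the exact, case-sensitive comparison are assumptions.

```python
# Added example, not SLS code. Certificate dicts are constructed and shaped
# like the return value of Python's ssl.SSLSocket.getpeercert().

def cert_names(cert):
    """Return (common_names, san_values) from a getpeercert()-style dict."""
    cns = [value
           for rdn in cert.get("subject", ())
           for key, value in rdn
           if key == "commonName"]
    sans = [value for _kind, value in cert.get("subjectAltName", ())]
    return cns, sans


def accepted(cert, accepted_cns, check_sans=True):
    """check_sans=False models the previous CN-only check, check_sans=True
    the CN-or-any-SAN check. Exact string comparison is an assumption."""
    cns, sans = cert_names(cert)
    candidates = cns + (sans if check_sans else [])
    return any(name in accepted_cns for name in candidates)


def newly_accepted(certs, accepted_cns):
    """Labels of certificates that pass only because of a SAN match."""
    return [label for label, cert in certs.items()
            if accepted(cert, accepted_cns)
            and not accepted(cert, accepted_cns, check_sans=False)]


# Constructed sample data.
ACCEPTED_CNS = {"backend.example.net", "legacy-backend"}
CERTS = {
    "cn-match": {"subject": ((("commonName", "legacy-backend"),),),
                 "subjectAltName": ()},
    "san-only": {"subject": ((("organizationName", "Example"),),
                             (("commonName", "lb-node-7"),)),
                 "subjectAltName": (("DNS", "lb-node-7.example.net"),
                                    ("DNS", "backend.example.net"))},
    "no-match": {"subject": ((("commonName", "other.example.org"),),),
                 "subjectAltName": (("DNS", "other.example.org"),)},
}

if __name__ == "__main__":
    for label, cert in CERTS.items():
        print(label,
              "old:", accepted(cert, ACCEPTED_CNS, check_sans=False),
              "new:", accepted(cert, ACCEPTED_CNS))
    print("pass only via SAN:", newly_accepted(CERTS, ACCEPTED_CNS))
```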