PAS 4.7

The highlights for the 4.7 release include support for BankID RP-API v6.0, support for new Skolfedartion and multiple SAML updates.

BankID Säker Start RP-API v6.0

PAS 4.7 now have support for BankID RP-API v6.0 released mid May. This release is part of BankID “Säker Start” to improve security for BankID users by removing support of starting a BankID transaction where the user fills in their Personnummer. Services should instead use QR Code or Autostart, both already supported by PAS in earlier versions. It is strongly recommended to update to RP-API v6.0, by updating to PAS 4.7, since BankID will end support for earlier versions already May 1st 2024.

PAS 4.7 supports both new v6.0 and previous version, making it possible for the administrator to migrate to v6.0 in a controlled and secure manner. PhenixID will help with guides on best-practice for migration. Don’t hesitate to contact PhenixID for more information about BankID Säker Start and what is needed on the service.

Skolfederation

In March, Skolfederation together with Internetstiftelsen released a new version of Technical Profile for SAML WebSSO for Skolfederation. PAS 4.7 release complies with this new profile and are ready to be used for all entities connected to Skolfederation.

SAML and EFOS

Several updates for the SAML protocol has been added to fully comply with the EFOS specification. These updates are generic and will be beneficial for all SAML installations.

Improved functions

In addition, several features have received minor improvement including:

• MyApps have been updated to comply with WCAG
• Improved error handling using authenticators
• Improved debug logging for HTTP valves

Miscellaneous bug fixes

Defect fixes recommended for all users, including

• PHX-2899 Internal SAML: Entity not found
• PHX-3029 Dispatch based on query string in OIDCToSAMLBroker
• PHX-3047 FrejaEID login on same device does not take you back to the original app after auth
• PHX-3083 EFOS – SAMLResponse must be signed
• PHX-3084 EFOS – Include information on what failed to validate
• PHX-3086 EFOS – Error in SAMLAuthSigning documentation
• PHX-3087 EFOS – SAMLAuthForSigning error when not logged in
• PHX-3088 EFOS – PrincipalSelection value missing in SAMLAuthForSigning
• PHX-3089 EFOS – signMessageDigest addtribute always added – not documented
• PHX-3090 EFOS – Encrypted signMessage doesn't work
• PHX-3091 EFOS – PAS crash when Assertion is encryted and signed
• PHX-3092 EFOS – Config example for solution missing
• PHX-3094 EFOS – Requestedauthncontext missing if no dispatcher
• PHX-3095 EFOS – Multiple AuthnContextClassRef
• PHX-3096 EFOS – AssertionConsumerServiceURL fail for LOA4/HOK
• PHX-3097 EFOS – Holder-of-Key generates validation error

Read the full release notes for Authentication Services here: