OIOSAML for Java release 2.0.3 has been made available. This release
contains the following changes:

- Fixed an NPE when using a custom Logger implementation
- Added support for eID during metadata generation - the
  configuration wizard supports generating eID gateway compatible SAML metadata
- Fixed an NPE in the configuration wizard that shadowed a
  wrong-password error message on the uploaded keystore
- Fixed a special case where the SHA-256 signature configuration
  would be overwritten by a third-party library (see more below)

This version is especially important for users who use OIOSAML
together with older versions of the CXF webservice framework, and who
wish to use rsa-sha256 as the signature algorithm.

The CXF framework (up to at least the 3.0.x release branch) will
perform a reset of the OpenSAML framework's configuration when the
first webservice call is performed. This reset will configure OpenSAML
to use rsa-sha1 as the signature algorithm, and as OIOSAML relies on
OpenSAML's configuration for certain signatures, this can potentially
cause OIOSAML to revert to rsa-sha1 instead of rsa-sha256.

Note that this issue only happens when all of the following are true:

- OIOSAML is used together with CXF version 3.0.x or earlier
- OIOSAML is configured to use rsa-sha256 as the signature algorithm
- No webservice calls are made, using CXF, until AFTER the first
  user has logged in using OIOSAML

In this specific case, OIOSAML will use rsa-sha1 (instead of the
configured rsa-sha256) AFTER the first CXF webservice call.

This version fixes this issue by ensuring that rsa-sha256 is used,
even if CXF performs a reset of the OpenSAML configuration.
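
A check for the downgrade described above, added here as an example (it is not part of the OIOSAML release or its code): it reads the signature algorithm out of captured SAML messages, either an HTTP-Redirect URL (SigAlg parameter) or signed XML (ds:SignatureMethod), and reports any message not signed with rsa-sha256. The sample messages, the host name and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
RSA_SHA1 = DS_NS + "rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def signature_algorithms(captured):
    """Return the signature algorithm URIs found in one captured message."""
    text = captured.strip()
    if text.startswith("<"):
        # Signed XML (POST/SOAP binding): every ds:SignatureMethod counts.
        # Only feed this messages captured from your own service; use a
        # hardened parser for XML from untrusted sources.
        root = ET.fromstring(text)
        tag = "{%s}SignatureMethod" % DS_NS
        return [el.get("Algorithm") for el in root.iter(tag)]
    # HTTP-Redirect binding: the algorithm is the SigAlg query parameter.
    return parse_qs(urlsplit(text).query).get("SigAlg", [])


def audit(messages, expected=RSA_SHA256):
    """Return (index, algorithm) per deviation; algorithm None = unsigned."""
    findings = []
    for i, msg in enumerate(messages):
        algs = signature_algorithms(msg)
        if not algs:
            findings.append((i, None))
        findings.extend((i, a) for a in algs if a != expected)
    return findings


# Constructed samples: a login before the first CXF call, then two messages
# sent after it (placeholder payloads, hypothetical host).
_URL = "https://idp.example.org/sso?SAMLRequest=constructed&SigAlg=%s&Signature=x"
_XML = ('<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
        ' xmlns:ds="%s"><ds:Signature><ds:SignedInfo>'
        '<ds:SignatureMethod Algorithm="%s"/>'
        '</ds:SignedInfo></ds:Signature></samlp:LogoutRequest>')
SAMPLES = [
    _URL % "http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256",
    _URL % "http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1",
    _XML % (DS_NS, RSA_SHA1),
]

if __name__ == "__main__":
    for index, alg in audit(SAMPLES):
        print("message %d signed with %s" % (index, alg))
```

Because the downgrade only appears after the first CXF webservice call, capture messages from a long-running instance rather than only from a fresh start.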

Code repository

The code is still available through Softwarebørsen SVN, and can be
located here:
https://svn.softwareborsen.dk/oiosaml.java/oiosaml2/

Maven repository

The binary artifacts are distributed as Maven dependencies, and can
be located here:
https://mvnrepository.com/artifact/dk.digst/oiosaml2.java