

About the used number-syntax below:


  • Correctly provision some specific changes (email lists, authenticators) to COpersons to the SAML database [Zoneprovisioner]
  • Correctly provision and deprovision a COperson when status is changed to/from active [Zoneprovisioner]
  • Use the service_label instead of the entitlement_uri or service_url to register entityid or OIDC client id for Services [Zoneprovisioner]
  • Fix for error "The specified Source Key is already linked to an existing Org Identity" when enrolling to a CO for the second time [SAMLsource]
  • Don't verify email addresses that are already verified during enrollment [COmanage] (CO-1647)
  • Fix to allow users to verify their own email address [COmanage] (CO-1648)
  • Redirect to email view instead of logout after email confirmation [COmanage] (CO-1649)
  • If an email address is already verified, propagate the "verified" flag to other instances of this email address for the same user [COmanage] (#159918356, CO-1651)
  • Allowing empty selection field, plus fixes in validation (related to issue #160127692: allow empty default for Affiliation selection during enrollment) (CO-1655)
  • Fix approval messages during enrollment [COmanage] (issue #159918321)

  • Fix an issue in which an add button for email addresses is shown even if no self-service permissions are set to allow any type of email address to be added [COmanage] (CO-1650)


  • VOperson attributes are available in the main LDAP
  • Fix LDAP authorizations
  • Allow LDAP synchronization for LDAP client database


  • SAML metadata is automatically reloaded
  • Simplify generation of platform metadata
  • Work around a bug in the pysaml library, which would cause logins from Shibboleth-IdPs to fail. As a result, SAML SPs will temporarily receive their SAML attributes in "friendly name" format (e.g. givenName), in addition to the "oid" format (e.g., urn:oid: and the "urn:mace" format (e.g., urn:mace:dir:attribute-def:givenName).
  • SAML SPs get two new attributes to relay information about the authenticating IdP: idpName and idpCountry


  • Added Microsoft LiveID as a guest IdP
  • Added Orcid as guest IdP
  • Add support for delegated authentication from a browser to a non-web client (see PAM Module)
  • Allow access from all eduGAIN IdPs


  • Easier management of OIDC clients
  • When developing, deploying to Docker is now recommended over full VMs