Official Releases

The following information is also available on GitHub Releases.

Bug Fix

  • Re-release without +dirty version annotation.

Artifacts

                                                          sha256  file
d1989a9ab588928ffb3d7721a5711ce99e83ab98d6e2b5c5dab114f102dee3ba  ssoca-client-0.19.2-darwin-amd64
ee6ee19b2aadc00b69b2db13f66555ebd33de7d3bced23ab97b42679732a9caf  ssoca-client-0.19.2-linux-amd64
035ad5b64cbfff175c95e51383618b23b4f455c5a5d8e14581ae6d8c8ec5022f  ssoca-client-0.19.2-windows-amd64.exe
4c7aa8ea3f1973f86e219d35e4e7399d0c1de9d51c77aaa69f58d70a56f442b0  ssoca-server-0.19.2-darwin-amd64
d45685e014e7c17a77fb8e59c63bcf1a04a88e311db5f565f80122ba384f34c6  ssoca-server-0.19.2-linux-amd64
69502342a076e00b501ca6caf17f838df5bf29f94fe050756a9563bc0f49e96e  ssoca-server-0.19.2-windows-amd64.exe

Internal

  • Update to go/1.14.5.
  • Update go module dependencies.

Internal

  • Web server now includes the server version in the server response header.

Development

  • Switch to Go modules.
  • Update numerous dependencies.
  • Update to go/1.13.6.

Enhancements

  • Automatically restart OpenVPN client when static certificates fail (#16).
  • Improve logging of static certificate fallback and handling of the deprecated CLI flag.

Development

  • Update to go/1.13.3.

Enhancements

  • Add internal workaround of errors when executing openvpn with recent versions of openssl (avoids need for using --static-certificates; #13).

Development

  • Configure default HTTP timeouts for clients.
  • Update to go/1.13.1.

Enhancements

  • Rename the download service to file service to clarify it as a resource rather than an action (download currently remains as an alias).
  • Support using simple globs in file names with file get.
  • Add file exec command to temporarily download and then execute a file.
  • Improve interactive browser login prompts for Linux and Windows.
  • Require all server services to have at least one access requirement defined in order to avoid accidental, public services.
  • Support multiple authentication providers within a single environment.
  • Updated server configuration file format (auth services should now be configured in the services section).
  • Client auth login operations will now timeout with an error after no activity (default 15 minutes).

Bug Fixes

  • Fix case where invalid OpenVPN static configuration files were generated after the user was automatically reauthenticated.

Development

  • Significant refactoring of authentication providers and endpoints. The changes should be compatible with both old/new and new/old client/server configurations.
  • Switch errors and log messages to consistently use lower case.
  • Update to go/1.12.9.

Features

  • Add /usr/sbin to fallback search path for openvpn (#11).
  • Use password authentication for openvpn management interface (#14).
  • Improve openvpn reconnection behavior to request a new certificate upon rapid connection failures.

Development

Bug Fixes

  • Build binaries with CGO_ENABLED=0 for improved compatibility.

Development

  • Update to go/1.11.5

Features

  • Log additional request data for environments running behind proxies (#6). To enable detection of proxied client IPs, you must explicitly configure your proxy server IPs or CIDRs with the server.trusted_proxies list.
  • When executing openvpn, add /usr/local/sbin to the list of fallback paths to search (#9).
  • Improve the get command of downloads to support sending the file to STDOUT after a successful download.
  • Improve CLI options handling of the --service flag so it can be passed next to the service rather than its subcommand.
  • Improve the documentation site and switch to hugo.
  • Configurable robots.txt setting via server.robotstxt (defaults to disallowing all crawlers).
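
Why proxy addresses have to be listed explicitly before a forwarded client IP can be logged, as an added example (not ssoca's own code): X-Forwarded-For is honored only when the TCP peer is a listed proxy, and is then read right to left. The function names, the choice of header and the sample addresses are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// trusted reports whether ip equals a listed proxy IP or falls inside a listed CIDR.
func trusted(ip net.IP, proxies []string) bool {
	for _, p := range proxies {
		if _, n, err := net.ParseCIDR(p); err == nil && n.Contains(ip) {
			return true
		}
		if single := net.ParseIP(p); single != nil && single.Equal(ip) {
			return true
		}
	}
	return false
}

// clientIP returns the address to log for r. The header is read only when the
// TCP peer is a trusted proxy, right to left, up to the first untrusted hop.
func clientIP(r *http.Request, proxies []string) string {
	peer, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		peer = r.RemoteAddr
	}
	if ip := net.ParseIP(peer); ip == nil || !trusted(ip, proxies) {
		return peer // direct client: the header is client-controlled, ignore it
	}
	hops := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			break // empty or malformed entry: fall back to the peer address
		}
		if !trusted(ip, proxies) {
			return ip.String()
		}
	}
	return peer
}

func main() { // constructed sample: a proxy at 10.1.2.3 forwards a request
	r := &http.Request{RemoteAddr: "10.1.2.3:443", Header: http.Header{"X-Forwarded-For": {"198.51.100.99, 198.51.100.1"}}}
	fmt.Println(clientIP(r, []string{"10.0.0.0/8"}))
}
```

With an empty proxy list the header is never consulted, so a client connecting directly cannot choose the address that ends up in the log.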

Bug Fixes

  • Fix sudo passwords being ignored after authentication interrupts a service command (#8).
  • When executing Tunnelblick’s openvpn executable on macOS, avoid using older, unsupported versions.

Development

Features

  • Support overriding which UAA client prompts are required to authenticate

Bug Fixes

  • Fix UAA client used for authentication to be configurable
  • Fix templating of Critical Options for SSH

Features

  • Support creating launchd services for OpenVPN services
  • Support creating ONC profiles for OpenVPN services
  • Support configuring auth callback bind addresses with auth.bind environment option
  • Add Contains and Matches helpers for checking groups in templatized configuration values

Bug Fixes

  • Restore UAA authentication support

Development

  • Update to go1.11

Features

  • Support running the server behind SSL-terminating proxy servers.

Features

  • Add env rename command to change the name of an environment
  • Build linux binaries using glibc instead of musl

Bug Fixes

  • Add sanity check in openvpn Tunnelblick profile generation to possibly avoid empty files

Development

  • Switch to go/1.10

Features

  • Automatically validate the connection and CA certificate to an environment when configuring it, and show confirmation to the user
  • Automatically prefix environment URLs with https:// if it is not already specified for slightly shorter commands
  • Show slightly more descriptive HTTP error messages when requests fail (e.g. show 403 Forbidden instead of 403)
  • Rename env add to env set to clarify it can be used for updating settings as well (env add currently remains as an alias)
  • Rename env info to env services, and add env info for showing the environment name, URL, and banner
  • Improved auth info behaviors:
    • Additional options to show only specific pieces of data (i.e. --authenticated, --id, and --groups)
    • Now exit with an error if the user is not authenticated
  • Improved openvpn create-tunnelblick-profile --install behaviors:
    • Create and secure Tunnelblick directories, if necessary, to avoid Tunnelblick needing to be installed/run beforehand
    • Preset connection profile options to: ensure automatic reconnect on certificate expiration; and avoid automatic IP change detection and prompts
    • Require Tunnelblick to not be running during install to ensure settings are applied and avoid confusion about new profiles not immediately appearing
  • Show new, updated client version confirmation after using env update-client

Bug Fixes

  • Fix or authorization filter to error with specific error type (avoids generic 500 internal server errors and enables automatic re-login attempts)

Features

  • show a warning message on authentication result pages if an outdated client is detected
  • easier installation of Tunnelblick profiles with the --install option

Bug Fixes

  • Tunnelblick profiles use the correct user home directory (caused errors when user did not match home path)
  • Tunnelblick re-authentication prompts should not become detached from desktop interactions (caused hanging processes)

Development

  • switch to vendoring with dep
  • update some vendored dependencies
  • refactor ssh client for easier imports

Features

  • redirect authentication requests to canonical hostname
  • set authentication cookies with domain, path, and secure attributes
  • improve error messages when temporary authentication cookies are incorrect
  • avoid caching API responses in browser UI

Features

  • client can now upgrade itself from remote servers running 0.7.0+ (ssoca-client env update-client)
  • cleanup default browser UI for better download/configuration/usage instructions
  • embed version information in client (ssoca-client version)
  • the server certauth setting for services is now optional, defaulting to certauth named default
  • add Shimo and Viscosity to list of OS X paths used for finding an openvpn binary
  • rename ssoca-client openvpn connect to ssoca-client openvpn exec (connect remains as an alias for now)
  • Tunnelblick profiles are now named after environment (rather than generic openvpn, by default)
  • restart openvpn connections if there are frequent, repeated authentications via management service (for cases where server has rotated credentials)
  • client version is now reported in API requests for easier investigations from server logs

Fixes

  • server API now returns correct Content-Type header for JSON
  • custom auth success/failure pages now work correctly
  • improved authentication vs authorization error handling - now using HTTP 401 Unauthorized when auth tokens are invalid (previously 403 Forbidden was used; this may break automatic reauthentication attempts in older clients)

Development

  • automate builds of binaries and publishing of releases
  • continue improving test coverage