
SAML - SSO

Integrate your existing Single-Sign-On (SSO) solution using the SAML protocol and provide your users with a convenient way to log in.

2.4.0 (June 5, 2026)

  • Enh: Require core 1.19 (UserSource refactor).
  • Enh: Opt-in SamlUserSource — when enabled in the SAML settings, new SAML users are owned by a dedicated saml source, IdP-mapped attributes get locked in the profile, and approval bypass is now controlled by an explicit checkbox.
  • Breaking: Removed the implicit ApprovalBypass and SyncAttributes markers from the SAML AuthClient (deprecated in core 1.16/1.19). When the new SamlUserSource is not enabled, new SAML users now follow the global Require approval before login setting like any other auth client — to keep the old "SAML always bypasses approval" behaviour, enable the new User Source option and leave its bypass-approval checkbox on.
  • Fix: SAML AuthClient now extends yii\authclient\BaseClient directly and implements SerializableAuthClient — the previous humhub\modules\user\authclient\BaseClient was removed by core 1.19 along with its built-in beforeSerialize() hook.
  • Enh: Migrated to core's new CustomAuth interface (replacing the deprecated StandaloneAuthClient marker). The legacy authAction($authAction) method was renamed to handleAuthRequest(): ?Response — return a Response to redirect (SP → IdP) or null to hand control back to AuthAction::authSuccess(). Behavior unchanged for end users.
  • Enh: Single Logout now uses the new SingleLogout interface — SAML::logout() was renamed to singleLogout(): ?Response and is dispatched by core's AuthController::actionLogout() directly. The previous EVENT_BEFORE_ACTION interception was removed.
  • Enh: Auto-detect standard SAML claims for id / email / username / firstname / lastname from a curated list of well-known attribute names (LDAP OIDs, ADFS/SOAP schemas, Azure AD claims, raw shortnames). Fresh installs no longer get a pre-filled URN-only default mapping; admins only configure overrides or custom profile fields. Existing admin-configured mappings continue to win.
  • Sec: Update onelogin/php-saml to 4.3.2 (xmlseclibs to 3.1.5) — fixes CVE-2026-32313.
  • Sec: SAML signatures now default to SHA-256 (rsa-sha256 signature algorithm, sha256 digest algorithm). SHA-1 is deprecated and rejected by an increasing number of IdPs.
  • Sec: New setting Require signed assertions (default on) — HumHub now rejects unsigned SAML assertions by default. Existing installs whose IdP doesn't sign assertions need to either configure their IdP to sign (recommended) or disable the setting under Security in the SAML settings.
  • Enh: NameID format is now configurable from the admin form (dropdown). Previously hardcoded to Unspecified; pick Email address, Persistent, Transient, etc. when the IdP rejects the request or expects a specific format.
  • Enh: New settings Sign LogoutRequest and Sign LogoutResponse (both default off) — sign outgoing SLO messages with the SP private key when the IdP rejects unsigned logout messages (common with Microsoft ADFS). Requires a configured SP certificate and private key under SP settings. Outgoing LogoutRequest is still sent via HTTP-Redirect — the bundled OneLogin library doesn't support HTTP-POST for this direction.
  • Enh: New setting Sign AuthnRequest (default off) — sign the SP-initiated login request with the SP private key. Some enterprise IdPs reject unsigned AuthnRequests. Requires SP certificate and private key.
  • Enh: New settings Require encrypted NameID and Require encrypted Assertion (both default off) — refuse to process responses unless the IdP encrypts the NameID / full Assertion with the SP public certificate. Requires SP certificate and private key.
  • Enh: New setting Required authentication method (requestedAuthnContext, default None — IdP decides) — ask the IdP to enforce a specific authentication strength (Password, Multi-Factor, Smartcard/PKI, Kerberos, X.509, TOTP). Useful to require MFA at the IdP for HumHub logins.
  • Enh: New Import IdP metadata button at the top of the SAML settings form — paste the IdP's metadata XML to auto-fill Entity ID, SingleSignOn/SingleLogout URLs, IdP signing certificate and NameID format. Imported values are pre-filled into the form for review and only persisted after explicit Save. Closes humhub/saml-sso-issues#6.
  • Enh: New Managed profile fields setting (visible only when SAML manages user profiles is enabled) — explicit list of HumHub profile fields the SAML IdP is expected to deliver. Defaults to email, username, firstname, lastname. Remove a field if your IdP doesn't deliver it so the user can still edit it manually. Auto-approve new SAML users now also only appears when the User Source is enabled (the setting had no effect otherwise).
  • Fix: Add 'saml' to LDAP's allowedAuthClientIds on upgrade when SAML force-auth is enabled, preserving the legacy LDAP+SAML combo under the core 1.19 UserSource allow-list (would otherwise lock LDAP users out).
  • Fix: Single Logout — local HumHub session is now reliably terminated even when the IdP's LogoutResponse never reaches HumHub (e.g. Authentik Logout Method: Front-Channel (IFrame) and similar setups where the response leg is delivered via cross-site iframe and the SP session cookie is blocked by SameSite=Lax). The SP-initiated logout flow now builds the SAML LogoutRequest URL via $stay=true, clears the local Yii identity before redirecting to the IdP, and the /saml-sso/logout callback resolves the auth client from the authclient query parameter instead of User::getCurrentAuthClient(). Also fixes a latent bug where samlLogoutRequestID was captured before Auth::logout() had built the LogoutRequest (resulting in null being stored and InResponseTo validation being silently skipped on the response leg). Requires core 1.19.
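
For the SHA-256 default and the Require signed assertions entry above, the following added example (not part of the module or of HumHub) reports whether each assertion in a decoded SAML response captured from your own IdP login carries its own signature and whether SHA-1 is still in use. The function names and the sample XML are assumptions made for this illustration; the check is structural and verifies no signature.

```python
import xml.etree.ElementTree as ET  # for XML you do not control, parse with defusedxml
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample (no real signature values): _a1 is signed with rsa-sha1, _a2 is unsigned.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
 <saml:Assertion ID="_a1">
  <ds:Signature><ds:SignedInfo>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
   <ds:Reference URI="#_a1">
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
   </ds:Reference>
  </ds:SignedInfo></ds:Signature>
 </saml:Assertion>
 <saml:Assertion ID="_a2"/>
</samlp:Response>"""

def _sig(el):
    """Describe the ds:Signature that is a direct child of el; None if there is none."""
    sig = el.find("ds:Signature", NS)
    if sig is None:
        return None
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    sm = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    dm = sig.find("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
    return {"signature_alg": sm.get("Algorithm", "") if sm is not None else "",
            "digest_alg": dm.get("Algorithm", "") if dm is not None else "",
            "covers_parent": ref is not None and ref.get("URI") == "#" + el.get("ID", "")}

def audit_response(xml_text):
    """Structural audit only: lists what the IdP sent, verifies no signature."""
    root, findings = ET.fromstring(xml_text), []
    if root.find("saml:EncryptedAssertion", NS) is not None:
        findings.append("encrypted assertion present: audit the decrypted form")
    for a in root.findall("saml:Assertion", NS):
        aid, info = a.get("ID"), _sig(a)
        if info is None:
            findings.append(f"{aid}: assertion is unsigned")
            continue
        if not info["covers_parent"]:
            findings.append(f"{aid}: signature Reference does not point at the assertion")
        for key in ("signature_alg", "digest_alg"):
            if info[key].endswith("sha1"):
                findings.append(f"{aid}: {key} uses SHA-1")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_response(SAMPLE)))
```

An empty result means every assertion in the sample is signed directly, the signature references that assertion, and neither algorithm is SHA-1.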

2.3.8 (Unreleased)

  • Enh: Remove deprecations

2.3.7 (February 23, 2026)

  • Enh: Use getLastErrorReason() instead of getLastErrorException() for error logging
  • Enh: Set log level to info for logging available attributes.

2.3.6 (February 16, 2026)

  • Fix: Always use configured Base URL

2.3.5 (December 12, 2025)

  • Fix #12: Fix infinite redirection when the SAML authentication method is disabled
  • Enh: Updated dependencies

2.3.4 (October 6, 2025)

  • Fix: Missing dependencies

2.3.0 (August 28, 2025)

  • Enh #11: Migration to Bootstrap 5 for HumHub 1.18
  • Fix: Update module resources path

2.2.1 (May 5, 2025)

  • Enh: Updated Keycloak documentation

2.2.0 (January 29, 2025)

  • Enh: Improved URL detection with reverse proxy
  • Enh: Updated SAML library to 4.2.0
  • Enh #9: Use PHP CS Fixer

2.1.1 (May 21, 2024)

  • Fix: Registration Error on Serialize

2.1.0 (January 19, 2024)

  • Enh: Changed the 'AuthClientHelpers' method, deprecated since v1.14
  • Fix: Not all SyncAttributes applied to user on login

2.0.4 (March 2, 2023)

  • Enh: Perform automatic login also based on 'username'

2.0.3 (December 2, 2021)

  • Enh: Allow Metadata Download with uninitialized config

2.0.2 (September 1, 2021)

  • Fix: Flush Caches after Migration

2.0.1 (September 1, 2021)

  • Fix: Logout POST Support for HumHub 1.9.1

2.0.0 (July 30, 2021)

  • Enh: Added support for advancedSettings in module configuration
  • Enh: Updated translations
  • Enh: Better visibility of the Metadata Download button
  • Enh: Grouping of the setting options
  • Enh: New SP Entity ID format for better ADFS compatibility (+Legacy Handling)
  • Fix: No AuthContext will be sent in the AuthNRequest by default

1.1.2 (January 25, 2021)

  • Fix: Improved handling of empty attribute value arrays
  • Enh: Updated translations

1.1.1 (May 20, 2020)

  • Fix: Problem with console usage

1.1.0 (May 19, 2020)

  • Enh: Added "Information" section to SAML configuration

1.0.0 (January 7, 2020)

  • Enh: Initial commit of first beta version

Module Information

Latest version release: 2.4.0 - June 5, 2026
Compatibility: HumHub 1.4 - 1.19