List of Changes for Directory Server 11 Update 5

December 18, 2023 | KB: 1014490
Directory Server 11, Laserfiche 11

Summary

Laserfiche Directory Server 11 Update 5 (11.0.2309.2278) includes the following new features:

  • Adds support for SAML single logout (SLO), including support for both Service Provider-initiated single logout and Identity Provider-initiated single logout.
  • Adds support for "Always require re-authentication" with SAML providers. When enabled, Laserfiche Directory Server sets the ForceAuthn="true" parameter in SAML requests. When ForceAuthn="true", the user is forced to re-authenticate, even if they have an existing valid session with the identity provider (IdP). Verify IdP support for ForceAuthn before enabling this option, as not all identity providers respect the parameter.
    • Note: It is generally recommended that administrators configure authentication policies within the SAML identity provider (e.g., Entra ID (formerly Azure AD), Okta, etc.) rather than within a SAML service provider (i.e., Laserfiche Directory Server) when possible. Identity provider authentication policies often provide useful conditional options, including risk-based ones.
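
One way to verify that an IdP honors ForceAuthn, as an added example (not Laserfiche code): decode a captured AuthnRequest, confirm ForceAuthn was sent, and check that the AuthnInstant in the IdP's response is not older than the request. It assumes the request was captured from the HTTP-Redirect binding and that the response assertion is unencrypted; the function names and sample messages are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
P = "urn:oasis:names:tc:SAML:2.0:protocol"

def _ts(value):
    # SAML instants are UTC xs:dateTime; drop fractional seconds and the trailing Z.
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def decode_redirect_request(saml_request):
    """URL-decoded SAMLRequest value (HTTP-Redirect binding): base64 of raw DEFLATE."""
    return ET.fromstring(zlib.decompress(base64.b64decode(saml_request), -15))

def check_force_authn(request, response, skew=timedelta(seconds=30)):
    """Return (force_authn_sent, idp_reauthenticated) for one request/response pair."""
    sent = request.get("ForceAuthn", "false") in ("true", "1")
    if response.get("InResponseTo") != request.get("ID"):
        raise ValueError("response does not answer this request")
    stmt = response.find(".//saml:AuthnStatement", NS)
    if stmt is None:
        return sent, False
    # A fresh login has an AuthnInstant no older than the request (allowing clock skew).
    fresh = _ts(stmt.get("AuthnInstant")) >= _ts(request.get("IssueInstant")) - skew
    return sent, fresh

# --- Constructed sample messages (not captured from any real deployment) ---
def _deflate_b64(xml):
    c = zlib.compressobj(wbits=-15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()

SAMPLE_REQUEST = _deflate_b64(
    f'<samlp:AuthnRequest xmlns:samlp="{P}" ID="_req1" Version="2.0" '
    'IssueInstant="2023-12-18T10:00:00Z" ForceAuthn="true"/>')

def sample_response(authn_instant):
    return ET.fromstring(
        f'<samlp:Response xmlns:samlp="{P}" xmlns:saml="{NS["saml"]}" '
        'InResponseTo="_req1"><saml:Assertion><saml:AuthnStatement '
        f'AuthnInstant="{authn_instant}"/></saml:Assertion></samlp:Response>')

if __name__ == "__main__":
    req = decode_redirect_request(SAMPLE_REQUEST)
    print(check_force_authn(req, sample_response("2023-12-18T10:00:12Z")))  # IdP re-prompted
    print(check_force_authn(req, sample_response("2023-12-18T09:00:00Z")))  # IdP reused session
```

A result of (True, False) means the request carried ForceAuthn="true" but the IdP returned an assertion from an earlier session, so the "Always require re-authentication" option would not have its intended effect with that IdP.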

Additional Changes

  • Microsoft Windows Server 2012 and Windows Server 2012 R2 are no longer supported operating systems for Laserfiche Directory Server.
  • IIS 8 (Windows Server 2012) and IIS 8.5 (Windows Server 2012 R2) are no longer supported for Laserfiche Directory Server.

Fixes

  • Disabling authentication for an Active Directory identity provider now enforces blocking Windows Authentication sign-ins when not using Directory Server authentication (i.e., Laserfiche web client and Windows client non-SSO logins). (190551)
  • The audit configuration page now validates inputs to prevent invalid configurations. (160013, 484216)
  • Enabling the "Enable Windows Authentication" option for an identity provider is now audited. (229183)
  • The list of registered instances for an application is now sorted alphabetically. (365534)
  • The "Use TLS" option is now enabled by default when registering a new Active Directory (AD) or LDAP identity provider. When "Use TLS" is enabled, Directory Server communicates with the identity provider using LDAPS (LDAP over TLS/SSL, default TCP port 636) rather than unencrypted LDAP (default TCP port 389). (391498)
  • You now receive a more descriptive error message when Directory Server is unable to renew the primary license due to an expired solution provider demo kit license. (400276)
  • There are now short descriptions under the SAML Login configuration section on the General tab of the Settings page. (404869)
  • Resolved a potential issue where the upgrade process could overwrite custom settings in the LFDS.exe.config configuration file. (424597)
  • You now receive a prompt to save your changes when navigating away from the identity provider settings page and STS site settings page. (425098, 180638)
  • When the "Allowed IFrame Hosts" configuration value is blank (the default), it now defaults to allowing URLs on the AD domain of the STS machine (e.g., example.com). Specifically, when the value is blank, LFDSSTS sends a Content-Security-Policy (CSP) HTTP header that includes "frame-ancestors *.example.com;". Previously, in Laserfiche Directory Server 11 Update 4, when the "Allowed IFrame Hosts" value was blank, Directory Server did not send a CSP header. (430154)
  • You now receive a more descriptive error message when Directory Server is unable to renew the primary license due to a change in included resources. (470236)
  • Profile images for Laserfiche users and SAML users are no longer overwritten after signing in. (472033)
  • You now receive a more descriptive error message when encountering certain unhandled exceptions. (472210)
  • The Directory Server STS sign-in page no longer becomes unresponsive if you attempt to sign in with two separate accounts in the same browser session. If the first sign-in is successful, the second attempt is ignored. (474102)

More Information

Laserfiche Directory Server Update 5 is included as part of the Laserfiche 11 installation package.

Download the Laserfiche 11 package for the latest updates.

Related Links

1014491 Release Notes for Directory Server 11 Update 5