<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 22:22:23 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[MODLOGSAML-134] SSO configuration fails with error &quot;not XML&quot; if IdP URL returns content-type is &quot;text/xhtml&quot; (mod-login-saml)</title>
                <link>https://folio-org.atlassian.net/browse/MODLOGSAML-134</link>
                <project id="10181" key="MODLOGSAML">mod-login-saml</project>
                    <description>&lt;p&gt;&lt;b&gt;Overview:&lt;/b&gt;&lt;br/&gt;
Validation of IdP metadata fails when an IdP&apos;s metadata URL has a content-type that does not contain the string &quot;xml&quot;. Failure to validate prevents you from saving the settings, and thus configuring SSO at all.&lt;/p&gt;

&lt;p&gt;This is currently preventing SSO configuration for Wellesley College, whose metadata has content-type &quot;text/xhtml&quot;. They are using a service called Duo for their SSO, and do not have the option of reconfiguring the content-type. &lt;/p&gt;

&lt;p&gt;For Wellesley to be able to use FOLIO SSO the validation would need to accept &quot;text/xhtml&quot;.&lt;/p&gt;

&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;This request:
https:&lt;span class=&quot;code-comment&quot;&gt;//okapi-bugfest-kiwi.folio.ebsco.com/saml/validate?type=idpurl&amp;amp;value=https%3A%2F%2Fsso-c1bd2609.sso.duosecurity.com%2Fsaml2%2Fsp%2FDIW9G5WEO32MZZF6J8VO%2Fmetadata&lt;/span&gt;&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;returns&lt;/p&gt;

&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;{
    &lt;span class=&quot;code-quote&quot;&gt;&quot;valid&quot;&lt;/span&gt;: &lt;span class=&quot;code-keyword&quot;&gt;false&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;error&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;Response content-type is not XML&quot;&lt;/span&gt;
}&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Looking closer, you can see that the content-type of &lt;a href=&quot;https://sso-c1bd2609.sso.duosecurity.com/saml2/sp/DIW9G5WEO32MZZF6J8VO/metadata&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://sso-c1bd2609.sso.duosecurity.com/saml2/sp/DIW9G5WEO32MZZF6J8VO/metadata&lt;/a&gt; is indeed &quot;text/xhtml&quot;&lt;/p&gt;

&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;curl -i https:&lt;span class=&quot;code-comment&quot;&gt;//sso-c1bd2609.sso.duosecurity.com/saml2/sp/DIW9G5WEO32MZZF6J8VO/metadata
&lt;/span&gt;HTTP/2 200
date: Tue, 15 Mar 2022 11:41:13 GMT
content-type: text/xhtml
content-length: 2559
server: Duo/1.0
etag: &lt;span class=&quot;code-quote&quot;&gt;&quot;e6323085147e62c182dfcc804accde6d0b17dbbf&quot;&lt;/span&gt;
content-disposition: inline
strict-transport-security: max-age=31536000
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-robots-tag: noindex, nofollow
content-security-policy: &lt;span class=&quot;code-keyword&quot;&gt;default&lt;/span&gt;-src &lt;span class=&quot;code-quote&quot;&gt;&apos;none&apos;&lt;/span&gt;; style-src &lt;span class=&quot;code-quote&quot;&gt;&apos;self&apos;&lt;/span&gt; https:&lt;span class=&quot;code-comment&quot;&gt;//uw1.pwl.login.duosecurity.com; script-src &lt;span class=&quot;code-quote&quot;&gt;&apos;self&apos;&lt;/span&gt; https://uw1.pwl.login.duosecurity.com; font-src &lt;span class=&quot;code-quote&quot;&gt;&apos;self&apos;&lt;/span&gt;; frame-src &lt;span class=&quot;code-quote&quot;&gt;&apos;self&apos;&lt;/span&gt;  ; frame-ancestors &lt;span class=&quot;code-quote&quot;&gt;&apos;none&apos;&lt;/span&gt;; img-src &lt;span class=&quot;code-quote&quot;&gt;&apos;self&apos;&lt;/span&gt;   https://uw1.pwl.login.duosecurity.com; connect-src &lt;span class=&quot;code-quote&quot;&gt;&apos;self&apos;&lt;/span&gt; https://uw1.pwl.login.duosecurity.com&lt;/span&gt;&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;&lt;b&gt;Steps to Reproduce:&lt;/b&gt;&lt;/p&gt;

&lt;ol&gt;
	&lt;li&gt;In Kiwi Bugfest, go to Settings &amp;gt; Tenant &amp;gt; SSO settings&lt;/li&gt;
	&lt;li&gt;In the field Identity Provider URL, type &lt;a href=&quot;https://sso-c1bd2609.sso.duosecurity.com/saml2/sp/DIW9G5WEO32MZZF6J8VO/metadata&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://sso-c1bd2609.sso.duosecurity.com/saml2/sp/DIW9G5WEO32MZZF6J8VO/metadata&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;Fill in the other properties with anything and hit save.&lt;/li&gt;
&lt;/ol&gt;


&lt;p&gt;&lt;b&gt;Expected Results:&lt;/b&gt;  &lt;br/&gt;
Your new settings are saved.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Actual Results:&lt;/b&gt;   &lt;br/&gt;
The settings cannot be saved, as the IdP fails FOLIO&apos;s validation. Note the error message: &quot;This is not a valid Identity Provider URL&quot;&lt;/p&gt;

&lt;p&gt;&lt;span class=&quot;image-wrap&quot; style=&quot;&quot;&gt;&lt;img src=&quot;/rest/api/3/attachment/content/60242&quot; height=&quot;183&quot; width=&quot;200&quot; style=&quot;border: 0px solid black&quot; /&gt;&lt;/span&gt;&lt;/p&gt;



&lt;p&gt;&lt;b&gt;Additional Information:&lt;/b&gt;&lt;br/&gt;
The code that performs the validation is here: &lt;a href=&quot;https://github.com/folio-org/mod-login-saml/blob/f1767d3a6f4d0d990e07c5ce324bc42dd98e05c6/src/main/java/org/folio/util/UrlUtil.java#L28&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/mod-login-saml/blob/f1767d3a6f4d0d990e07c5ce324bc42dd98e05c6/src/main/java/org/folio/util/UrlUtil.java#L28&lt;/a&gt;&lt;br/&gt;
Validation was implemented here: &lt;a href=&quot;https://folio-org.atlassian.net/browse/MODLOGSAML-27&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://folio-org.atlassian.net/browse/MODLOGSAML-27&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Interested parties:&lt;/b&gt;  Wellesley College (&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5c48e229cc3a1d3d8a2bbf75&quot; class=&quot;user-hover&quot; rel=&quot;5c48e229cc3a1d3d8a2bbf75&quot; data-account-id=&quot;5c48e229cc3a1d3d8a2bbf75&quot; accountid=&quot;5c48e229cc3a1d3d8a2bbf75&quot; rel=&quot;noreferrer&quot;&gt;Kara Hart&lt;/a&gt; &amp;amp; gravishanker@wellesley.edu)&lt;/p&gt;</description>
                <environment></environment>
        <key id="73385">MODLOGSAML-134</key>
            <summary>SSO configuration fails with error &quot;not XML&quot; if IdP URL returns content-type is &quot;text/xhtml&quot; (mod-login-saml)</summary>
                <type id="10005" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10309?size=medium">Story</type>
                                            <priority id="10001" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p2.svg">P2</priority>
                        <status id="6" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="green"/>
                                    <resolution id="10003">Done</resolution>
                                                        <assignee accountid="5ee89462f7aa140abd82d11d">Julian Ladisch</assignee>
                                                                <reporter accountid="5afc1ced2083b15a0bd3e494">Lisa Sj&#246;gren</reporter>
                                    <labels>
                            <label>support</label>
                    </labels>
                <created>Tue, 15 Mar 2022 11:42:15 +0000</created>
                <updated>Fri, 20 May 2022 08:13:16 +0000</updated>
                            <resolved>Mon, 2 May 2022 09:06:36 +0000</resolved>
                                                    <fixVersion>2.4.5</fixVersion>
                                        <due></due>
                            <votes>0</votes>
                                    <watches>7</watches>
                                                                <comments>
                                                            <comment id="177501" author="632e148361dbef2805be710f" created="Tue, 22 Mar 2022 23:11:59 +0000"  >&lt;p&gt;I think this is a P2. It&apos;s not a blocker, but the only workaround is not really feasible in the medium-to-long term.&lt;/p&gt;</comment>
                                                            <comment id="177502" author="632e148361dbef2805be710f" created="Fri, 25 Mar 2022 06:30:15 +0000"  >&lt;p&gt;Going ahead and assigning this to Core: Platform. We need to get someone&apos;s eyes on it.&lt;/p&gt;</comment>
                                                            <comment id="177503" author="5d6eeadef989e00d8c7e897b" created="Mon, 28 Mar 2022 14:08:33 +0000"  >&lt;p&gt;Support: &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5cf6c546b87c300f36eb7b9a&quot; class=&quot;user-hover&quot; rel=&quot;5cf6c546b87c300f36eb7b9a&quot; data-account-id=&quot;5cf6c546b87c300f36eb7b9a&quot; accountid=&quot;5cf6c546b87c300f36eb7b9a&quot; rel=&quot;noreferrer&quot;&gt;Craig McNally&lt;/a&gt;&#160;should this ticket come to Tech council to see if we want text to come through, does this have any security issues or implications?&#160; &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5afc1ced2083b15a0bd3e494&quot; class=&quot;user-hover&quot; rel=&quot;5afc1ced2083b15a0bd3e494&quot; data-account-id=&quot;5afc1ced2083b15a0bd3e494&quot; accountid=&quot;5afc1ced2083b15a0bd3e494&quot; rel=&quot;noreferrer&quot;&gt;Lisa Sj&#246;gren&lt;/a&gt;&#160;do we know if this impacts more than just Wellesley?&#160;&lt;/p&gt;</comment>
                                                            <comment id="177504" author="5afc1ced2083b15a0bd3e494" created="Tue, 29 Mar 2022 09:56:55 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5d6eeadef989e00d8c7e897b&quot; class=&quot;user-hover&quot; rel=&quot;5d6eeadef989e00d8c7e897b&quot; data-account-id=&quot;5d6eeadef989e00d8c7e897b&quot; accountid=&quot;5d6eeadef989e00d8c7e897b&quot; rel=&quot;noreferrer&quot;&gt;Anya&lt;/a&gt; I have not heard of this impacting anyone except Wellesley yet &amp;#8211; AFAIK not any library that we have worked with.&lt;/p&gt;

&lt;p&gt;Wellesley are using what I understand to be a rather common SSO provider in the US, though &amp;#8211; Duo. So it would be interesting to know if this issue would be shared by other institutions using SSO from Duo or if it is somehow unique to Wellesley&apos;s Duo setup.&lt;/p&gt;</comment>
                                                            <comment id="177505" author="5cf6c546b87c300f36eb7b9a" created="Wed, 30 Mar 2022 21:41:00 +0000"  >&lt;p&gt;I believe this is a relatively simple fix.&#160; I think it would only involve adjusting this conditional:&#160; &lt;a href=&quot;https://github.com/folio-org/mod-login-saml/blob/f1767d3a6f4d0d990e07c5ce324bc42dd98e05c6/src/main/java/org/folio/util/UrlUtil.java#L28&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/mod-login-saml/blob/f1767d3a6f4d0d990e07c5ce324bc42dd98e05c6/src/main/java/org/folio/util/UrlUtil.java#L28&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;That said, we&apos;d have to try it.&#160; It&apos;s possible that the underlying pac4j-saml library wouldn&apos;t like the text/xhtml content-type either.&#160; I took a quick peek at the pac4j-saml code and don&apos;t see anything like that but I didn&apos;t do an extensive search either.&#160;&lt;/p&gt;

&lt;p&gt;&#160;&lt;/p&gt;</comment>
                                                            <comment id="177506" author="5d6eeadef989e00d8c7e897b" created="Mon, 4 Apr 2022 14:24:04 +0000"  >&lt;p&gt;Support: Cornell uses Duo, and SSO, and they have had no issues... could this be a local configuration issue?&#160;&lt;/p&gt;

&lt;p&gt;CC &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5cf6c546b87c300f36eb7b9a&quot; class=&quot;user-hover&quot; rel=&quot;5cf6c546b87c300f36eb7b9a&quot; data-account-id=&quot;5cf6c546b87c300f36eb7b9a&quot; accountid=&quot;5cf6c546b87c300f36eb7b9a&quot; rel=&quot;noreferrer&quot;&gt;Craig McNally&lt;/a&gt;, &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5afc1ced2083b15a0bd3e494&quot; class=&quot;user-hover&quot; rel=&quot;5afc1ced2083b15a0bd3e494&quot; data-account-id=&quot;5afc1ced2083b15a0bd3e494&quot; accountid=&quot;5afc1ced2083b15a0bd3e494&quot; rel=&quot;noreferrer&quot;&gt;Lisa Sj&#246;gren&lt;/a&gt;&lt;/p&gt;</comment>
                                                            <comment id="177507" author="5afc1ced2083b15a0bd3e494" created="Tue, 5 Apr 2022 17:26:42 +0000"  >&lt;p&gt;Thank you, &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5d6eeadef989e00d8c7e897b&quot; class=&quot;user-hover&quot; rel=&quot;5d6eeadef989e00d8c7e897b&quot; data-account-id=&quot;5d6eeadef989e00d8c7e897b&quot; accountid=&quot;5d6eeadef989e00d8c7e897b&quot; rel=&quot;noreferrer&quot;&gt;Anya&lt;/a&gt;! I will check again with Wellesley.&lt;/p&gt;</comment>
                                                            <comment id="177508" author="5ee89462f7aa140abd82d11d" created="Mon, 11 Apr 2022 16:08:46 +0000"  >&lt;p&gt;Is&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
content-type: text/xhtml
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;an HTTP header line with a valid content-type?&lt;/p&gt;

&lt;p&gt;For HTTP/1.1 the spec is RFC 2616 section 3.7: &lt;a href=&quot;https://datatracker.ietf.org/doc/html/rfc2616#section-3.7&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://datatracker.ietf.org/doc/html/rfc2616#section-3.7&lt;/a&gt; :&lt;br/&gt;
 It says that media-type values are registered with the Internet Assigned Numbers Authority (IANA).&lt;/p&gt;

&lt;p&gt;For HTTP/2.0 the spec is RFC 7540 section 8.1.2: &lt;a href=&quot;https://datatracker.ietf.org/doc/html/rfc7540#section-8.1.2&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://datatracker.ietf.org/doc/html/rfc7540#section-8.1.2&lt;/a&gt; :&lt;br/&gt;
 It refers to the &quot;Message Header Field&quot; registry maintained at &amp;lt;&lt;a href=&quot;https://www.iana.org/assignments/message-headers&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://www.iana.org/assignments/message-headers&lt;/a&gt;&amp;gt;.&lt;/p&gt;

&lt;p&gt;IANA maintains the list of registered media types: &lt;a href=&quot;https://www.iana.org/assignments/media-types/media-types.xhtml&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://www.iana.org/assignments/media-types/media-types.xhtml&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;It contains&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
text/xml
application/xml
application/xhtml+xml
application/samlmetadata+xml
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;but it doesn&apos;t contain&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
text/xhtml
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;See also &lt;a href=&quot;https://datatracker.ietf.org/doc/html/rfc3023#appendix-A.1&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://datatracker.ietf.org/doc/html/rfc3023#appendix-A.1&lt;/a&gt; : &quot;use of text/xml or application/xml to label discrete media types will hinder correct dispatching and general interoperability.&quot;&lt;/p&gt;

&lt;p&gt;mod-login-saml is a security sensitive module. Therefore external input like IdP metadata must be validated, filtered, or sanitized because it might be hostile data.&lt;/p&gt;</comment>
                                                            <comment id="177509" author="5ee89462f7aa140abd82d11d" created="Mon, 11 Apr 2022 16:17:42 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5c48e229cc3a1d3d8a2bbf75&quot; class=&quot;user-hover&quot; rel=&quot;5c48e229cc3a1d3d8a2bbf75&quot; data-account-id=&quot;5c48e229cc3a1d3d8a2bbf75&quot; accountid=&quot;5c48e229cc3a1d3d8a2bbf75&quot; rel=&quot;noreferrer&quot;&gt;Kara Hart&lt;/a&gt;: Can you ask the sysops of &lt;a href=&quot;https://sso-c1bd2609.sso.duosecurity.com/saml2/sp/DIW9G5WEO32MZZF6J8VO/metadata&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://sso-c1bd2609.sso.duosecurity.com/saml2/sp/DIW9G5WEO32MZZF6J8VO/metadata&lt;/a&gt; to fix the content-type header line?&lt;/p&gt;

&lt;p&gt;Changing&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
text/xhtml&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;to any of the registered values&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
text/xml
application/xml
application/xhtml+xml
application/samlmetadata+xml&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;will fix the issue.&lt;/p&gt;</comment>
                                                            <comment id="177510" author="5ee89462f7aa140abd82d11d" created="Wed, 13 Apr 2022 07:39:09 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5afc1ced2083b15a0bd3e494&quot; class=&quot;user-hover&quot; rel=&quot;5afc1ced2083b15a0bd3e494&quot; data-account-id=&quot;5afc1ced2083b15a0bd3e494&quot; accountid=&quot;5afc1ced2083b15a0bd3e494&quot; rel=&quot;noreferrer&quot;&gt;Lisa Sj&#246;gren&lt;/a&gt;, &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5c48e229cc3a1d3d8a2bbf75&quot; class=&quot;user-hover&quot; rel=&quot;5c48e229cc3a1d3d8a2bbf75&quot; data-account-id=&quot;5c48e229cc3a1d3d8a2bbf75&quot; accountid=&quot;5c48e229cc3a1d3d8a2bbf75&quot; rel=&quot;noreferrer&quot;&gt;Kara Hart&lt;/a&gt; : Do you need a mod-login-saml hotfix, or can you continue to use your workaround and try to get it fixed at sso-c1bd2609.sso.duosecurity.com?&lt;/p&gt;

&lt;p&gt;I block this issue until we get a response from Wellesley.&lt;/p&gt;</comment>
                                                            <comment id="177511" author="5afc1ced2083b15a0bd3e494" created="Thu, 14 Apr 2022 11:00:02 +0000"  >&lt;p&gt;Thank you &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5ee89462f7aa140abd82d11d&quot; class=&quot;user-hover&quot; rel=&quot;5ee89462f7aa140abd82d11d&quot; data-account-id=&quot;5ee89462f7aa140abd82d11d&quot; accountid=&quot;5ee89462f7aa140abd82d11d&quot; rel=&quot;noreferrer&quot;&gt;Julian Ladisch&lt;/a&gt;! I had noted the same thing about text/xhtml not being included in lists of valid content-types, and it is very useful to have your insights into the practical and security implications of this.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5c48e229cc3a1d3d8a2bbf75&quot; class=&quot;user-hover&quot; rel=&quot;5c48e229cc3a1d3d8a2bbf75&quot; data-account-id=&quot;5c48e229cc3a1d3d8a2bbf75&quot; accountid=&quot;5c48e229cc3a1d3d8a2bbf75&quot; rel=&quot;noreferrer&quot;&gt;Kara Hart&lt;/a&gt; Would you be able to double-check with your IT department if there is any chance of correcting this on your side &amp;#8211; either doing it yourselves, or by contacting Duo support? The fact that Cornell are also using Duo, and their metadata comes with a valid content-type, raises some new hope that this might be configurable.&lt;/p&gt;

&lt;p&gt;The only &quot;workaround&quot; available I can think of is for librarians to continue logging into the FOLIO admin interface using their FOLIO login and password. &lt;/p&gt;</comment>
                                                            <comment id="177512" author="5afc1ced2083b15a0bd3e494" created="Thu, 14 Apr 2022 15:28:04 +0000"  >&lt;p&gt;Cornell has clarified that they are using Duo for 2FA, not SSO &amp;#8211; so that glimmer of hope has been extinguished now. &lt;/p&gt;</comment>
                                                            <comment id="177513" author="5c48e229cc3a1d3d8a2bbf75" created="Thu, 14 Apr 2022 16:23:58 +0000"  >&lt;p&gt;Hi &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5ee89462f7aa140abd82d11d&quot; class=&quot;user-hover&quot; rel=&quot;5ee89462f7aa140abd82d11d&quot; data-account-id=&quot;5ee89462f7aa140abd82d11d&quot; accountid=&quot;5ee89462f7aa140abd82d11d&quot; rel=&quot;noreferrer&quot;&gt;Julian Ladisch&lt;/a&gt; ,&#160; Our DUO tech says the DUO setting cannot be altered.&#160; So we do need the change in accepted content types in FOLIO if possible.&#160;&lt;/p&gt;</comment>
                                                            <comment id="177514" author="557058:003b2b3f-c9ac-4207-96eb-21cdb3765e26" created="Mon, 18 Apr 2022 12:30:07 +0000"  >&lt;p&gt;Moved to Morning Glory release.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5ee89462f7aa140abd82d11d&quot; class=&quot;user-hover&quot; rel=&quot;5ee89462f7aa140abd82d11d&quot; data-account-id=&quot;5ee89462f7aa140abd82d11d&quot; accountid=&quot;5ee89462f7aa140abd82d11d&quot; rel=&quot;noreferrer&quot;&gt;Julian Ladisch&lt;/a&gt;&#160;suggest that FOLIO&apos;s security team raises an issue (CVE) against Duo software. We might need a temporary fix in FOLIO.&lt;/p&gt;</comment>
                                                            <comment id="177515" author="5ee89462f7aa140abd82d11d" created="Mon, 2 May 2022 09:06:10 +0000"  >&lt;p&gt;Duo says at &lt;a href=&quot;https://duo.com/support/security-and-reliability/security-response&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://duo.com/support/security-and-reliability/security-response&lt;/a&gt; :&lt;/p&gt;

&lt;p&gt;&quot;Security Reports We Are Not Interested In&quot;&lt;br/&gt;
&quot;Security best practice concerns&quot;&lt;br/&gt;
&quot;Missing HTTP Headers&quot;&lt;br/&gt;
&quot;Duo Security Integrations that default to fail-open/fail-safe behaviors&quot;&lt;/p&gt;

&lt;p&gt;Duo doesn&apos;t care about appropriate technical measures that are state of the art. Duo and institutions using Duo could be in violation of GDPR Article 32 and similar laws and policies.&lt;/p&gt;

&lt;p&gt;Therefore it is wasted time to file an issue at Duo.&lt;/p&gt;

&lt;p&gt;mod-login-saml v2.4.5 has been released with this workaround:&lt;/p&gt;

&lt;p&gt;The &quot;Content-Type: text/xhtml&quot; header is accepted provided that there exists a &quot;Server: Duo/1.0&quot; header. This doesn&apos;t affect the security of institutions that don&apos;t use Duo.&lt;/p&gt;</comment>
                                                            <comment id="177516" author="5afc1ced2083b15a0bd3e494" created="Thu, 5 May 2022 16:02:40 +0000"  >&lt;p&gt;Thank you &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5ee89462f7aa140abd82d11d&quot; class=&quot;user-hover&quot; rel=&quot;5ee89462f7aa140abd82d11d&quot; data-account-id=&quot;5ee89462f7aa140abd82d11d&quot; accountid=&quot;5ee89462f7aa140abd82d11d&quot; rel=&quot;noreferrer&quot;&gt;Julian Ladisch&lt;/a&gt; for putting this targeted workaround in place for institutions using Duo, and for looking into the possibility of Duo addressing this on their side.&lt;/p&gt;</comment>
                                                            <comment id="177517" author="632e148361dbef2805be710f" created="Thu, 5 May 2022 16:04:35 +0000"  >&lt;p&gt;Hope none of Wellesley&#8217;s students, faculty, or staff ever use their systems from Europe&#8230;&lt;/p&gt;</comment>
                                                            <comment id="177518" author="5ee89462f7aa140abd82d11d" created="Fri, 20 May 2022 08:13:16 +0000"  >&lt;p&gt;mod-login-saml v2.4.5 is a patch version that will automatically be included in all flower releases that use mod-login-saml v2.4.*.&lt;/p&gt;

&lt;p&gt;2022 R2 Morning Glory GA: &lt;a href=&quot;https://github.com/folio-org/platform-complete/blob/master/install.json&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/platform-complete/blob/master/install.json&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;2022 R1 Lotus Hot Fix #1: &lt;a href=&quot;https://github.com/folio-org/platform-complete/blob/R1-2022/install.json&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/platform-complete/blob/R1-2022/install.json&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;2021 R3 Kiwi Hot Fix #3: &lt;a href=&quot;https://github.com/folio-org/platform-complete/blob/R3-2021/install.json&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/platform-complete/blob/R3-2021/install.json&lt;/a&gt;&lt;/p&gt;</comment>
                    </comments>
                    <attachments>
                            <attachment id="60242" name="image-2022-03-15-12-25-52-474.png" size="59432" author="5afc1ced2083b15a0bd3e494" created="Tue, 15 Mar 2022 11:25:53 +0000"/>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                    <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10057" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Development Team</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10144"><![CDATA[Core: Platform]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10063" key="com.atlassian.jira.plugin.system.customfieldtypes:float">
                        <customfieldname>PO Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10106" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>RCA Group</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10367"><![CDATA[TBD]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|i04b9m:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10046" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Release</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10057"><![CDATA[Morning Glory (R2 2022)]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="1432">CP: sprint 138</customfieldvalue>
    <customfieldvalue id="1435">CP: sprint 137</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10024" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>[CHART] Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Tue, 22 Mar 2022 23:11:59 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10025" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>[CHART] Time in Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>