What's Changed

🛠️ Stability & Fixes

• Prevent issue with SPRING_JDBC in Flyway by @strehle in #3949
• Pr/issue 3701 by @fhanik in #3951
• fix: handle race condition on addUser by @mikeroda in #3952
• Potential fix for code scanning alert no. 106: Disabled Spring CSRF protection by @strehle in #3946

⬆️ Dependency Bumps

• build(deps): bump the selenium group with 3 updates by @dependabot[bot] in #3948
• build(deps): bump org.opensaml:opensaml-saml-api from 5.2.2 to 5.2.3 by @dependabot[bot] in #3956
• build(deps): bump gradle-wrapper from 9.5.1 to 9.6.0 by @dependabot[bot] in #3955
• build(deps): bump actions/checkout from 6 to 7 by @dependabot[bot] in #3957
• build(deps): bump tomcat from 11.0.22 to 11.0.23 by @dependabot[bot] in #3959

Full Changelog: v79.0.0...v79.1.0

What's Changed

🚨 New Feature - Spring Boot 4.1

• Migrate to spring boot 4 by @gdgenchev in #3805
• Migrate to Java 25 by @duanemay in #3705
• Bump minimum Java to 25 (LTS) by @duanemay in #3932
• build(deps): bump tomcat from 10.1.55 to 11.0.22 by @dependabot[bot] in #3920
• refactor: allow multiple UaaTokenEnhancers by @peterhaochen47 in #3904
• expand refresh token validity resolver by @fhanik in #3942

🛠️ Stability & Fixes

• Update redirect matching for oidc10 site by @duanemay in #3925
• Fix CodeQL finding - regex by @strehle in #3926
• Review on spring boot 4 migration - leftover by @strehle in #3924
• Call helper function for killUaa task by @duanemay in #3934
• Migrate Gradle to Kotlin by @duanemay in #3684
• fix: resolve SAML entity ID from metadata when external_key is null by @fhanik in #3933
• Remove unused dependency: aspectjrt by @duanemay in #3935
• Potential fix for code scanning alert no. 27: Query built from user-controlled sources by @strehle in #3930
• Migrate to scim2-sdk-common by @duanemay in #3939
• Migrate from TimGroup's java-statsd-client to Datadog's java-dogstatsd-client by @duanemay in #3940
• Unsigned SAML logout message validation by @duanemay in #3945

⬆️ Dependency Bumps

• build(deps): bump org.jacoco:org.jacoco.agent from 0.8.14 to 0.8.15 by @dependabot[bot] in #3938
• build(deps): bump jasmine from 6.2.0 to 6.3.0 in /uaa by @dependabot[bot] in #3937
• build(deps): bump jasmine-core from 6.2.0 to 6.3.0 in /uaa by @dependabot[bot] in #3936
• build(deps): bump org.apache.directory.api:api-ldap-model from 2.1.7 to 2.1.8 by @dependabot[bot] in #3928
• build(deps): bump com.nimbusds:nimbus-jose-jwt from 10.9 to 10.9.1 by @dependabot[bot] in #3927
• Update openapi version to 3.0.3 by @strehle in #3931
• build(deps): bump org.sonarsource.scanner.gradle:sonarqube-gradle-plugin from 7.3.0.8198 to 7.3.1.8318 by @dependabot[bot] in #3929
• build(deps): bump org.eclipse.jgit:org.eclipse.jgit from 7.6.0.202603022253-r to 7.7.0.202606012155-r by @dependabot[bot] in #3941
• build(deps): bump springBoot from 4.0.6 to 4.1.0 by @dependabot[bot] in #3943
• build(deps): bump com.icegreen:greenmail from 2.1.8 to 2.1.9 by @dependabot[bot] in #3947

Known Issue - #3950

Full Changelog: v78.16.0...v79.0.0

What's Changed

🛠️ Stability & Fixes

• fix: restore X-Frame-Options: none on /session and /session_management by @fhanik in #3922
• Fix DuplicateKeyException on concurrent JDBC session writes by @fhanik in #3921

⬆️ Dependency Bumps

• build(deps): bump org.json:json from 20251224 to 20260522 by @dependabot[bot] in #3923

Full Changelog: v78.15.0...v78.16.0

What's Changed

Fixes

• Fix SAML encrypted assertion handling by @duanemay in #3908
• Fix duplicate group membership preventing user deletion (#3479) by @strehle in #3896
• review subdomain zone selection by @fhanik in #3918
• Fix: SAML metadata ACS URL ignores zone subdomain when entityBaseURL is set by @fhanik in #3915
• Enhance flaky job rerun summary with detailed logs for failed tests by @duanemay in #3885
• Update default redirect url matching to be more secure by @duanemay in #3913

Misc

• Migrate DaoAuthenticationProvider from deprecated no-arg constructor by @gdgenchev in #3867
• Replace Spring Security Base64 with java.util equivalent by @gdgenchev in #3857
• Remove unneeded Maven repository declarations by @duanemay in #3902
• Remove deprecated setIgnoreDefaultModelOnRedirect by @gdgenchev in #3868
• Migrate MediaType.sortByQualityValue() to local implementation by @gdgenchev in #3856
• Migrate to Gradle Version Catalog by @duanemay in #3910
• Rename integration_test_properties to mockmvc_unittest_properties by @duanemay in #3914
• Configure HttpClient connection timeout via ConnectionConfig by @strehle in #3892

Dependency Bumps

• build(deps): bump nokogiri from 1.19.2 to 1.19.3 in /uaa/slate by @dependabot[bot] in #3906
• build(deps): bump actions/dependency-review-action from 4 to 5 by @dependabot[bot] in #3907
• build(deps): bump gradle-wrapper from 9.5.0 to 9.5.1 by @dependabot[bot] in #3909
• build(deps): bump versions.seleniumVersion from 4.43.0 to 4.44.0 by @dependabot[bot] in #3911
• build(deps): bump brace-expansion from 5.0.5 to 5.0.6 in /uaa by @dependabot[bot] in #3916
• Align and lock library versions by @duanemay in #3917 and update with this to Upgrade Tomcat to version 10.1.55
• Pin cryptacular dependency to version 1.2.6 to consume Opensaml5 updates by @strehle in #3903
• dependency: OpenSAML 5.1.6 upgrade by @strehle in #3840
• build(deps): bump org.opensaml:opensaml-saml-api from 5.2.1 to 5.2.2 by @dependabot[bot] in #3912

Full Changelog: v78.14.0...v78.15.0

What's Changed

New Feature

• Initial AI agent rules by @duanemay in #3884
• Replace Dumbster with GreenMail for SMTP testing by @duanemay in #3888

Fixes

• Fix missing leading slash in requestMatcher pattern by @gdgenchev in #3880
• Fix: improve invitations flow by @fhanik in #3891
• Fix potential ClassCastException during shadow user create by @strehle in #3893
• Fix for Issue #3650 by @strehle in #3894
• Fix bean field naming conflict in SpringServletXmlBeansConfiguration by @mortenrie in #3836
• Fix: Update saml-legacy-uaa.yml by @fhanik in #3898

Misc

• Refactor JavaScript bundling in API docs by @duanemay in #3879
• Remove joda-time dependency and replace with java.time API by @duanemay in #3886
• Remove deprecated PortResolver by @gdgenchev in #3869
• Remove deprecated setters in SpringServletXmlBeansConfiguration by @gdgenchev in #3870
• Add explicit bcutil-fips dependency declaration by @duanemay in #3897
• Replace deprecated APPLICATION_JSON_UTF8 import with local constant by @gdgenchev in #3876
• Remove deprecated XSS protection setter from HttpHeaderSecurityFilter by @gdgenchev in #3871
• Consolidate JWT keys usage stored in Clients for client authentication by @fhanik in #3878
• Improve JWT keys validation furthermore - based on AI review by @strehle in #3895
• Migrate deprecated RestTemplate.doExecute by @gdgenchev in #3873
• Migrate ResponseErrorHandler.handleError by @gdgenchev in #3872
• Migrate deprecated getStatusCodeValue/getRawStatusCode by @gdgenchev in #3875
• Remove Unused dependencies by @duanemay in #3887
• Remove ApacheDS dependencies by @duanemay in #3889

Dependency Bumps

• build(deps): bump commons-codec:commons-codec from 1.21.0 to 1.22.0 by @dependabot[bot] in #3877
• build(deps): bump joda-time:joda-time from 2.14.1 to 2.14.2 by @dependabot[bot] in #3881
• build(deps): bump org.sonarsource.scanner.gradle:sonarqube-gradle-plugin from 7.2.3.7755 to 7.3.0.8198 by @dependabot[bot] in #3890
• build(deps): bump gradle-wrapper from 9.4.1 to 9.5.0 by @dependabot[bot] in #3882

New Contributors

• @mortenrie made their first contribution in #3836

Full Changelog: v78.13.0...v78.14.0

What's Changed

🚨 Breaking Change

• SAML authentication now requires signed responses or assertions; unsigned responses with only encrypted assertions will be rejected.

New Feature

• Add an optional consent modal before login by @duanemay in #3792
• feat: token exchange for UAA-issued opaque access tokens by @mikeroda in #3845

Fixes

• Fix YAML validator by preventing Spring expression evaluation by @gdgenchev in #3843
• Respect skipSslVerification flag in TLS hostname verification logic by @duanemay in #3850
• fix: allow removing group names with quotes by @duanemay in #3851
• feat: omit explicit DB Statement for health check by @tack-sap in #3731
• Add full /oauth/token support for SAML2 bearer grant by @strehle in #3846
• saml improvements by @fhanik in #3859
• Ensure EC keys work as expected by @duanemay in #3861
• Remove the decline button when there is no declineLink by @duanemay in #3862

Misc

• Use WebDriverWait on some flaky tests by @duanemay in #3798
• docs(oauth): refresh token API docs, Slate, and client-auth notes by @fhanik in #3842
• Add documentation for SAML Bearer Grant (two endpoints) by @fhanik in #3844
• Backfill tests for #3845 by @fhanik in #3853
• Integration test for the yaml validation fix by @strehle in #3847
• Migrate from AntPathRequestMatcher to PathPatternRequestMatcher by @gdgenchev in #3854
• Migrate from NestedServletException to ServletException by @gdgenchev in #3855
• Replace UriComponentsBuilder.fromHttpUrl with fromUriString by @gdgenchev in #3858
• Explicitly require safe ActiveSupport version by @duanemay in #3863

Dependency Bumps

• build(deps): bump versions.guavaVersion from 33.5.0-jre to 33.6.0-jre by @dependabot[bot] in #3841
• build(deps): bump org.bouncycastle:bcpkix-fips from 2.1.10 to 2.1.11 by @dependabot[bot] in #3848
• build(deps): bump org.bouncycastle:bctls-fips from 2.1.22 to 2.1.23 by @dependabot[bot] in #3849
• build(deps): bump commons-io:commons-io from 2.21.0 to 2.22.0 by @dependabot[bot] in #3865
• build(deps): bump versions.springBootVersion from 3.5.13 to 3.5.14 by @dependabot[bot] in #3866

Full Changelog: v78.12.0...v78.13.0

What's Changed

Fixes

• Fix UAA start with legacy key setup by @strehle in #3837
• Move signingKey back to legacy structure by @strehle in #3839

Dependency Bumps

• build(deps): bump jasmine-core from 6.1.0 to 6.2.0 in /uaa by @dependabot[bot] in #3832
• build(deps): bump jasmine from 6.1.0 to 6.2.0 in /uaa by @dependabot[bot] in #3831

Full Changelog: v78.11.0...v78.12.0

What's Changed

Known Issue

• UAA may fail to start with some legacy key setups

New Feature

• OpenAPI document endpoints by @joemahady-comm in #3689

Fixes

• Fallback to client_id when cid is missing by @duanemay in #3790
• Restrict HTTP Methods returned by OPTIONS Call to Login Endpoint by @adrianhoelzl-sap in #3804
• Handle custom issuer configuration in getTokenEndpointUrl method by @duanemay in #3815
• Resolve session concurrency issues with static resources by @duanemay in #3817
• Add OpenSaml work around for FIPS initialization by @strehle in #3809
• Fix Issuer URI Configuration for Default Identity Zone by @duanemay in #3823
• Allow configuration of logged_out page content by @duanemay in #3824
• Revert "Add OpenSaml work around for FIPS initialization" by @strehle in #3826
• OAuth Group Mapping Behavior - Combine #3814 and #3820 by @fhanik in #3821
• Run boot war on standalone Apache Tomcat by @fhanik in #3825
• Fix Apache Http Client dependency by @strehle in #3830
• Add OpenSaml work around for FIPS initialization by @strehle in #3829

Misc

• Remove unused Kubernetes configurations and custom matchers by @duanemay in #3784

Dependency Bumps

• build(deps): bump versions.braveVersion from 6.3.0 to 6.3.1 by @dependabot[bot] in #3799
• build(deps): bump versions.springBootVersion from 3.5.12 to 3.5.13 by @dependabot[bot] in #3801
• build(deps): bump org.springdoc:springdoc-openapi-starter-webmvc-ui from 2.7.0 to 2.8.16 by @dependabot[bot] in #3802
• build(deps): bump brace-expansion from 5.0.2 to 5.0.5 in /uaa by @dependabot[bot] in #3803
• build(deps): bump rack from 2.2.22 to 2.2.23 in /uaa/slate by @dependabot[bot] in #3806
• build(deps): bump com.nimbusds:nimbus-jose-jwt from 10.8 to 10.9 by @dependabot[bot] in #3807
• build(deps): bump org.passay:passay from 1.6.6 to 2.0.0 by @dependabot[bot] in #3808
• build(deps): bump addressable from 2.8.7 to 2.9.0 in /uaa/slate by @dependabot[bot] in #3816
• build(deps): bump versions.seleniumVersion from 4.41.0 to 4.42.0 by @dependabot[bot] in #3818
• build(deps): bump versions.seleniumVersion from 4.42.0 to 4.43.0 by @dependabot[bot] in #3828
• build(deps): bump org.barfuin.gradle.jacocolog:gradle-jacoco-log from 4.0.1 to 4.0.2 by @dependabot[bot] in #3834
• build(deps): bump org.springdoc:springdoc-openapi-starter-webmvc-ui from 2.8.16 to 2.8.17 by @dependabot[bot] in #3833

Full Changelog: v78.10.0...v78.11.0

What's Changed

New Feature

• Path based Identity Zone by @fhanik in #3730
• AI generated configuration reference by @fhanik in #3768

Fixes

• Cleanup dependabot configuration by removing redundant Gradle entries… by @duanemay in #3770
• Fix unbound variable issues by @duanemay in #3786
• Use single boot start check logic by @duanemay in #3787

Misc

• Update password change audit events to include principal name by @joemahady-comm in #3760
• Change userDatabase autowired type to UaaUserDatabase by @gdgenchev in #3789
• Remove scripts by @duanemay in #3783
• Remove unused tail_uaa_log script by @duanemay in #3785
• Improve rerun flaky tests by @duanemay in #3788

Dependency Bumps

• Update Bouncy Castle FIPS dependency versions by @strehle in #3763
• Update Gradle wrapper to version 9.4.0 by @strehle in #3765
• Update nimbus-jose-jwt library version to 10.8 by @strehle in #3766
• Update joda-time dependency to version 2.14.1 by @strehle in #3764
• Update commons-io version to 2.21.0 by @strehle in #3769
• build(deps): bump org.json:json from 20250517 to 20251224 by @dependabot[bot] in #3772
• build(deps): bump com.unboundid.product.scim:scim-sdk from 1.8.26 to 2.0.0 by @dependabot[bot] in #3777
• build(deps): bump org.jacoco:org.jacoco.agent from 0.8.13 to 0.8.14 by @dependabot[bot] in #3780
• build(deps): bump versions.guavaVersion from 33.4.8-jre to 33.5.0-jre by @dependabot[bot] in #3775
• build(deps): bump com.icegreen:greenmail from 2.1.5 to 2.1.8 by @dependabot[bot] in #3776
• build(deps): bump versions.seleniumVersion from 4.40.0 to 4.41.0 by @dependabot[bot] in #3778
• build(deps): bump org.eclipse.jgit:org.eclipse.jgit from 7.3.0.202506031305-r to 7.6.0.202603022253-r by @dependabot[bot] in #3771
• build(deps): bump org.barfuin.gradle.jacocolog:gradle-jacoco-log from 3.1.0 to 4.0.1 by @dependabot[bot] in #3774
• build(deps): bump org.sonarsource.scanner.gradle:sonarqube-gradle-plugin from 7.0.1.6134 to 7.2.3.7755 by @dependabot[bot] in #3773
• build(deps): bump commons-codec:commons-codec from 1.19.0 to 1.21.0 by @dependabot[bot] in #3781
• chore(deps): update ubuntu docker tag to v24 by @strehle in #3782
• Bump Gradle to 9.4.0 by @duanemay in #3791
• build(deps): bump k8s.io/client-go from 0.35.2 to 0.35.3 in /k8s by @dependabot[bot] in #3793
• build(deps): bump gradle-wrapper from 9.4.0 to 9.4.1 by @dependabot[bot] in #3796
• build(deps): bump versions.springBootVersion from 3.5.11 to 3.5.12 by @dependabot[bot] in #3797

Full Changelog: v78.9.0...v78.10.0

What's Changed

Security

• Addresses CVE-2026-22724

Fixes

• Add ProxyRestriction Validator by @mikeroda in #3758
• fix saml and invitations beans by @fhanik in #3762

Misc

• Rerun flaky tests in integration tests pipeline by @duanemay in #3752

Dependency Bumps

• build(deps): bump k8s.io/client-go from 0.35.1 to 0.35.2 in /k8s by @dependabot[bot] in #3754
• build(deps): bump actions/upload-artifact from 6 to 7 by @dependabot[bot] in #3756
• build(deps): bump minimatch from 10.2.2 to 10.2.4 in /uaa by @dependabot[bot] in #3757
• build(deps): bump docker/login-action from 3 to 4 by @dependabot[bot] in #3759

Full Changelog: v78.8.0...v78.9.0