Changes

This release includes hardening around authorization as well as these improvements in single sign-on with SAML:

• Gateway now supports SAML on the tenant level, allowing for organization-specific SAML authentication in multi-tenant implementations. (CLOUD-3239)

• Gateway has better token handling on SAML logouts. (CLOUD-3245) 

Fixed

Invalid methods on an SCSP request returned 400 Bad Request instead of the expected 405 Method Not Allowed responses. (CLOUD-3228)

Upgrade Impacts

To upgrade from a version of Gateway 6, see Upgrading Gateway. If you are migrating from Elasticsearch 2.3.3 and Gateway 5, see Upgrading from Gateway 5.x.

Address the upgrade impacts for this and each prior version since the currently running version:

See Content Gateway 6 Release Notes for impacts from prior releases.

Watch Items and Issues

These are known operational limitations that exist for Gateway.

• When using the default RHEL/CentOS configuration of IPTABLES, traffic to the Gateway is blocked unless action is taken to disable IPTABLES or to enable inbound traffic to the front-end protocol port(s).

• Gateway is not compatible with Linux PAM modules that depend upon interactive validation operations such as OTP or biometric scanners.

These are known issues in this release:

• The cloudgateway_audit.log shows a false HTTP 500 response for SCSP (format=json) listing requests. This can be ignored; the client receives an HTTP 200 OK with the correct list results. (CLOUD-3201)

See Content Gateway 6 Release Notes for known issues from prior releases that are still applicable, apart from those appearing above as Fixed.