Changelog

Version 3.10, 2024-09-03

  Features:
  * Node-specific realms (#3758)
    * Add node names and UUIDs to database (#3757)
    * Add, remove and configure realms with node-specific resolver configuration (API and WebUI)
  * Add token containers (#1291)
    * There are three container types (generic, smartphone, and yubikey) which can contain different token types
    * A container can have one owner and multiple tokens
    * Tokens can be added to a container on the fly during the enrollment, on the token, user and container page
    * Perform actions on all tokens of a container (enable, disable, delete)
    * Event Handler
    * Admin and user policies (similar to tokens)
    * Added container serial and type as columns to the audit log

  Enhancements:
  * Drop support of Python 3.6 and enable Python 3.11 and 3.12 (#3593, #3711, #3760)
  * UI: Capitalize headings
  * UI: Enable/disable tokens, reset the fail counter, delete tokens and unassign user from token in user details
  * UI: The support button in the footer will now initiate an email to ease the request of support (#3919)
  * UI: Add multiple choice elements for realms and resolvers (#3793)
  * UI: Hide enroll token menu entry, if no token-type is allowed (#4053)
  * MS CA Connector: Added certificate revocation (#3316)
  * Email and Phone number attributes can be used in challenge texts (#2917)
  * Validity of JWT can be configured (#3996)
  * PUSH: Optionally, the user can be required to press a number or character that is displayed on login
                to complete the push authentication (#3897)
  * PUSH: Add event handler for declining push requests (#3632)
  * PUSH: Allow tags in PUSH notifications (#3227)
  * Added "Authentication" condition to event handlers, which can be used to distinguish between
    SUCCESS, FAILED and CHALLENGE (#3886)
  * Enrollment via validate can have a custom enrollment text (#3884)
  * Allow case insensitive usernames in policies (#3281)
  * Cleanup of expired challenges externally (#3920)
  * Tools: Migration of several tools to the click framework (#2498, #3769)
  * Add functionality to dump token data to YAML (#3005)
  * Allow extended notes on policies (#1814, #3895)
  * WebAuthn: Allow offline usage (#3764, #3857, #3866)
  * Add user-agent to audit log (#3856)
  * Check Yubikey OTP length before validating (#3746)
  * Check secret length for Yubikey token during enrollment (#3725)
  * Enable user-agent version in subscription checks (#3800)
  * Enhance offline token to allow refill for WebAuthn tokens (#3764)
  * Add policy to disable PIN+OTP check when using challenge-response (#4051)
  * Add privacyIDEA version to exported data and warn during import if versions mismatch (#4055)
  * Make token description available as a tag in the user-notification handler (#3763)
  * Add "creator" tag to QR-code for enrollment (#3902)
  * Add email validation to enrollment (#3918)

  Fixes:
  * UI: Added translation for page navigation in the user details and list pages
  * UI: Fixed open and close all actions in create new policy and conditions in create new event handler
  * UI: Removed duplicated controller calls resulting in duplicated API calls (#3421)
  * UI: Cancel poll-transaction in case another token is used (#3861)
  * UI: Fix reset of user filters when changing user view (#3543)
  * UI: Fix error during generation of drop-down lists in UI (#3937)
  * UI: Hide "unassign" button in token view if the user does not have the proper rights (#3966)
  * When attaching a token to a machine, validate the serial and the application (#4019)
  * The realm of the token owner can not be removed from the token, unless the token is unassigned from the user (#3986)
  * PUSH: Declined PUSH requests are now saved as such and can no longer be polled (#4026)
  * PUSH: Label policies are now considered for PUSH token enrollment via validate (#3883)
  * Verify enrollment now works for indexed secret token (#3869)
  * Remove duplicate messages from response (#3989)
  * Lazy translation evaluation for static strings (#3721)
  * Truncate token description (#3747)
  * Use uppercase hash name for google-authenticator URLs (#3812)
  * Improve logging of event handler status in Audit log (#3781)
  * Update config description of LDAP resolver to remove warning (#3854)
  * Add missing index to Challenge.expiration column (#3920)
  * Fix usage of challenge text and token defaults policies during multi-challenge enrollment (#3928, #3976)
  * Enable sms/email text policies when verifying enrollment (#3971)

Version 3.9.3, 2024-04-04

  Fixes:
  * Fix creation of database tables with galera cluster (#3863)

Version 3.9.2, 2023-12-20

  Fixes:
  * Allow verify-enroll for paper token and TAN token (#3809)
  * Fix offline data, when PIN is behind the OTP value (#3831)

Version 3.9.1, 2023-11-06

  Fixes:
  * Set correct start sequence for empty tables
  * Fix pi-manage backup
  * Add privacyIDEA CP to list of clients, that do not
    need to be unquoted. (#3770)
  * Fix problem with token description and verify enrollment (#3798)

Version 3.9, 2023-09-12

  Features:
  * Tokentype: Application Specific password (#3260, #3585)
  * Tokentype: Day password token (#2781)
  * Add machine grouping aka service IDs to be used with
    application specific passwords and SSH keys (#3300, #3246, #3533, #3573)

  Enhancements:
  * Add event handler to set token application like "offline" (#3335)
  * Add challenge response with pin reset for better usability with
    client plugins (#3261)
  * Add logged_in_user to g-object during /auth request (#3710)
  * Allow to force description during rollout (#3469)
  * Allow an administrator to explicitly (only) set a description (#3609)
  * Add verify enrollment for indexed secret token (#3452)
  * Handle declined PUSH requests so that plugins know, that they do
    not need to poll anymore (#3599)
  * Clean up the usage of PI_NODE and AUDIT_SERVERNAME to allow a
    consistent naming in the audit log (#3589)
  * Remove PI_VASCO_LIB error message in log file (#3470)
  * Add event handler status to audit log (#3430)
  * Optimize URL decoding for different clients (#3337)
  * Upgrade to SQLAlchemy 1.4 (#2798)
  * Add event for poll_transaction (#3692)
  * Make LDAP Resolver pooling strategy configurable (#3461)
  * Disable private key checking during loading for speed up (#3590)
  * Add tool for exporting tokens for database re-encryption (#3005)
  * UI: Multiselect policies in WebUI (#3493)
  * UI: Make the whole header of an accordion clickable (#3425)
  * UI: Improved grouping in the system menu (#3419)
  * UI: Moved the CA menu to config->system (#3419)
  * UI: Add italian translation (#3508)
  * UI: Add user information in selfservice/user context (#3688)
  * Docs: Improve documentation for /validate/check-enrollment (#3507)
  * Docs: Improve policy mangle documentation (#3565)
  * Docs: Add a detailed plugin guide how to write fully functional plugins (#3650)
  * Docs: Fix description of preferred_client_mode (#3661)
  * Docs: Update documentation (#3728, #3712, #3728)
  * Update translations
  * Infrastructure: Add Bandit and GraphQL runs for pull requests

  Fixes:
  * Fix /auth endpoint in case no password is available (#3438)
  * Return all images as data:image, so that they can be used by the
    client plugins (#3450)
  * Fix typo in policy definition to fix revoke permission (#3608)
  * Add missing thread ID to audit log in case of /validate/check
    (#3578)
  * Fix pi-manage backup with non-default SQL port (#3570)
  * Fix SQLAlchemy warnings (#3547)
  * Fix problems with naming object "." or ".." (#3409)
  * Use more secure secrets module instead of urandom (#3623)
  * UI: More explicit description for entering PIN or password (#3370)
  * Fetch error when decoding JWT (#3028)
  * UI: Fetch error when user does not exist (#3672)
  * Ensure subprocess calls are secure (#3625)
  * TOTP code cleanup: Use time2counter wherever necessary (#3664)
  * Fix totp.get_otp test function (#3660)
  * Fix typos (#3661)
  * Update docs about TOTP apps, that have limited capabilities (#3634)
  * Enhance schemas for urlopen (#3622)
  * Add timeout to requests calls (#3621)
  * Avoid exception if the provided password is shorter than the
    OTP length (#3467)
  * Ignore PIN policy during token rollover and verify to avoid
    wrong error (#2886)
  * Fixing response data of /auth endpoint to make the handling
    more consistent (#3436)
  * Fix parameter error in Webhook event handler (#3676)
  * Fix calculation of TOTP values (#3734)
  * Correct ID and help-text for Daypassword (#3742, #3744)

Version 3.8.1, 2023-02-06

  Fixes:
  * Update diag tool (#3146)
  * Fix tokengroup error in WebUI (#3441)
  * Fix dependencies when deleting tokengroups (#3423)
  * Fix wrong QR code in enroll-via-validate (#3427)
  * Add missing preferred client mode in validate-check-enrollment (#3429)
  * Add missing enrollment parameters with challenge-response-enrollment (#3478)
  * Fix password problem with special chars -
    Disable unquoting of LDAP-Proxy and simpleSAMLphp (#3337)
  * Remove false error message when user assigns a token (#3499)
  * Fix tags in email tokens (#3330)
  * Fix LDAP NTLM Authentication (#3482)
  * Add missing Webhook Eventhandler in UI (#3475)
  * Remove redundant id in SQL resolver (#3454)
  * Fix ca-parameter policy during enrollment (#3479)
  * Fix removing node from a policy (#3500)


Version 3.8, 2022-12-20

  Features:
  * Drop support for Python 3.5. Support for 2.7 will be dropped
    in privacyIDEA 3.9 (#3263)
  * Add MS CA connector to issue certificates from a Microsoft CA
    (#3233, #3232, #2966, #2158)
  * Add enrollment of HOTP, TOTP, SMS, Email or PUSH token during
    authentication via Multi-Challenge (#2993)
  * Add webhook event handler (#3178, #2938)
  * Allow Kerebos Authentication for LDAP resolvers (#770)
  * Add token groups in preparation for SSH key and Offline-Token
    management (#3299)

  Enhancements:
  * Avoid double registration of webauthn tokens per user (#3207)
  * Add WebAuthn attestation format "packed" (#3150)
  * Support Windows Hello as WebAuthn token (#3142)
  * Add preferred client mode to define the authentication behaviour of
    plugins (#3373)
  * Display multiple serials in auditlog in case of C/R (#3285)
  * Add PI_LOGOUT_REDIRECT_URL for using a SAML logout link from the WebUI  (#3257)
  * Add passthru policy to audit log, even if password was wrong (#3212)
  * Improve the description for appimageurl (#3133)
  * Allow to choose padding for default security module (#3115)
  * Make available languages configurable in pi.cfg (#3076)
  * Add translation for admin error messages (#3066)
  * Allow HTTPSMSProvider to send data as JSON (#3056)
  * Rename pi-manage createdb to create-tables (#2996)
  * Add ed25519-sk/ecdsa-sk for SSH tokens (#2792)
  * Avoid spamming with SMS or Email by allowing to increase failcounter
  * Add thread ID to audit log (#3381)
    during challenge-response (#933)
  * Configure Email address in the subject of a certificate request (#3327)
  * Be more relaxing about subscription checking of plugins (#3296)
  UI
  * Add policy for audit_page_size (#3167)
  * Add search highlighting in event handler conditions (#3062)
  * Link online documentation in WebUI (#2952)
  * Search and filter for actions in configured policies (#2788)
  Documentation
  * Add a glossary (#2783)

  Fixes:
  * Automatically delete MachineTokenOptions when a MachineToken is deleted (#3165)
  * Fixing int-str conversion with Python 3.10 (#3303)
  * Remove pillow dependency (#3268)
  * Fix default AD attributes to (ObjectCategory=person) (#3218)
  * Fix WebAuthn trust anchor directory (#3216)
  * Fix enrolling SSH keys with an empty comment (#3198)
  * Avoid fails in case of content-type header mismatch (#3194)
  * Fix App device in certain cases as WebAuthn token (#3136)
  * Fix ImportException to be subclass of privacyIDEAError (#3131)
  * Fix URL encoding in TiQR URL (#3121)
  * Add index for timestamp in DB (#3120)
  * AES module also encrypts empty strings (#2899)
  * Fix Push_Wait if user presses decline on smartphone (#2865)
  * Fix fetching SSH keys under certain circumstances (#3375)
  * Add missing sequences for certain database tables (#3356)
  * Remove user fields from token API (#3343)
  * Add SMPP encoding check (#3321)
  WebUI:
  * Disable realm button in case of reasolverread (UI) (#3149)
  * Add missing translation for PSKC import (#3129)


Version 3.8dev3, 2022-12-07

  Features:
  * Add enrollment of HOTP, TOTP, SMS, Email or PUSH token during
    authentication via Multi-Challenge (#2993)
  * Add token groups in preparation for SSH key and Offline-Token
    management (#3299)

  Enhancements:
  * Add thread ID to audit log (#3381)
  * Add preferred client mode to define the authentication behaviour of
    plugins (#3373)
  * Avoid spamming with SMS or Email by allowing to increase failcounter
    during challenge-response (#933)
  * Configure Email address in the subject of a certificate request (#3327)

  Fixes:
  * Fix fetching SSH keys under certain circumstances (#3375)
  * Add missing sequences for certain database tables (#3356)
  * Remove user fields from token API (#3343)
  * Add SMPP encoding check (#3321)
  * Fix encrpyting empty strings in AES module (#2899)
  * Rename createdb and dropdb to createtables and droptables (#2996)
  * Make subscription checking more relaxing (#3296)

Version 3.8dev1, 2022-10-06

  Features:
  * Drop support for Python 3.5. Support for 2.7 will be dropped
    in privacyIDEA 3.9 (#3263)
  * Add MS CA connector to issue certificates from a Microsoft CA (#3233,
  #3232, #2966, #2158)
  * Add webhook event handler (#3178, #2938)
  * Allow Kerebos Authentication for LDAP resolvers (#770)

  Enhancements:
  * add policy for audit_page_size (#3167)
  * Be more relaxing about subscription checking of plugins (#3296)
  * Display multiple serials in auditlog in case of C/R (#3285)
  * Add PI_LOGOUT_REDIRECT_URL for using a SAML logout link from the WebUI  (#3257)
  * Add passthru policy to audit log, even if password was wrong (#3212)
  * Avoid double registration of webauthn tokens per user (#3207)
  * Add WebAuthn attestation format "packed" (#3150)
  * Support Windows Hello as WebAuthn token (#3142)
  * Improve the description for appimageurl (#3133)
  * Allow to choose padding for defaul security module (#3115)
  * Make available languages configureable in pi.cfg (#3076)
  * Add translation for admin error messages (#3066)
  * Allow HTTPSMSProvider to send data as JSON (#3056)
  * Rename pi-manage createdb to create-tables (#2996)
  * Add ed25519-sk/ecdsa-sk for SSH tokens (#2792)
  UI
  * Add search highlighting in event handler conditions (#3062)
  * Link online documentation in WebUI (#2952)
  * Search and filter for actions in configured policies (#2788)
  Documentation
  * Add a glossary (#2783)

  Fixes:
  * Automatically delete MachineTokenOptions when a MachineToken is deleted (#3165)
  * Fixing int-str conversion with Python 3.10 (#3303)
  * Remove pillow dependency (#3268)
  * Fix default AD attributes to (ObjectCategory=person) (#3218)
  * Fix WebAuthn trust anchor directory (#3216)
  * Fix enrolling SSH keys with an empty comment (#3198)
  * Avoid fails in case of content-type header mismatch (#3194)
  * Fix App device in certain cases as WebAuthn token (#3136)
  * Fix ImportException to be subclass of privacyIDEAError (#3131)
  * Fix URL encoding in TiQR URL (#3121)
  * Add index for timestamp in DB (#3120)
  * AES module also encrypts empty strings (#2899)
  * Fix Push_Wait if user presses decline on smartphone (#2865)
  WebUI:
  * Disable realm button in case of reasolverread (UI) (#3149)
  * Add missing translation for PSKC import (#3129)

Version 3.7.4, 2022-10-18

  Fixes:
  * Fix the PassOnNoToken and passthru in Offline mode with Credential
  Provider (#3333)
  * URLencode password and username for remote token (#3337)


Version 3.7.3, 2022-08-01

  Fixes:
  * Preserve client information, when disabling a policy (#3243)
  * Fix spanish translation

Version 3.7.2, 2022-07-04

  Fixes:
  * Fix password recovery link (#3168)
  * Add missing user object in DEL /user/ request (#3192)
  * Compare users by uid, thus fixing 2step enrollment with case
    insensitive login names(#3186)
  * Downgrade ldap3 dependency to fix finding of 5c-users
    in objectGUID in Active Directory

Version 3.7.1, 2022-05-11

  Fixes:
  * Fix WebUI login with HOTP/TOTP challenge-response token (#3038)
  * Improve error handling for "/ttype" endpoint (#3090)
  * Removed redundant "user" option from offline token assignment (#3077)
  * Fix creation of download-links for certificates due to HTML sanitizer (#3088)
  * Fix policy descriptions containing HTML-like tags (#3118)
  * Add documentation for the CustomUserAttributeHandler (#3075)
  * Send Push message as notification and data to FireBase (#3117)
  * Fix translation issue in PSKC-import (#3126)
  * Add App-PIN policy for Push token (#3116)

Version 3.7, 2022-03-31

  Features:
  * Allow Offline Token without assigning to a specific IP address (#2926)
  * The enrollment of HOTP, TOTP, SMS and Email Tokens can be verified
    by entering a valid OTP value after the enrollment. (#2441)
  * Security: Add security module to decrypt encryption keys using HSM (#3003)

  Enhancements:
  * Token: Policy for Password token can create human readable passwords (#2864)
  * Token: Redesign the code logic of is_previous_otp and make it more robust for HOTP and TOTP tokens (#2916)
  * Token: Allow resyncing of a token via Multi-Challenge (#2349)
  * Token: consolidate client_wait in token enrollment. All tokens now
    get the rollout_state "clientwait" or "enrolled" which can
    be used in Token Handlers and in the token-janitor (#2784)
  * Security and Speed: Allow to choosing hashing algorithms in pi.cfg (#2981)
  * Policies: Also honor the user resolver in policies, when administrator is managing tokens (#2778)
  * Policies: Add policy extended conditions of webserver environment (#2510)
  * Event Handler: Token Handler can use the serial numbers of the tokens
    during token import (#2698)
  * Event Handler: Notification Handler now allows placeholders like "tokenowner" in reply-to. (#2711)
  * UI: Allow to login to WebUI using Push-Tokens (#2893)
  * UI: If an adminitrator is allowed to manage only one realm, this realm is autoselected in the UI. (#2908)
  * UI: Rename buttons from "create" to "save" to avoid misunderstanding (#2932)
  * UI: Use new dependency injection in javascript code (#1917)
  * UI: Policy to exclude tokeninfo in token details (#2819)
  * UI: Highlight policy search term (#2577)
  * Tools: The tokenjanitor can check for the pure existence of a tokeninfo key (#2753)
  * Tools: Improve the token janitor documentation (#2885)
  * Tools: LinOTP miration script now also works with PostgreSQL (#2770)
  * Tools: The "orphaned" parameter of the token-janitor allows to use
    0/False or 1/True to also search for non-orphaned tokens (#2838)
  * Tools: Add more export/import functions to pi-manage (#2455)
  * Add nightly tests with a MySQL database (2477)
  * Add new translated languages from the community: cs, es, it nb_NO, pl, ru, si, tr, uk, zh_HANS
  * Add extra_require in setup.py for PyKCS11 to allow installing via pip also in case of use with HSMs. (#2951)
  * Support SMTPS (#2568)
  * Documentation: Add documentation for max_identifier_length for Oracle DBs (#2986)
  * Documentation: Improve Event Handler documentation
  * Documentation: Add missing policy documentation (#2768)
  * Documentation: Add documentation about importance of time in privacyIDEA (#3026)
  * Add detailed log messages to track HSM sessions (#3000)

  Fixes:
  * Failures in submission to Firebase will not block Push-Poll (#2904)
  * Fix problems with CA certificate and StartTLS (#2892)
  * Dependency update (Pillow)
  * Token: Remove the tokenowner entry after the automatic deletion of the registration token (#2907)
  * Fix the usage of secondary login attribute (#2919)
  * Fix removal of the "alembic_version" table with dropdb (#2848)
  * Fix "validate_mac no_check" when importing tokens with the token janitor (#2755)
  * Update dependencies
  * UI: Fix reload of policy list (#2967)
  * UI: Remove the client side keygen tag for x509 certificates, since it is not supported by browsers anymore (#2968)
  * UI: Fix submenu links like "new" and the routing highlighting (#2546)
  * UI: Check the sanity of client IPs during creation of a policy (#2949)
  * Event Handler: Fix loading of boolean values in event handler options (#2310)
  * Token: Fix email token without an assigned user (#2990)
  * Token: Handle modhex error for invalid passwords in Yubikey token (#2896)
  * Do not use not-readily enrolled tokens for auth  (#2852)
  * Allow tokens in client_wait to be rolled over (#2763)
  * Make token-janitor robust against unknown chars in last_auth check (#2780)
  * Fix the manual setting of U2F tokens, which was overwritten by an
    automatic description (#2793)
  * Improve parameter parsing and decoding (#2810)
  * Fix policy import with missing "condition" keyword (#2829)
  * Add failsafe to raise an exception on the lib level when trying to assign a token
    to a user, if the token is already assigned. (#2860)
  * Fix AD little endian in objectGUID
  * Fix upper case realm names in policy check (#2869)
  * Fix deleting expired auth_cache entries (#2481)

Version 3.7dev4, 2022-03-20

  Features:
  * Security: Add security module to decrypt encryption keys using HSM (#3003)

  Enhancements:
  * UI: Policy to exclude tokeninfo in token details (#2819)
  * UI: Highlight policy search term (#2577)
  * Token: Policy for Password token can create human readable passwords (#2864)
  * Security and Speed: Allow to choosing hashing algorithms in pi.cfg (#2981)
  * Add documentation about importance of time in privacyIDEA (#3026)
  * Allow to login to WebUI using Push-Tokens (#2893)

  Fixes:
  * Failures in submission to Firebase will not block Push-Poll (#2904)
  * Fix problems with CA certificate and StartTLS (#2892)
  * Dependency update (Pillow)

Version 3.7dev3, 2022-02-22

  Features:
  * Allow Offline Token without assigning to a specific IP address (#2926)
  * The enrollment of HOTP, TOTP, SMS and Email Tokens can be verified
    by entering a valid OTP value after the enrollment. (#2441)

  Enhancements:
  * Policies: Also honor the user resolver in policies, when administrator is managing tokens (#2778)
  * Token: Redesign the code logic of is_previous_otp and make it more robust for HOTP and TOTP tokens (#2916)
  * Add detailed log messages to track HSM sessions (#3000)
  * UI: If an adminitrator is allowed to manage only one realm, this realm is autoselected in the UI. (#2908)
  * UI: Rename buttons from "create" to "save" to avoid misunderstanding (#2932)
  * UI: Use new dependency injection in javascript code (#1917)
  * Tools: The tokenjanitor can check for the pure existence of a tokeninfo key (#2753)
  * Tools: Improve the token janitor documentation (#2885)
  * Add new translated languages from the community: cs, es, it nb_NO, pl, ru, si, tr, uk, zh_HANS
  * Add nightly tests with a MySQL database (2477)
  * Add extra_require in setup.py for PyKCS11 to allow installing via pip also in case of use with HSMs. (#2951)
  * Documentation: Add documentation for max_identifier_length for Oracle DBs (#2986)
  * Documentation: Improve Event Handler documentation
  * Documentation: Add missing policy documentation (#2768)

  Fixes:
  * Token: Remove the tokenowner entry after the automatic deletion of the registration token (#2907)
  * Fix the usage of secondary login attribute (#2919)
  * Fix removal of the "alembic_version" table with dropdb (#2848)
  * Fix "validate_mac no_check" when importing tokens with the token janitor (#2755)
  * Update dependencies
  * UI: Fix reload of policy list (#2967)
  * UI: Remove the client side keygen tag for x509 certificates, since it is not supported by browsers anymore (#2968)
  * UI: Fix submenu links like "new" and the routing highlighting (#2546)
  * UI: Check the sanity of client IPs during creation of a policy (#2949)
  * Event Handler: Fix loading of boolean values in event handler options (#2310)
  * Token: Fix email token without an assigned user (#2990)
  * Token: Handle modhex error for invalid passwords in Yubikey token (#2896)

Version 3.6.3, 2021-11-18

  Fixes:
  * Fix endianess for certain GUID bytestrings in LDAP resovler returned from AD
  * Fix problem with old OTP values of TOTP tokens in autoresync


Version 3.7dev2, 2021-10-08

  Enhancements:
  * Support SMTPS (#2568)
  * Add policy extended conditions of webserver environment (#2510)

  Fixes:
  * Do not use not-readily enrolled tokens for auth  (#2852)
  * Allow tokens in client_wait to be rolled over (#2763)

Version 3.7dev1, 2021-08-25

  Features:
  Enhancements:
  * Allow resyncing of a token via Multi-Challenge (#2349)
  * Token Handler can use the serial numbers of the tokens
    during token import (#2698)
  * Notification Handler now allows placeholders like "tokenowner" in reply-to. (#2711)
  * LinOTP miration script now also works with PostgreSQL (#2770)
  * consolidate client_wait in token enrollment. All tokens now
    get the rollout_state "clientwait" or "enrolled" which can
    be used in Token Handlers and in the token-janitor (#2784)
  * The "orphaned" parameter of the token-janitor allows to use
    0/False or 1/True to also search for non-orphaned tokens (#2838)
  * Add more export/import functions to pi-manage (#2455)

  Fixes:
  * Make token-janitor robust against unknown chars in last_auth check (#2780)
  * Fix the manual setting of U2F tokens, which was overwritten by an
    automatic description (#2793)
  * Improve parameter parsing and decoding (#2810)
  * Fix policy import with missing "condition" keyword (#2829)
  * Add failsafe to raise an exception on the lib level when trying to assign a token
    to a user, if the token is already assigned. (#2860)
  * Fix AD little endian in objectGUID
  * Fix upper case realm names in policy check (#2869)
  * Fix deleting expired auth_cache entries (#2481)


Version 3.6.2, 2021-07-22

  Fixes:
  * Fix LDAP Resolver for old Python versions like in CentOS 7 #2835
  * Fix typo in pi-manage that breaks config restore #2829

Version 3.6.1, 2021-07-19

  Fixes:
  * Remove importlib-metadata from doc requirements
  * Add a safe_store feature #2794
  * Decode URL parameters for forms #2800
  * Prepare ADFS subscription #2801

Version 3.6, 2021-06-07

  Features:
  * Add custom user attributes that can be managed within privacyIDEA #680
  * Extended policy conditions can match on any token attribute #2590

  Enhancements:
  * Allow to use Push tokens without Firebase #2720
  * privacyidea-cron allow to choose retry if action failed #1179
  * UI: allow token rollover e.g. for smartphone swap #2613
  * pi-manage: allow configuration export and import #2467
  * Allow different PIN policies for different token types #2142
  * UI: Search in policy description, not only in policy action #2574
  * UI: Highlight found locations of search term in web UI #2577
  * UI: Allow configurable entry point for custom web UI #2592
  * UI: Add more descriptive tooltip to token when assigning to machine #2516
  * Import AES mode yubikeys created with Yubico Personalization tool #2594
  * token janitor can export arbitrary user fields #2569
  * token janitor: CSV token export can either export hex or base32 encoded seeds #2648
  * token janitor: CSV token export contains token owner #2664
  * Remote Token can now be configured with a privacyIDEA configuration
    instead of a distinct URL #2124
  * Allow additional tags like {username} in SMS token #2677
  * improve privacyidea-diag #2555
  * auth_cache can now cache the credentials for a certain number of usages #1059
  * Policy "add_user_in_response" also checks for user-realms #2642
  * Stamp the database version automatically during installation #2708
  * Audit Rotation is automatically added on new installation #1427

  Documentation:
  * Add note about SMS text formats #2151
  * Rewrite Yubikey enrollment documentation #2318

  Hardening:
  * Replace ecdsa module with stable pyca module #2410
  * LDAP resolver supports TLS 1.3 #2637
  * Update dependencies / requirements #2570
  * Choose more secure configuration defaults #2408

  Fixes:
  * Do not trigger disabled PUSH tokens #2723
  * Configuration default truncate Audit log #2699
  * Policy: Fix problems with extended policy conditions #2676
  * UI: Remove table borders in list views #2585
  * UI: Do not translate date in audit log #2579
  * Remove deprecated oauth2client #1990
  * Fix visibility of subscription for administrator #2609
  * Remove non-existing getOTP from documentation #2636
  * Remove undocumented and unused parameter aladdin_hashlib in token import #2634
  * Fix visibility of token wizard #2632
  * Create policy button is disabled if no scope is selected #1888
  * Re-enable enroll button in case of error during token enrollment #2717
  * Save fractions of seconds in the audit log #2706
  * Fix pi-manage restore #2728


Version 3.5.2, 2021-03-23

  Fixes:
  * Add serial to the request object in /ttype/ endpoint (#2605)
  * Fix missing audit entries missing_line and sig_check (#2627)
  * Fix backup on Ubuntu 20.04 (#2646)
  * Fix missing priority in policy import (#2643)
  * Fix DB migrate URI if it contains char % (#2661)
  * Fix long default POOLING_LOOP_TIMEOUT (#2662)

Version 3.5.1, 2021-01-28

  Fixes:
  * Fix DB migration script for update from prior of 3.3. (#2582)
  * Fix the internal interface of container audit module (#2562)
  * Add missing headers to /auth request (#2599)
  * Fix tokeninfo value filter with Oracle db (#2602)


Version 3.5, 2020-12-22

  Features:
  * 4Eyes token uses multi challenge authentication (#2317)
  * Require attestation certificate when enrolling
    certificate token (#2152)

  Enhancements:
  * Tokens
    * Allow to update firebase_token of a Push Token (#2436)
    * Support WebAuthn tokens without sign_count (#2361)
    * PSKC import now verifies the MAC of the token secrets (#2312)
    * Configure length and contents of registration token via policy (#2284)
    * The questionnaire token can now ask several questions from the list (#2137)
  * Event handler:
    * Choose SMS Gateway Identifier in Tokenhandler
      when enrolling SMS token (#2506)
    * Choose SMTP Identifier in Tokenhandler
      when enrolling Email token (#2452)
    * Increase or decrease failcounter in Tokenhandler (#2402)
    * Allow to set maxfail counter in event handlers (#2541)
  * Policies:
    * Add extended conditions for tokeninfo (#1947)
  * Web UI
    * PIN can be changed with Challlenge Response when authenticating
      at the WebUI (#2474)
    * Hide some audit log columns for service desk users (#2372)
    * Allow to configure a link to a policy statement/GDPR (#2325)
    * Audit log now contains start time, end time and
      duration of a request (#2254)
    * The length of the audit columns to be truncated can be
      configured in pi.cfg (#1756)
    * Action grouping in scope authorization (#2438)
    * Redesign welcome message for community version (#2397)
    * Add usernames and serials of failed authentications
      as shortlink into dashboard (#2475)
    * Policy to add node name in the web UI (#1961)
    * Make event conditions searchable (#2148)
    * Align search layout in event conditions and policy actions (#2557)
  * pi-manage: export resolver configuration (#1329)
  * Documentation:
    * Add note about SELinux and using non-standard ports (#2459)
    * Explain sync_to_database for script handlers (#2450)
    * Add documentation for RADIUS configuration (#2448)

  Fixes:
  * Allow equal signs in policy actions (#2494)
  * Challenge Response is now checked independently on the presence
    of a challenge in the database (#2491)
  * Fix enrollment of two tokens using double click (#2487)
  * Fix wrong (to few) number of authentication requests
    in the dashboard (#2473)
  * Allow setting an empty PIN in the UI (#2472)
  * The dashboard only displays information, which an admin is
    allowed to see, without throwing errors (#2456)
  * Fix length of hashed password column in auth_cache table (#2446)
  * Fix url_decode (#2345)
  * Fix missing adminuser when importing policies (#2340)
  * Hide browser autocomplete in user search field (#2292)
  * Disable browser autocomple fields that clash with
    search fields in the UI (#2401)
  * Fix challenge response with multiple FIDO2 tokens (#2092)


Version 3.4.1, 2020-10-09

  Fixes:
   * Fix the deletion of the registration token (#2356)
   * Add "messages" to JSON response in case of multi challenge
     pin change (2346)
   * Move from PBKDF2 to Argon2 for password hashes. Might want to
     reset local admin passwords to use new hashing algo (#2412)
   * Hide dashboard for normal users (#2384)
   * Fix problem with missing templates in CA conncetor (#2374)
   * Fix missing successful authentications in dashboard (#2394)
   * Improve error handling in token janitor in case of
     problematic user (#2405)
   * remove PI_PEPPER and pyCrypto (#2409)
   * only check for existing JWT algorithms (#2407)
   * Use Argon2 for PINs and local admins (#2413)
   * Fix error when logging in with REMOTE_USER (#2423)
   * Use a secure way to compare strings to avoid
     theoretical side channel attacks (#2415)

Version 3.4, 2020-09-08

  Features:
   * Add ScriptSMSProvider, that can send SMS through external
     Gateways using arbitrary scripts (#2236)
   * Add HTTP Resolver that can read users from web services
     via JSON responses (#2083)
   * Add a basic dashboard as start screen in the WebUI (#2177)
   * Allow using dynamic 3rd party token classes (#2321)
   * Allow multiple consecutive challenge responses for authentication
     or tasks like changing the token PIN (#2361)
   * PUSH token can communicate with privacyIDEA via polling
     as fallback to Google Push Service or Apple Notification Service (#2262)

  Enhancements:
   * Allow deletion of validity period via UI (#2263)
   * Remove marker for missing translations and allow to set a
     custom marker (#2223)
   * Add support for Python 3.8 (#2190)
   * Allow hiding description field for users during
     token enrollment (#2173)
   * Improve error message during token import (#2073)
   * Add Dutch translation (#2314)
   * Allow application to choose tokentypes in
     /validate/check and /validate/triggerchallenge (#2047)
   * HTTPSMSProvider can now have header parameters in the
     provider definition (#1963)
   * Events
     * Add failcounter as condition in event handlers (#2147)
     * The script handler allows to sync the database before
       running the script (#2293 #2302)
     * Allow using user_obj in pre event handlers for
       /auth event. (#2303)
   * Policies
     * Allow to define characters for set_random_pin policy (#2121)
     * Add privacyIDEA nodes to policy condition (#2108)
     * Add new authz policy action is_authorized to basically
       allow or deny access (#2275)
   * Allow ECDSA and other SSH key types (#2274)
   * pi-manage can import tokens including HOTP token counter (#2285)
   * Allow the token janitor to set tokenrealms (#2299)
   * Use our general webauthn client component in the
     privacyIDEA WebUI (#2273)

  Fixes:
   * Add missing audit data to container audit (#2264)
   * Add tokeninfo failsafe for LinOTP migration script (#2253)
   * Fix certain problems with the type of the userid
     in SQL-Resolvers with Oracle DB (#2219)
   * Fix default empty string problems with Oracle DB (#2218)
   * Fix a policy issue that would require admin policies to
     import tokens (#2209)
   * Fix inconsistent enrollment templates. Have description
     field for all tokentypes (#2208)
   * Fix floating problems with multiple QR images in enrollment UI (#2175)
   * Allow to edit realms without resolver priority (#2171)
   * Fix empty (None) values in SQL Resolver connect string (#2271)
   * Fix missing options parameter in RADIUS and REMOTE token (#2276)
   * Use UTC for challenge timestamp (#1586)
   * Fix exceeding max tokens when enabling a disabled token (#2215)
   * split@Sign setting is also applied to REMOTE_USER (#1954)
   * Fix privacyidea-diag and privacyidea-standalone to run with Python 3 (#1874)
   * Fix possible recursion error in 4eyes token (#1892)
   * Improve tests by fixing deprecation warnings (#2298)
   * Clean up the code for /validate/samlcheck
   * Fix censoring of Oracle connect strings (#2304)
   * Treat unsupported WebAuthn attestation as None attestation (#2342)
   * Fix admin/scope in import/export of policies with pi-manage (#2359)
   * Fix url_decode (#2360)
   * Fix token settings for Yubikey in UI enrollment (#2365, #2366)


Version 3.3.3, 2020-05-19

  Fixes:
    * Fix failing Challenge Response in WebUI (#2192)
    * Add better logging for contradciting policy calls
    * Case insensitive user check failsafe in policy matching (#2198)

Version 3.3.2, 2020-05-04

  Fixes:
    * Fix restricted audit log for helpdesk users (#2181)

Version 3.3.1, 2020-04-29

  Fixes:
    * Fix broken U2F support (#2157)
    * Fix creation of PGP keys with pi-maange (#2165)

Version 3.3, 2020-04-06

  Features:
    * New token type: WebAuthn/FIDO2 token is initially supported by privacyIDEA (#1468)
    * New token type: Indexed Secret token allows user
      to authenticate with a pre-known secret that can be
      initialized from the user store. (#1986)
    * New Event Handler Module: Logging module enables custom event-driven logging (#1580)

  Enhancements:
    * Event Handler:
      * The OTP token QR code can now be added not only inline but also as an attachment
        to email notifications (#1226)
    * Policies:
      * Added a policy to define the allowed characters for PINs (#2051)
      * Add policies to limit the number of destinct tokentypes per user (#1375)
      * Improved distinction between the username of the administrator
        and the username of the user. Add an admin username to policies. (#1867)
        Thus allowing:
        * User attribute conditions in admin policies
        * default settings for hashlib and otplen for HOTP and TOTP token
         and default timestep for TOTP token can now be dependent on
         admin user and for which user the admin does the enrollment
        * Enrollment settings for push tokens can distinguish better
         between admin users and user
        * Random PIN settings can be user dependent
    * WebUI
      * Added the option to filter tokens by tokenrealm (#545)
      * Prior to enrollment of soft tokens, such as HOTP, TOTP and PUSH the user is
        offered with a QR codes to direct him to the Authenticator App stores (#1919).
      * Adding version hashes to WebUI components to avoid working with outdated
        templates (#1871)
      * Updated bootstrap and AngularJS (#830)
      * Rework policy matching (#1691 #2024 #2038)
    * Documentation
      * The documentation was restructured and updated (#1967 #1981 #1504 #2049 #2089 #2090).
    * Tools
      * Added a migration script to update the database schema from 2.23.5 to 3.2.2 (#2040)
    * Misc
      * Added the remote serial to the tokeninfo of a remote token to better track
        authenticated devices (#2031)
      * Use dictConfig instead of fileConfig to read configurations (#2059)
      * Support logging configuration file in YAML format (#2080)
      * Support custom audit logger names (#2106)

  Fixes:
    * Fix unauthorized statistics view (#1238)
    * Fix a bug which caused an exception during PSKC key file container import (#1915)
    * Fix link on privacyIDEA logo in the WebUI when no user is logged in (#1944)
    * Updated CA files in testdata which were about to expire (#1960)
    * Fix API endpoints to avoid redirects (#1999)
    * Fix url_decode padding before it could cause any issues (#2000)
    * Initialize rtype in user_object correctly (#2007)
    * Fix an inconsistency of start_tls with postgres SQL (#2025)
    * Fix wrong type splitting of questionnaire token (#2026)
    * Fix a bug which could cause missing audit entries when using the
      ContainerAudit module (#2029)
    * Fix a bug which prevented defining an SQL resolver without a password (#2030)
    * Fix missing "position" argument on event import with pi-manage (#2036)
    * Fix timing issues in tests (#2041)
    * Fix documentation (#2049)
    * Fix sorting token table by column (#2111)

Version 3.2.2, 2020-01-17

  Fixes:
  * Fix Popen calls like with pi-manage backup restore
  * Fix retrieving the correct database for restore (#1993)
  * Fix caconnectorread policy (#1994)

Version 3.2.1, 2019-12-30

  Fixes:
  * Fix the wording and translation of the lost token scenario

Version 3.2, 2019-12-02

  Features:
  * New Event Handler: RequestMangler to modify request attributes (#1810)
  * New Event Handler: ResponseMangler to modify the response data (#1138)
  * New Audit Module to write to a file (#1072)
  * New Container Audit Module to write to several audit modules at once (#1072)
  * Applications can use the API with predefined asymmetric JWT (#1773)

  Enhancements:
  * Authentication:
    * Add endpoint /validate/polltransaction for an improved workflow
      for out-of-band challenges-responses like PUSH token (#1838)
    * Allow registration token to work as challenge/response (#1897)
    * RADIUS token also uses timeout and retries (#1931)
    * Improve the handling of splitAtSign, so that a multi-realm
      setup will be more consistent (#1808)
    * Use authentication and authorization policies also for the
      /auth endpoint (#1722, #1537)
  * Policies and events:
    * Allow HTTP AGENT and any arbitrary HTTP header in extended policy conditions (#1425)
    * Allow HTTP AGENT as condition for event handlers (#1260)
    * Event Handlers can match for the rollout_state (#1801)
    * Add write-to-file action to the notification handler (#717)
    * Allow user endpoints to trigger events (#1822)
  * Management:
    * Allow help desk to trigger a token PIN reset without actually seeing the PIN (#1196)
    * Allow "file:" syntax in email notification handler (#1939)
    * Allow more sophisticated Proxy settings for the OverrideClient settings (#1868)
    * LinOTP migration script to work with LDAP mixed endian notation (#1883)
    * triggerchallenge also writes the serial of the triggered token
      to the audit log (#1862)
    * Allow a dash ("-") in policy names (#1813)
    * The token janitor can return a list of users with tokens (#1705)
    * Restrict OTP length, hash and timestep also in admin policies (#1566)
  * User experience:
    * Clean up event handler view and put handler and
      position in extra columns (#1920)
    * Improve the serial number checking for disallowed characters (#1826)
    * The event handler list can be sorted and filtered (#1818)
    * The policy list can be sorted and filtered (#1817)
    * Show disallowed policy name characters in the UI (#1674)
    * Ask before deleting a hardware token (#954)
  * Performance:
    * Improve performance by reading event handlers only if the
      configuration has changed (#1823)
    * Store statistics data like event counters per node to improve
      HA and replication performance (#1819)
    * Improve performance of the pre-auth event handler (#1686)

  Fixes:
  * Delete entries from database tables, when the parent object
    is deleted (fixed for machineresolverconfig, resolverconfig,
    eventhandleroption) (#1927)
  * Comply to new pyredis parameters for apache auth module (#1925)
  * Fix filename parameter of HostMachineResolver (#1912)
  * Fix JSON content detection for endpoints like /validate/radiuscheck (#1850)
  * Fix integer UID with PostgreSQL databases (#1825)
  * Make the policy creation at the command line with pi-manage more
    consistent (#1807)


Version 3.1.2, 2019-11-15

  Fixes:
  * Fix the missing phone number field for SMS token, when a user
    wants to enroll an SMS token. (#1929)

Version 3.1.1, 2019-09-25

  Fixes:
  * Fix the wrong token_type key in the audit log which caused the tokentype
    to not be contained in the audit (#1846)


Version 3.1, 2019-09-04

  Features:
  * Allow user attributes in policy conditions (#1645)
  * Assign tokens and set old PIN during migration (#1619)
  * Admins can only see tokens within the realm they are allowed to manage (#1713)
    **Note**: During update a policy "pi-update-policy-b9131d0686eb" is added, which
    gives admins the previous read rights on tokens.
  * Add adminread policies for policies, events, resolvers, system, machineresolvers,
    smtpserver, radiusserver, privacyidea server, periodic tasks, smsgateways. (#1495)
    **Note**: During update a policy "pi-update-policy-3d7f8b29cbb1" is added, which
    gives read rights to all admins to provide backward compatibility

  Enhancements:
  * Authentication and Challenge Response:
    * RADIUS token supports a single AccessChallenge with the remote RADIUS server (#1790)
    * Improving Push token performance by reusing still valid access token (#1795)
    * Improving TiQR token: It returns the remaining attemps after a wrong PIN is given (#1777)
    * Improving TiQR token: Make TiQR info URL configurable (#1782)
    * Enhance validate check logic in regards to serials and user names (#1768)
    * User may now have several TiQR tokens at the same time (#1739)
    * Do not increase fail counter when *checking* for an answered challenge (#1697)
    * Allow additional token specific checks when answering challenge response (#1695)
    * Endpoint GET /token/challenges also takes transaction_id (#1689)
    * Push token can delay the response of /validate/check, so that there is no need
      to query the server to check if the push notification has been answered (#1583)
  * User experience:
    * Improve user experience when enrolling Yubikeys via ykpersonalize - Automatically
      removing whitespaces (#1735)
    * Allow user to change the token description (#1717)
    * Customize Web UI page title (#1624, #1243)
    * *search_on_enter* also applies to audit log (#1493)
    * Allow a welcome message in the Web UI if the user has no token (#1074)
    * Do not display token configuration hints in the UI to normal users (#1789)
  * Management:
    * Event handlers allow rollout_state as condition (#1801)
    * Add script to export OTP counters (#1728)
    * Allow many additional tags in email notifications: serial, user, givenname,
      surname, username, userrealm, tokentype, recipient_givenname, recipient_surname,
      time, date (#1703)
    * Improve diagnostics script by adding SQLAlchemy URL (#1667)
    * Add resolver conditions to several policy checks (#1646)
    * /auth entries in the audit log now also fill in resolver and serial (#1593)
    * `pi-manage backup` also backs up the FreeRADIUS configuration (#1575)
    * Allow event handlers on /auth endpoint (#1567)
    * Allow to force a PIN on tokens in the privacyIDEA Authenticator App (#1295)
    * New policy *max_active_tokens_per_user* (#1241)
    * Add image url to the otpauth QR code, allow images in e.g. FreeOTP (#1228)
    * Add MAC to PSKC token export (#1663)
  * Performance:
    * Make the serverpool in LDAP resolver persistant improving redundancy performance (#1396)

  Fixes:
  * Improve the stability of the schema-update-script (#1760)
  * Rearrange update order in migration scripts (#1733)
  * Adapt privacyidea-token-janitor to run with the TokenOwner table (#1709)
  * Reordering decorators and policy checks to avoid unnecessary error messages (#1751)
  * Fix user enrollment for tokens that require certain read rights for RADIUS and
    certificates by adding additional endpoint /system/names/... (#1749, #1748)
  * Use same transaction ID for all user tokens even with a  TiQR token (#1723)
  * Improve challenge response to also check the matching of the transaction ID
    right at the beginning (#1699)
  * Add event API requests to Audit log (#1600)
  * Fix configuring pre-eventhandler with empty condition makes authentication fail (#1658)
  * Improve UI by changing the cursor on all clickable elements (#1725)
  * Web UI: Focus the filter entry field in tables, when the filter is activated (#1661)
  * Fix some broken links in UI (#1610)
  * Fix double listing in policy list (#1132)
  * Remove additional empty line in audit log in case of an error (#1707)
  * Fix enrollment of certificate tokens under Python 3 (#1799)


Version 3.0.2, 2019-06-17

  Fixes:
  * Fix creation of table tokenover and update with PostgreSQL DB
  * Fix user assignment migration with non-ascii characters in userid

Version 3.0.1, 2019-05-23

  Fixes:
  * Fix PUSH token issues:
    * Add logic checking to setup of PUSH token (#1592)
    * Remove double enrollment notification of PUSH token in WebUI (#1598)
    * Fix to allow spaces in Firebase configuration (#1599)
    * Add support for iOS Firebase configuration (#1608)
    * Fix to allow PUSH token enrollment, even with Label-policy (#1589)
    * Fix to mark PUSH token challenge answered in the database (#1584)
  * Fix the validity period of the registration token (#1587)
  * Beautify the vertical alignment in the Web UI top menu (#1559)
  * Fix user cache configuration read - defaults to 0 (#1596)
  * Remove links in audit log for normal users (#1497)
  * Check UI rights for user resolvers (#1496)
  * Fix placeholder in realm dropdown in login dialog (#1498)
  * Fix enckey creation in Python 3 (#1594)
  * Allow the usage if "browserLanguage" in custom templates (#1620)
  * Open all accordions when searching for policy action (#1558)
  * Fix to hide support links also in menu (#1626)

Version 3.0, 2019-04-10

  Features:
  * Add Push Token that receives a Firebase push notification and allows login
    by confirming this notification. Works with privacyIDEA Authenticator. (#1342)
  * Add a queue to offload certain tasks from the original request.
    Allow sending emails via queue. (#1290)
  * Add API to write your own statistics-DB-module to be able to write
    to a time series DB (#1289)
  * The matching policies per request get written to the audit log (#874)
  * Support Python 3 (#676)

  Enhancements:
  * Enhance challenge response text, allows headers and footers and HTML
    in the challenge text (#1384)
  * Event Handlers may now depend on the user and IP address (#1435)
  * Improve documentation about customization (#1377)
  * Allow to use the client IP from X-Forwarded-For for all endpoints (#1399)
  * The otp-counter-condition for event handlers can also match greater
    than and less than (#1383)
  * Allow a token to use another SMS gateway than the default (#1358)
  * The policy "reset_all_user_tokens" will also work with challenge response (#1348)
  * Create more readable temporary token passwords based on base58. (#1325)
  * Allow support button in the UI to point to more sensible locations (#1331)

  Fixes:
  * Update LDAP3 dependency to 2.6 and fixes broken objectGUID (#1526)
  * Allow tokentype endpoints /ttype only for the specific tokentypes (#1528)
  * When logging in to the webui the client IP is only determined by
    X-Forwarded-For if the original (REMOTE_ADDR) is allowed to overwrite the client ip.
    (Side effect of #1392)
  * Remove submodules/authmodules from git repository and from base package (#1516)
  * Allow userid as integer in SQLResolver (#1513)
  * Fix revocation of certificates (#1510)
  * Fix manual resync of TOTP token (#1479)
  * Fix audit log entry if token resync fails (#1416)
  * Fix authcache to actually *write* values to the authcache (#1386)
  * Fix UI language determiniation in IE (#1379)
  * Fix tokenjanitor which sometimes did not delete all matching tokens (#1322)
  * Fix bug in two step enrollment (#1347)
  * Do not pass LDAP service account credentials in GET /resolver (#1271)
  * Redirect to login page in case of missing authorization header (#1326)
  * Respond with 404 if a non-existing object (like deleting event handler)
    is accessed (#817)
  * fix setrealm policy not to fail, if the original user does not exist (#1205)
  * Optimize hidden SQL queries (#1457)
  * Improve installation process and schema migration by initially stamping
    the database (#1489)

  Redesign:
  * Remove flask imports from libs to make code more modular (#331)
  * Making Token-User relation an n:m relation by moving the token assignment
    into its own database table. This will allow to assign several users to
    one token (#1288)
  * Unify password hashing in SQLResolver by using passlib (#1372)
  * Redesign the cryptolayer and replace pycrypto with cryptography (#1340)
  * Remove the old statistics, that were based on the audit log in favour
    of the generic event handler based statistics (#1314)
  * Deterministic installation with pinned dependencies on all distributions (#1127)


Version 2.23.5, 2019-03-04

  Fixes:
  * Fix authcache
  * Fix correct syncwindow for manually resyncing TOTP tokens


Version 2.23.4, 2019-02-06

  Fixes:
  * Make triggerchallenge HTTP response consistent
  * Add tokentype and message to response of triggerchallenges
  * Allow concurrent challenges
  * Fix accepted-language to support _only_ de-DE.
  * Avoid user resolving in event handler condition
  * Point the support button to better landing pages

Version 2.23.3, 2018-10-26

  Fixes:
  * Performance: avoid using wildcard serials in functions like
    get_tokens, get_realms_of_token and copy_token
  * Performance: avoid reload of static configuration
  * Performance: Clean up LDAP cache, so that it will not grow to big and
    further LDAP cache usage optimization (#1246)
  * Performance: Make signing the audit log configurable (#1262)
  * Performance: Make the auth counter per token configurable (#1262)
  * Performance: Fix HSM auto recovery after an HSM failure and make
    MAX_RETRIES configurable (#1278)
  * Fix the double get requests of challenges in the UI
  * Auditlog now honors the admin realm in the policies (#1244)
  * Fix description of realm dropdown policy (#1245)
  * Allow token janitor to use chunk sizes
  * Allow Audit rotation to be performed in chunks to avoid deadlocks.
  * Improve documentation about required and optional parameters in
    the SQL Audit module.
  * Cast userid to string to avoid casts problems with PostgreSQL
  * Update pyopenssl dependency.

Version 2.23.2, 2018-09-07

  Fixes:
  * Fix problem with empty username (#1227)

Version 2.23.1, 2018-09-06

  Fixes:
  * Fix PassOnNoUser in combination with event handler (#1206)
  * Fix loading of Event handler detail view (#1210)
  * Fix Challenge-Response login at Web UI (#1216)
  * Fix triggerchallenge to only use active tokens (#1217)
  * Write all installed package to diagnostics file and
    also write the resolver config in privacyidea-diag

Version 2.23, 2018-08-29

  Features:
  * Add periodic tasks including a privacyidea-cron script. (#992)
  * Add task module "Simple Stats" to generate time series of certain
    important statistics values in privacyIDEA (#1105)
  * Add task module "Event Counter" that allows to create time series of
    any arbitrary event. (#1029)
  * New token type: TAN list, that can also import a prefefined
    list of TANs (#1057)
  * Add Event Handler Pre-Handling, that e.g. allows for
    even more easy token enrollment concepts (#747)

  Enhancements:
  * Improve performance by adding SQL pooling for SQL Audit
    and SQL Resolvers. (#1167, #1140)
  * Improve SQL Resolver to also verify bcrypt-hash passwords (#1172)
  * Allow multiple WHERE conditions in SQL Resolver (#1039)
  * Allow objectGUID as loginname in LDAP resolver for better
    ownCloud support (#1076)
  * Add command in pi-manage to dump audit log information (#1120)
  * Add script to allow generation of AES keys on HSM (#1159)
  * Improve recovery mechanism from a lost HSM connection (#1069)
  * Improve Debug Logging to hide passwords in SQL connect strings (#1162)
  * Add script for easy privacyIDEA standalone setup (#1093)
  * ldap3, pyasn1, croniter updated in Ubuntu Launchpad repo (#1085)
  * Add a script that easily gathers support and diagnostic information (#829)
  * Add event handler management to pi-manage (#1119)
  * Allow to customize the challenge text for challenge response tokens (#1096)
  * Add user information to OATH CSV token import file (#998)
  * Improve migration scripts from LinOTP to also update counter values (#1075)
  * Add priority to policies to avoid contradicting policies (#1031)
  * The token event handler now can delete tokeninfo (#988)
  * Make the import of OATH CSV token specific, so that each
    tokentype can define its own import strategy (#1066)
  * The Event Counter module now allows to decrease the counter (#991)
  * Allow time deltas to also contain seconds (#1033)

  Fixes:
  * Allow to use unicode passwords with non-ascii characters for the
    connect string in SQL Resolvers (#1181)
  * Fix problem that a wrong password hash was used, if user is created
    in SQL Resolver (#1114)
  * Fix performance issue with slow token listing (#1123)
  * Fix the QR code regeneration if the user already has the maximum number
    of allowed tokens (#1153)
  * Fix problem with privacyidea-pip-update in case of pip version 10 (#1128)
  * Fix problem if max_token_per_user was higher than 9 (#1117)
  * Fix hash algorithm in QR Code (#1088)
  * Set focus in username field in the login dialog (#205)
  * Fix disappearing scrollbar issue (#1020)
  * Fix import of SHA256 tokens (#1061)
  * Convert string values to unicode in the database model to
    avoid misleading "error" messages (#1000)
  * Fix truncation of audit log in case of authentication failure (#1034)
  * Shorten audit information to fit into the database column (#1037)
  * Fix the RADIUS configuration test (#1042)


Version 2.22.1, 2018-04-20

  Fixes in WebUI:
  * Allow to display the messages of several C/R tokens (#995, #1004)
  * Use ng-if instead of ng-show to avoid errors in the javascript console (#963)
  * Remove reference to not-used system.addons.js to avoid errors in the javascript console
  * Remove reference to not-used system.addons.html to avoid errors in the javascript console
  * Use ng-src instead of src to avoid errors in the javascript console
  * Avoid request to /false is image is not existing - avoid error in the javascript console
  * Fix handling of U2F token in the WebUI login
  * Require serial number in the assignment form (#1011)
  * Fix PIN comparison in token enroll and token assign (#1010)
  * Fix the empty username in token enroll or assign (#918)

  Fixes in Server:
  * Add check for serial number present (#1011)
  * Fix validation of OCRA and TiQR token (#1008)
  * Add retry to cope with HSM issues (#1003)
  * Fix unicode in resolverconf database table with Oracle (#999)


Version 2.22, 2018-03-27

  Features:
  * Add automatic offline refill for Offline OTP tokens (#839)
  * Return realm and resolver of the user and allow mapping
    group membership to the RADIUS protocol (#896)
  * Add new tokenkind (hardware, software, virtual) for all tokens (#828)
  * Support Vasco tokens via Import and via Web Enrollment (#904, #903, #891)
  * Add arbitrary tokeninfo field to authorization policy (#873)
  * New SMPP SMS provider (#878)
  * New event handler Counter for counting events for statistics and monitoring (#951)

  Enhancements:
  * Enhance the statistics possibilities in WebUI (#950)
  * Allow reencryption of the database by importing PSKC to
    a new database (#940)
  * Allow token janitor to export "PW" token type to PSKC (#942)
  * Also export and import the counter values of HOTP/TOTP to PSKC (#943)
  * SMS token can dynamically read phone number from user source (#932)
  * Email token can dynamically read email address from user source (#932)
  * Add policy to ignore the validity of a U2F attestation certificate (#926)
  * Improve the speed of the LinOTP migration script to cope with tens of
    thousands of tokens (#914)
  * pi-manage can create API tokens with a chosen validity time (#931)
  * Allow user to set token description for HOTP and TOTP tokens
    during enrollment (#928) (Thanks to Taylor Chase for this contribution!)
  * Add timeout to SMTP server configuration (#919)
  * Allow complex email templates for email tokens (#684)
  * LDAP resolver now supports arbitrary multivalue attributes (#881)
  * Allow Event Handler to match failing authentication (#971)

  Fixes:
  * Several fixes in LDAP resolver to cope with ldap3/pyasn1 version issues and
    other issues (#911, #980, #982, #887)
  * Skip misguiding LDAP error "AttributeError NonType" in log file (#948)
  * Add missing validity time in /validate/check response for email tokens (#946)
    (Thanks to Kleber Rocha/klinux for this contribution!)
  * Fix the handling of the SMS expiration date (#937)
  * Fix serial length in the audit table to match the serial length in the token table (#929)
    (Thanks to Salvo Rapisarda for this contribution!)
  * Fix Mail content sent by email token is rendered as attachment (#915)
  * Fix Editing SMTP Server definition clears the password (#923)
  * Fix pi-manage backup crash (Thanks to Pavol Ipoth for this contribution!)


Version 2.21.4, 2018-01-24

  Fixes:
  * HTTP Timeout of HTTP SMS Gateway (#889)
  * Remove console.log from webui


Version 2.21.1, 2018-01-09

  Fixes:
  * Allow to use TLS1.1 and TLS1.2 for LDAP Resolver (#876)

Version 2.21, 2017-12-20

  Features:

   * Allow export of tokens to PKSC file (#790)
   * Implement two-step enrollment of HOTP/TOTP tokens (#797, #863, #865, #866)
   * Allow WebUI customization via policies (#795)

  Enhancements:

   * Add script to decrypt safeword tokens
   * Allow using tags in the tokenissuer of smartphone tokens
   * Try to re-establish lost HSM connections (#787)
   * Allow to rotate audit log based on multiple conditions (#780, #833)
   * Add dry-run option to audit log rotation (#801)
   * Allow dots in realm names (#808)
   * Mark empty but required fields in WebUI (#810)
   * Display success information after PIN is set (#822)
   * Add further tags to the user notification event handler (#824)
   * Add number of users to the subscription view (#800)
   * Add HTTP/HTTPS proxy settings to HTTP SMS Provider (#835)
   * Federation Handler allows to forward the authorization token (#838)
   * Use token janitor to export a user list (#852)
   * Use HSM for random key generation if possible (#783)
   * HTTP SMS Provider now takes TIMEOUT parameter into account
   * Allow to configure length of generated serial numbers (#583)

  Fixes:

   * Fix handling of only_realm option in token event handler (#809)
   * Fix scrollbar issues in WebUI (#806, #823)
   * Fix OTP counter of offline token (#840)
   * Fix conflicts between check_tokentype and passthru policies (#846)
   * Properly reset tab tile after session has been locked (#850)
   * Fix handling of fixed key size during enrollment (#820)
   * Make sure that only active policies are honored (#825)
   * Fix various bugs with non-ASCII data (#754)
   * Fix failcounter_clear_timeout (#831)
   * Only remove apache host definitions on first installation (#834)

Version 2.20.1, 2017-10-30

  Fixes:
   * /token/init allows to pass otpkey AND genkey=false (#793)
   * Cast date to string, to fix audit search for postgresql (#786)
   * Optimize the LDAP Resolver Redundancy to avoid LdapServerPoolExhaustedErrors (#802)
   * Preset default realm in token enrollment (#804)
   * Fix PassOnNoUser and PassOnNoToken (#798)
   * Fix genkey=0 error during token enrollment (#793)

Version 2.20, 2017-09-27

  Features:

   * New Token-Type OCRA and DisplayTAN to support
     transaction signing for online banking (#767)
   * Federation Handler allows to forward authentication
     requests and other REST API requests to a child
     privacyIDEA system (#711)
   * Improved Subscription Handling
   * Allow to login with multiple loginnames (#713)
   * Authentication Cache policy (#729)

  Enhancements:

   * !!!NOTE!!! following policies now also honor the resolvers,
    which they did not previously:
    (AUTH, challenge_response), (AUTH, otppin),
    (AUTHZ, auth_max_success), (AUTHZ, auth_max_fail),
    (AUTHZ, last_auth), (WEBUI, login_mode),
    (ENROLL,losttoken_pw_contents), (ENROLL,losttoken_validity),
    (ENROLL, losttoken_pw_len) (#736)
   * User can regenerate the QR Code during enrollment
     of smartphone app (#766)
   * Administrator can define remote privacyIDEA servers
     centrally (#711)
   * Events can now be ordered. This is important for the
     federation handling (#711)
   * Specify the hash algorithm that is used to save
     SQL users passwords (#745)
   * Add welcome dialog for administrator (#716)
   * Allow creating oracle DB (#752)
   * Event Handler can use timestamps and time offsets in
     conditions (#741)
   * Use challenge/response token to unlock the screen of
     the web UI (#702)
   * Support multiple challenge/response token at the same
     time (#722)
   * GPG keys are generated during package installation and
     show the GPG key in the import dialog (#742)
   * Failcounter clearing timeout in UI (#719)
   * Allow to send challenge data (like banking transaction) in
     email text and SMS text.

  Fixes:

   * Set default loglevel from DEBUG to INFO (#765)
   * Fixed PIN logging, which could lead to exceptions
   * Fixed unicode handling in log messages
   * Make LDAP Resolver work with utf8 (#738)
   * User can only choose hash algo according to policy (#723)
   * Add time period 30/60s to rollout URI (#744)
   * Fix deprecation warning for flask_migrate (#734)
   * Allow multiple tries for challenge/response (#708)
   * Fix problem with certificate serial number (#737)


Version 2.19.1, 2017-07-02

  Enhancements:

  * Add "pi-manage policy load" and "pi-manage policy export". (#721)
  * Allow customization via pi.cfg file.
  * Add {username} and {realm} as tags for the tokenhandler. (#735)

 Fixes:

  * Fix pi-manage file permission for backup
  * Fix search for resolver in audit log
  * Allow to read old legacy time from validity period
  * Fix wrong enddate with lost_token
  * Fix typos
  * Improve documentation for yubikey
  * Improve documentation for cache decorator
  * Improve documentation for webui policy


Version 2.19, 2017-05-25

  Features:
  * Add generic User Cache to speed up authentication (#670, #683)
  * Support multiple challenge-response tokens with the same PIN (#654)
  * Restrict U2F registration based on assertion certificte (#648)
  * Restrict authentication with U2F devices based on assertion
    certificate (#648)
  * Add privacyidea-token-janitor script, that can clean orphaned or
    expired tokens (#692)
  * Add API for mutual key generation during enrollment for easy
    Smartphone App development by introducing a generic
    2-step-rollout process (#627)
  * Add /validate/radiuscheck which works with rlm_rest and only uses
    HTTP return codes. (#703)

  Enhancements:

  * Allow to unset token validity period and other tokeninfo
    fields (#691)
  * Add a quick-resolver test for LDAP resolvers (#688)
  * Add additional tokeninfo tags {client_ip}, {ua_browser},
    {ua_string} in token handler (#687)
  * Allow to set decription of U2F tokens during enrollment (#685)
  * Reduce the number of LDAP requests to increase authentication
    performance (#664, #655, #650)
  * Realm administrator is only allowed to see actions on this allowed
    user realms (#663)
  * Add audit rotation to pi-manage (#657)
  * Speed up Audit Log calls by adding a second index (#656)
  * Allow to either lock und logout the UI after timeout (#653)
  * Allow string format {user}, {realm}, {serial}, {surname} in
    tokenlabel policy (#646)
  * Move to a consistent time format for validity period and all other
    user specific times also containing the timezone (#644)
  * Add TLS certificate check to LDAP machine resolver (#638)
  * Make TLS certificate the default option in LDAP resolvers (#639)
  * Allow to use privacyIDEA ownCloud App without subscription
    file with up to 50 users.

  Fixes:
  * Fix the datepicker for the token validity period (#644 / #693)
  * Fix LDAP resolver to respect all boolean configuration
    options (#658)
  * Fix serial number in challenge response validation response (#649)

  Commits added in version 2.19 by:
  (In the order of appearance)
  * Cornelius Kölbel
  * Quynh Nguyen
  * Friedrich Weber
  * Quoc Doan
  * blinkiz
  * Bernd Nicklas

Version 2.18, 2017-03-09

  Features:
  * Allow to disable the WebUI (#605)
  * The WebUI will lock the screen after a timeout instead of
    logging out the user. This allows to easily continue
    configuration work. (#621)
  * Improve the creation and handling of local CAs (#630, #632, #633)
    Allow certificate template for certificates with different runtime
    and x509v3 extensions.

  Enhancements
  Enhancements in Policies:
  * Allow regular expressions in usernames in policies. (#581)
  * Improve Policy creation with pi-manage from JSON formatted file.
  * WebUI: Add action grouping in policies.
  * WebUI: Add action filter in policy view.
  * Allow token specific PIN policies: The SPASS token can now
    have dedicated PIN policies.
  * Add PIN policies for administrators during enrollment and
    during assignment.
  * Add WebUI policy: only search on enter being pressed (#617)

  Enhancements in Event Handlers:
  * Add token_validity_period condition to event handlers. (#618)
  * Add additional options in token handler when creating
    SMS, Email or mOTP tokens.
  * Allow tokenhandler to set tokeninfo field.
  * Allow tokenhandler to set syncwindow.
  * Add event handler condition for count_auth_success and
    cound_auth_fail
  * Add event handler condition for last_auth.
  * Improve Audit Log for Event Handler. Each triggered action
    will now also create an audit entry. (#609)
  * Allow the use of {current_time} in tokenevent handler. (#628)

  Enhancements in LDAP Resolver:
  * Upgrade dependency to ldap3 version >=2.1.1 to improve LDAP
    performance in regards to redundancy and security
  * LDAP Resolver: Use get_info in bind requests to avoid querying
    of subschema. (#585)
  * LDAP Resolver: Support StartTLS over Port 389.
  * Simplify LDAP Resolver: Remove username from Attribute Mapping.
  * Simplefy LDAP Resolver: Remove reverse filter.

  Misc Enhancements:
  * Automatically add user's mobile number if tokentype is SMS.
  * Add example configuration for GTX messaging SMS gateway.
  * Add a script "privacyidea-get-unused-tokens" to find
    unused tokens
  * WebUI: Add a busy indicator spinner.
  * Improve the pi-manage script in regards to backup and restore.
    Let you choose whether to backup encryption key or not.
    Better handling for individual pathes. (#626, #623)

  Fixes:
  * LDAP Resolver: Verify SSL Certificate (Security)
  * LDAP Resolver: Allow special characters in NTLM password
  * LDAP Resolver: Allow searching for users with German umlaut
  * Remove the "unsafe" notation in the QR-Code link, so that
    a smartphone may import the key during HOTP/TOTP token enrollment
    by clicking the link. (#620)
  * Use defusexml to avoid XML bombs on token import (Security)
  * Replace eval with ast.literal_evel (Security)
  * Add missing attributes for U2F tokens in
    validate/triggerchallenge API
  * Let /validate/triggerchallenge write to audit log.
  * Fix mangle policy for users and realms
  * Avoid logging of password in check_user_pass in debug level
    (level=10)
  * Set encrypted PIN on enrollment for certificate tokens (#625)
  * Remove unused policy action "motp_webprovision"
  * Allow emailtext policy in triggerchallenge API (#642)


Version 2.17, 2016-12-29

  Features
  * Token Handler. Using the token handler the administrator
    can defined actions in response to events, to modify tokens
    like deleting, modifying, initilizing... tokens (#532)
  * Script Event Handler or Shell Event Handler allows to
    trigger an external shell script, if some event occurs. (#536)
  * Add additional endpoint to trigger a challenge response
    like the sending of an SMS, if the token PIN is not
    available (#531)
  * Policy Handling to also check for secondary resolvers of
    a user. This way a user can authenticate with his primary
    resolver but policy will also work for secondary resolvers (#543)

  Enhancements
  * The event handler conditions also determine a serial number
    even if there is no serial number in the request:
    If the user from the request only has one token assigned. (#571)
  * Allow event definitions to be disabled (#537)
  * Allow event to be addressed by a destinct name (#522)
  * Improving LDAP performance by addressing different functionality
    of ldap3 version 1.x and 2.x. (#549)
  * Improve SQL Audit by adding the SQL Audit table to the schema.
    Table is not created during HTTP request. (#557)
  * Limit audit log entry age. Users may only view audit
    log entries up to a certain age. (#541)
  * Add checkbox to only display used actions in a policy (#573)
  * In event handler: Use serial number of a user's token if the
    user has only one token (#571)
  * Download a filtered audit log (#539)

  Fixes
  * Add missing token serial number to audit log if token is
    deletes (#546)
  * Fix event handler saving (#551)
  * HttpSMSProvider accepts status codes 201 and 202 in addition
    to 200 (#562)
  * Fix checkbox bug in NOREFERRALS of LDAP resolver (#563)
  * Add documentation for SMS provider (#566)
  * Remove 301 redirects from WebUI (#576)


Version 2.16, 2016-11-10

  Featurs
  * Add HSM support via AES keys (#534)
  * Improved Event Handler for flexible notification (#511)
  * Signed subscription files for adding and checking
    for extra functionality during authentication request (#502)

  Enhancements
  * Allow additional filter attributes in the Audit Log (#519)
  * Show or hide realms in the login dialog via policy (#517)
  * Improve UI if admin is not allowed for certain actions (#516, #512)
  * Disable OTP PIN during enrollment via policy (#439)
  * Allow automatic sending of registration code via email (#514)

  Fixes
  * Allow compatibility with ldap3 >= 2.0.7 (#533 #535)
  * Fix problem with Notification when no tokenowner is available (#528)
  * Fix confusion of client HTTP parameters (#529)
  * Fix enabled flag with certain database types (#527)
  * Catch error in case of faulty overrideClient definition (#526)
  * Truncate Audit lines, that are too long for the DB table (#525)


Version 2.15, 2016-10-06

  Features
  * Client Overview. Display the type of the requesting
    authenticating clients (#489)
  * Support for NitroKey OTP mode (admin client)

  Enhancements
  * Performance enhancements using Caching singletons for
    Config, Realm, Resolver and Policies
  * Allow configuration of the registration email text (#494)
  * Return SAML attributes only in case of successful
    authentication (#500)
  * Policy "reset_all_user_tokens" allow to reset all
    failcounters on successful authentication (#471)
  * Client rewrite mapping also checks for
    X-Forwarded-For (#395, #495)

  Fixes
  * Fixing RemoteUser fails to display WebUI (#499)
  * String comparison in HOSTS resolver (#484)


Version 2.14, 2016-08-17

  Features
  * Import PGP encrypted seed files
  * Allow UserNotification for user actions
  * Allow UserNotification on validate/check events,
    to notify the user on a failed authentication or
    a locked token.

  Enhancements
  * Add thread ID in REST API Response
  * Performance improvement: Cache LDAP Requests #473
  * Performance improvement: Optimize resolver iteration #474
  * Add "Check OTP only" in WebUI
  * Improve "get serial by OTP" in WebUI
  * Add script to get serial by OTP

  Fixes
  * Restrict GET /user for corresponding admins #460


Version 2.13, 2016-06-30

  Features
  * Allow central definition of SMS gateways
    to be used with tokens. #392
  * User SMS for User Notificaton Event Handler. #435
  * Add PIN change setting for each token. #429
  * Force PIN change in web UI. #432

  Enhancements
  * Performence enhancements
    * speed up loading of audit log in web UI.
    * avoid double loadin of tokens and audit entries in web UI. #436
  * Additional log level (enhanced Debug) to even log passwords in
    debug mode.
  * Add new logo. #430
  * Add quick actions in the token list: reset failcounter,
    toggle active. #426
  * REST API returns OTP length on successful authentication. #407
  * Add intelligent OverrideAuthorizationClient system setting,
    that allows defined proxies to reset the client IP. #395

  Fixes
  * Display token count in web UI. #437
  * Use correct default_tokentype in token enrollment. #427
  * Fix HOTP resync problems. #412



Version 2.12, 2016-05-24

  Features
  * Event Handler Framework #360
  * local CA connector can enroll certificates
    for users. Users can download PKCS12 file. #383
  * Add and edit users in LDAP resolvers #372
  * Hardware Security Module support via PKCS11
  * Time dependent policies #358

  Enhancements
  * Policy for web UI enrollment wizard #402
  * Realm dropdown box at login screen #400
  * Apply user policy settings #390
  * Improve QR Code for TOTP token enrollment #384
  * Add documentation for enrollment wizard #381
  * Improve pi-manage backup to use pymysql #375
  * Use X-Forwarded-For HTTP header as client IP #356
  * Add meta-package privacyidea-mysql #376

  Fixes
  * Adduser honors resolver setting in policy #403
  * Add documentation for SPASS token #399
  * Hide enrollment link (WebUI) is user can not enroll #398
  * Fix getSerial for TOTP tokens #393
  * Fix system config checkboxes #378
  * Allow a realm to be remove from a token #363
  * Improve the date handling in emails #352
  * Sending test emails #350
  * Authentication with active token not possible if
    the user has a disabled token #339


Version 2.11, 2016-03-29

  Features
  * RADIUS Servers: Allow central definition of RADIUS servers
  * RADIUS passthru policy: Authentication requests for users
    with no tokens can be forwarded to a specified RADIUS server

  Enhancements
  * Allow objectGUID in LDAP-Resolver of Active Directory
  * Use paged searches in LDAP. LDAP resolver will find all
    users in the LDAP directory.
  * Allow privacyIDEA instance name to be configured for
    the AUDIT log
  * Allow special characters in LDAP loginnames and passwords
  * Add arbitrary attributes to SAML Authentication response
  * Enhance the handling of YUBICO mode yubikeys with the
    YUBICO API. The prefix is handled correctly.
  * Allow in get_tokens to be filtered for tokeninfo.
  * Add paged search in LDAP resolver. This allows responses
    with more than 1000 objects.

  Fixes
  * Fix SMTP authentication
  * Fix Enrollment Wizard for non-default realm users
  * Registration process: If an email can not be delivered,
    the token is deleted, since it can not be used.


Version 2.10, 2016-02-11

  Features
  * User Registration: A user may register himself and thus create
    his new user account.
  * Password Reset: Using a recovery token a user may issue a
    password reset without bothering the administrator or the
    help desk.
  * Enrollment Wizard for easy user token enrollment
  * SMTP Servers: Define several system wide SMTP settings and use
    these for
    * Email token,
    * SMTP SMS Provider,
    * registration process,
    * or password reset.

  Enhancements
  * Ease the Smartphone App (Google Authenticator) rollout.
    Hide otplen, hash, timestep in the UI if a policy is defined.
  * Add import of Aladdin/SafeNet XML file.
  * Add import of password encrypted PSKC files.
  * Add import of key encrypted PSKC files.

  Fixes
  * Support LDAP passwords with special non-ascii characters.
  * Support LDAP BIND with special non-ascii characters.
  * Fix problem with encrypted encryption key.
  * Fix upgrading DB Schema for postgresql+psycopg2.
  * Fix UI displaying of saved SMS Provider.
  * Do not start challenge response with a locked/disabled token.

Version 2.9, 2015-12-21

  Features
  * New token type: Security questions or questionnaire token.
  * New token type: Paper token. OTP values printed on a piece of paper.
  * Yubico Validation API: The yubikey tokens can authenticate via
    /ttype/yubikey which follows the Yubico Validation Protocol.

  Enhancements
  * Add Web UI view to display the active challenges.
  * The issuer for the Google Authenticator app can be configured.
  * The LDAP machine resolver uses an LDAP server pool.
  * The LDAP user resolver returns a list of mobile numbers.

  Fixes
  * The test email for the email token now has a sent date.
  * Fix problem when using encrypted encryption key.
  * Fix upper case problem when logging in to web UI
    with REMOTE_USER.
  * Fix allow set an empty PIN in the web UI.
  * Fix import of token file in Web UI.

Version 2.8, 2015-11-26

  Features
  * Improve U2F support with trusted facets
  * Add Challenge Response and U2F support to SAML
  * Add Web UI theming
  * Add possibility to use REMOTE_USER for authentication at Web UI
  * Fuzzy Authentication: restrict time since last authentication

  Enhancements
  * Allow mangle policy when fetching ssh keys
  * Add realm support to ownCloud plugin
  * Support Drupal passwords in SQL resolver
  * Add validity period to token enrollment
  * Set default enrollment token type in Web UI
  * Add scope to LDAP resolver

  Fixes
  * Fix failcounter reset for challenge response tokens
  * Fix confusing DB errors (column exist) during installation
  * Fix email token TLS checkbox saving
  * Fix TOTP testing in Web UI
  * Fix SMS config loading in Web UI


Version 2.7, 2015-10-03

  Features
  * Add support for U2F tokens
  * Add signature to the API JSON response. Thus
    the client can verify the response.

  Enhancements
  * When importing tokens, a realm can be chosen, so that all imported
    tokens are immediately inserted into this realm.
  * The user is able to change his password in the WebUI.
  * The user can assign a token in the WebUI.
  * Avoid the requiring of a PIN for some tokentypes like SSH
  * Migrate to pymysql, the pure python mysql implementation
  * The Audit Log tells if a previous OTP value was used again.

  Fixes
  * Enable login to WebUI with a loginname containing an @ sign.
  * Fix the writing of logfile privacyidea.log

Version 2.6, 2015-09-09

  Features
  * Add OCRA base TiQR token to authenticate by scanning
    a QR code.
  * Add Challenge Response authentication to Web UI
  * Add 4-Eyes token, to enable two man policy. Two tokens
    of two users are needed to authenticate.
  * "Revoke Token" lets you perform special action on token types.
    Tokens can be revoke, meaning they are blocked an can not
    be unblocked anymore.

  Enhancements
  * Add HA information in the documentation.
  * Add OpenVPN documentation.
  * Add challenge response policy, to define if e.g. HOTP or TOTP are
    allowed to be used in challenge response mode.
  * Add hotkeys for easier use of Web Ui.
  * Remove wrong system wide PassOnNoUser and PassOnNoToken.
  * Set default language to "en" in Web UI.

  Fixes
  * Fix LDAP bug #179, which allows authentication with
    wrong password under certain conditions
  * Small fixes in coverage tests
  * Fix username in web UI during enrollment
  * Fix link to privacyIDEA logo in Web UI
  * Fixed bug, that user was not able to resync his own tokens.


Version 2.5, 2015-07-23
  Features
  * Add statistics
  * Add German translation
  * Add PinHandler in case of random PIN used
  * Add automatic documentation of system setup
  * Add ownCloud plugin

  Enhancements
  * Preset Email and SMS of a user when enrolling token
  * Enable LDAP anonymous bind
  * Add Hashalgorithms and digits to QR Code
  * Add support for CentOS 6 and 7

  Fixes
  * Fix registration token
  * Fix mOTP reuse problem

Version 2.4, 2015-06-24

  * Add User Management
  * Add Admin Realms to policies, to allow better policies in bigger setups
  * Add API key, that can be used for accessing /validate/check
  * Load PSKC Token seed files.
  * Add more sophisticated logging. Severe errors via Email
  * WebUI: Registrtion token can be enrolled in WebUI
  * WebUI: The token seed can be displayed in WebUI after generation
  * WebUI: Only the token types that are allowed to be enrolled are displayed
  * WebUI: Login_Mode Policy: Disable access to WebUI for certain users
  * WebUI: Add reload button in Audit view
  * SQLResolver: The Where statement is used in all cases
  * SSH-Token Application: Only fetch keys of the requested user
  * Apache client can work with several hosts on one machine
  * Documentation: Tokentypes and Supported Hardware Tokens
  * Improve RADIUS module
  * WebUI: Fix download of audit log
  * Fix missing access right of user to GET /caconnector


Version 2.3, 2015-05-22

  * Add connector to remote Certificate Authority
  * Add Tokentype "certificate" to manage certificates for users
    Certificates or Certificate Requests can be uploaded.
    Certificate Requests (Keypair) can be generated in the browser.
  * Add Tokentype "registration" for easier enrollment scenarios.
  * Add TokenType "Email" to send OTP via Email.
  * Add "First Steps" to online documentation
  * Add handling of validity period of token
  * Enable download of Audit log as CSV
  * Add Resolver Priority, to handle a duplicate user in a realm
  * Add TYPO3 Plugin to enable OTP with TYPO3
  * Add SCIM Resolver to fetch users from SCIM services
  * Fix Failcounter issue
  * Fix NTLM password check
  * Fix timestep during enrollment

Version 2.2, 2015-04-09

  * pi-manage.py: create resolvers and realms
  * pi-manage.py: manage policies
  * Add LostToken UI
  * Add Offline Application
  * Add PAM authentication module with offline support
  * Add getSerialByOTP. You can determine the Token by providing an OTP value.
  * Add auth_count_max and auth_success_max for each token.
  * Add PIN encryption policy
  * Add API for SAML
  * Add bash script for ssh key fetching
  * Make WebUI logout time configurable via webui policy.
  * Add NTLM authentication to the LDAP resolver.


Version 2.1, 2015-03-10

  * Add Machine-Application framework to support LUKS and SSH
    to manage SSH keys and provide Yubikeys to boot LUKS
    encrypted machines. #100, #10
  * Add Machine Resolvers for hosts and LDAP/AD #96
  * Migrate more policies like SMS policies. #95
  * Restructure WebUI code to ease development #97
  * Fix logout problem of user #92
  * Fix user list for AD (referrals) #99
  * Fix max_token_per_user policy #101


Version 2.0, 2015-02-21

  * Migrate privacyIDEA to Flask Web framework
  * The WebUI was migrated to bootstrap and angularJS
  * The database model was restructered to allow an easier handling and
    programming
  * Use the pi-manage.py tool to migrate old data
  * provide ubuntu packages for privacyidea base package and
    privacyidea-apache2 and privacyidea-nginx
  * provide pi-manage.py tool to manage the installation and create new admins.
  * policies are restructered. Internally the policies now use decorators to
    have a minimum code impact. No all policies are migrated, yet.
  * OCRA token and Email token is not migrated, yet.


Version 1.5.1, 2015-01-12

  * Fix splitting the @-sign to allow users like user@email.com@realm1


Version 1.5, 2014-12-25

  * Fix the postinstall script for not broken repoze.who
  * adapt the dependency for python webob
  * add fix for users in policies.
  * Working on #61
  * Closing #63, allow upper and lower case DN in LDAP resolver
  * Fix the empty result audit search problem
  * Fix the port problem with SQL resolver


Version 1.4, 2014-10-06

  * Add "wrong password" message on login screen
  * Add simplesamlphp module and deb package
  * Add helper dialog to easily setup first realm
  * Add QR enrollment of mOTP token (Token2)
  * Add admin/checkserial policy
  * Add help on logon screen
  * Fixed the session timeout bug in the management UI


Version 1.3.2, 2014-09-22

 * Add uwsgi and nginx configuration
 * Add nginx package
 * Add meta packages to easily install radius dependencies. (#33)
 * Add package for appliance
 * Add appliance style: privacyidea-setup-tui
 * Add privacyidea-otrs and remove the authmodules from the
   core package
 * Add first implementation of Token2 token type
 * Change depend in builddepend
 * Add missing SSL certificate
 * Add missing python-dialog dependency
 * Remove pylons download link, that caused timeout problems.

Version 1.3, 2014-08-18

 * add support for Daplug dongle in keyboard mode
 * Allow login with admin@realm, even with RealmBox.  (#26)
 * inactive tokens will not work with the machine-app
 * Added MachineUser database model
 * PEP8 beautify
 * Add about dialog
 * added recommends for mysql and salt

Version 1.2, 2014-07-15

 * added application for machines like LUKS and SSH
 * send SMS via sipgate
 * add RADIUS support
 * SQL audit janitor
 * improved SMS provider UI
 * added possibility to do basic authentication instead of session auth.

Version 1.1, 2014-06-25

 * Added documentation and in-UI-context-help.:q
 * Fixed the token config to be filled with sensible data, so
   that you do not need to configure ALL token types.
 * Added script to clean up old audit logs.