Release Date: April 2020
Operating system requirements
EZproxy v7.0 is supported under two different operating systems:
The supported versions of these operating systems along with their minimum hardware requirements can be found at Requirements.
Reminder: Ending support for proxy by port due to incompatibility with many websites
OCLC will end support for EZproxy’s proxy by port option on 30 September 2020, due to its incompatibility with many popular e-resource websites. If you are currently running proxy by port, you may continue to do so for the time being. After 30 September 2020, you will need to enable Proxy by Hostname in order to receive support from OCLC. Proxy by hostname will help ensure seamless access for your library’s e-resource subscriptions. For more information, please see migrating to Proxy by Hostname or contact OCLC Support.
Hosted EZproxy customers need not take any action. Stand-alone EZproxy customers will need to migrate to Proxy by Hostname prior to 30 September 2020 in order to assure continued access to OCLC Support. For more information, please see migrating to Proxy by Hostname or contact email@example.com.
SAML auth: Attributes with special characters
Prior to EZproxy version 7.0, SAML auth: attributes with special characters did not require any unique configuration. In v7 auth: urn:x.x.x.x with special characters like colons will require quotes.
If currently using: auth:urn:oid:184.108.40.206.4.1.59220.127.116.11.7
It now needs to use the following format: auth:"urn:oid:18.104.22.168.4.1.5922.214.171.124.7"
SAML Upgrade Notes
Signing of assertions and responses
As was the case with EZproxy 6.6.2, assertion signing may need to updated. Earlier versions of EZproxy would also accept Response documents in which the Response was not signed, the Assertion was signed, and the Assertion was not encrypted. When updating to this release, any site relying on this behavior will need to add the following to their ShibbolethMetadata directive. After configuring this option, libraries may need to toggle options in the response config to find a setting that matches your local needs.
-SignResponse=false -SignAssertion=true -EncryptAssertion=false \
ADFS requires explicit issuer
For some sites that do not want to log specific usernames in their logs, the following configuration changes are required to avoid the encrypted string logging.
ifIssuer = "url"; setlogin:loguser
EZproxy now uses a 64 bit build to improve the user experience
EZproxy has moved to an exclusively 64-bit build. By deprecating the development of 32-bit builds and focusing on 64-bit builds, OCLC can more quickly increase the frequency of future feature development for EZproxy.
Improved security with OpenSSL 1.1.1f
EZproxy v7.0 was built with the most current Long Term Support release of OpenSSL. For a full list of improvements in OpenSSL 1.1.1f, please review the OpenSSL documentation.
More flexible cookie handling to support Chrome 80 changes
In our testing, OCLC confirmed a small number of cases in which external resources failed to load properly on proxied publisher websites using Chrome 80. Changes were made to EZproxy's cookie handling patterns to better account for this behavior.
Option ForceHttpsLogin enabled by default
Libraries were previously given the option to enable ForceHttpsLogin. To increase the security of logins, we have enabled this option by default.
This version resolves an issue with how EZproxy handles the Intrusion API response object. In some cases, this may lead to more security events being reported.
RedirectSafe and SPU Config
Security enhancement was made to block a RedirectSafe url configuration if the user.txt admin user was configured to allow the unsafe redirect.
More product information can be found at http://www.oclc.org/ezproxy.en.html