Forail 2026.07.0 — Release Notes

Release date: 2026-06-24 Based on: Forail 2026.06.0 License: Apache License 2.0


Overview

2026.07.0 is a security-hardening and migration release. It tightens several authentication and audit defaults (some of which are breaking for existing SAML deployments) and introduces a one-shot AWX → Forail importer so teams can migrate off AWX/AAP without rebuilding their configuration by hand.

There are no data-model migrations required for the hardening changes.

Added

AWX → Forail migration importer

A new backend management command migrates configuration from an existing AWX (or AAP) installation via its REST API:

forail-manage import_from_awx \
    --url https://awx.example.com \
    --token "$AWX_TOKEN" \
    --dry-run            # preview; remove to apply

Secrets are not migrated. The AWX API never returns secret credential inputs (it sends $encrypted$), and user passwords are not exported. The importer brings over credential structure and non-secret inputs, creates users with an unusable password, and reports exactly how many secret fields need manual re-entry afterwards. Notification-template secrets are stripped the same way.

RBAC role assignments are migrated where the target framework allows it: user grants and team→object-role grants are applied; organization-member grants to teams (rejected by the access framework) are skipped with a warning rather than aborting the run.

Security hardening

⚠️ Breaking changes — SAML

Two SAML defaults changed. They affect installs that rely on the previous, weaker behavior.

1. Signed assertions + SHA-256 now required by default

SOCIAL_AUTH_SAML_SECURITY_CONFIG now defaults to:

{
  "requestedAuthnContext": false,
  "wantMessagesSigned": true,
  "wantAssertionsSigned": true,
  "rejectUnsolicitedResponsesWithInResponseTo": true,
  "signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
  "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256"
}

Impact: If your IdP sends unsigned responses/assertions, or signs with SHA-1, logins will be rejected after upgrade.

Action: - Preferred: reconfigure your IdP to sign responses and assertions with SHA-256. - Temporary fallback: explicitly set SOCIAL_AUTH_SAML_SECURITY_CONFIG via PATCH /api/v2/settings/saml/ for a legacy IdP (not recommended for production).

⚠️ Setting this replaces the whole dict — it does not merge with the secure defaults. When the setting is unset, Forail's hardened defaults apply; the moment you set it, your value is used verbatim and any key you omit falls back to the weak python-saml/OneLogin default (unsigned assertions, SHA-1). So to relax a single key you must re-specify the full secure dict with only that key changed, e.g. to accept unsigned assertions from one legacy IdP while keeping every other protection:

json { "requestedAuthnContext": false, "wantMessagesSigned": true, "wantAssertionsSigned": false, "rejectUnsolicitedResponsesWithInResponseTo": true, "signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256" }

Clearing the setting (back to null) restores the full hardened defaults.

2. SAML role-attribute grants require an explicit value

Granting is_superuser / is_system_auditor from a SAML attribute now requires a non-empty is_superuser_value / is_system_auditor_value.

Impact: A configuration that sets only is_superuser_attr (with no value) previously granted superuser to every user the IdP sent with that attribute. That now fails safe (no grant) and logs a warning.

Action: Set the required attribute value(s) for the flags you intend to grant.

Fixed

Upgrade

This release has no schema migrations. Standard image re-point applies:

helm upgrade forail oci://ghcr.io/forail-platform/forail-helm \
    --version 2026.7.0 -n forail

Before upgrading a SAML deployment, review the Breaking changes — SAML section above and reconfigure your IdP if needed.