Arculix Core release notes
Release notes for Arculix / eGuardian.
September 8, 2025
This patch release focuses on bug fixes for Google Play Integrity API compatibility and signature counter handling.
API changes
Added new user schema management endpoints:
GET /api/v11/:slug/user_schema - Fetch custom field definitions
POST /api/v11/:slug/user_schema - Update custom field definitions
Technical improvements
Improved test stability and reliability
Strengthened Android device-integrity checks
Enhanced handling of device re-pairing scenarios
Bug fixes
Security and authentication
Updated Classic Google Play Integrity API token encoding to use URL-safe Base64
Ensures consistent validation between standard and classic integrity checks and improves Android device verification
Reset the signature counter to zero when pairing a mobile device again
Prevents authentication failures after re-pairing or reinstalling the app
Known issues
None reported for this release.
Upgrade notes
This is a patch release with no breaking changes. Follow standard upgrade procedures.
September 3, 2025
This release introduces enhancements to user experience, security, and infrastructure. Highlights include improved UI consistency for federated components, expanded Google Play Integrity support, and new directory configuration capabilities.
New features
Security and authentication
New API for classic integrity token verification
Added endpoint /api/v10/verify_integrity for Android devices
Supports the Google Play Integrity Classic API for enhanced security
Reduces battery drain with optimized once-daily verification
Signature counter for secure APIs
Added signature counter tracking to prevent device cloning
Introduced organization flag SIGNATURE_COUNTER for enabling the feature
Configurable maximum gap for counter validation with the signature_counter_max_gap setting
APN connection stability improvements
Added HTTP/2 PING frames to keep connections alive
Prevents proxy-server timeouts (configurable ping intervals)
Improved push-notification reliability
SSO token endpoint for Desktop flow
New endpoint /api/idp/v1/auth/token for Desktop SSO
Generates JWT tokens using the tenant’s OIDC provider
SSO with Device Trust feature flag
New feature flag enables SSO sign-in with Device Trust
Allows organizations to control desktop authentication options
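As an added example (not eGuardian code), the Ruby below sketches the signature-counter check introduced above together with the re-pairing reset from the September 8 patch. DeviceState, validate_signature_counter and the max_gap argument are assumptions standing in for the SIGNATURE_COUNTER flag and the signature_counter_max_gap setting; the device is assumed to increment its counter before each signature, so its first signed request carries 1.

```ruby
# Added example, not eGuardian code: signature-counter validation for a paired
# mobile device. DeviceState, max_gap and the method names are assumptions
# standing in for the SIGNATURE_COUNTER flag and signature_counter_max_gap.
class SignatureCounterError < StandardError; end

class DeviceState
  attr_reader :signature_counter, :paired

  def initialize
    @signature_counter = 0 # highest counter accepted so far
    @paired = true
  end

  # Re-pairing or reinstalling the app gives the device a fresh key and a
  # counter that starts again from zero. Without this reset the value kept
  # from the previous pairing makes every new request look like a replay,
  # which is the authentication failure the September 8 patch fixed.
  def repair!
    @signature_counter = 0
    @paired = true
  end

  def unpair!
    @paired = false
  end

  def record!(counter)
    @signature_counter = counter
  end
end

# Check the counter carried in a signed API call.
#   presented - counter the device signed into this request (assumed to be
#               incremented before each signature, so the first value is 1)
#   max_gap   - largest forward jump tolerated; absorbs requests the server
#               never saw (e.g. network loss) without letting a clone that
#               has raced ahead resynchronise from an arbitrary value
# Returns :accepted. A counter that fails to advance means the same signing
# key is in use from two places (a cloned device) or the request is a replay,
# so the device is unpaired before the error is raised.
def validate_signature_counter(state, presented, max_gap: 10)
  raise SignatureCounterError, "device not paired" unless state.paired

  last = state.signature_counter
  if presented <= last
    state.unpair!
    raise SignatureCounterError,
          "counter did not advance (last=#{last}, presented=#{presented}): clone or replay"
  end
  if presented - last > max_gap
    raise SignatureCounterError,
          "counter advanced by #{presented - last}, above max_gap=#{max_gap}"
  end

  state.record!(presented)
  :accepted
end
```

A gap violation rejects the request but leaves the pairing intact, on the assumption that a lossy network is the usual cause; whether to unpair on that path is a policy choice the notes do not specify.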
Directory and user management
Custom field definitions for organizations
Added user_schema column to Organization model
Supports JSON-schema-based custom attribute definitions
Enables field encryption and source-directory specification
Directory configuration field mappings
New mappings column in DirectoryConfiguration table
Supports bidirectional field synchronization
Flexible mapping between external and internal field names
Enhanced directory configuration endpoints
Updated /api/v11/:slug/directories endpoints
Supports custom field mappings during directory create and update
User schema management APIs
GET /api/v11/:slug/user_schema - Fetch tenant schema
POST /api/v11/:slug/user_schema - Update schema definitions
Application management
Application filtering for policies
Filter OAuth applications by type in policy components
Differentiate between CIAM-created and other applications
Application deletion endpoint for CIAM
New endpoint DELETE /api/ciam/v1/tenants/:tenant_slug/applications/:client_id
Supports cleanup of test-generated applications
Requires workforce:setup scope
Mobile and workstation features
Automated mobile pairing policy
Automatically creates mobile pairing policy for new user enrollment
Improves first-time MFA user experience
Policy can be disabled if needed
Workstation pairing from profile page
New “Pair New Workstation” button in user profile
Real-time pairing status via Faye channel notifications
Supports TOTP seed display for third-party authenticators
Workstation pairing JWT generation
New method Workstation.invite(user_id) for JWT creation
Multi-region support with region attributes
Configurable invitation validity duration
User-interface enhancements
Interactive table rows now display entity details on click for better navigation
Enhanced passkey view with empty state and modal-based creation flow
Standardized modal consistency and visual hierarchy across products
Updated icon system – replaced FontAwesome/Bootstrap with Lucide icons for consistency
Centralized loading indicators and standardized animations across the platform
Bug fixes
Authentication and security
Fixed Passkey modal error display and improved message clarity
Resolved Google Play Integrity API authorization errors and removed Rails caching from Google::CredentialManager
Added mobile_enable_passkeys flag for mobile app configuration
Infrastructure and performance
Optimized Android push-notification authentication by caching OAuth credentials for Firebase messaging
Fixed duplicate Sidekiq logs when Airbrake enabled
User management
Fixed password operations with Agent Cache for reset and change flows
Improved user-update messages for no-op updates to provide clear feedback
Fixed data event logger field redaction to ensure encrypted fields stay private
System and configuration
Added validation for smtp_configurable_identifier to prevent invalid records
Fixed organization selector URL conflicts in dropdowns
Resolved migration class-name issues with acronyms for better stability
Improved Device Trust scheme handler error messaging for missing agent cases
Development and architecture
Upgraded to DBFP version 7 for better security and performance
Aligned federated component styles with CIAM design system
Improved policy details page layout and visual hierarchy
Infrastructure updates
Upgraded to Rails 7.1.5.2 to address security vulnerabilities
Improved CockroachDB compatibility and multi-region support
Known issues
None reported for this release.
Upgrade notes
This release includes database migrations for:
Organization.user_schema
DirectoryConfiguration.mappings
DeviceState.signature_counter
Follow standard upgrade procedures and ensure database backups before upgrading.
August 7, 2025
Docker images
eGuardian core and worker
13.14.0
Security enhancements
This release introduces Google Play Integrity enforcement to improve security for Android mobile applications. The feature verifies that Android devices making sensitive API calls meet Google’s integrity standards before granting access.
The Google Play Integrity enforcement feature will be available in the next SecureAuth mobile app release.
Improves device validation to prevent access from tampered or compromised Android devices.
Provides configurable integrity checks for app licensing, app recognition, and device recognition.
Supports monitoring and audit logging of Play Integrity verification events for compliance and troubleshooting.
Administrators can enable or monitor Google Play Integrity enforcement in the organization’s mobile application settings. The setting is located in Organization Settings > SecureAuth Mobile Application. Under Enforce Google Play Integrity tokens on sensitive API calls from Android devices, choose one of the following enforcement modes:
disabled – Play Integrity checks are completely disabled.
monitor – Logs errors and creates audit events when the integrity check fails or when a token is missing, but does not block access. Users can continue using the app normally while administrators monitor these events.
when_available – Enforces the check only when the mobile app sends the token. This mode is ideal for gradual rollout or for supporting older app versions that do not yet include Play Integrity tokens.
required – Returns an error if the token is missing or invalid. When the integrity check fails, the system also unpairs the device for maximum security.
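The following Ruby is an added example, not eGuardian code. It models the four enforcement modes listed above, the array-based allowed verdict values mentioned later in this release, and the URL-safe Base64 token encoding from the September 8 patch. The token format is a constructed stand-in (URL-safe Base64 of a JSON verdict that reuses the Play Integrity verdict field names): a real Play Integrity token is encrypted and signed and must be decrypted and verified with Google's keys before its verdict can be trusted, and that step is out of scope here. Function and constant names are assumptions, as is the reading that a missing token in required mode errors without unpairing while a malformed or failing token unpairs.

```ruby
require "base64"
require "json"

# Added example, not eGuardian code. Models the enforcement modes and the
# URL-safe Base64 token encoding from the release notes. The token is a
# constructed stand-in (URL-safe Base64 of a JSON verdict); a real token is
# encrypted and signed and must first be decrypted and verified with Google's
# keys. All names below are assumptions for illustration.

ENFORCEMENT_MODES = %i[disabled monitor when_available required].freeze

# Array-based allowed values per check (app recognition, device recognition,
# app licensing), so a rollout can accept weaker device verdicts and tighten later.
DEFAULT_ALLOWED = {
  app_recognition:    %w[PLAY_RECOGNIZED],
  device_recognition: %w[MEETS_DEVICE_INTEGRITY MEETS_STRONG_INTEGRITY],
  app_licensing:      %w[LICENSED],
}.freeze

Decision = Struct.new(:allow, :unpair, :events)
class IntegrityError < StandardError; end

# What the app sends: URL-safe Base64 (RFC 4648 section 5: '-' and '_' replace
# '+' and '/'), safe inside headers and query strings.
def encode_integrity_token(verdict)
  Base64.urlsafe_encode64(JSON.generate(verdict))
end

# urlsafe_decode64 accepts both alphabets; strict_decode64 raises on '-'/'_'.
# Validating a URL-safe token with a standard-alphabet decoder is the mismatch
# the classic-API fix removed.
def decode_integrity_token(token)
  verdict = JSON.parse(Base64.urlsafe_decode64(token))
  raise IntegrityError, "verdict is not an object" unless verdict.is_a?(Hash)
  verdict
rescue ArgumentError, JSON::ParserError => e
  raise IntegrityError, "malformed integrity token: #{e.message}"
end

# True when a standard-alphabet decoder would reject the (padded) token.
def standard_base64_rejects?(token)
  Base64.strict_decode64(token)
  false
rescue ArgumentError
  true
end

def verdict_passes?(verdict, allowed = DEFAULT_ALLOWED)
  app    = verdict.dig("appIntegrity", "appRecognitionVerdict")
  device = Array(verdict.dig("deviceIntegrity", "deviceRecognitionVerdict"))
  lic    = verdict.dig("accountDetails", "appLicensingVerdict")
  allowed[:app_recognition].include?(app) &&
    device.any? { |v| allowed[:device_recognition].include?(v) } &&
    allowed[:app_licensing].include?(lic)
end

# Apply the organization's enforcement mode to one sensitive API call.
# Interpretation used here (the notes leave it open): a missing token in
# required mode is an error without unpairing; a malformed token or a failing
# verdict is a failed check, which blocks and unpairs in required mode and,
# once a token is present, in when_available mode too.
def enforce_play_integrity(mode:, token:, allowed: DEFAULT_ALLOWED)
  raise ArgumentError, "unknown mode #{mode.inspect}" unless ENFORCEMENT_MODES.include?(mode)
  return Decision.new(true, false, []) if mode == :disabled

  if token.nil?
    return Decision.new(true,  false, [:token_missing]) if mode == :monitor
    return Decision.new(true,  false, [])               if mode == :when_available
    return Decision.new(false, false, [:token_missing]) # :required
  end

  failed = begin
    !verdict_passes?(decode_integrity_token(token), allowed)
  rescue IntegrityError, TypeError
    true
  end
  return Decision.new(true, false, []) unless failed

  if mode == :monitor
    Decision.new(true, false, [:integrity_failed])
  else
    Decision.new(false, true, [:integrity_failed, :device_unpaired])
  end
end
```

The events array is what an audit logger would record; in monitor mode it is the only observable effect, which is what makes that mode safe for a first rollout.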
New features and enhancements
We’ve expanded our CIAM (Customer Identity and Access Management) integration with new APIs and easier tenant management tools.
Tenant brand synchronization API – Introduced a new API that synchronizes tenant branding between the CIAM dashboard and eGuardian. Changes made in the CIAM dashboard automatically propagate to eGuardian for consistent branding.
Enhanced tenant provisioning – Improved tenant provisioning endpoint with dual OAuth provider support for admin and workspace tokens.
OAuth Application Management API – Added a new API endpoint for CIAM integration that automates the creation and management of OAuth applications in eGuardian, ensuring proper mapping between CIAM and eGuardian applications.
Pre-populated Core Applications – Streamlined tenant setup by automatically populating core applications during provisioning.
Allowed Hosts Management – Improved pre-population of allowed hosts during tenant configuration.
Enhanced workstation pairing messages with improved captions and localization support.
Upgraded passkey registration to the v11 API for improved passkey registration functionality.
Refreshed CIAM user interface with updated Inter fonts, unified color handling, and consistent modal behavior.
Upgraded module federation components for improved cross-platform compatibility.
Resolved passkey component issues in federated environments for more consistent deployment.
Enterprise and integration
The CIAM integration continues to mature with several enterprise-ready enhancements.
Dual OAuth Provider Support – Supports separate OAuth providers for administrator and workspace authentication flows, improving security isolation and multi-tenant flexibility.
Automated Tenant Setup – Simplifies provisioning with pre-configured applications and settings for faster deployment.
Brand Synchronization – Keeps tenant branding synchronized in real time between CIAM dashboard and eGuardian.
OAuth Application Lifecycle Management – Provides comprehensive API support for creating, managing, and updating OAuth applications.
Added detailed event logging for Play Integrity token verification to support auditing and compliance monitoring.
Introduced configurable enforcement modes that allow administrators to fine-tune the level of integrity enforcement based on environment or rollout phase.
Strengthened Android device integrity validation to block tampered or compromised devices from accessing protected APIs.
Bug fixes and stability
Fixed duplicate requests and access token issues when switching between CIAM workspaces.
Resolved a race condition affecting initial device access in CIAM user environments.
Fixed duplicate validation messages in external IdP mappings.
Resolved a critical issue affecting multi-directory configuration handling.
Updated documentation generation Docker containers to use Node 24 for improved performance and security.
Removed deprecated organization statistics functionality.
Improved race condition handling during user and OAuth application creation workflows.
Enhanced handling of the user_response.enabled setting for directory configurations.
Added Google service account integration to fetch access tokens where service account authentication is required.
Enhanced Play Integrity configuration to support array-based allowed values in integrity verdicts configuration.
July 24, 2025
Docker images
eGuardian core and worker
13.13.0
IdP
2.16.2
Eval
1.3.3
Faye
2.4.1
OIDC
2.2.5
Security enhancements
We updated several important software components across our platform to fix security vulnerabilities:
eGuardian core dependencies – Updated high and critical priority components to keep the platform secure
OIDC dependencies – Improved security for OpenID Connect integration
IdP dependencies – Fixed critical Nokogiri vulnerability that affected SAML functionality
Faye server dependencies – Updated Bayeux protocol server dependencies
Fixed OAuth token user matching – Fixed a security issue where OAuth tokens could incorrectly match users from different organizations
Enhanced OAuth token authentication – Dashboard APIs now accept OAuth token authentication for better CIAM integration
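As an added example (not eGuardian code, and not a description of how the fix was implemented), the Ruby below shows the bug class behind the OAuth token user-matching fix: resolving a token's subject without constraining the lookup to the organization the token was issued for. The in-memory directory, the User struct and the claim names are constructed for illustration; token signature verification is assumed to have happened already.

```ruby
# Added example, not eGuardian code. Shows why an OAuth token lookup must be
# scoped to the issuing organization. Data model, field names and the claim
# shape are assumptions for illustration.

User = Struct.new(:id, :org_slug, :username, keyword_init: true)

# Constructed directory: the same username exists in two organizations.
USERS = [
  User.new(id: 1, org_slug: "acme",   username: "alice"),
  User.new(id: 2, org_slug: "globex", username: "alice"),
  User.new(id: 3, org_slug: "globex", username: "bob"),
].freeze

# Claims as they look after signature verification (not shown here).
ACME_TOKEN   = { "sub" => "alice", "org" => "acme" }.freeze
GLOBEX_TOKEN = { "sub" => "bob",   "org" => "globex" }.freeze

# Vulnerable: matches on the subject alone. Whichever user with that username
# the store returns first wins, so a token issued in one tenant can resolve to
# another tenant's user; which one depends only on storage order.
def find_user_by_subject_only(claims, users = USERS)
  users.find { |u| u.username == claims["sub"] }
end

# Hardened: the organization the request is acting in must equal the token's
# issuing organization, and the lookup is scoped to that organization.
# Any mismatch, including a token with no org claim, resolves to nil.
def find_user_for_org(claims, requested_org, users = USERS)
  return nil if claims["org"].nil? || claims["org"] != requested_org
  users.find { |u| u.org_slug == requested_org && u.username == claims["sub"] }
end
```

The hardened lookup fails closed: a token that cannot be tied to the organization being accessed resolves to no user at all, rather than to the first plausible match.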
Platform upgrades & modernization
Ruby 3.4 upgrade – Updated our Ruby runtime across all services (Core, IdP, Code Eval Service)
Rails 8 upgrade – Updated Code Eval Service to the latest Rails framework
CockroachDB upgrade – Upgraded the internal testing and development environment to version 23.2.24 to align better with enterprise environments and customer servers
Alpine 3.22 compatibility – Improved container infrastructure with better certificate handling
OpenAPI schema generation – Better cross-platform compatibility for API documentation
Dependency management – Updated Airbrake and other outdated components for better error tracking
New features & enhancements
Passkey terminology – Changed all user-facing messages to use "Passkey" instead of "WebAuthn" for clearer understanding
Dashboard navigation – Fixed browser back button issues to prevent users from landing on sign-in pages after they're already logged in
Workstation pairing controls – Added feature flag to control workstation pairing visibility in dashboard
Passkey enrollment policies – Improved policy evaluation for passkey enrollment events
CIAM user auto-provisioning – Streamlined user account creation during authentication flows for CIAM integration
Identity pool integration – Better email and mobile phone information population during auto-provisioning
User workstations component – Made workstation management components available for CIAM integration
User devices component – Made device management components available through module federation
Bug fixes & stability
Group loading issues – Fixed problems with loading groups used in existing conditions and access restrictions
Passkey SSO compatibility – Fixed passkey login functionality for SSO applications
OpenTelemetry (OTEL) trace ID formatting – Fixed trace ID format in logs for better debugging
Enhanced error handling – Improved error catching and logging throughout the platform
Stability improvements – Various fixes to make the overall platform more reliable
Enterprise & integration
Tenant management APIs – New endpoints for automated tenant setup and deletion
System user configuration – Streamlined setup for CIAM integration authentication
Enhanced OAuth providers – Improved configuration options for enterprise integrations
June 30, 2025
Core & Worker 13.12.0
The Smart Log On app now works as a Passkey provider, improving secure access options
Passkey metadata is now visible from trusted sources like FIDO MDS and the community
New Passkey settings are available under Organization Settings > Passkey to help manage authentication policies
You can now create policies based on Passkey device type to allow or block authentication attempts
New V11 APIs let you retrieve Passkey metadata
The V11 password API now supports password changes for directories that allow it
Includes multiple security improvements and general bug fixes
SSO 2.16.1
Fixes layout issues during login errors for a smoother sign-in experience
Adds security and stability updates
OIDC 2.2.4
Security enhancements only
June 6, 2025
Added module federation support for dashboard components. Currently supports the directories component.
Introduced new V11 APIs to manage tenant details and domains
Added CORS rules, including support for wildcard subdomains
Enabled support for Unicode characters in password validation rules
Faster role assignments when creating new users
Added caching for schema queries to reduce load times
Enhanced OAuth token support in V11 APIs
Optional OAuth scope enforcement now available via a tenant setting to increase API security
Improved Faye notification reliability across regions
Improved passcode entry experience in the UI
Updated application details screens for better usability
May 15, 2025
Support for array values for audience and scope claims in OAuth tokens
Allow server admins to disable Cockroach DB serial normalization
Improve error messages from LDAP agent
Support username-less passkey login in SSO flows
Allow users to pair a mobile device from the self-service dashboard
Improved audit-log generation and data lookup
Improved invitation/registration endpoint efficiencies
Fixed a 403 response when pairing a mobile device or workstation
Display correct user’s WebAuthn credentials in dashboard
Automatically update data encryption keys with the latest key encryption key (scheduled job)
Update dependencies to address security issues
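The scheduled key-update job above is an instance of envelope encryption: each record is encrypted under its own data encryption key (DEK), the DEK is stored wrapped under a key encryption key (KEK), and rotating the KEK means re-wrapping the DEKs without touching the data ciphertext. The Ruby below is an added example of that pattern, not eGuardian code; the record layout, the KEKS registry and the function names are assumptions, and it uses AES-256-GCM from Ruby's standard OpenSSL binding.

```ruby
require "openssl"
require "securerandom"

# Added example, not eGuardian code: envelope encryption with KEK rotation.
# Record layout, KEKS registry and function names are assumptions. In
# production the KEKs live in an HSM or KMS; here they are random bytes.

CIPHER = "aes-256-gcm"

# AEAD encrypt: returns the IV, ciphertext and authentication tag. The AAD
# binds the blob to its purpose and record so blobs cannot be swapped around.
def aead_encrypt(key, plaintext, aad)
  c = OpenSSL::Cipher.new(CIPHER)
  c.encrypt
  c.key = key
  iv = c.random_iv
  c.auth_data = aad
  ct = c.update(plaintext) + c.final
  { iv: iv, ct: ct, tag: c.auth_tag }
end

# Raises OpenSSL::Cipher::CipherError on a wrong key, wrong AAD or tampering.
def aead_decrypt(key, blob, aad)
  c = OpenSSL::Cipher.new(CIPHER)
  c.decrypt
  c.key = key
  c.iv = blob[:iv]
  c.auth_tag = blob[:tag]
  c.auth_data = aad
  c.update(blob[:ct]) + c.final
end

# Key encryption keys by version; version 2 is the latest.
KEKS = { 1 => SecureRandom.random_bytes(32), 2 => SecureRandom.random_bytes(32) }.freeze
CURRENT_KEK_VERSION = 2

# Encrypt a record under a fresh DEK and wrap that DEK under the chosen KEK.
def encrypt_record(plaintext, kek_version:, record_id:)
  dek = SecureRandom.random_bytes(32)
  {
    record_id:   record_id,
    kek_version: kek_version,
    wrapped_dek: aead_encrypt(KEKS.fetch(kek_version), dek, "dek:#{record_id}"),
    data:        aead_encrypt(dek, plaintext, "data:#{record_id}"),
  }
end

def decrypt_record(record)
  dek = aead_decrypt(KEKS.fetch(record[:kek_version]), record[:wrapped_dek],
                     "dek:#{record[:record_id]}")
  aead_decrypt(dek, record[:data], "data:#{record[:record_id]}")
end

# The scheduled job: re-wrap every DEK still under an older KEK. The data
# ciphertext is never read or rewritten, so the job is cheap and idempotent,
# and once it has run the old KEK can be retired.
def rewrap_to_current_kek(records)
  records.map do |r|
    next r if r[:kek_version] == CURRENT_KEK_VERSION
    aad = "dek:#{r[:record_id]}"
    dek = aead_decrypt(KEKS.fetch(r[:kek_version]), r[:wrapped_dek], aad)
    r.merge(kek_version: CURRENT_KEK_VERSION,
            wrapped_dek: aead_encrypt(KEKS.fetch(CURRENT_KEK_VERSION), dek, aad))
  end
end
```

Because the DEK is unwrapped and immediately re-wrapped in memory, the plaintext DEK never needs to be persisted during rotation, and a record that is already on the current KEK is returned unchanged.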
April 24, 2025
Support for password change and password reset with Active Directory
Requires new YAML keys: LDAPResetPasswordBindUser and LDAPResetPasswordBindPass
For configuration details, see the Optional configuration options table in the Arculix LDAP Agent deployment guide and Connect an Active Directory.
Added Roles/Group creation in the Dashboard
Use Roles to organize users or apply RBAC policies
Improved registration flow for WebAuthn credentials
New landing page in the Dashboard: My Profile
Updated dependencies to address security vulnerabilities
Fixed several APIs to handle usernames not in email format
Improved performance in several places, especially on the History page in the Dashboard
September 14, 2023
Add Security tab for OIDC client applications in dashboard
Add support for Elliptic Curve keys
Add Composite Directory for multi-directory support
Add support for VDIs
Support Encrypted TOTP Transfer
Allow setting mobile phone number to NULL in V11 API
Allow mobile to send the workstation's TOTP seed during pairing
Enable deletion of a tenant
Update Puma gem for Arculix Core to fix security issue
Fix editing the "DEFAULT AUTH DIRECTORY CONFIG" value of a tenant
Fix race condition in ASG client code
September 7, 2023
Added support for AD FS token for OAuth authentication
Added ability to issue temporary access PIN (time-limited and use-limited)
Security updates
July 5, 2023
Performance improvements and bug fixes
May 25, 2023
Added TOTP endpoints to v11 API
IdP-initiated login
Various UI/UX enhancements
Various security and bug fixes
April 7, 2023
Add support for OIDC applications
Additional v11 API functionality
New configuration option to support scanning QR codes with device camera
Option to enforce an 8-digit PIN to unlock the Arculix Mobile app (instead of the default 4-digit PIN)
Support for TLS communication with Postgres, Redis, and Memcached
Performance improvements
Security updates
March 8, 2023
Audit logging when data is changed
Improved configuration options for Symbol Push
Added read-only SCIM support
Filter audit logs by event date
Ensure that pairing link is displayed for devices with wide screens in the invitation email
Overall improvements to validation and error handling
Security updates
December 20, 2022
Symbol Push support in Arculix
Symbol Push support in the Arculix Cloud IdP
Workstation endpoint optimizations
Performance improvements
Fixes for domain editing behavior
Security updates
December 10, 2022
Improved workstation revoke API
Added user profile reset feature
Support for “Create User” API to enable enrollment without a mobile device
Support for Active Directory Federation Services (AD FS)
Security updates
October 3, 2022
Support for enforcing biometric authentication for viewing TOTP codes
Performance improvements
Security updates
Improved rate limit support
August 30, 2022
Rebranded to Arculix. For more information, see Announcement for Acceptto customers.
Fix device-based rate-limit detection
v12.1.0 - August 5, 2022
Framework upgrades to support future improvements
Improved expiration support for invitation QR tokens:
If an end user tries to scan an expired QR invitation token, they will get a message that they cannot use the expired QR code.
Users can still scan the same QR code if they request it again before it expires. Otherwise, it generates a new QR code after it expires.
Updated version of User Authentication API includes the following:
Improvements to authorization of application calls
Added just-in-time (JIT) user creation and enrollment
Supports JIT user enrollment integration only with Active Directory
Security and usability improvements
Address security issues with environment variables
Improved eGuardian handling of clock skew on workstations with Device Trust installed
Fixed issue where a Help Desk user could not switch the Audit Logs view from "User" to "Organization"
Fixed dashboard session issue displaying data from the previous session for another organization (for users with help desk/admin access to multiple organizations)
v12.0.0 - June 29, 2022
Added Role-Based Access Control (RBAC) infrastructure to support fine-grain management of user authorization. This initial rollout provides a Help Desk role for managing users and performing common support tasks. Roles may be granted and revoked using the Object Management API
Support soft deletion of users using the Object Management API
Added dashboard and API support for revoking the ownership of a workstation, allowing the same workstation user and machine to be paired with a different eGuardian user
Enforce a minimum supported version of the It'sMe mobile app to discourage users from using out-of-date releases
Improved random number generation for one-time passwords and verification PINs
Updated various container and application dependencies for the latest security fixes
Fixed issue where double-clicking the WebAuthn button could cause the authentication to fail
Corrected minor timing issues with database cleanup jobs
Adjusted rate limit thresholds to avoid false positives
Reset a user's phone confirmation status when the phone number changes
v11.20.1 - May 20, 2022
Generate QR codes on the backend instead of using data URLs, to support a broader range of mail clients
v11.20.0 - May 16, 2022
Rate limits have been added to protect against abuse scenarios such as sending excessive SMS messages when confirming phone numbers, prompting users with excessive MFA requests, overly frequent API calls, and rapid re-acquisition of OAuth access tokens
Support JPush notifications for Android users in China
Improve validation for secondary email addresses
Fix minor dashboard issue in "click-to-reveal" UI components
Tighten dashboard transactions involving adding organization admins
Improve efficiency of dashboard connectors page by suppressing polling when the page is not being displayed
Minor improvements to It'sMe mobile app integration with respect to pairing and enrollment
Self-generate QR images instead of using Google APIs, to support users in China
v11.19.0 - March 21, 2022
Support custom AD attributes as primary user identifier
Add language support for Korean and Chinese
Improve push notification reliability
User interface to configure per-application SAML IdP certificates
Update dependencies to fix reported upstream vulnerabilities
Ensure all workstation events use the correct organization
Normalize time zone for audit logs
Improve query performance for user last login time
v11.18.0 - February 10, 2022
Add User last login attribute
Add new Risk Analyzer type for OAuth API integrations
Fix code policy examples
Improve support for Enterprise Root CA certificates for on-premise deployments
v11.17.0 - February 2, 2022
On-premise deployment improvements, including support for environments without access to external networks
Support option to disable automatic push notifications for SSO MFA
Add LDAP Agent Status page
Support per-application SAML IdP certificates
Display SSO entity ID
Update dependencies to fix reported upstream vulnerabilities
Protect organization settings from inadvertent updating
v11.16.0 - November 12, 2021
Add support for different response types to Integration v2 API
Send continuous auth events to AIML
Workstation condition matcher when there's no workstation assigned to the user
Only send notifications to confirmed phone numbers
Security Updates
Ignore rejected auth methods during continuous auth
SAML Download Button
v11.15.0 - October 27, 2021
Add custom user field feature.
Support dynamic heartbeat timeout per switchboard agent and organization.
v11.14.0 - October 18, 2021
User offboarding API.
Improve the DBFP integration.
Improve the CI/CD reliability.
Improve agent switchboard message handling.
Organization Settings for WebAuthn User Verification.
IdP Settings UI.
Security updates.
Add ACS URL to Response Hosts.
Fix Sidekiq dashboard session configuration.
Fix WebAuthn User Verification Bug.
v11.13.1 - September 13, 2021
Fix identifier for streaming Data Hub logs.
v11.13.0 - September 8, 2021
Add new object management API using OAuth.
Audit logs streaming to Data Hub.
Kerberos core authentication library.
Performance improvements.
Security updates.
Improve user dashboard continuous authentication.
Audit log performance improvements.
Fix Mac Kerberos detection.
v11.12.0 - August 16, 2021
Support Security Key/WebAuthn as an MFA option for SSO logins.
Each organization and application can set custom configuration values for each risk analyzer, including weight, timeout, and whether it is enabled or not.
Performance improvements.
Additional tracking of risk analyzer contributions to the LOA score.
Enforce application permissions for newly enrolled users.
No longer show the score from a risk analyzer when it is not included in the overall LOA score.
v11.11.2 - June 15, 2021
Organization admins can view event types in eGuardian audit logs (used for significant events and policies).
Support for mobile applications to call calculate_loa_score API and pass mobile device specific context data to the risk engine.
Each organization and application can now have its own custom SMTP settings for sending out of band emails for authentications and user notifications.
Ability for organization admins to search and update their users' data (out-of-band methods, workstations, and devices).
Organization admins can now set access permissions per application based on users' Active Directory group membership.
Users who are members of multiple organizations can now choose the organization that their workstation belongs to when pairing a new workstation with their It’sMe app.
If a customer's Active Directory is unreachable, eGuardian detects the failures, stops reaching out to the AD Agent on every request, and falls back to cached data if available. The fallback applies only to passwordless logins and group membership policies.
Ignore authentication method risk analyzer in post-auth and continuous-auth when MFA is approved by a policy. Previously the LOA score was distorted from the policy authentication method.
The risk engine now immediately trusts any data that is MFA-approved, which results in less friction for end users; previously it took 24 hours for the risk engine to add the context data to the user's trusted attributes.