Release Notes: SecureAuth 2.22.0

This article is a summary of new features and changes in the SecureAuth CUSTOMER IDENTITY MANAGEMENT (formerly known as SecureAuth) version 2.22.0.

Release Date: July 31, 2024

Highlights

Improved B2B Organization Management: This release introduces significant advancements in B2B Organization Management, focusing on productizing features that address B2B delegated administration and Partner Managed Identity use cases. These improvements include enhanced sub-organization management, better visibility and control over organizational hierarchies, and more prominent access to the delegated admin portal, making it easier for business admins to manage complex organizational structures.
Improved Authentication Security: In the area of authentication security, we have added new MFA capabilities and made substantial improvements to Identity Pools, providing administrators with more control and flexibility in managing multi-factor authentication settings. These enhancements strengthen security and ensure a more robust and secure authentication process across all user interactions.
User Experience and Interface Enhancements: Additionally, this release brings a series of UX/UI improvements aimed at simplifying the admin portal experience. These minor but impactful changes make the product more intuitive and easier to manage, streamlining daily tasks and improving overall usability for administrators.

Breaking changes

[AUT-10839]

Use new b2b users apis in B2B Portal

New fine-grained permissions:

{
  "read_roles": true,
  "manage_user_manager_role": true,
  "get_identity_pool": true,
  "update_identity_pool": true,
  "delete_identity_pool": true,
  "read_identity_pool_users": true,
  "manage_identity_pool_users": true,
  "manage_user_passwords": true,
  "manage_user_otps": true,
  "manage_user_addresses": true,
  "manage_user_identifiers": true,
  "send_user_verification": true,
  "send_user_activation": true,
  "b2b_read_users": true,
  "b2b_manage_users": true,
  "b2b_read_business_metadata": true,
  "b2b_manage_business_metadata": true,
  "b2b_read_admin_metadata": true,
  "b2b_manage_admin_metadata": true
}

Not allowed to create/import users if admin metadata or business metadata contains required fields

[AUT-11028]

Do not enable JIT by default in the created idp when a workspace has workspace pool.

[AUT-11085]

Fix a bug where pairwise subject type was incorrectly applied for the following grant types:

jwt bearer
token exchange
password
device

Following this correction, given the absence of user interaction within the specified flow, the public subject type will always be utilized.

[AUT-11353]

Adjust DPoP logic to the newest openid conformance tests, version: 5.1.17.

Change PAR endpoint status code and error from 401 invalid_dpop_proof to 400 invalid_request when both DPoP proof header and dpop_jkt form param are provided but they do not match

Change Token endpoint status code from 401 to 400 for invalid_dpop_proof errors.

Major Additions and Changes

B2B Organization Improvements

[AUT-10825] Hierarchy Mode in B2B Organizations Page: A hierarchy mode has been introduced for managing B2B organizations, improving organizational structure visibility and management.
[AUT-11078] Sub-Organizations Management in Business Admin Mode: Business admins can now manage sub-organizations within an organization, including setting top-level organizations as parents and changing parent organizations for descendants.
[AUT-11079] Enhanced Parent Organization Management: Allows for the change of the parent organization for top-level organizations and their descendants. Restrictions have been added to ensure the integrity of organizational hierarchies.
[AUT-11113] Prominent Delegated Admin Portal URL: The URL for the delegated admin portal is now displayed more prominently for easier sharing among customer business admins.
[AUT-10912] Business Metadata Handling in User/Pool APIs: Added support for handling business metadata in user and pool APIs.

New MFA capabilities

[ AUT-10883 ] Identity Pool MFA Management: Enhanced management capabilities for MFA settings in Identity Pools.

Enhancements

[ AUT-11008 ]Configurable IDP Role for Admin Workspace: Admins can now configure IDP roles in the Admin workspace even if Just-In-Time (JIT) provisioning is disabled.

OAuth/OIDC

[AUT-10786] Correlation ID Support in Authorization Flow: Added support for passing a correlation ID as authorization_correlation_id in the OAuth2 authorization flow. All related audit events will now include this ID.
[AUT-11042] Client ID in Software Statement: Allowed the provision of client_id in the software statement during Dynamic Client Registration (DCR).
[AUT-11066] No Implicit OpenID Scope for JWT-Bearer Flow: Removed the implicit issuance of the openid scope for the JWT-bearer flow even if the client has the openid scope.
[AUT-11069] FAPI 2.0 Workspace Updates: Updated FAPI 2.0 workspace to enforce redirect_uri for PAR endpoint, with scope and request object no longer required.
[AUT-10504] OIDC Back-Channel Logout Implementation: Added support for OIDC Back-Channel Logout, improving session management and security.
[AUT-11087] Token Exchange Support for Azure IDP: Added support for token exchange with Azure Identity Providers (IDP).
[AUT-11091] Hide Pairwise Identifier Settings: Hidden pairwise identifier settings when grant types do not include authorization code or implicit.
[AUT-11214] Scope Claim Formats Configuration: Added a configuration to control the formats of scope claims in access tokens. Options include scp_array and scope_space_separated.

Open Banking/Open Data

[AUT-10829] OBBR Payment Rejection Reasons: Set rejection reasons for payments in version 4 of the OBBR specification, providing clearer feedback on payment issues.
[AUT-10921] Extended CDR Amend Audit Event: Extended the CDR amend audit event to include previous arrangements when the feature flag cdr_amend_audit_event_with_previous_arrangement is enabled.
[AUT-11053] Custom Application Creation in FAPI Workspace: Added functionality to create custom applications in the FAPI workspace.
[AUT-11094] Remove CDR Amend Audit Event Flag: Removed the cdr_amend_audit_event_with_previous_arrangement flag.
[AUT-11144] Configure CDR Arrangements Auto Removal: Allowed configuration of automatic removal of CDR arrangements in the Authorization Server settings.

Extensions and Scripts

[AUT-10602] Runtime Version Management for Scripts: Introduced a feature flag scripts_runtime_versions to manage runtime versions for scripts, with enhanced UI for versioning and extensions.
[AUT-10898] Script Usage View and Migration Support: Added a view to show where specific scripts are used and how to migrate scripts to new runtime versions.
[AUT-11082] Extended Token Minting Script Example: Updated token minting script example to demonstrate how to access token request parameters.

Identity Pools

[AUT-10958] Schema Name Migration: Renamed and migrated default metadata and business metadata schema names for consistency.
[AUT-11022] Improved UI for String Arrays in Schema Editor: Enhanced the user interface for editing string arrays in the schema editor.
[AUT-10888] JIT Identifier/Address Mapping: Allowed using subject or IDP subject in JIT identifier/address mapping.

Tenant Management

[AUT-11009] Default User Role Configuration for JIT Users: Enabled configuration of the default user role for JIT-provisioned users in admin workspaces when roles and jit_permissions flags are enabled.
[AUT-11198] Enabled MFA by Default for New Tenants: MFA is now enabled by default for all new tenants.

B2B Organizations

[AUT-11038] Fine-Grained Permissions in B2B Portal: Enforced fine-grained permissions in the B2B portal, improving control over various user actions.
[AUT-11099] New Organization Claim Source Type: Added a new type of claim source for organizations.
[AUT-11254] Breadcrumbs on Sub-organizations View: Added breadcrumbs to the page header with a link to the parent workspace/organization in the Sub-organizations view.

Authorizers and Policies

[AUT-11035] Default Policy for APIs at Authorizer Level: Introduced a default policy at the authorizer level for APIs. Early access feature
[AUT-11093] Default Policy for Authorizer: Allowed configuration of the default policy for authorizers during creation and editing, Early access feature.

Audit Logs

[AUT-11046] New User Identifiers in Audit Logs: Added new user identifiers to audit logs:idp_subject,idp_id,idp_method,user_id, anduser_pool_id.
[AUT-11090] Audit Logs for GitHub Connector Errors: Included details of user-facing errors in audit logs for the GitHub connector, excluding internal errors.
[AUT-11047] Audit Logs by New User Identifiers: Enabled listing of audit logs by the new user identifiers.

APIs

[AUT-11116] Admin API for Token Revocation: Added an admin API to revoke various types of tokens (access, refresh, authorization codes, SSO sessions, scope grants) by subject.
[AUT-11379] Extend tenant configuration APIs to import/export beta feature flags.: The import/export APIs has been extended to include the early access feature flags configuration.

Operations and deployment

[AUT-10954] Cron Job Cleanup: Cleaned up unused cron jobs, resolving warnings related to missing handlers for specific queues.
[AUT-11215] Web Templates Rebranding: Updated web templates to reflect the SecureAuth branding.

Bug Fixes

[AUT-10969] Misleading User Label in Admin Portal: Fixed a misleading "Profile" & "PR" user label in the Admin portal top banner when the email is missing in user info.
[AUT-10992] Audit Events and Webhooks for Organizations: Added missing audit events and webhooks configuration for organization management.
[AUT-11032] IDP Provisioning Page Field Correlation: Ensured that obligatory fields from the pool are strictly correlated with the pool schema on the IDP provisioning page.
[AUT-11041] Schema Mismatch Warning: Added warnings for schema mismatches and allowed changes per user schema in "organization" workspaces.
[AUT-11051] IDP Pool Selection Pagination: Fixed an issue with missing search or pagination mechanisms when selecting pools in tenants with many pools.
[AUT-11052] Admin Workspace Access Fix: Resolved issues with accessing the Admin workspace for Workspace Admins.
[AUT-11061] Pool Selection Issue: Fixed an issue where selecting a pool was not possible if more than one pool existed in a workspace.
[AUT-11071] Member Label Display: Changed "None" to "Member" for tenant roles and granted tenant member roles on IDP creation in admin workspace.
[AUT-11077] Organization Hierarchy Display Issue: Fixed the display issue with the parent workspace node for Business Admins in the B2B portal.
[AUT-11112] User Profile Role Display Issue: Resolved an issue where user roles were sometimes incorrectly displayed as "team_manager" in the B2B Edit User Profile view.
[AUT-11074] Workspace Roles Mismatch: Addressed mismatches between workspace roles displayed in the user table and user details.
[AUT-11012] Empty Tenant Role Column: Fixed the issue with the empty tenant role column when the NONE role is assigned.
[AUT-10743] Role Input Visibility: Hidden or grayed out role input fields when the roles feature is turned off.
[AUT-11076] Admin Role Change Restriction: Prevented logged-in admin users from changing their own tenant role.
[AUT-11122] JIT Provisioning Metadata Mapping: Allowed mapping to business admin managed metadata attributes in JIT provisioning.
[AUT-11237] Issuer URL Calculation for ACS URL: Used issuer_url to calculate ACS and Redirect URLs in Identity Providers.
[AUT-11283] Precise Error for Deleted Users: Fixed an issue to return a more precise error when a user is deleted but attempts to use a refresh token.
[AUT-11315] User Selection in Pool: Resolved the issue preventing auditors from selecting users in the pool.
[AUT-11352] Remove Code Response Type: Removed the code response type from the partners workspace, which only supports client credentials grant type.
[SUP-3692] Debtor Account Override for Recurring Payments: Added the ability to override the debtor account for recurring payments in OBBR.

In this section: