
Release notes: SecureAuth CIAM 2.22.0

Summary of new features and changes in SecureAuth CIAM platform (formerly known as Cloudentity) version 2.22.0.

Release Date: July 31, 2024

Highlights

Improved B2B Organization Management

This release introduces significant advancements in B2B Organization Management, focusing on productizing features that address B2B delegated administration and Partner Managed Identity use cases. These improvements include enhanced sub-organization management, better visibility and control over organizational hierarchies, and more prominent access to the delegated admin portal, making it easier for business admins to manage complex organizational structures.

Improved Authentication Security

In the area of authentication security, we have added new MFA capabilities and made substantial improvements to Identity Pools, providing administrators with more control and flexibility in managing multi-factor authentication settings. These enhancements strengthen security and ensure a more robust and secure authentication process across all user interactions.

User Experience and Interface Enhancements

Additionally, this release brings a series of UX/UI improvements aimed at simplifying the admin portal experience. These minor but impactful changes make the product more intuitive and easier to manage, streamlining daily tasks and improving overall usability for administrators.

Breaking changes

[AUT-10839]

Use the new B2B users APIs in the B2B Portal.

New fine-grained permissions:

{
  "read_roles": true,
  "manage_user_manager_role": true,
  "get_identity_pool": true,
  "update_identity_pool": true,
  "delete_identity_pool": true,
  "read_identity_pool_users": true,
  "manage_identity_pool_users": true,
  "manage_user_passwords": true,
  "manage_user_otps": true,
  "manage_user_addresses": true,
  "manage_user_identifiers": true,
  "send_user_verification": true,
  "send_user_activation": true,
  "b2b_read_users": true,
  "b2b_manage_users": true,
  "b2b_read_business_metadata": true,
  "b2b_manage_business_metadata": true,
  "b2b_read_admin_metadata": true,
  "b2b_manage_admin_metadata": true
}

Users can no longer be created or imported if admin metadata or business metadata contains required fields.

[AUT-11028]

Do not enable JIT by default in the created IDP when a workspace has a workspace pool.

[AUT-11085]

Fix a bug where pairwise subject type was incorrectly applied for the following grant types:

  • jwt bearer

  • token exchange

  • password

  • device

Following this correction, because these flows involve no user interaction, the public subject type is always used.

[AUT-11353]

Adjust DPoP logic to the newest OpenID conformance tests, version 5.1.17.

  • Change PAR endpoint status code and error from 401 invalid_dpop_proof to 400 invalid_request when both the DPoP proof header and the dpop_jkt form parameter are provided but do not match.

  • Change Token endpoint status code from 401 to 400 for invalid_dpop_proof errors.
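The PAR cross-check described above, as an added example that is not part of the release notes or the product's code: the server takes the public key from the DPoP proof's protected header, computes its RFC 7638 thumbprint, and rejects the request with 400 invalid_request when it differs from the dpop_jkt form parameter. The sample key coordinates, endpoint URL and proof signature are constructed placeholders; verifying the proof's signature, jti, htm/htu and nonce is assumed to happen in separate, existing checks.

```python
import base64
import hashlib
import json
from typing import Optional, Tuple

def b64url_decode(data: str) -> bytes:
    """Decode base64url without padding, as used in JWS segments."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the lexically sorted, whitespace-free JSON of the required members."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url_encode(hashlib.sha256(canonical.encode("utf-8")).digest())

def dpop_proof_thumbprint(proof: str) -> str:
    """Read the embedded public key from the proof's protected header and thumbprint it."""
    header = json.loads(b64url_decode(proof.split(".")[0]))
    if header.get("typ") != "dpop+jwt" or "jwk" not in header:
        raise ValueError("not a DPoP proof")
    return jwk_thumbprint(header["jwk"])

def check_par_dpop_binding(dpop_header: Optional[str], dpop_jkt: Optional[str]) -> Optional[Tuple[int, str]]:
    """Return None when the PAR request is consistent, else the (status, error) to send back.

    Only the case where both bindings are present is decided here; a lone DPoP header
    or a lone dpop_jkt is handled by the regular DPoP / PAR validation elsewhere."""
    if dpop_header is None or dpop_jkt is None:
        return None
    if dpop_proof_thumbprint(dpop_header) != dpop_jkt:
        return (400, "invalid_request")  # was 401 invalid_dpop_proof before this release
    return None

# Constructed sample key (placeholder coordinates, not a real P-256 point) and proof.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "A" * 43, "y": "B" * 43}

def make_sample_proof(jwk: dict) -> str:
    """Header and payload of a DPoP proof for the PAR endpoint; the signature is a placeholder."""
    header = {"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk}
    payload = {"htm": "POST", "htu": "https://as.example/oauth2/par",
               "jti": "constructed-jti", "iat": 1722384000}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(payload).encode()), "sig-placeholder"])
```

Calling check_par_dpop_binding(make_sample_proof(SAMPLE_JWK), jwk_thumbprint(SAMPLE_JWK)) returns None, while any other dpop_jkt value yields (400, "invalid_request").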

Major Additions and Changes

B2B Organization Improvements

[AUT-10825] Hierarchy Mode in B2B Organizations Page

A hierarchy mode has been introduced for managing B2B organizations, improving organizational structure visibility and management.

[AUT-11078] Sub-Organizations Management in Business Admin Mode

Business admins can now manage sub-organizations within an organization, including setting top-level organizations as parents and changing parent organizations for descendants.

[AUT-11079] Enhanced Parent Organization Management

Allows for the change of the parent organization for top-level organizations and their descendants. Restrictions have been added to ensure the integrity of organizational hierarchies.

[AUT-11113] Prominent Delegated Admin Portal URL

The URL for the delegated admin portal is now displayed more prominently for easier sharing among customer business admins.

[AUT-10912] Business Metadata Handling in User/Pool APIs

Added support for handling business metadata in user and pool APIs.

New MFA capabilities

[AUT-10883] Identity Pool MFA Management

Enhanced management capabilities for MFA settings in Identity Pools.

Enhancements

[AUT-11008] Configurable IDP Role for Admin Workspace

Admins can now configure IDP roles in the Admin workspace even if Just-In-Time (JIT) provisioning is disabled.

OAuth/OIDC

[AUT-10786] Correlation ID Support in Authorization Flow

Added support for passing a correlation ID as authorization_correlation_id in the OAuth2 authorization flow. All related audit events will now include this ID.

[AUT-11042] Client ID in Software Statement

Allowed the provision of client_id in the software statement during Dynamic Client Registration (DCR).

[AUT-11066] No Implicit OpenID Scope for JWT-Bearer Flow

Removed the implicit issuance of the openid scope for the JWT-bearer flow even if the client has the openid scope.

[AUT-11069] FAPI 2.0 Workspace Updates

Updated FAPI 2.0 workspace to enforce redirect_uri for PAR endpoint, with scope and request object no longer required.

[AUT-10504] OIDC Back-Channel Logout Implementation

Added support for OIDC Back-Channel Logout, improving session management and security.

[AUT-11087] Token Exchange Support for Azure IDP

Added support for token exchange with Azure Identity Providers (IDP).

[AUT-11091] Hide Pairwise Identifier Settings

Hidden pairwise identifier settings when grant types do not include authorization code or implicit.

[AUT-11214] Scope Claim Formats Configuration

Added a configuration to control the formats of scope claims in access tokens. Options include scp_array and scope_space_separated.

Open Banking/Open Data

[AUT-10829] OBBR Payment Rejection Reasons

Set rejection reasons for payments in version 4 of the OBBR specification, providing clearer feedback on payment issues.

[AUT-10921] Extended CDR Amend Audit Event

Extended the CDR amend audit event to include previous arrangements when the feature flag cdr_amend_audit_event_with_previous_arrangement is enabled.

[AUT-11053] Custom Application Creation in FAPI Workspace

Added functionality to create custom applications in the FAPI workspace.

[AUT-11094] Remove CDR Amend Audit Event Flag

Removed the cdr_amend_audit_event_with_previous_arrangement flag.

[AUT-11144] Configure CDR Arrangements Auto Removal

Allowed configuration of automatic removal of CDR arrangements in the Authorization Server settings.

Extensions and Scripts

[AUT-10602] Runtime Version Management for Scripts

Introduced a feature flag scripts_runtime_versions to manage runtime versions for scripts, with enhanced UI for versioning and extensions.

[AUT-10898] Script Usage View and Migration Support

Added a view to show where specific scripts are used and how to migrate scripts to new runtime versions.

[AUT-11082] Extended Token Minting Script Example

Updated token minting script example to demonstrate how to access token request parameters.

Identity Pools

[AUT-10958] Schema Name Migration

Renamed and migrated default metadata and business metadata schema names for consistency.

[AUT-11022] Improved UI for String Arrays in Schema Editor

Enhanced the user interface for editing string arrays in the schema editor.

[AUT-10888] JIT Identifier/Address Mapping

Allowed using subject or IDP subject in JIT identifier/address mapping.

Tenant Management

[AUT-11009] Default User Role Configuration for JIT Users

Enabled configuration of the default user role for JIT-provisioned users in admin workspaces when roles and jit_permissions flags are enabled.

[AUT-11198] Enabled MFA by Default for New Tenants

MFA is now enabled by default for all new tenants.

B2B Organizations

[AUT-11038] Fine-Grained Permissions in B2B Portal

Enforced fine-grained permissions in the B2B portal, improving control over various user actions.

[AUT-11099] New Organization Claim Source Type

Added a new type of claim source for organizations.

[AUT-11254] Breadcrumbs on Sub-organizations View

Added breadcrumbs to the page header with a link to the parent workspace/organization in the Sub-organizations view.

Authorizers and Policies

[AUT-11035] Default Policy for APIs at Authorizer Level

Introduced a default policy at the authorizer level for APIs (early access feature).

[AUT-11093] Default Policy for Authorizer

Allowed configuration of the default policy for authorizers during creation and editing (early access feature).

Audit Logs

[AUT-11046] New User Identifiers in Audit Logs

Added new user identifiers to audit logs: idp_subject, idp_id, idp_method, user_id, and user_pool_id.

[AUT-11090] Audit Logs for GitHub Connector Errors

Included details of user-facing errors in audit logs for the GitHub connector, excluding internal errors.

[AUT-11047] Audit Logs by New User Identifiers

Enabled listing of audit logs by the new user identifiers.

APIs

[AUT-11116] Admin API for Token Revocation

Added an admin API to revoke various types of tokens (access, refresh, authorization codes, SSO sessions, scope grants) by subject.

[AUT-11379] Extend Tenant Configuration APIs to Import/Export Beta Feature Flags

The import/export APIs have been extended to include the early access feature flags configuration.

Operations and deployment

[AUT-10954] Cron Job Cleanup

Cleaned up unused cron jobs, resolving warnings related to missing handlers for specific queues.

[AUT-11215] Web Templates Rebranding

Updated web templates to reflect the SecureAuth branding.

Bug Fixes

[AUT-10969] Misleading User Label in Admin Portal

Fixed a misleading "Profile" & "PR" user label in the Admin portal top banner when the email is missing in user info.

[AUT-10992] Audit Events and Webhooks for Organizations

Added missing audit events and webhooks configuration for organization management.

[AUT-11032] IDP Provisioning Page Field Correlation

Ensured that obligatory fields from the pool are strictly correlated with the pool schema on the IDP provisioning page.

[AUT-11041] Schema Mismatch Warning

Added warnings for schema mismatches and allowed changes per user schema in "organization" workspaces.

[AUT-11051] IDP Pool Selection Pagination

Fixed an issue with missing search or pagination mechanisms when selecting pools in tenants with many pools.

[AUT-11052] Admin Workspace Access Fix

Resolved issues with accessing the Admin workspace for Workspace Admins.

[AUT-11061] Pool Selection Issue

Fixed an issue where selecting a pool was not possible if more than one pool existed in a workspace.

[AUT-11071] Member Label Display

Changed "None" to "Member" for tenant roles and granted tenant member roles on IDP creation in admin workspace.

[AUT-11077] Organization Hierarchy Display Issue

Fixed the display issue with the parent workspace node for Business Admins in the B2B portal.

[AUT-11112] User Profile Role Display Issue

Resolved an issue where user roles were sometimes incorrectly displayed as "team_manager" in the B2B Edit User Profile view.

[AUT-11074] Workspace Roles Mismatch

Addressed mismatches between workspace roles displayed in the user table and user details.

[AUT-11012] Empty Tenant Role Column

Fixed the issue with the empty tenant role column when the NONE role is assigned.

[AUT-10743] Role Input Visibility

Hidden or grayed out role input fields when the roles feature is turned off.

[AUT-11076] Admin Role Change Restriction

Prevented logged-in admin users from changing their own tenant role.

[AUT-11122] JIT Provisioning Metadata Mapping

Allowed mapping to business admin managed metadata attributes in JIT provisioning.

[AUT-11237] Issuer URL Calculation for ACS URL

Used issuer_url to calculate ACS and Redirect URLs in Identity Providers.

[AUT-11283] Precise Error for Deleted Users

Fixed an issue to return a more precise error when a user is deleted but attempts to use a refresh token.

[AUT-11315] User Selection in Pool

Resolved the issue preventing auditors from selecting users in the pool.

[AUT-11352] Remove Code Response Type

Removed the code response type from the partners workspace, which only supports client credentials grant type.

[SUP-3692] Debtor Account Override for Recurring Payments

Added the ability to override the debtor account for recurring payments in OBBR.