Release notes: SecureAuth CIAM 2.25.0

Summary of new features and changes in SecureAuth CIAM platform (formerly known as Cloudentity) version 2.25.0.

For platform component version details, see SecureAuth platform dependencies version reference.

Release Date: May 31, 2025

Major additions and changes

[ AUT-12309 ]

Introduced a new advanced server configuration option that enforces a single audience check on assertion JWTs for the private_key_jwt and client_secret_basic authentication methods. This helps mitigate the audience injection vulnerability.

See: https://datatracker.ietf.org/doc/draft-ietf-oauth-rfc7523bis.

This flag is enabled by default for new workspaces, except for CDR.
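The check this option turns on, as an added illustration that is not SecureAuth's code: a strict `aud` validator for client-authentication assertions, shown next to the permissive "expected value is somewhere in the list" behaviour it replaces. The token endpoint URL and the assertion contents are constructed for the demo; signature verification is assumed to have already happened.

```python
import base64
import json

# Constructed value; in practice this is the authorization server's own token endpoint.
TOKEN_ENDPOINT = "https://auth.example.com/oauth2/token"


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used in compact JWS."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def unverified_claims(assertion: str) -> dict:
    """Return the payload of a compact JWS. Only the claim check is shown here;
    a real server verifies the signature before trusting any claim."""
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def audience_ok(claims: dict, expected: str, single_audience: bool) -> bool:
    """Validate the 'aud' claim of a client-authentication assertion.

    single_audience=False: accept when 'expected' appears anywhere in 'aud', so an
    assertion minted for another server that also lists this one is accepted.
    single_audience=True: 'aud' must carry exactly one value (a string or a
    one-element array) and it must equal the expected token endpoint.
    """
    aud = claims.get("aud")
    if isinstance(aud, str):
        auds = [aud]
    elif isinstance(aud, list) and auds_all_strings(aud):
        auds = aud
    else:
        return False
    if single_audience:
        return len(auds) == 1 and auds[0] == expected
    return expected in auds


def auds_all_strings(values: list) -> bool:
    return bool(values) and all(isinstance(v, str) for v in values)


def make_assertion(claims: dict) -> str:
    """Build a demo compact JWS; the signature segment is a constructed placeholder."""
    return f"{_b64url_encode({'alg': 'RS256', 'typ': 'JWT'})}.{_b64url_encode(claims)}.sig"
```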

Minor enhancements

[ AUT-11795 ]

Added support for Okta V2 OIDC-based IDP.

[ AUT-11992 ]

Introduced a system API to manage secrets. Updated system APIs to avoid returning encrypted values.

[ AUT-12028 ]

Improved 2FA and Recovery Verification Code views on the login page:

  • Users can select from multiple addresses in the "Use Alternative" view

  • On invalid code entry, users can re-enter the code without returning to the initial OTP view

  • Masked addresses where codes are sent

  • "Use Alternative" is hidden if no other address available

  • Users are notified if the code was not sent and no usable addresses exist

[ AUT-12073 ]

Deprecated self-user Identity APIs:

  • /self/me (GET, POST)

  • /self/change-password

Use the /v2 versions of those endpoints instead.

Also:

  • Restricted access to the self-user Complete Address Verification Identity API (Hidden behind feature flag. Disabled for new tenants.)

  • Restricted access to the public Confirm Reset Password Identity API (Hidden behind feature flag. Disabled for new tenants.)

[ AUT-12086 ]

Removed enforce_system_admin_workspace_access feature flag.

[ AUT-12098, AUT-12099, AUT-12100, AUT-12101, AUT-12149, AUT-12155 ]

Added new IDP connectors with the use_embedded flag, available behind the common_idps feature flag:

  • Apple

  • Facebook (Meta)

  • Google Workspace

  • LinkedIn

  • Microsoft (personal accounts only)

  • X (Twitter)

[ AUT-12171 ]

Enhanced Google Workspace IDP with group retrieval support. Requirements:

  • Service account with admin.directory.groups.readonly scope

  • Admin email address for impersonation

[ AUT-12186 ]

Added client secret support in X (Twitter) IDP.

[ AUT-12193 ]

Added a general-purpose OAuth2 IDP.

[ AUT-12244 ]

Introduced a new server pre-login policy execution point.

Bug fixes

[ AUT-11937 ]

Introduced a new version of /password/verify that returns HTTP 200 on an incorrect password and provides detailed verification results. Deprecated the previous Identity System API /password/verify.

[ AUT-12087 ]

Prevented errors during JIT lookup when the correlation identifier is empty.

[ AUT-12102 ]

Now publishes a "create tenant" event when importing new tenants.

[ AUT-12200 ]

Generated new script IDs when an organization is created from a template. Updated script execution points accordingly. Available behind the clone_workspace_scripts_fix feature flag.