
Release notes: SecureAuth CIAM 2.25.0

Summary of new features and changes in SecureAuth CIAM platform (formerly known as Cloudentity) version 2.25.0.

Release Date: May 31, 2025

Major additions and changes

[ AUT-12309 ]

Introduced a new advanced server configuration that enforces a single audience in client assertion JWTs for the JWT-based client authentication methods (private_key_jwt and client_secret_jwt): the assertion's aud claim must contain exactly one value, the authorization server's own identifier. This mitigates audience injection, where an assertion minted for another server, or listing several servers, is accepted by this one.

See: https://datatracker.ietf.org/doc/draft-ietf-oauth-rfc7523bis.

This flag is enabled by default for new workspaces, except CDR (Consumer Data Right) workspaces.
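The following is an added illustration, not SecureAuth/Cloudentity code, of what the strict single-audience check changes at the token endpoint. It builds HS256 client assertions (the client_secret_jwt flavour) with a small standard-library JWT helper and verifies them two ways: the legacy behaviour, which accepts the assertion if any listed audience belongs to this server, and the strict behaviour, which requires exactly one audience equal to the issuer identifier. The issuer URL, client ID and shared secret are assumed values.

```python
"""Added example: single-audience enforcement for client assertion JWTs.
Not SecureAuth/Cloudentity code; issuer, client and secret are assumed."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://as.example.com"            # assumed AS issuer identifier
TOKEN_ENDPOINT = ISSUER + "/oauth2/token"     # assumed token endpoint URL
CLIENT_ID = "client-123"                      # assumed client
CLIENT_SECRET = b"example-shared-secret"      # assumed HS256 key (client_secret_jwt)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_assertion(aud, secret=CLIENT_SECRET) -> str:
    """Build an HS256 client assertion. 'aud' is used verbatim so that both
    compliant (single string) and non-compliant (list) tokens can be produced."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    claims = {"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": aud,
              "iat": now, "exp": now + 60, "jti": f"jti-{now}"}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_assertion(token, secret=CLIENT_SECRET, single_audience=True, now=None):
    """Return the claims if the assertion is acceptable, otherwise raise ValueError.

    single_audience=True  : strict mode. 'aud' must be exactly one value and it
                            must be this server's issuer identifier.
    single_audience=False : legacy mode. Accept if any listed audience is one of
                            ours (issuer or token endpoint). This is what lets an
                            assertion addressed to several servers be replayed here.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")

    aud = claims.get("aud")
    # Normalise: a string or a list of strings, as RFC 7519 allows.
    auds = [aud] if isinstance(aud, str) else list(aud or [])
    if single_audience:
        # Exactly one audience, and it must be the issuer identifier. Accepting
        # the token endpoint URL as well would be a compatibility choice; it is
        # deliberately not made here.
        if len(auds) != 1 or auds[0] != ISSUER:
            raise ValueError(f"aud must be exactly the issuer identifier, got {aud!r}")
    else:
        if not any(a in (ISSUER, TOKEN_ENDPOINT) for a in auds):
            raise ValueError("no acceptable audience")
    return claims


def is_accepted(token, single_audience=True) -> bool:
    """Boolean wrapper around verify_assertion for quick comparisons."""
    try:
        verify_assertion(token, single_audience=single_audience)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # A client mints one assertion for two servers; a rogue second server
    # replays it to us. Legacy mode accepts it, strict mode does not.
    shared = make_assertion([ISSUER, "https://other-as.example.net"])
    print("legacy accepts multi-aud:", is_accepted(shared, single_audience=False))
    print("strict accepts multi-aud:", is_accepted(shared))
    print("strict accepts proper aud:", is_accepted(make_assertion(ISSUER)))
```

The legacy branch is the behaviour the new flag turns off: because a multi-valued aud only needs to contain one of this server's identifiers, an assertion the client intended for a different server can be accepted here. The strict branch is what the release note describes.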

Minor enhancements

[ AUT-11795 ]

Added support for Okta V2 OIDC-based IDP.

[ AUT-11992 ]

Introduced a system API to manage secrets. Updated system APIs to avoid returning encrypted values.

[ AUT-12028 ]

Improved 2FA and Recovery Verification Code views on the login page:

  • Users can select from multiple addresses in the "Use Alternative" view

  • On invalid code entry, users can re-enter the code without returning to the initial OTP view

  • Masked addresses where codes are sent

  • "Use Alternative" is hidden if no other address available

  • Users are notified if the code was not sent and no usable addresses exist

[ AUT-12073 ]

Deprecated self-user Identity APIs:

  • /self/me (GET, POST)

  • /self/change-password

Use the /v2 versions of those endpoints instead.

Also:

  • Restricted access to the self-user Complete Address Verification Identity API (Hidden behind feature flag. Disabled for new tenants.)

  • Restricted access to the public Confirm Reset Password Identity API (Hidden behind feature flag. Disabled for new tenants.)

[ AUT-12086 ]

Removed enforce_system_admin_workspace_access feature flag.

[ AUT-12098, AUT-12099, AUT-12100, AUT-12101, AUT-12149, AUT-12155 ]

Added new IDP connectors with use_embedded flag, available behind the common_idps feature flag:

  • Apple

  • Facebook (Meta)

  • Google Workspace

  • LinkedIn

  • Microsoft (personal accounts only)

  • X (Twitter)

[ AUT-12171 ]

Enhanced Google Workspace IDP with group retrieval support. Requirements:

  • Service account granted the admin.directory.groups.readonly scope

  • Email address of a Workspace admin for the service account to impersonate (domain-wide delegation)

[ AUT-12186 ]

Added client secret support in X (Twitter) IDP.

[ AUT-12193 ]

Added generic-purpose OAuth2 IDP.

[ AUT-12244 ]

Introduced a new server pre-login policy execution point.

Bug fixes

[ AUT-11937 ]

Introduced a new version of /password/verify that returns HTTP 200 even when the password is incorrect and reports the outcome in a detailed verification result in the response body. Deprecated the previous Identity System API /password/verify.

[ AUT-12087 ]

Prevented errors during JIT lookup when the correlation identifier is empty.

[ AUT-12102 ]

Now publishes a "create tenant" event when importing new tenants.

[ AUT-12200 ]

Generated new script IDs when an organization is created from a template. Updated script execution points accordingly. Available behind the clone_workspace_scripts_fix feature flag.