Release notes: SecureAuth CIAM 2.23.0

Summary of new features and changes in SecureAuth CIAM platform (formerly known as Cloudentity) version 2.23.0.

Release Date: December 12, 2024

Breaking changes

[ AUT-11427 ]
New claims with scope conditions now require the scopes to exist in the authorization server.

Major additions and changes

[ AUT-11502 ]
Added a new self-service API to revoke tokens, including access tokens, refresh tokens, and SSO sessions linked to the provided access token.

[ AUT-11504 ]
Enhanced workspace configuration to include allowed authentication mechanisms, providing control over which mechanisms users can use when logging in with identity pools. Key updates:

  • Validation: Added to the pool creation and update APIs to ensure that only the allowed authentication mechanisms configured at the workspace level can be used in workspace pools.

  • Tenant-Level Pools: No restrictions; all authentication methods remain available.

  • New Field: Added allowed_authentication_mechanisms in the /v2/self/me API.

[ AUT-11643 ]
Updated Alpine and Go versions for the Rego environment to address security vulnerabilities.

Minor enhancements

[ AUT-11222 ]
Added an API to revoke users' tokens in an identity pool.

[ AUT-11323 ]
Risk Threshold for SSO

[ AUT-11359 ]
Added the ability to set a tenant role for a just-in-time (JIT) provisioned user.

[ AUT-11373 ]
Improved UX in Self Service.

Content reorganized into 3 views: profile, security (with sign-in methods and your devices), privacy (with consent management)

[ AUT-11374 ]
Unified the top bar appearance across the user and admin portals

[ AUT-11383 ]
Enabled passkey setup in the self-service portal

[ AUT-11395 ]
Enhanced error messages for authentication policy execution issues

[ AUT-11403 ]
Added "Try Sign-in with current IDP" button

This is useful when multiple IDPs are configured, allowing you to test the one currently being set up. It also enables testing of IDPs with a hidden flag that cannot be selected on the IDP selector login page.

[ AUT-11406 ]
Improved and standardized the appearance of full-screen dialogs

[ AUT-11420 ]
Updated the system to support "idpconnect.secureauth.com" as the base value.

[ AUT-11426 ]
Add/edit claim dialog improvements: the scopes input is now an autocomplete field.

[ AUT-11483 ]
Made Authentication Factors v2 available when the acr feature flag is enabled

[ AUT-11491 ]
Added MFA friction charts.

[ AUT-11498 ]
Exposed System API to fetch OAuth2 clients by ID: GET /client/{cid}

[ AUT-11516 ]
Added acr_default_values to the client configuration. If the client does not send explicit acr_values to the authorize endpoint, the default values from the client configuration are treated as if the client had requested them. This feature is available behind the acr feature flag.

[ AUT-11538 ]
Implemented a new system API to revoke tokens for users in the pool, similar to the functionality provided by the Admin API: https://docs.secureauth.com/ciam-apis/admin.html

[ AUT-11554 ]
Updated default attributes for SAML IDP to use basic attributes: email, first name and last name

[ AUT-11558 ]
Enabled Sign-in and SSO in B2B portal in organization view

[ AUT-11589 ]
Improved user authentication experience in existing SSO session:

If a client requests a max_age that has expired, users are now prompted to log in instead of encountering an error page.

[ AUT-11618 ]
Added a dedicated HTTP client for webhooks with configurable timeouts and retries

[ AUT-11624 ]
Default signing key for new (non-FAPI) workspaces is now rsa instead of ecdsa

[ AUT-11719 ]
Extended the token endpoint authorization-engine policy input with metadata of the client certificate presented by the client, so policies can make decisions on the certificate's subject. Sample policy:

package acp.authz

# Deny by default; only the rule below can grant access.
default allow = false

# Allow the token request when any CN attribute of the client certificate's
# subject equals the expected client identity.
allow {
    input.clientCertificate.subject_attributes["CN"][_] == "cid1.example.com"
}

[ AUT-11720 ]
Added optional "certificate" field to the client create/import API. It accepts base64-encoded PEM certificates and converts them to JWKS
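As an added example covering both AUT-11719 and AUT-11720 (this is not code from the SecureAuth CIAM product), the Go program below builds a self-signed test certificate, encodes it the way the client create/import API accepts it (base64 of the PEM text), parses it back, flattens the subject DN into the subject_attributes map that the sample policy indexes, evaluates the same CN condition in Go, and emits the public key as a JWK. The policy input schema (subject_attributes as a map from attribute short name to a list of values) is inferred from the sample policy above, and the JWK conversion handles EC keys only; both are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SubjectAttributes maps a subject attribute short name (CN, O, ...) to its values.
// This shape is assumed from the sample policy's
// input.clientCertificate.subject_attributes["CN"][_] lookup.
type SubjectAttributes map[string][]string

// oidNames covers the common DN attribute OIDs; unknown OIDs keep their dotted form.
var oidNames = map[string]string{"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.6": "C"}

// ParseClientCertificate decodes the base64-encoded PEM string that the
// client create/import API accepts and returns the parsed certificate.
func ParseClientCertificate(b64 string) (*x509.Certificate, error) {
	pemBytes, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, fmt.Errorf("base64: %w", err)
	}
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE PEM block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// SubjectAttrs flattens the subject DN into the attribute map used as policy input.
func SubjectAttrs(cert *x509.Certificate) SubjectAttributes {
	out := SubjectAttributes{}
	for _, atv := range cert.Subject.Names {
		name, ok := oidNames[atv.Type.String()]
		if !ok {
			name = atv.Type.String()
		}
		if s, ok := atv.Value.(string); ok {
			out[name] = append(out[name], s)
		}
	}
	return out
}

// AllowByCN is the Go equivalent of the sample Rego rule: allow when any CN
// value of the subject equals the expected client identity.
func AllowByCN(attrs SubjectAttributes, want string) bool {
	for _, cn := range attrs["CN"] {
		if cn == want {
			return true
		}
	}
	return false
}

// ToJWK converts an EC certificate's public key to a JWK (RFC 7518 EC
// parameters) with the certificate attached as x5c.
func ToJWK(cert *x509.Certificate) (map[string]string, error) {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("example handles EC public keys only")
	}
	size := (pub.Curve.Params().BitSize + 7) / 8
	return map[string]string{
		"kty": "EC",
		"crv": pub.Curve.Params().Name,
		"x":   base64.RawURLEncoding.EncodeToString(pub.X.FillBytes(make([]byte, size))),
		"y":   base64.RawURLEncoding.EncodeToString(pub.Y.FillBytes(make([]byte, size))),
		"x5c": base64.StdEncoding.EncodeToString(cert.Raw),
	}, nil
}

// NewTestCertB64 creates a self-signed P-256 certificate with the given CN and
// returns it as base64(PEM). Constructed test data, not a real client certificate.
func NewTestCertB64(cn string) (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Example Org"}},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}

func main() {
	b64, _ := NewTestCertB64("cid1.example.com")
	cert, err := ParseClientCertificate(b64)
	if err != nil {
		panic(err)
	}
	attrs := SubjectAttrs(cert)
	jwk, _ := ToJWK(cert)
	fmt.Println("subject_attributes:", attrs, "allow:", AllowByCN(attrs, "cid1.example.com"), "jwk crv:", jwk["crv"])
}
```

A certificate whose CN does not match is denied by the default rule, and an input that is not a base64-wrapped PEM certificate is rejected before any policy runs, which is the behaviour to expect from the import API as well.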

Bug fixes

[ AUT-11337 ]
Resolved issue with users selecting an address for activation messages when multiple addresses exist

[ AUT-11386 ]
Ensured B2B portal updates org metadata using the Update Org Metadata API

[ AUT-11452 ]
Fixed input for DCR scope policies to include software statements and client attributes

[ AUT-11468 ]
Allow a 10-second clock skew for the iat claim in DPoP proof JWTs

[ AUT-11488 ]
Added a circuit breaker to the webhook handler
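As an added example for the webhook changes in AUT-11618 (dedicated HTTP client with timeouts and retries) and AUT-11488 (circuit breaker), not code from the SecureAuth CIAM product: the Go client below uses a per-attempt timeout, retries network errors and 5xx responses with linear backoff, does not retry 4xx responses (the endpoint was reached and rejected the event), and opens a circuit after a configurable number of consecutive failed deliveries so that a dead endpoint stops consuming request time. All names, thresholds and the FlakyServer test endpoint are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
	"time"
)

// ErrCircuitOpen is returned while the breaker refuses delivery attempts.
var ErrCircuitOpen = errors.New("webhook circuit open")

// WebhookClient bundles a timeout-bounded http.Client with retry and
// circuit-breaker state. Field names and defaults are this example's own.
type WebhookClient struct {
	HTTP       *http.Client
	MaxRetries int           // extra attempts after the first one
	Backoff    time.Duration // multiplied by the attempt number
	Threshold  int           // consecutive failed deliveries that open the breaker
	Cooldown   time.Duration // how long the breaker stays open

	mu        sync.Mutex
	failures  int
	openUntil time.Time
}

func NewWebhookClient(timeout time.Duration) *WebhookClient {
	return &WebhookClient{
		HTTP:       &http.Client{Timeout: timeout},
		MaxRetries: 2,
		Backoff:    10 * time.Millisecond,
		Threshold:  3,
		Cooldown:   30 * time.Second,
	}
}

// Deliver posts the payload to the webhook URL, retrying on transport errors
// and 5xx responses. 4xx responses are returned immediately without a retry.
func (c *WebhookClient) Deliver(url, payload string) error {
	c.mu.Lock()
	open := time.Now().Before(c.openUntil)
	c.mu.Unlock()
	if open {
		return ErrCircuitOpen
	}

	var lastErr error
	for attempt := 0; attempt <= c.MaxRetries; attempt++ {
		if attempt > 0 {
			time.Sleep(c.Backoff * time.Duration(attempt))
		}
		resp, err := c.HTTP.Post(url, "application/json", strings.NewReader(payload))
		if err != nil {
			lastErr = err // timeout or connection failure: retry
			continue
		}
		resp.Body.Close()
		switch {
		case resp.StatusCode < 400:
			c.record(true)
			return nil
		case resp.StatusCode >= 500:
			lastErr = fmt.Errorf("webhook returned %d", resp.StatusCode) // retry
		default:
			c.record(true) // endpoint is healthy; it rejected this event
			return fmt.Errorf("webhook rejected event with %d", resp.StatusCode)
		}
	}
	c.record(false)
	return lastErr
}

// record updates the consecutive-failure counter and opens the breaker when
// Threshold is reached; a success resets the counter.
func (c *WebhookClient) record(success bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if success {
		c.failures = 0
		return
	}
	c.failures++
	if c.failures >= c.Threshold {
		c.openUntil = time.Now().Add(c.Cooldown)
		c.failures = 0
	}
}

// FlakyServer is a constructed webhook endpoint that answers 503 to the first
// failFirst requests and 204 afterwards.
func FlakyServer(failFirst int) *httptest.Server {
	var mu sync.Mutex
	calls := 0
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		mu.Lock()
		calls++
		n := calls
		mu.Unlock()
		if n <= failFirst {
			http.Error(w, "busy", http.StatusServiceUnavailable)
			return
		}
		w.WriteHeader(http.StatusNoContent)
	}))
}

func main() {
	srv := FlakyServer(1)
	defer srv.Close()
	c := NewWebhookClient(2 * time.Second)
	fmt.Println("delivery after one 503 and a retry:", c.Deliver(srv.URL, `{"event":"user.created"}`))
}
```

With these defaults a permanently failing endpoint costs three attempts per delivery for three deliveries, after which Deliver returns ErrCircuitOpen without touching the network until the cooldown elapses.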

[ AUT-11526 ]
Limited JARM warnings and sections to the authorization code grant type and added ID token signing algorithm mismatch warnings

[ AUT-11639 ]
Enabled dynamic redirect URIs for demo applications

[ AUT-11690 ]
Changed the default SAML IDP attributes source from Custom to "SAML Assertion Attribute"