
Release notes: SecureAuth CIAM 2.26.0

Summary of new features and changes in SecureAuth CIAM platform (formerly known as Cloudentity) version 2.26.0.

For platform component version details, see SecureAuth platform dependencies version reference.

Release Date: September 30, 2025

New features

Authentication & SSO

  • SAML IdP-initiated SSO – Launch applications directly from your identity provider without requiring a service provider-initiated flow, streamlining access for enterprise users. The SAML assertion issued audit event now includes idp_initiated (boolean) and service_provider_id (string) fields, which improves audit trails and debugging. [AUT-12688, AUT-12634]

  • SAML Service Provider Discovery – Automatically discover and route authentication requests to the correct service provider based on domain or entity ID. [AUT-12675]

Agentic AI & Non-Human Identity

  • Agentic AI workspace – Secure and govern AI agents with the same rigor applied to human users. The new workspace template provides identity-driven access control for autonomous agents, including MCP (Model Context Protocol) authentication, fine-grained authorization policies, and comprehensive audit trails. A pre-configured demo environment with a Finance Assistant application showcases group-based access control for AI-powered applications.

Access Control & Security

  • Client and server pre-login policies – Enforce security requirements and device posture checks before authentication begins, strengthening your Zero Trust architecture. [AUT-12661]

Identity Provider Management

  • Common identity providers – Connect users through seven major social providers (Apple, Facebook, GitHub, Google, LinkedIn, Microsoft, X) with built-in SecureAuth configurations that work out of the box. Support expands to include new enterprise identity providers: Google Workspace, Okta V2, and a generic OAuth 2.0 provider. [AUT-12399]

  • Orchestrated IdP discovery – Use pre and post interaction scripts to dynamically guide users to the right identity provider based on context, domain, or custom logic. [AUT-12330]

Analytics & Risk Intelligence

  • Enhanced authentication dashboard – Monitor authentication activity across all identity provider types with filtering and detailed metrics for better visibility. [AUT-12736]

  • Risk Insights dashboard – Track security threats with dedicated leaked credentials detection, restricted country monitoring, and comprehensive risk event analysis. [AUT-12443]

  • User Activity Analytics – Analyze user behavior with LOA Score Time Plot, Authentication Breakdown, and MFA Friction metrics to optimize security and user experience. [AUT-12374]

  • Geographical login distribution – Visualize authentication attempts by city and country to identify unusual access patterns and potential threats. [AUT-12778]

Application Management

  • Application Topology View redesign – Manage identity sources, client applications, services, and OAuth scope subscriptions within a unified visual interface with enhanced layouts and improved navigation. [AUT-12699]

User Management

  • Bulk credential reset – Force credential reset for all users in an identity pool through the UI for rapid security response. [AUT-12713]

  • Tenant-level identity pools – Create identity pools at the tenant level for centralized user management across multiple workspaces (disabled by default for new tenants). [AUT-12458]

  • User groups as claims – Include user group memberships in tokens and assertions for group-based authorization in applications. [AUT-12434]

Developer Experience

  • IdP debugging and observability – Enhanced debugging capabilities for identity provider integrations with comprehensive logging and audit trails. [AUT-12783, AUT-12784, AUT-12790]

    • Login accepted audit events now include idp_mapping field for quick debugging of attribute mappings
    • Demo app includes "Enable Debug" check box with IdP Try Sign In button always using debug mode
    • Debug mode captures and logs IdP access tokens, ID token payloads, and sanitized SAML responses in Accept IdP audit events. Because these tokens are live credentials, enable debug mode only while troubleshooting and treat the resulting audit events as sensitive.
    • IdP mapping input and output values are logged in audit events when debug mode is enabled

  • System workspace management API – List and manage workspaces programmatically with new system-level API. [AUT-12692]

Improvements

SAML & Enterprise SSO

  • SAML Response Binding Configuration – Configure how SAML responses are bound and transmitted to balance security and interoperability. [AUT-12507]
    • strict_compliance - Requires the HTTP-POST binding and rejects SPs whose metadata offers only HTTP-Redirect (default for new tenants)
    • compatibility_mode - Honors the binding advertised in SP metadata, even where it violates the SAML Web Browser SSO profile (default for existing tenants)
    • force_post - Always delivers the response over HTTP-POST, ignoring the binding in SP metadata
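The following is an added example, not SecureAuth/Cloudentity code, showing how the three binding modes above play out against an SP's metadata: it parses the AssertionConsumerService entries and decides which binding (if any) the SAML Response may use. The mode names are the ones listed in the release notes; the parsing, the decision function and the sample metadata are assumptions made for illustration.

```python
# Added example (not SecureAuth code): apply strict_compliance,
# compatibility_mode and force_post to an SP's SAML metadata.
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def acs_bindings(sp_metadata_xml: str) -> dict[str, str]:
    """Map each AssertionConsumerService binding URN to its Location."""
    root = ET.fromstring(sp_metadata_xml)
    acs = root.iterfind(".//md:SPSSODescriptor/md:AssertionConsumerService", MD_NS)
    return {e.get("Binding"): e.get("Location") for e in acs}


def choose_response_binding(mode: str, sp_metadata_xml: str) -> tuple[str, str]:
    """Return (binding, location) for delivering the SAML Response, or raise."""
    bindings = acs_bindings(sp_metadata_xml)
    if not bindings:
        raise ValueError("SP metadata has no AssertionConsumerService")
    if mode == "strict_compliance":
        # Web Browser SSO profile: the Response is delivered over HTTP-POST
        # (or Artifact); an SP that only advertises HTTP-Redirect is rejected.
        if HTTP_POST not in bindings:
            raise ValueError("SP offers no HTTP-POST ACS; rejected in strict_compliance")
        return HTTP_POST, bindings[HTTP_POST]
    if mode == "compatibility_mode":
        # Honor what the SP advertises, preferring POST when it is available.
        if HTTP_POST in bindings:
            return HTTP_POST, bindings[HTTP_POST]
        binding = next(iter(bindings))
        return binding, bindings[binding]
    if mode == "force_post":
        # POST regardless of the advertised binding. Location comes from the
        # POST ACS if present, otherwise the first ACS listed (assumption).
        location = bindings.get(HTTP_POST) or next(iter(bindings.values()))
        return HTTP_POST, location
    raise ValueError(f"unknown binding mode: {mode}")


# Constructed SP metadata for the demo (not real entities)
SP_BOTH = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example/both">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example/acs/redirect" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example/acs/post" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

SP_REDIRECT_ONLY = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example/redirect-only">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example/acs/redirect" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for mode in ("strict_compliance", "compatibility_mode", "force_post"):
        for name, md in (("both", SP_BOTH), ("redirect-only", SP_REDIRECT_ONLY)):
            try:
                print(mode, name, "->", choose_response_binding(mode, md))
            except ValueError as exc:
                print(mode, name, "-> rejected:", exc)
```

Run it before switching an existing tenant to strict_compliance: any SP that ends up in the "rejected" branch needs a POST ACS added to its metadata first.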

Authorization & Policy Engine

  • Server pre-login policies for SAML – Server pre-login policies now apply to both OAuth/OIDC and SAML flows for consistent security enforcement. The application URL is now automatically set for the user portal. [AUT-12397]

  • MFA recovery for RAR policies – The built-in consent page supports MFA recovery flows for Rich Authorization Requests. Introspection responses now include granted authorization details. [AUT-12404]

  • Configurable Rego request size limits – Set maximum request size for Rego policy environments to optimize performance and security. [AUT-12419]

  • Enhanced audit events – Audit events now include granted_scopes and idp_mapping fields for improved debugging and compliance reporting. [AUT-12526, AUT-12783]

User Management & Schema

  • Redesigned pool schema editor – Intuitive interface for managing custom user attributes with improved visualization and configuration management. [AUT-12432]

  • Streamlined user management interface – The user view features streamlined navigation tabs and an improved interface for managing user attributes, roles, and group assignments. [AUT-12433]

  • Default schema modernization – New Profile, Business, and Delegated attribute schemas shared across admin and regular workspaces replace deprecated schemas. [AUT-12430]

Compliance & Financial Services

  • CDR Authorization Code Flow enforcement – CDR workspaces now support only Authorization Code Flow. The system blocks dynamic client registration (DCR) requests that use hybrid flow (code id_token response type) for improved security and FAPI 2.0 alignment. The default CDR workspace configuration allows only code response type. [AUT-11978]

  • FAPI 2.0 PAR parameter isolation – FAPI 2.0 workspaces now enforce PAR parameter isolation, ignoring OAuth2 parameters from the authorize endpoint when PAR is used, ensuring compliance with FAPI 2.0 specification requirements. [AUT-12627]
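As an added example (not SecureAuth code), here is what PAR parameter isolation looks like at an authorize endpoint: the pushed request is the single source of truth, and anything appended to the redirect link is discarded. The in-memory PAR store, the handler and the sample URLs are assumptions; the `isolate=False` branch reproduces the pre-fix behaviour the note describes, where query parameters could override pushed ones.

```python
# Added example (not SecureAuth code): FAPI 2.0 PAR parameter isolation.
from urllib.parse import parse_qs, urlparse

# Constructed PAR store: request_uri -> parameters pushed per RFC 9126
PAR_STORE = {
    "urn:ietf:params:oauth:request_uri:abc123": {
        "client_id": "fapi-client",
        "response_type": "code",
        "redirect_uri": "https://rp.example/cb",
        "scope": "openid accounts",
        "code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
        "code_challenge_method": "S256",
    }
}


def resolve_authorize_params(authorize_url: str, isolate: bool = True) -> dict:
    """Return the effective authorization parameters for an authorize request."""
    query = {k: v[0] for k, v in parse_qs(urlparse(authorize_url).query).items()}
    request_uri = query.get("request_uri")
    if request_uri is None:
        if isolate:
            # FAPI 2.0 profiles require PAR; a bare query-string request is refused.
            raise ValueError("invalid_request: PAR (request_uri) is required")
        return query
    pushed = PAR_STORE.get(request_uri)
    if pushed is None:
        raise ValueError("invalid_request_uri: unknown or expired request_uri")
    if query.get("client_id") != pushed["client_id"]:
        raise ValueError("invalid_request: client_id does not match the pushed request")
    if isolate:
        # Only client_id and request_uri are read from the query string;
        # every other parameter comes from the pushed request.
        return dict(pushed)
    # Legacy behaviour (assumption): query parameters merged over the pushed
    # ones, so a tampered link could widen scope or change redirect_uri.
    merged = dict(pushed)
    merged.update({k: v for k, v in query.items() if k != "request_uri"})
    return merged


if __name__ == "__main__":
    link = ("https://as.example/oauth2/authorize?client_id=fapi-client"
            "&request_uri=urn:ietf:params:oauth:request_uri:abc123"
            "&scope=openid%20accounts%20payments&redirect_uri=https://evil.example/cb")
    print("isolated:", resolve_authorize_params(link, isolate=True))
    print("legacy:  ", resolve_authorize_params(link, isolate=False))
```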

  • CDR DCR encryption controls – Block ID token encryption for dynamic client registration to meet Consumer Data Right security requirements. [AUT-12448]

User Experience

  • Responsive self-service portal – User portal adapts to mobile, tablet, and desktop screens for better accessibility. [AUT-12445]

  • Mobile-optimized OTP input – OTP and TOTP inputs use numeric keyboard mode on mobile devices for easier entry. [AUT-12455]

  • Improved Business Admin Portal – Enhanced visual design and usability for the Business Admin Portal user view. [AUT-12494]

  • Improved user creation modal – The user creation modal features improved layout and styling. [AUT-12355]

Analytics Enhancements

  • OS and browser analytics – Authentication analytics now include operating system and browser distribution graphs. [AUT-12410]

Infrastructure & Security

  • Updated Rego Alpine base – Rego environments use updated Alpine Linux version for improved security and performance. [AUT-12569]

  • CIBA grant type fix – Fixes an issue where the CIBA grant type was repeatedly appended to the list of available grant types on every update of the CIBA settings. [AUT-12489]

Developer Experience

  • Server secret rotation UI – Rotate and revoke server secrets directly in the UI without API calls. [AUT-12298]

  • Keyboard shortcuts for editors – Use Ctrl/Cmd+S to save changes in configuration editors for faster workflows. [AUT-12357]

  • CIBA Developer Mode – Enable developer mode for Client Initiated Backchannel Authentication external services for testing and debugging. [AUT-12488]

  • Social IdPs generally available – Social IdPs with embedded out-of-the-box configuration are now generally available. Common IdP feature flags have been removed. [AUT-12457]

  • Embedded IdPs configuration flag – Server configuration now includes an Embedded IdPs enable flag. [AUT-12516]

Bug fixes

OAuth & Token Management

  • Refresh token scope enforcement – Fixed an issue where refresh tokens could incorrectly grant scopes that weren't originally authorized. The system now consistently validates scopes during token refresh, ensuring renewed access tokens contain only the originally granted scopes. [AUT-12500]

  • mTLS token endpoint with DPoP – Fixed incorrect rejection of requests to the mTLS token endpoint when using DPoP JWT with the htu claim set to that endpoint. [AUT-12711]
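RFC 9449 requires the DPoP proof's `htu` to equal the target URI of the request it accompanies (minus query and fragment), so when a client talks to the mTLS alias advertised in `mtls_endpoint_aliases` (RFC 8705), `htu` carries that alias, not the primary `token_endpoint`. The following added example, not SecureAuth code, shows a check that compares `htu` against the URL the request actually arrived at, alongside the `legacy=True` variant that compares against the primary endpoint and therefore wrongly rejects such proofs. The server metadata, the proof encoding helper and the omission of signature verification are assumptions for illustration.

```python
# Added example (not SecureAuth code): DPoP htm/htu check against the
# endpoint actually hit, including an mTLS endpoint alias.
import base64
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed authorization server metadata (RFC 8705 mtls_endpoint_aliases)
SERVER_METADATA = {
    "token_endpoint": "https://as.example/oauth2/token",
    "mtls_endpoint_aliases": {"token_endpoint": "https://mtls.as.example/oauth2/token"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_proof(claims: dict) -> str:
    """Build a DPoP JWT shape (header.payload.signature) for the demo.
    The signature is a placeholder; real proofs are signed with the
    client's key in the JWK header (assumption for this example)."""
    header = {"typ": "dpop+jwt", "alg": "ES256", "jwk": {"kty": "EC", "crv": "P-256"}}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()),
                     _b64url(b"placeholder-signature")])


def decode_proof_claims(dpop_proof: str) -> dict:
    """Decode the proof payload. Signature verification is out of scope here."""
    payload = dpop_proof.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def canonical_target(url: str) -> str:
    """RFC 9449 §4.3: compare htu without query and fragment."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", "", ""))


def check_dpop_target(dpop_proof: str, method: str, request_url: str,
                      legacy: bool = False) -> bool:
    """True when the proof is bound to this HTTP method and target URI."""
    claims = decode_proof_claims(dpop_proof)
    if claims.get("htm") != method:
        return False
    # legacy=True models the bug: always comparing against the primary
    # token_endpoint, so a proof aimed at the mTLS alias is rejected.
    expected = SERVER_METADATA["token_endpoint"] if legacy else request_url
    return canonical_target(claims.get("htu", "")) == canonical_target(expected)


if __name__ == "__main__":
    mtls = SERVER_METADATA["mtls_endpoint_aliases"]["token_endpoint"]
    proof = make_demo_proof({"htm": "POST", "htu": mtls, "jti": "demo", "iat": 1700000000})
    print("fixed :", check_dpop_target(proof, "POST", mtls))
    print("legacy:", check_dpop_target(proof, "POST", mtls, legacy=True))
```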

Authentication & Logout

  • OIDC logout redirect – Fixed redirect behavior on the OIDC logout confirmation page. When users choose 'No', they are now correctly redirected back to the application. [AUT-12400]

User Management & Identity Pools

  • Identity pool attribute mappings – Fixed default attribute mappings to correctly use user.payload.first_name and user.payload.last_name instead of user.payload.given_name and user.payload.family_name, ensuring proper claim inclusion in ID tokens and user info. [AUT-12787]

  • Default schema metadata – Fixed default schema configuration to correctly use Administrative as metadata and Delegated as business_metadata. [AUT-12605]

APIs & Configuration

  • User portal import API – Fixed the import API with initialize flag to correctly configure app URL and redirect URIs for the User portal, eliminating duplicated tenant and server IDs in paths. [AUT-12529]

  • Workspace export API permissions – Fixed Hub export workspace API to properly support exporting regular workspaces using the manage_regular_workspaces scope. [AUT-12702]

Compliance & Financial Services

  • CDR notification JWT headers – Fixed missing kid (Key ID) claim in CDR data recipient notification JWT headers for proper signature verification. [AUT-12767]

Audit & Monitoring

  • Audit event correlation – Fixed audit event correlation to properly track events across consumer workspaces and organizations within the same authentication flow through improved authorization correlation handling. [AUT-12811]

User Experience

  • Mobile web view zoom – Fixed unwanted zoom behavior when focusing on input fields in mobile web view. [AUT-12372]