Release notes: SecureAuth CIAM 2.28.0

Summary of new features and changes in SecureAuth CIAM platform (formerly known as Cloudentity) version 2.28.0.

For platform component version details, see SecureAuth platform dependencies version reference.

Release Date: June 30, 2026

New features

  • Standalone authorizer management API authorization – The standalone authorizer's management APIs (GET /apis, PUT /apis) now support optional OAuth2 client-credentials authorization. When enabled, callers must present a valid JWT Bearer token, with separate scopes for read (read_gateway_configuration) and write (write_gateway_configuration). [AUT-13149]

  • SCIM custom application API keys – Identity providers can now authenticate to SCIM custom applications using a pre-generated static API key instead of the OAuth 2.0 client credentials flow. [AUT-13385]

  • SCIM custom application admin UI – Added admin views to configure SCIM custom applications and their attribute mappings, complementing the SCIM custom application API keys. [AUT-13194, AUT-13196, AUT-13228]

  • RADIUS authentication (Early Access) – Added support for RADIUS authentication, letting RADIUS clients authenticate users through the platform with multiple identity providers and multi-factor methods including push notification and symbol-to-accept (with out-of-band polling when users respond on their mobile devices). Available in early access behind a feature flag. [AUT-13321]

  • Paginated List IDPs API – Introduced a new List IDPs v2 endpoint with pagination and method filtering (the methods query parameter accepts comma-separated values such as ?methods=static,oidc,azure). The previous List IDPs endpoint is now deprecated. [AUT-13143, AUT-13159]

  • Configurable WebAuthn Relying Party – Added a Passkey Settings section to the identity pool configuration page, allowing administrators to configure the WebAuthn Relying Party ID and Origins. [AUT-13364]

  • Per-pool user limits – Added configurable per-pool limits (default 20, range 1–100) on the number of identifiers, addresses, credentials, and codes a single user can have, preventing unbounded growth. [AUT-13290]

  • OTP rate limiting – Added per-user and per-address rate limiting to OTP-sending endpoints to prevent abuse and brute-force attempts on OTP codes. [AUT-13303, AUT-13367]

  • Workspace statistics – Added counters for the number of clients, services, and IDPs (excluding organizations) in a workspace, surfaced as cards in the admin UI. [AUT-13147, AUT-13201]

  • response_type=none support – Added support for the OIDC response_type=none response type. [AUT-13074]

  • Optional OTP confirmation step – Added the ability to require user confirmation before an OTP is sent, available behind a feature flag. [AUT-13304]

  • Bring your own SMS provider – Added support for connecting third-party SMS providers (Twilio, Vonage, TeleSign) to deliver OTP and notification messages, with configurable fallback ordering and delivery-receipt tracking. Available behind a feature flag. [AUT-13240, AUT-13246, AUT-13247, AUT-13248, AUT-13250, AUT-13401, AUT-13403]

  • Phone providers admin UI – Added a Phone Providers tab in the admin portal to configure providers, choose built-in vs. custom mode, set fallback order, and send per-provider test messages. [AUT-13365, AUT-13601]

  • NATS JetStream event streaming – The platform's event stream can now run on NATS JetStream as an alternative to Redis, providing durable, at-least-once event delivery. Requires deploying a NATS JetStream server, and is enabled per tenant by a feature flag. [AUT-13188]

  • Application quickstart samples – Added in-product quickstart guides with runnable sample apps spanning SPA (React), server-side web (Java/.NET), SAML, and mobile (iOS, Android, React Native), helping developers integrate faster. [AUT-13482, AUT-13537, AUT-13563, AUT-13564, AUT-13565, AUT-13593, AUT-13594]

Improvements

  • Internationalization (Early Access) – Multi-language support is now available for all user-facing authentication and identity pages — login, consent, MFA, registration, password reset, and email/SMS notifications. Administrators can set a default locale, enable a language selector, and author custom translations for 80+ languages via a YAML editor, with automatic browser-language detection and a fallback chain. Ships with built-in English and Spanish translations and per-tenant overrides. [AUT-13215]

  • Organizations generally available – The organizations feature is now generally available and the beta feature flag has been removed. [AUT-13217]

  • Optional 2FA skip when no method is configured – During activation or self-registration, users may now choose not to configure a second factor. Once any 2FA method is configured, it is enforced and can no longer be skipped. [AUT-13214]

  • Smart Passkey rename – Renamed "Usernameless Passkey" to "Smart Passkey" across the admin UI, login screens, and user portal, with an updated icon matching the new design. [AUT-13391]

  • Audit log date-range filtering – Removed live mode from Audit Logs; events are now listed by date range (defaulting to the last 24 hours) with additional presets (last 30 minutes, last hour, last week, last month). Extensions Logs live mode now shows only events from when the editor was opened. [AUT-13200]

  • Richer identity audit events – Identifier and address audit events now include identifier_type (email, mobile, uid, external, federated) and, for addresses, address_type and address_verified. [AUT-13129]

  • Database error visibility – Database error logs now include PostgreSQL error detail in the error chain, improving visibility into constraint violations in production. [AUT-13443]

  • Analytical query indexes – Added indexes on user created_at / updated_at columns to ease running analytical queries. [AUT-13374]

  • Secret masking in policy and script output – Workspace secrets used in Rego policies and scripts no longer appear unmasked in audit events, debug logs, or test-endpoint responses, including secrets containing special characters that are output via JSON.stringify(). [AUT-13280, AUT-13375]

  • User portal accessibility – Fixed accessibility issues in the user portal: improved color contrast for the success Chip to meet WCAG 2 AA, corrected ARIA role violations in the profile menu, and fixed heading order. [AUT-13423]

  • Quick link to allowed authentication methods – Added a quick link to "Allowed Authentication Methods" in the user pool sign-in configuration, so administrators can update workspace-level method permissions without first triggering the mismatch warning. [AUT-13571]

  • Paginated IDP list in admin UI – The admin identity-provider list now uses the paginated List IDPs v2 API, improving performance in workspaces with many IDPs. [AUT-13148]

  • Resilient message delivery – Permanent SMTP and Twilio errors (such as invalid credentials or an invalid phone number) are now detected and the message is dropped after publishing an audit event, instead of being retried indefinitely. [AUT-13188]

  • Cloned workspace scripts – Organization scripts (for example, discovery) are now correctly attached when a workspace is created from a template, instead of reusing stale script IDs. [AUT-13210]

  • Modernized admin UI styling – Removed inline styles across the admin portal and authentication templates, allowing the strict Content-Security-Policy to drop unsafe-inline for stronger XSS protection. [AUT-13602, AUT-13670, AUT-13693]

Bug fixes

  • Standalone authorizer request cancellations – Fixed the standalone authorizer intermittently returning HTTP 499 "request canceled" errors on its management APIs. [AUT-13719]

  • Passkey API field types – Fixed passkey/WebAuthn API specs so generated TypeScript, Go, and Java clients round-trip credentials correctly: byte fields are now described as strings, and a new wire type accepts both base64url and standard base64 on input while always emitting base64url. [AUT-13573]

  • Remember-me after OIDC sign-in – Fixed the remember-me / welcome-back screen not rendering for users who previously signed in with an OIDC IDP in a multi-IDP workspace. [AUT-13572]

  • Smart Passkey alternative method selection – Fixed a flow where, on a discovery-reached login page whose preferred mechanism is a Smart Passkey, cancelling the WebAuthn prompt and choosing another method required two clicks because the first click re-triggered the passkey view. [AUT-13561]

  • IDP cache lookup – Fixed IDP cache lookups using the wrong cache, which could return stale or incorrect IDP data during login flows. [AUT-13535]

  • Stuck Continue button – Fixed a sporadic issue where the Continue/Submit button on login and other authentication pages could remain disabled despite filled-in credentials. [AUT-13522]

  • Password verification for uid identifiers – Fixed verifying a user's password via the system API when the identifier is of type uid. [AUT-13504]

  • Address shown after failed OTP – Fixed the destination address (email or phone) not being displayed on the OTP verification screen after a failed attempt. [AUT-13502]

  • Voice MFA 404 on fresh tenants – Fixed repeated 404 errors when loading workspace authentication methods on fresh tenants without voice MFA configured. [AUT-13471]

  • acr/amr claims after refresh – Fixed acr and amr claims missing from the id_token when using the refresh-token grant after a token-exchange flow. [AUT-13462]

  • User event batch ordering – Fixed unique-constraint violations during batch processing of user events by reordering database operations and reconciling conflicting changes within a batch. [AUT-13445]

  • Opaque tokens in admin API – Fixed admin API endpoints returning 401 when the admin workspace is configured to use opaque (non-JWT) access tokens. [AUT-13408]

  • Pair-new-device button – Fixed the "Next" button on the pair-new-device page always being disabled, which prevented users from proceeding. [AUT-13397]

  • Magic link failure routing – Fixed a failed magic-link authentication always showing the generic OTP screen instead of the correct screen for the enabled OTP method (email or SMS OTP). [AUT-13389]

  • Schema labels for array items – Fixed schema labels for array items not being displayed in the identity pool user form. [AUT-13388]

  • WebAuthn error handling – WebAuthn registration and login finish endpoints now return 400/401 with debug details (and a user-friendly error on login) instead of a 500 when the WebAuthn library reports a protocol error. [AUT-13336, AUT-13310]

  • RAR assignment 404 – Fixed assigning Rich Authorization Request (RAR) types to a client returning a 404 due to a stale cache. [AUT-13305]

  • OTP notification messaging – Improved OTP verification notifications to correctly reflect whether an OTP was sent or the address is undefined, while authentication errors are surfaced by the parent template. [AUT-13304]

  • Patch Tenant with stale feature flags – Fixed the Patch Tenant API failing when a previously removed feature flag still existed in the database. [AUT-13314]

  • Template rendering error page – Fixed a blank 500 page being shown when a template rendering error occurred on theme-customizable backend-rendered pages. [AUT-13227]

  • OIDC IDP error propagation – Fixed OIDC IDP error callbacks not being propagated to the client in workspaces with multiple IDPs configured. [AUT-13171]

  • Dynamic scope audience – Fixed audience not being granted for dynamic scopes. [AUT-13166]

  • Policy execution point overwrite – Fixed policy execution points being silently overwritten when a client configuration contained server-level PEP types; the hub API now validates that PEP types match their entity and returns 422 if mismatched. [AUT-12946]

  • Two-step activation against email scanners – Activation links now show a confirmation page with an "Activate Account" button instead of activating automatically, preventing email security scanners from consuming the activation code. Available behind the TwoStepActivation feature flag. [AUT-13382]
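As an added illustration of the wire-type behaviour noted in the "Passkey API field types" fix above (example code, not the platform's own implementation): a Go JSON type that accepts base64url or standard base64, padded or unpadded, on input and always emits unpadded base64url. The field names id and publicKey in the round-trip helper are assumptions.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"strings"
)

// Base64URLBytes is a constructed example of a lenient byte-field wire type: input
// may be base64url or standard base64, padded or not; output is always unpadded base64url.
type Base64URLBytes []byte

// decodeLenient maps the standard alphabet ("+", "/") onto the URL-safe one ("-", "_"),
// strips trailing "=" padding, then decodes strictly (a stray "=" or bad length is an error).
func decodeLenient(s string) ([]byte, error) {
	s = strings.TrimRight(s, "=")
	s = strings.NewReplacer("+", "-", "/", "_").Replace(s)
	return base64.RawURLEncoding.DecodeString(s)
}

// UnmarshalJSON accepts either encoding on input.
func (b *Base64URLBytes) UnmarshalJSON(data []byte) error {
	var s string
	if err := json.Unmarshal(data, &s); err != nil {
		return err
	}
	raw, err := decodeLenient(s)
	if err != nil {
		return err
	}
	*b = raw
	return nil
}

// MarshalJSON always emits unpadded base64url, the form WebAuthn clients expect.
func (b Base64URLBytes) MarshalJSON() ([]byte, error) {
	return json.Marshal(base64.RawURLEncoding.EncodeToString(b))
}

// NormalizeCredential round-trips a JSON object of byte fields (assumed shape, e.g.
// {"id": ..., "publicKey": ...}) through the lenient type; output keys come out sorted.
func NormalizeCredential(in string) (string, error) {
	var fields map[string]Base64URLBytes
	if err := json.Unmarshal([]byte(in), &fields); err != nil {
		return "", err
	}
	out, err := json.Marshal(fields)
	return string(out), err
}
```

Feeding it a constructed document such as {"id":"+/+/AQ==","publicKey":"-_-_AQ"} yields both fields as "-_-_AQ", which is the canonical form a generated client can compare byte-for-byte.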