July 31, 2024
Highlights
Improved B2B Organization Management
This release introduces significant advancements in B2B Organization Management, focusing on productizing features that address B2B delegated administration and Partner Managed Identity use cases. These improvements include enhanced sub-organization management, better visibility and control over organizational hierarchies, and more prominent access to the delegated admin portal, making it easier for business admins to manage complex organizational structures.
Improved Authentication Security
In the area of authentication security, we have added new MFA capabilities and made substantial improvements to Identity Pools, providing administrators with more control and flexibility in managing multi-factor authentication settings. These enhancements strengthen security and ensure a more robust and secure authentication process across all user interactions.
User Experience and Interface Enhancements
Additionally, this release brings a series of UX/UI improvements aimed at simplifying the admin portal experience. These minor but impactful changes make the product more intuitive and easier to manage, streamlining daily tasks and improving overall usability for administrators.
Breaking changes
[ AUT-10839 ] Use new b2b users apis in B2B Portal
New fine-grained permissions:
{
"read_roles": true,
"manage_user_manager_role": true,
"get_identity_pool": true,
"update_identity_pool": true,
"delete_identity_pool": true,
"read_identity_pool_users": true,
"manage_identity_pool_users": true,
"manage_user_passwords": true,
"manage_user_otps": true,
"manage_user_addresses": true,
"manage_user_identifiers": true,
"send_user_verification": true,
"send_user_activation": true,
"b2b_read_users": true,
"b2b_manage_users": true,
"b2b_read_business_metadata": true,
"b2b_manage_business_metadata": true,
"b2b_read_admin_metadata": true,
"b2b_manage_admin_metadata": true
}
Not allowed to create/import users if admin metadata or business metadata contains required fields
[ AUT-11028 ] Do not enable JIT by default in the created idp when a workspace has workspace pool
[ AUT-11085 ] Fix a bug where pairwise subject type was incorrectly applied for the following grant types:
- jwt bearer
- token exchange
- password
- device
Following this correction, given the absence of user interaction within the specified flow, the public subject type will always be utilized.
[ AUT-11353 ] Adjust DPoP logic to the newest openid conformance tests, version: 5.1.17
Change PAR endpoint status code and error from 401 invalid_dpop_proof to 400 invalid_request when both DPoP proof header and dpop_jkt form param are provided but they do not match
- Change Token endpoint status code from 401 to 400 for invalid_dpop_proof errors.
Major Additions and Changes
B2B Organization Improvements
[ AUT-10825 ] Hierarchy Mode in B2B Organizations Page
A hierarchy mode has been introduced for managing B2B organizations, improving organizational structure visibility and management.
[ AUT-11078 ] Sub-Organizations Management in Business Admin Mode
Business admins can now manage sub-organizations within an organization, including setting top-level organizations as parents and changing parent organizations for descendants.
[ AUT-11079 ] Enhanced Parent Organization Management
Allows for the change of the parent organization for top-level organizations and their descendants. Restrictions have been added to ensure the integrity of organizational hierarchies.
[ AUT-11113 ] Prominent Delegated Admin Portal URL
The URL for the delegated admin portal is now displayed more prominently for easier sharing among customer business admins.
[ AUT-10912 ] Business Metadata Handling in User/Pool APIs
Added support for handling business metadata in user and pool APIs.
New MFA capabilities
[ AUT-10883 ] Identity Pool MFA Management
Enhanced management capabilities for MFA settings in Identity Pools.
Enhancements
[ AUT-11008 ] Configurable IDP Role for Admin Workspace
Admins can now configure IDP roles in the Admin workspace even if Just-In-Time (JIT) provisioning is disabled.
OAuth/OIDC
[ AUT-10786 ] Correlation ID Support in Authorization Flow
Added support for passing a correlation ID as authorization_correlation_id
in the OAuth2 authorization flow. All related audit events will now include this ID.
[ AUT-11042 ] Client ID in Software Statement
Allowed the provision of client_id
in the software statement during Dynamic Client Registration (DCR).
[ AUT-11066 ] No Implicit OpenID Scope for JWT-Bearer Flow
Removed the implicit issuance of the openid
scope for the JWT-bearer flow even if the client has the openid
scope.
[ AUT-11069 ] FAPI 2.0 Workspace Updates
Updated FAPI 2.0 workspace to enforce redirect_uri
for PAR endpoint, with scope
and request object no longer required.
[ AUT-10504 ] OIDC Back-Channel Logout Implementation
Added support for OIDC Back-Channel Logout, improving session management and security.
[ AUT-11087 ] Token Exchange Support for Azure IDP
Added support for token exchange with Azure Identity Providers (IDP).
[ AUT-11091 ] Hide Pairwise Identifier Settings
Hidden pairwise identifier settings when grant types do not include authorization code or implicit.
[ AUT-11214 ] Scope Claim Formats Configuration
Added a configuration to control the formats of scope claims in access tokens. Options include scp_array
and scope_space_separated
.
Open Banking/Open Data
[ AUT-10829 ] OBBR Payment Rejection Reasons
Set rejection reasons for payments in version 4 of the OBBR specification, providing clearer feedback on payment issues.
[ AUT-10921 ] Extended CDR Amend Audit Event
Extended the CDR amend audit event to include previous arrangements when the feature flag cdr_amend_audit_event_with_previous_arrangement
is enabled.
[ AUT-11053 ] Custom Application Creation in FAPI Workspace
Added functionality to create custom applications in the FAPI workspace.
[ AUT-11094 ] Remove CDR Amend Audit Event Flag
Removed the cdr_amend_audit_event_with_previous_arrangement
flag.
[ AUT-11144 ] Configure CDR Arrangements Auto Removal
Allowed configuration of automatic removal of CDR arrangements in the Authorization Server settings.
Extensions and Scripts
[ AUT-10602 ] Runtime Version Management for Scripts
Introduced a feature flag scripts_runtime_versions
to manage runtime versions for scripts, with enhanced UI for versioning and extensions.
[ AUT-10898 ] Script Usage View and Migration Support
Added a view to show where specific scripts are used and how to migrate scripts to new runtime versions.
[ AUT-11082 ] Extended Token Minting Script Example
Updated token minting script example to demonstrate how to access token request parameters.
Identity Pools
[ AUT-10958 ] Schema Name Migration
Renamed and migrated default metadata and business metadata schema names for consistency.
[ AUT-11022 ] Improved UI for String Arrays in Schema Editor
Enhanced the user interface for editing string arrays in the schema editor.
[ AUT-10888 ] JIT Identifier/Address Mapping
Allowed using subject or IDP subject in JIT identifier/address mapping.
Tenant Management
[ AUT-11009 ] Default User Role Configuration for JIT Users
Enabled configuration of the default user role for JIT-provisioned users in admin workspaces when roles
and jit_permissions
flags are enabled.
[ AUT-11198 ] Enabled MFA by Default for New Tenants
MFA is now enabled by default for all new tenants.
B2B Organizations
[ AUT-11038 ] Fine-Grained Permissions in B2B Portal
Enforced fine-grained permissions in the B2B portal, improving control over various user actions.
[ AUT-11099 ] New Organization Claim Source Type
Added a new type of claim source for organizations.
[ AUT-11254 ] Breadcrumbs on Sub-organizations View
Added breadcrumbs to the page header with a link to the parent workspace/organization in the Sub-organizations view.
Authorizers and Policies
[ AUT-11035 ] Default Policy for APIs at Authorizer Level
Introduced a default policy at the authorizer level for APIs. Early access feature
[ AUT-11093 ] Default Policy for Authorizer
Allowed configuration of the default policy for authorizers during creation and editing, Early access feature.
Audit Logs
[ AUT-11046 ] New User Identifiers in Audit Logs
Added new user identifiers to audit logs: idp_subject
, idp_id
, idp_method
, user_id
, and user_pool_id
.
[ AUT-11090 ] Audit Logs for GitHub Connector Errors
Included details of user-facing errors in audit logs for the GitHub connector, excluding internal errors.
[ AUT-11047 ] Audit Logs by New User Identifiers
Enabled listing of audit logs by the new user identifiers.
APIs
[ AUT-11116 ] Admin API for Token Revocation
Added an admin API to revoke various types of tokens (access, refresh, authorization codes, SSO sessions, scope grants) by subject.
[ AUT-11379 ] Extend tenant configuration APIs to import/export beta feature flags.
The import/export APIs has been extended to include the early access feature flags configuration.
Operations and deployment
[ AUT-10954 ] Cron Job Cleanup
Cleaned up unused cron jobs, resolving warnings related to missing handlers for specific queues.
[ AUT-11215 ] Web Templates Rebranding
Updated web templates to reflect the SecureAuth branding.
Bug Fixes
[ AUT-10969 ] Misleading User Label in Admin Portal
Fixed a misleading “Profile” & “PR” user label in the Admin portal top banner when the email is missing in user info.
[ AUT-10992 ] Audit Events and Webhooks for Organizations
Added missing audit events and webhooks configuration for organization management.
[ AUT-11032 ] IDP Provisioning Page Field Correlation
Ensured that obligatory fields from the pool are strictly correlated with the pool schema on the IDP provisioning page.
[ AUT-11041 ] Schema Mismatch Warning
Added warnings for schema mismatches and allowed changes per user schema in “organization” workspaces.
[ AUT-11051 ] IDP Pool Selection Pagination
Fixed an issue with missing search or pagination mechanisms when selecting pools in tenants with many pools.
[ AUT-11052 ] Admin Workspace Access Fix
Resolved issues with accessing the Admin workspace for Workspace Admins.
[ AUT-11061 ] Pool Selection Issue
Fixed an issue where selecting a pool was not possible if more than one pool existed in a workspace.
[ AUT-11071 ] Member Label Display
Changed “None” to “Member” for tenant roles and granted tenant member roles on IDP creation in admin workspace.
[ AUT-11077 ] Organization Hierarchy Display Issue
Fixed the display issue with the parent workspace node for Business Admins in the B2B portal.
[ AUT-11112 ] User Profile Role Display Issue
Resolved an issue where user roles were sometimes incorrectly displayed as “team_manager” in the B2B Edit User Profile view.
[ AUT-11074 ] Workspace Roles Mismatch
Addressed mismatches between workspace roles displayed in the user table and user details.
[ AUT-11012 ] Empty Tenant Role Column
Fixed the issue with the empty tenant role column when the NONE role is assigned.
[ AUT-10743 ] Role Input Visibility
Hidden or grayed out role input fields when the roles feature is turned off.
[ AUT-11076 ] Admin Role Change Restriction
Prevented logged-in admin users from changing their own tenant role.
[ AUT-11122 ] JIT Provisioning Metadata Mapping
Allowed mapping to business admin managed metadata attributes in JIT provisioning.
[ AUT-11237 ] Issuer URL Calculation for ACS URL
Used issuer_url
to calculate ACS and Redirect URLs in Identity Providers.
[ AUT-11283 ] Precise Error for Deleted Users
Fixed an issue to return a more precise error when a user is deleted but attempts to use a refresh token.
[ AUT-11315 ] User Selection in Pool
Resolved the issue preventing auditors from selecting users in the pool.
[ AUT-11352 ] Remove Code Response Type
Removed the code response type from the partners workspace, which only supports client credentials grant type.
[ SUP-3692 ] Debtor Account Override for Recurring Payments
Added the ability to override the debtor account for recurring payments in OBBR.