Release Notes: SecureAuth CUSTOMER IDENTITY MANAGEMENT version 2.23.0

This article is a summary of new features and changes in SecureAuth CUSTOMER IDENTITY MANAGEMENT (formerly known as Cloudentity) version 2.23.0.

December 12, 2024

Breaking changes

[ AUT-11427 ] When a new claim is created with a scopes condition, the scopes must exist in the authorization server.

Major additions and changes

[ AUT-11502 ] Add a new self-service API to revoke tokens. This API revokes access, refresh tokens, and SSO sessions associated with the subject in the provided access token.

[ AUT-11504 ] Add allowed authentication mechanisms to the workspace configuration, which can limit the authentication mechanisms used by users logging in with identity pools. Add validation to the pool create/update API and dump so that only the authentication mechanisms allowed at the workspace level can be used in a workspace pool. Tenant-level pools can use all methods. Add a new field allowed_authentication_mechanisms to the /v2/self/me API.

[ AUT-11643 ] Bump the Alpine and Go versions for the Rego environment to fix security vulnerabilities.

Minor enhancements

[ AUT-11222 ] API to revoke users' tokens in a pool

[ AUT-11323 ] Risk Threshold for SSO

[ AUT-11359 ] It should be possible to set a tenant role for a JIT-provisioned user

[ AUT-11373 ] Improved UX in Self Service. Content reorganized into 3 views: profile, security (with sign-in methods and your devices), and privacy (with consent management)

[ AUT-11374 ] Unify the appearance of the user portal top bar with the appearance in admin portal

[ AUT-11383 ] Add possibility to set passkey in self service portal

[ AUT-11395 ] Friendlier message for error executing authentication policy

[ AUT-11403 ] "Try Sign-in with current IDP" button.

It is useful when multiple IDPs are configured and you want to test the one currently being configured, or when the currently configured IDP has the hidden flag set and therefore cannot be selected on the IDP selector login page.

[ AUT-11406 ] Full screen dialogs look improved, unified across the product

[ AUT-11420 ] Overriding the base value “idpconnect.secureauth.com” to reflect the recent changes.

[ AUT-11426 ] Add/edit claim modal improvements - scopes input changed to an autocomplete field

[ AUT-11483 ] Authentication factors v2 available when the acr feature flag is on

[ AUT-11491 ] MFA Friction charts

[ AUT-11498 ] Expose a system API for getting an OAuth2 client by ID: GET /client/{cid}

[ AUT-11516 ] Add a new field acr_default_values to the client configuration. If the client does not send explicit acr_values to the authorize endpoint, implicit default acr values from the client configuration will be requested. This feature is available behind the acr feature flag.

[ AUT-11538 ] Implement a new system API to revoke tokens for users in the pool, similar to the functionality provided by the admin API: https://cloudentity.com/developers/api/authorization_apis/admin/

[ AUT-11554 ] Change SAML IDP default attributes / mapping to basic attributes: email, first name and last name.

[ AUT-11558 ] Sign-in and SSO in B2B portal in organization view

[ AUT-11589 ] When a user authenticates using an existing SSO session, and the client requests a max_age that has already passed since the user’s last authentication, the user will now be prompted to log in again instead of encountering the error page: “The Authorization Server requires End-User authentication.”

[ AUT-11618 ] Add a dedicated HTTP client for webhooks with different timeouts and retry configuration

[ AUT-11624 ] New workspaces (except FAPI-based ones) will now use RSA as the default signing key instead of ECDSA.

[ AUT-11719 ] Extend token endpoint authz engine policy input with the client certificate metadata, sample policy:

    package acp.authz

    # Deny unless a rule below explicitly grants access.
    default allow = false

    # Allow when the presented client certificate's subject CN matches the expected value.
    allow {
        input.clientCertificate.subject_attributes["CN"][_] == "cid1.example.com"
    }

[ AUT-11720 ] Add an optional “certificate” field to the create/import client API. This field accepts base64 encoded client certificate in PEM format and automatically converts it to a JWKS.

Bug fixes

[ AUT-11337 ] If a user has more than one address, display a dialog to choose which address to use to send the activation message

[ AUT-11386 ] Update org metadata using the Update Org Metadata API when updating org metadata in the B2B portal

[ AUT-11452 ] Fix input for DCR scope policies. Now software statement and client attributes are available in the policy.

[ AUT-11468 ] Allow 10 seconds skew time for iat claim in the DPoP Proof JWT.
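Added example (not from the release notes or the product's own code) of the kind of iat check AUT-11468 describes: a DPoP proof whose iat is up to 10 seconds ahead of the server clock is still accepted, while anything further ahead, or older than the proof-age window, is rejected. The token endpoint URL, the jti, the 300-second proof-age window and the stub signature are constructed assumptions, and signature verification against the header JWK is assumed to happen elsewhere.

```python
import base64
import json

# Clock skew tolerated for the DPoP proof's iat claim (AUT-11468).
IAT_SKEW_SECONDS = 10
# Maximum age of a proof we accept; a constructed value, not from the page.
MAX_PROOF_AGE_SECONDS = 300


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_dpop_proof(proof: str, method: str, url: str, now: int) -> str:
    """Return "ok" or the reason the proof must be rejected.

    Only structural and time-based checks are shown; verifying the
    signature against the header's jwk is assumed to happen separately.
    """
    parts = proof.split(".")
    if len(parts) != 3:
        return "malformed"
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    if header.get("typ") != "dpop+jwt":
        return "wrong typ"
    if claims.get("htm") != method or claims.get("htu") != url:
        return "htm/htu mismatch"
    iat = claims.get("iat")
    if not isinstance(iat, int):
        return "missing iat"
    if iat > now + IAT_SKEW_SECONDS:          # minted too far ahead of our clock
        return "iat in the future"
    if iat < now - MAX_PROOF_AGE_SECONDS - IAT_SKEW_SECONDS:  # stale proof
        return "iat too old"
    return "ok"


def make_proof(iat: int, method: str = "POST",
               url: str = "https://as.example.com/oauth2/token") -> str:
    """Build a constructed proof for testing; the signature is a dummy."""
    header = {"typ": "dpop+jwt", "alg": "ES256",
              "jwk": {"kty": "EC", "crv": "P-256", "x": "constructed", "y": "constructed"}}
    claims = {"jti": "constructed-jti", "htm": method, "htu": url, "iat": iat}
    return ".".join(_b64url_encode(json.dumps(p).encode()) for p in (header, claims)) \
        + "." + _b64url_encode(b"dummy-signature")
```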

[ AUT-11488 ] Add circuit breaker to the webhook handler

[ AUT-11526 ] Display the JARM warning and JARM section only for the authorization code grant type; add an ID Token signing algorithm mismatch warning.

[ AUT-11639 ] Use dynamic redirect uris for the demo apps.

[ AUT-11690 ] Change default SAML IDP attributes source type from Custom to “SAML Assertion Attribute”.

Updated: Jan 17, 2025