March 31, 2025
Major Additions and Changes
[AUT-11791] Add a new None (PKCE) Authentication Method for the generic OIDC IDP, and an explicit Use PKCE flag that applies when the Client Secret or Private Key JWT authentication methods are used.
[AUT-11830] Introduce a new feature flag, enforce_system_admin_workspace_access, which restricts reading and modifying system/admin workspace entities via admin APIs unless the admin_workspace_access or system_workspace_access feature flag is enabled.
There are a few APIs for which “admin” workspace enforcement is not enabled:
- Get workspace
- Create, get, update, delete, and list IDPs
Additionally, modify the list workspaces and list servers admin APIs to exclude system/admin workspaces if the enforce_system_admin_workspace_access flag is enabled but admin_workspace_access or system_workspace_access is not.
Minor Enhancements
[AUT-11518] When a new workspace is created and the acr feature flag is enabled, sample ACRs with policies will be created, replacing the old NIST policies. These sample ACRs are intentionally disabled to avoid being advertised in the well-known configuration, but they can easily be enabled if someone wants to test them. The policies associated with the sample ACRs use a new authentication factor validator to enforce any factor and any two factors.
[AUT-11608] If max_age=0 is requested in the authorize flow, it will force user authentication, similar to prompt=login.
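The re-authentication rule described for [AUT-11608], written out as an added example (not the product's own code): it applies the standard OIDC max_age check against the existing session's auth_time and treats max_age=0 exactly like prompt=login. The function name, parameter names and the session representation are assumptions.

```python
import time
from typing import Optional


def requires_fresh_authentication(params: dict,
                                  session_auth_time: Optional[float],
                                  now: Optional[float] = None) -> bool:
    """Decide whether an authorize request must force the user to log in again.

    params             -- query parameters of the authorize request
    session_auth_time  -- auth_time (epoch seconds) of the existing SSO session,
                          or None when there is no authenticated session
    Rules:
      - prompt=login always forces re-authentication.
      - max_age=0 forces re-authentication, the same as prompt=login.
      - max_age=N forces it when the session is older than N seconds,
        or when no session exists.
      - without max_age, the existing session is reused if there is one.
    """
    now = time.time() if now is None else now
    prompts = params.get("prompt", "").split()
    if "login" in prompts:
        return True

    raw_max_age = params.get("max_age")
    if raw_max_age is None:
        return session_auth_time is None

    try:
        max_age = int(raw_max_age)
    except ValueError:
        raise ValueError("max_age must be a non-negative integer")
    if max_age < 0:
        raise ValueError("max_age must be a non-negative integer")

    if max_age == 0 or session_auth_time is None:
        return True
    # Session is too old for the requested freshness window.
    return now - session_auth_time > max_age
```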
[AUT-11727] Exclude DCR scopes or authorization details if the policy fails, rather than rejecting the entire DCR request.
[AUT-11734] Add client timeout to the root CLI.
[AUT-11767] Extend root APIs with the ability to set licenses for tenants.
[AUT-11768] Add tenant metadata to the authz engine input.
[AUT-11815] Add system APIs for client secret management.
[AUT-11818] Expose Verify Authentication Code (System) API and extend Inspect OTP to return code type.
[AUT-11828] Add new, more granular system scopes: manage_system_workspace, manage_admin_workspace, and manage_regular_workspaces. These can be used for hub workspace management APIs as an alternative to the manage_configuration scope.
[AUT-11833] Use certificates as a list and deprecate the single certificate in the create/import client API. Enhance the create/import client API to support multiple certificates in the “certificate” field, separated by a new line. The value of the “certificate” field must be base64 encoded.
[AUT-11839] Add an option to initialize admin/system workspaces in the import configuration API.
[AUT-11932] Extend JIT with a new pre provisioning mode. In this mode, the user is expected to already exist in the pool and won’t be provisioned automatically, contrary to the existing auto mode.
Additionally, extend all JIT-related audit events to contain the provisioning mode and pre-provisioning settings. The new mode can be used with one of the authentication flow control settings, which defines what should happen if the user does not exist in the pool:
- “deny” (default) - The user will get an access denied page, and a new audit event, jit_denied, will be emitted.
- “allow” - The user will be logged in with the IDP.
[AUT-11934] Changes related to the acr feature flag:
- Do not issue the default Acr “0” / “1” if the acr feature flag is on.
- Store only custom Acr in the SSO session if the acr feature flag is enabled.
[AUT-11956] Propagate more client details when rendering templates so customers can use them in custom themes.
[AUT-11961] Extend the Enforce ACRs flag from the server advanced configuration to check if a client is requesting acr_values in the authorize flow. Previously, this flag only validated acr_values from the request objects in the open banking workspaces. If no acr_values are specified explicitly or implicitly via client default ACRs, the authorization flow will fail with an invalid request error. This change is applied only when the ACR feature flag is enabled.
Additionally, update OpenBanking UK and KSA to stop enforcing ACR values, as they are no longer valid.
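The Enforce ACRs check from [AUT-11961], as an added example that is not the product's own code: it resolves the effective acr_values (request object claims first, then the query parameter, then the client's default ACRs) and rejects the request only when both the acr feature flag and Enforce ACRs are on and nothing resolves. The dataclass names, field names and the InvalidRequest error type are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ServerConfig:
    acr_feature_flag: bool   # the "acr" feature flag
    enforce_acrs: bool       # "Enforce ACRs" from the server advanced configuration


@dataclass
class Client:
    client_id: str
    default_acr_values: List[str] = field(default_factory=list)


class InvalidRequest(Exception):
    """Raised when the authorize request must fail with invalid_request."""


def resolve_acr_values(server: ServerConfig, client: Client, params: dict,
                       request_object: Optional[dict] = None) -> List[str]:
    """Return the effective acr_values for an authorize request.

    Precedence: acr_values in a signed request object, then the acr_values
    query parameter, then the client's default ACRs (the "implicit" source).
    With the acr feature flag and Enforce ACRs both enabled, an empty result
    is an invalid_request error; otherwise an empty list is returned.
    """
    explicit = ""
    if request_object and request_object.get("acr_values"):
        explicit = request_object["acr_values"]
    elif params.get("acr_values"):
        explicit = params["acr_values"]

    effective = explicit.split() or list(client.default_acr_values)

    if server.acr_feature_flag and server.enforce_acrs and not effective:
        raise InvalidRequest(
            f"invalid_request: client {client.client_id} requested no acr_values "
            "and has no default ACRs, but Enforce ACRs is on")
    return effective
```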
[AUT-11983] Test cases – happy paths – were added for all endpoints created for the groups epic.
[AUT-11991] Add an option to disable user self-reset credential flows during authentication with Identity Pools. This is configurable in Identity Pool settings.
[AUT-11998] If the acr feature flag is enabled and acr is set via the Custom Login Page or IDP Post Authentication Script, the ACR policy will be evaluated if it is configured in the server.
[AUT-12034] If the acr feature flag is enabled, the following workspaces: CDR, OpenBanking UK, OpenBanking BR, KSA will have predefined ACRs created in the server with policies that check if the ACR passed via the Custom Login Page or IDP Post Authentication Script is valid. Additionally, mark acr_values from the server’s advanced settings as deprecated – the new ACR functionality should be used instead.
Bug Fixes
[AUT-11784] Introduce a mobile/desktop mode switch in the theme preview, which allows you to see how the template will look on the selected device.
[AUT-11863] Fix the pre-token minting grant_type attribute during the refresh_token grant. Before this fix, it was reported as the original grant that we were trying to refresh.
[AUT-11981] Added circuit breaker to the SMTP client.