Safewhere Identify 5.10 Release Notes

This document summarizes all new features and bug fixes for version 5.10 as well as breaking changes when being upgraded from previous versions.

New features and improvements

Minimum password age

The new Minimum password age setting determines the period (in days) that a password must be used before a user can change it. This value must be greater than or equal to 0. You can allow password changes immediately by setting it to 0. The Minimum password age must be less than both Number of days before password must be changed and Number of days before password expiration.

You can read more about the vulnerability that this setting addresses at

New MFA features

Run MFA and policy script when a second Service Provider sends a request

This new improvement aims to solve a limitation of previous versions of Identify. The scenario limitation was:

  • An Identity Provider had configured a second factor with a policy script.
  • A user logged in to Service Provider 1. Identify evaluated the policy script and determined that it could skip the second factor.
  • A user then logged in to Service Provider 2. The limitation encountered was that even though the user needed to do the second factor per the policy script, Identify did not carry out the evaluation and just logged in the user.

The limitation is now fixed. Identify will evaluate policy scripts for every login requests regardless of whether a login session exists or not.

Advanced settings for Web Authentication (WebAuthn)

We have added more advanced settings for the WebAuthn method into the OTP connection. The new settings give you more control on the user enrollment process such as only allowing authenticators that have some specified attestation formats, force or ignore user verification, allow both platform and cross platform authenticators, and whether to require that user presence during enrollment or authentication.

Please refer to this guideline for more details.

Splitting Identify's database files across multiple disks

By default, all Identify's databases are put in the SQL Server's default database folder. If you want to move some of the database files to separate disks because of disk space or I/O issues, you can do that and Safewhere Identify will still work perfectly fine.

Our guideline can show you how to move database files when SQL Server Always On Availability Groups is used or when it is not used.

Identify Configurator

New default algorithm using for signing and encryption

SHA256 is now the default signing algorithm used by the WSFederation protocol connection of the Admin application.

Azure Key Vault Managed HSM support

Identify now has support for Azure Managed HSM, which is a fully managed, highly available, single-tenant, standards-compliant cloud service that enables you to safeguard cryptographic keys for your cloud applications, using FIPS 140-2 Level 3 validated HSMs.

A limitation in previous versions is that when you reconfigure an existing instance from Windows Certificate store to Azure Key Vault or when you reconfigure a certificate in Azure Key Vault to a new one, you need to add its public key to the Windows Certificate's LocalMachine\TrustedPeople store. From this version, this step will no longer be needed.

Identify Configurator CLI

In previous versions, we implemented a very powerful feature called Configurator CLI, which is a command-line interface of the familiar Configurator UI. It has been extended with more features:

Identify Configurator improvements

In this version, the Identify Configurator has been extended with a number of improvements:

  • Identify instances' names are sorted alphabetically on the instance dropdown list.
  • The new Admin site is opened when pressing "Click here..." on the result page.
  • One and only one Identify Configurator window can be opened at the same time on Window Server 2016++.
  • Skip deploying the new Admin site when an error happens during instance upgrade as well as show a warning message at the final step about the occurred error.
  • Log more details to easier troubleshoot issues that happen with Identify instances that have bad data.
  • Ensure the data of the previous instance is not reused after finishing an Upgrade/Delete/Reconfigure/Export/Import and starting another one.
  • Disable the Cancel button and X button at the top-right corner of all dialogs of the wizard at the following steps: Execution and Finish.
  • Improve the way the Configurator detects if the new Admin site has been deployed or not for an Identify instance.
  • Implement a delay between retry attempts when the Identify Configurator starts Identify's application pools or warms Identify instances up.
  • Perform granting access to the new Admin site for the admin account before deploying an IIS website for it to detect errors sooner.
  • Optimize performance when provisioning connections and users' data that the new Admin site needs.

Identify REST API

Audit Organization

A new REST API is added to get Audit Organization logs.

New Admin site


A new Reset button on the Users page that allow administrators to remove all user's registered MFA methods (Authenticator, WebAuthn) by clicking the button on the Users page.


New UIs added for Variable name and localizing text resources of Headline/Description

Claim sets

New UIs added for localizing text resources of Headline and Description.


We added some useful enhancements:

  • Search for applications in the whole dataset instead of searching on the current page only.

  • Mouse-hovering on an Identity Provider's name on the Identity providers tab shows a tooltip that contains the most important details about that Identity Provider:

    • Link to open the Identity Provider on a new tab
    • Values of Name, Description, Enabled, Owner Organization, Entity Identifier (SAML/WSFederation) or ClientId (OAuth/OIDC)
    • Second factor connection Name if there is
  • The Use Persistent Pseudonym setting to WSFederation & WS-Trust applications.

Identity Providers

Some new UIs were added in this version:

  • Search for Identity Providers in the whole dataset instead of searching on the current page only.
  • Mouse-hovering on an application's name on the Application tab shows a tooltip that contents the most important details about that application:

    • Link to open the application on a new tab
    • Values of Name, Description, Enabled, Owner Organization, Entity Identifier (SAML/WSFederation) or ClientId (OAuth/OIDC)

Claims transformations

You can now search for claim transformations in the whole dataset instead of searching on the current page only.

Email server

You can now use the "friendly name \" format for the From Address setting of an Email server. As a result, when a user receives an email sent from Identify, the friendly name is displayed in the From field.

Audit logs

Two new Audit log viewers, Audit Organization and Audit incoming assertion, are added to the Logging/Audit Logs tab. You can view them by select the relevant option in Audit logs tab -> Audit log types dropdown list.

System information

The two new pages System information and Help contain some additional information on how to get started such as the most important metadata endpoints, REST API Swagger UI, and guidelines to connect to ADFS.

Other improvements

  • A new setting to enable the performance counter for cryptographic operations on the Settings/System tab.
  • You can now use more than one set of Assurance levels defined. All levels that have the same numeric values but different URI values are considered the same.
  • Revive support for using the Artifact binding to do SLO.

Bug fixes

  • Fixed: #57845 The certificate of a user is lost after updating the user with a duplicate email
  • Fixed: #62951 [OAuth2.0] The authorization server does not respond with an HTTP 401 (Unauthorized) status code when the error code is "invalid_client"
  • Fixed: #63991 [Safewhere Admin] Identify application pool is required to reset after updating the "Enable verbose error to client side" on the Logging tab
  • Fixed: #67620 Cannot search a user when his claim values contain special characters
  • Fixed: #68149 [Attribute Service] Runtime exception thrown when an Attribute Service query returns no user
  • Fixed: #69378 [Safewhere Admin] WSFederation application's consent setting is reset after uploading metadata
  • Fixed: #70048 [Safewhere Admin] The "use" attribute of the KeyDescriptor element is required when importing metadata to Application/Identity provider
  • Fixed: #70410 [Identify configurator] The Idle Time-out setting of a new instance uses the value of a previously upgraded instance
  • Fixed: #72587 Error message about missing relay state is wrong when an upstream Identity Provider uses Artifact binding
  • Fixed: #72932 [Safewhere Admin] JS Error or Warning on Safewhere Admin
  • Fixed: #73123 [Identify configurator] Tenant upgrade is halted when an error happens when upgrading Safewhere Admin
  • Fixed: #73347 [Identify configurator] The application pool is stopped when the domain user's password contains special characters
  • Fixed: #73439 [Identify configurator] Settings of an instance are reused for the next instance
  • Fixed: #73445 [Identify configurator] Instance import - The authentication context class method is not updated if its name exists in imported instance
  • Fixed: #73507 [Edge][Chrome] Placeholder of ClientID and Client secret are wrong
  • Fixed: #73570 [Safewhere Admin] No "Leave?" message shows after user updates the value on the Logging page but does not click the Save button
  • Fixed: #73612 [Identify Configurator & CLI] Should query certificates using thumbprint instead of Subject
  • Fixed: #73655 [REST API] Cannot update WSFED protocol connection with Empty ReceivedSecurityTokenEncryptionCertificate.StoreReference
  • Fixed: #73735 [Identify configurator] The admin password is not fully hidden on Identify log when its value contains ";"
  • Fixed: #73817 [Identify configurator] Instance reconfigure - Safewhere Admin deployment - The adminv2 folder is not removed when the "Deploy Safewhere Admin" action is rollbacked
  • Fixed: #73864 [OAuth2.0] Password grant - the sub parameter's value is not a NameID value when applying the NameID transformation
  • Fixed: #73955 [Identify configurator] The tag \<?xml version="1.0" encoding="UTF-8"?> is missing from the web.config file of an Identify instance when the Identify Configurator creates/upgrades/reconfigures/replicates its instance
  • Fixed: #74043 [SLO] the asynchronouslogout endpoint is called although a SAML request contains an invalid session index
  • Fixed: #74432 [Identify configurator] Instance reconfigure - Safewhere Admin deployment - The adminv2 application is not removed from the Identify site on IIS when the "Deploy Safewhere Admin" action is rollbacked
  • Fixed: #74451 [REST API] User/Observer can change his organization by himself
  • Fixed: #75377 [Safewhere Admin] No error message displays at Profile page when the input password is invalid
  • Fixed: #75389 [MFA] When Service Provider sends a SAML authentication request with POST binding, the error page is displayed after user clicks "this link" on OTP Authentication Failed page to return the selector page.

Breaking changes

When upgrading an Identify instance from a previous version, you may experience the following changes in behavior:

  • When you press "Click here..." on Identify configurator, the new Admin portal site is opened. However, this portal does not support Internet Explorer browser.
  • The hosted form Login With WebAuthn template is changed because of a new behavior of Safari 14 on iOS. It now has a new Login button. If you are using the form, you should back it up, then click "RESET TO DEFAULT" button to view the new template.
  • The hosted form OTP authentication failed template is updated due to a bug fix. If you are using the form, you should back it up, then click "RESET TO DEFAULT" button to view the new template.