Safewhere Identify 5.8 Release Notes

This document summarizes all new features and bug fixes in version 5.8, as well as breaking changes when upgrading from previous versions.

New features and improvements

Support Web Authentication (WebAuthn) as a second factor method

We have added support for Web Authentication (WebAuthn) as another second factor method besides Email, SMS, Authenticator, and OS2faktor. The new method offers clients such as Windows Hello, Apple’s Touch ID, and FIDO2 keys as second factor options.
You can refer to this guideline for more detail.

Recovery code

A recovery code is a code that you can use as a backup method for your TOTP Authenticator or WebAuthn devices. If you do not have access to your second factor devices at the time that you need to log in, you can use your recovery code instead.

Implementation-wise, the recovery code is not a standalone method, but rather an "extension" of the Authenticator and Web Authentication methods.
When you onboard using the Authenticator or Web Authentication method, Safewhere Identify generates a recovery code that you must save somewhere safe before you can finish your login.
Please note that existing users who use Authenticator will need to offboard and re-onboard to get their recovery codes.

Metadata monitoring performance

When your Safewhere Identify instance has many connections with the metadata monitor feature enabled, Identify needs to loop through all connections and perform metadata checks.
Before, even if the metadata did not have new certificates, Identify would still update a special status flag in the connection data object to mark that it is up to date.
The unfortunate consequence was that every time a connection (or any other core resource such as a claim definition or claim transformation) was updated,
Identify would invalidate and reload its cache. If you had e.g. 150 connections, Identify would reload the cache 150 times, which would make it unresponsive.
We have reworked how data is stored so that updating the status flag no longer triggers cache reload. In our test environment, we have observed that the average CPU usage is down from 50% to 5%.
Total time for each run has also improved significantly.

The "Metadata monitoring interval" setting has up until now been capped at 60 minutes (if you enter a bigger value, the job still runs every 60 minutes).
To overcome this limitation as well as to give you more flexible scheduling options, we have added a new setting called "Metadata monitoring cron" in system setup.
To ensure backward compatibility, we have kept the "Metadata monitoring interval" setting. When both settings have values, the "Metadata monitoring interval" setting will take precedence.
To use the new "Metadata monitoring cron" setting, you must set a value for it and clear the "Metadata monitoring interval" setting.

Last but not least, we have reduced the number of Hangfire's background threads from 20 to 5 as well as increased the polling interval from 15 seconds to 5 minutes.
We have also reduced the timeout for fetching metadata from a URL from 100 seconds to 5 seconds.

Identify Configurator

Update new signing cert on Safewhere Admin when using the reconfiguration function with Signing certificate update

For an instance that has the new Safewhere Admin deployed, when you use the Configurator's reconfigure feature to change its signing certificate,
the tool will now also update Safewhere Admin's appsetting.json file to use the new signing certificate.

Identify REST API

Support REST API for WebAuthn

New REST APIs have been added that allow users to get a list of their onboarded WebAuthn devices, as well as allow administrators to reset the WebAuthn devices of users.

  • GET /api/rest/v2/users/webauthns
  • DELETE /api/rest/v2/users/resetwebauthn

Safewhere Admin

User

We have added two fields to the Edit User screen:

  • "Valid from" field in the user's certificate table. This field also appears on the My profile screen.
  • "Act as service URI" setting.

WS Federation application

When you upload metadata that is not signed to a connection, Identify will set the Secure hash algorithm setting of that connection to SHA256 instead of SHA1.

More features ported from the old Admin interface

We ported some features of the WS Federation application from the old Admin to the new Safewhere Admin interface.

  • "WS Trust" connection: This connection supports WS-Trust, which is a WS-* specification and OASIS standard that provides extensions to WS-Security.
  • LDAP identity provider: You can now add/edit/delete LDAP identity providers using Safewhere Admin.

Standardize look & feel for all dialogs

We have updated many dialogs like "Set user password", "Import certificates", and "Import claims" to use the same title format, background color, label font-size and color.

Bug fixes

  • Fixed: #68155 [Identify Audit] Display a general message instead of showing exception when MongoDB service is not running
  • Fixed: #66903 [Identify Configurator] - Export feature should give a warning to user when selecting a folder containing data of the same tenant
  • Fixed: #66905 [Identify Configurator] - Export feature should add tenant ID in front of a resource item name in the exported filename
  • Fixed: #67293 Improvements for replicate tenant - UI and CLI to prevent user from entering incorrect value
  • Fixed: #69920 Error message returns when choosing the LinkedIn provider to log in
  • Fixed: #69824 Error message returns right after finishing authentication on the Google side
  • Fixed: #70247 [IC] the mass upgrade functionality failed when all tenants on the mass upgrade list had the Safewhere Admin deployed
  • Fixed: #69924 Performance issue when enabling metadata monitoring for a large number of Identify Instances
  • Fixed: #70246 [Safewhere Admin] Organization form - Incorrect labels for the password settings
  • Fixed: #70408 [IC] Upgrade - Incorrect user managing application pool for Safewhere Admin when using Windows authentication
  • Fixed: #70463 [Safewhere Admin] The authenticator is not removed after choosing to reset it at My profile page