Safewhere Identify 5.1.1 Release Notes

Safewhere Identify is a new kind of user identification and administration service, providing externalized and seamless authentication and authorization across organizations.

Safewhere Identify allows an organization to handle user identification and administration centrally and externally to all web applications and web services. Safewhere Identify allows you to support basically any kind of authentication due to its modular and open nature and it supports many authentication methods “out of the box”. Apart from built-in methods for authentication such as username and password, it also supports all the popular authentication methods, including:

  • Social logins from Facebook, Google, Twitter, LiveID, OpenID,LinkedIn
  • Two-factor authentication using one time passwords and Device Code authentication
  • Federation protocols including SAML 2.0, WS-Federation, OpenID Connect, and OAuth 2.0
  • Generic Provider that allows you to easily create your own authentication provider.

Among the many other unique properties of Safewhere Identify are its multi-instance architecture that allows you to effectively run many separate federation servers on the same hardware, its ability to handle multiple logins (Multi SSO), and its support of performing intelligent home realm discovery.

This new releases includes a number of incremental improvements as well as several important new features. Read more about these improvements and many others in the following sections.

Safewhere Identify released Sep 18 2018

Fix issues

  • 58115 Password reset case sensitivity: email address validation should be case-insensitive when sending reset password mail
  • 61326 Email address unique value issue: "" and "" must be different when validating

Safewhere Identify released May 21 2018

Authorization for REST API

Identify 5.1.1 Moonlight update has support for authorization for REST API. The consequent of the Authorization system is that existing access and refresh tokens were invalidated. Granting necessary roles for relevant users and generating new tokens are necessary. Please refer to our documentation for Authorization to learn how to do those steps.

Extensive OAuth2 and OpenID Connect support

We continue to extend support for OAuth 2.0 and OpenID Connect with many new flows and features:

  • Resource owner credentials grant.
  • Client credentials grant.
  • OpenID Connect discovery.
  • Beta: device pairing flow.
  • Ability to block resource owner by disabling the related user account.
  • Improve consent page and my consent page.

After evaluating the previous library we used to implement OAuth 2.0 and OpenID Connect, we decided that it is no longer meets our needs because of many issues:

  • It is abandoned now. The author no longer maintains it which means it has no new features, no support for additional flows, and doesn’t work well with latest .Net framework release.
  • We want to gradually improve Identify security and for this version we adopted the new data protection API from Asp.Net core (see below).

As a result, we decided to use a new OAuth 2.0/OpenId Connect framework that has support for more features as well as allowing us to use latest data protection API. The new framework and our new code have much better validation as well as more security measurements which are recommended by the specs. However, one unfortunate consequence is that existing tokens are invalidated because new implementation uses a different encryption method.


With the Moonlight release, we have added support for more REST API:

  • Claim sets.
  • Field configurations.
  • Email servers and email templates.
  • Sending emails out.
  • Revoke My REST API tokens.

Email templates in database

We have moved email templates from flat files into database which means that you now can use Admin UI to edit an email template and changes will persist through all updates.


  • The default password rule is improved to allow all special characters as well as extend the max length to 100 characters.
  • Improvements:
      • Support CSRF token for Username Password login page.
      • Upgrade javascript libraries such as JQuery to latest versions.
      • Obfuscate javascript.
      • Fix an issue in which the error page cannot be shown correctly due to exception happening while rendering it.
      • A setting to hide all endpoints from Runtime page which can please some customers who don’t want to reveal information about them.
  • Identify 5.1.1 Moonlight uses bcrypt as the default password hash algorithm. Existing passwords will still be working just fine.
  • New data protection mechanism

    Previous versions of Identify use MachineKey to protect data such as cookies and viewstates. Recent releases of .Net introduced a new way to protect them which is Data Protection API and Safewhere Identify has adopted this new api in place of the old MachineKey method. While data protection is something happening behind the scene, one obvious benefit to customers is that installing Identify on web farm environment no longer requires setting up MachineKey for each machine.

    Other features

  • A setting to hide all endpoints from Runtime page which can please some customers who don’t want to reveal information about them.
  • Expiration time of reset password links is now configurable.
  • Identify is now also supporting using IP address from the X-Forwarded-For in HTTP message header for ip filtering and logging if value exists.
  • WSFederation plugin can now accept tokens that have recipient attributes.
  • Improve performance for Log viewer.
  • Eliminate dependency to .Net framework 3.5. In other words, .Net framework 3.5 is no longer needed for Identify 5.1.1 Moonlight.
  • Breaking changes

    • OAuth 2.0/OIDC now uses exact comparison for comparing a redirect url of a request with the redirect url which is registered in corresponding Identify’s OAuth 2.0 connection. The exact comparison means that two urls that look the same, one ends with “/” and one doesn’t, are treated as not equal.
    • Response object of get all certificates is changed from Array of Certificates to Safewhere.SCIMModel.PageQueryResult. Array of certificates is stored in resources of Safewhere.SCIMModel.PageQueryResult.
        • Before:
        • After: