    Safewhere Identify 5.19 Release Notes

    This document summarizes all new features and bug fixes for version 5.19 as well as breaking changes when being upgraded from previous versions.

    Breaking and high-risk changes

    Identify 5.19 introduces significant updates that, while improving functionality, may impact existing Identify tenants. Thorough testing on a non-production environment is strongly advised before upgrading your production instance. Key changes include:

    Handling of encoded client_id and client_secret in OAuth's HTTP Basic authentication scheme

    Encoding the client_id and client_secret for the HTTP Basic authentication scheme can be tricky, especially when these values contain special characters such as spaces (' ') or colons (':'). As of version 5.19, client_id and client_secret must be encoded according to the guidelines described in this documentation.

    If your application already encodes credentials according to the specification, which is the case for most popular client libraries, you should not encounter any issues.
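    As an added example (not Identify's own code or documentation), this shows the credential encoding RFC 6749 section 2.3.1 prescribes for the HTTP Basic scheme, the matching server-side decoder, and the naive variant that breaks when the client_id contains a colon; the sample credentials are constructed, and whether a space becomes %20 or + depends on the client library, so the decoder accepts both.

```python
import base64
from urllib.parse import quote, unquote_plus

# Constructed sample credentials containing the characters the release notes
# call out as problematic: a space and a colon. Not real Identify credentials.
CLIENT_ID = "my:client id"
CLIENT_SECRET = "p@ss:w rd"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the Authorization header value per RFC 6749 section 2.3.1:
    form-urlencode each credential first, then join with ':' and base64 the pair.
    Percent-encoding a literal ':' as %3A keeps the separator unambiguous."""
    encoded = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(encoded.encode("ascii")).decode("ascii")


def parse_basic_auth_header(header: str) -> tuple[str, str]:
    """Server-side counterpart: decode, split on the first ':' and then
    percent-decode each half. unquote_plus also accepts '+' for a space,
    which some clients emit instead of %20."""
    scheme, _, payload = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(payload).decode("ascii")
    enc_id, sep, enc_secret = raw.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return unquote_plus(enc_id), unquote_plus(enc_secret)


def naive_split(client_id: str, client_secret: str) -> tuple[str, str]:
    """What goes wrong without encoding: base64('id:secret') on the raw values
    and a split on the first ':' misattributes everything after the colon
    in the client_id, which is the invalid_client symptom of issue #2335."""
    raw = f"{client_id}:{client_secret}"
    decoded = base64.b64decode(base64.b64encode(raw.encode())).decode()
    dec_id, _, dec_secret = decoded.partition(":")
    return dec_id, dec_secret


if __name__ == "__main__":
    header = basic_auth_header(CLIENT_ID, CLIENT_SECRET)
    print(header)
    print(parse_basic_auth_header(header))        # ('my:client id', 'p@ss:w rd')
    print(naive_split(CLIENT_ID, CLIENT_SECRET))  # ('my', 'client id:p@ss:w rd')
```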

    Claim Filter transformation update

    When the Claim Filter transformation is executed within the claim pipeline, it now correctly retains the NameClaimType, RoleClaimType, and AuthenticationType from the original ClaimsIdentity. This resolves issue #1340, which incorrectly cloned the ClaimsIdentity without preserving these crucial claim types, leading to a "Value cannot be null" exception.

    Move EnableLoadingDataInOneThread from web.config to System Setup

    The EnableLoadingDataInOneThread setting has been moved from web.config to System Setup for better configurability and improved cache reload handling. Its default value is now true. When enabled, if the cache has been loaded and some data changes, such as through the REST API or the Admin interface, only one thread will reload the data, while the other threads continue using the existing cache.

    Change in Security log event ID

    Previously, event ID 4950 was assigned to both the OAuth20 Request Error system log event and the OAuth2 Token Introspection Request security event. To avoid this conflict, the Security log event ID for the OAuth2 Token Introspection Request action has been changed from 4950 to 4953. This update ensures that each event ID is unique and accurately represents the specific action being logged.

    Changes in issued claims for the ID token and Access token

    • The standard sid claim now replaces the uiId claim for Session ID information.
    • The token_usage claim has been removed from both the ID token and Access token.

    New features and improvements

    OAuth20 improvements

    Extend parameter validation for OAuth endpoints

    You can now customize the validation of request parameters and the content of JWT tokens for OAuth/OIDC endpoints. For example, you can enforce PKCE as a requirement for authorization requests.

    For more details on supported token endpoints, see the following resources:

    • Additional rules validation on the token endpoint
    • Additional rules validation on the authorization endpoint
    • Impact of additional rules validation on the request object.

    Support code_challenge and code_challenge_method parameters in a request object

    You can now include the code_challenge and code_challenge_method parameters in a request object when sending it via an OAuth authorization request to Identify.

    For more details, see this topic.

    PKCE Enhancement settings for Generic OIDC provider

    Previously, the code verifier was generated using a fixed length. In this release, you can now configure the code verifier settings:

    • Code challenge method: Choose between S256 or plain.
    • Code verifier length: Specify a length between 43 and 128 characters.
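    As an added example (not Identify's own code), the PKCE derivation behind the two settings above, implemented per RFC 7636: a verifier of configurable length from the unreserved alphabet, the S256 and plain challenge methods, and the constant-time check a token endpoint performs; the 43 to 128 range is the RFC's and matches the setting described here.

```python
import base64
import hashlib
import secrets
import string

# Unreserved characters allowed in a code verifier (RFC 7636 section 4.1).
VERIFIER_ALPHABET = string.ascii_letters + string.digits + "-._~"


def b64url_nopad(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires for S256."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(length: int = 43) -> str:
    """Random verifier of the configured length; RFC 7636 allows 43..128."""
    if not 43 <= length <= 128:
        raise ValueError("code verifier length must be between 43 and 128")
    return "".join(secrets.choice(VERIFIER_ALPHABET) for _ in range(length))


def code_challenge(verifier: str, method: str = "S256") -> str:
    """Derive the challenge carried in the authorization request.
    S256 hides the verifier behind SHA-256; 'plain' sends it as-is and only
    helps when the authorization request itself cannot be observed."""
    if method == "S256":
        return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def verify_pkce(verifier: str, challenge: str, method: str) -> bool:
    """Token-endpoint check: recompute from the presented code_verifier and
    compare in constant time with the challenge stored with the auth code."""
    return secrets.compare_digest(code_challenge(verifier, method), challenge)


if __name__ == "__main__":
    v = generate_code_verifier(64)
    c = code_challenge(v, "S256")
    print(v, c, verify_pkce(v, c, "S256"))
```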

    Support POST method for OAuth Authorization endpoint

    The OAuth 2.0 Authorization endpoint now supports both GET and POST HTTP methods, providing greater flexibility in authorization requests.

    Confirmation for OIDC logout

    When an OIDC logout request is received without an id_token_hint parameter, the user will be prompted to confirm whether they want to proceed with the logout. This behavior is required by the RP-Initiated Logout specification. However, you can suppress the confirmation prompt by enabling the Do not prompt the user when logging out without an ID token hint setting.

    Identify Configurator

    Initial REST API OAuth application for new Identify tenants

    When creating a new tenant, you can automatically provision the Identify OAuth2 Token for REST APIs connection, along with an initial refresh token for the admin user. This is enabled by the new --provisionmyrestapikey parameter in the Identify CLI. This feature is especially useful for automating the setup of your Identify tenant.

    For more details, see this topic.

    Unlocking users with the Reconfigure feature

    You can now use the Configurator's Reconfigure feature to unlock user accounts. This is especially useful for unlocking critical accounts, such as the admin user, if they become accidentally locked.

    Additionally, resetting a user's password will automatically unlock the account if it is locked.

    For more details, see this topic.

    PIN code protection for new Identify tenants

    You can now set a 6-digit PIN code during tenant creation to prevent unauthorized deletion or reconfiguration. For more details, see this topic.

    Safewhere Admin

    Enhanced certificate-related performance

    Certificate operations are now significantly faster and more efficient:

    • Optimized certificate loading: Certificate verification is skipped for REST API calls that do not require validity checks, reducing unnecessary overhead.
    • Improved Certificate Selection dialog: Paging and search capabilities have been added to the Certificate Selection dialog, resulting in faster page loads and easier navigation.
    • Faster certificate purging: The process for purging expired certificates, regardless of whether they are in use, has been optimized for much quicker execution.

    ClientSecretPost authentication method for REST APIs

    The Identify OAuth2 Token for REST APIs application now supports the ClientSecretPost authentication method for token exchange, in addition to the existing ClientSecretBasic method.

    New features for Generic OIDC Provider

    The Generic OIDC Provider connection no longer requires the User information URL setting. This is useful for OIDC providers that do not offer a userinfo endpoint. Additionally, a new Issuer setting has been introduced, which is used to validate the issuer of the token returned by the OIDC provider.

    Algorithm setting for token signing

    Identify introduces a new setting that allows you to specify the algorithm used by the OAuth/OIDC connection to sign the response token. The default value is RS256. Note that, currently, signing the ID token is independent of the JWS algorithm setting; asymmetric signing is always used.

    Claim transformation type name alignment

    Claim transformation type names in Identify have been updated to match the terminology used in the documentation for consistency and clarity.

    Session hijacking mitigation

    To enhance security and protect against session hijacking, Safewhere Admin now includes mitigation measures similar to those in Runtime. When the Enable Session id - User's IP pinning setting is enabled, the login session is pinned to the IP address used at sign-in. If subsequent requests to the Admin interface in the same session originate from a different IP address, those requests will be denied.

    Other improvements

    Native support for "sw" and "ew" operators to enhance user filter options

    In versions prior to 5.19, the "sw" (starts with) and "ew" (ends with) operators were not natively supported for direct SQL query conversion. As a result, the system had to load all data into memory before applying these operators for filtering.

    Starting with version 5.19, the "sw" and "ew" operators can now be directly converted into SQL queries. This enhancement avoids the need to load all data into memory, thereby improving performance and efficiency when filtering users.
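    As an added example (not Identify's implementation), this is how a "sw" or "ew" filter term can be pushed down into a parameterized SQL LIKE predicate without loading the table into memory; the column allow-list and the escaping of "%" and "_" are the checks a reviewer would look for, so a user-supplied wildcard matches literally. The sample user table is constructed and is not Identify's schema.

```python
import sqlite3

# Constructed sample user table; not Identify's schema.
SAMPLE_USERS = [("admin", "Alice"), ("admin_backup", "Bob"), ("x_admin", "Carol"),
                ("100%user", "Dan"), ("100user", "Erin"), ("guest", "Frank")]

LIKE_ESCAPE = "\\"


def escape_like(value: str) -> str:
    """Escape the LIKE wildcards so a user-supplied '%' or '_' matches literally."""
    return (value.replace(LIKE_ESCAPE, LIKE_ESCAPE + LIKE_ESCAPE)
                 .replace("%", LIKE_ESCAPE + "%")
                 .replace("_", LIKE_ESCAPE + "_"))


def filter_to_sql(attr: str, op: str, value: str) -> tuple[str, list[str]]:
    """Translate one filter term (attribute, operator, value) into a parameterized
    predicate. Only 'sw', 'ew' and 'eq' are handled; column names are allow-listed
    because they cannot be bound as parameters."""
    if attr not in {"userName", "displayName"}:
        raise ValueError(f"unsupported attribute: {attr}")
    if op == "sw":
        return f"{attr} LIKE ? ESCAPE '{LIKE_ESCAPE}'", [escape_like(value) + "%"]
    if op == "ew":
        return f"{attr} LIKE ? ESCAPE '{LIKE_ESCAPE}'", ["%" + escape_like(value)]
    if op == "eq":
        return f"{attr} = ?", [value]
    raise ValueError(f"unsupported operator: {op}")


def query_users(attr: str, op: str, value: str) -> list[str]:
    """Run the translated predicate against an in-memory table and return userNames."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (userName TEXT, displayName TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    where, params = filter_to_sql(attr, op, value)
    rows = con.execute(f"SELECT userName FROM users WHERE {where} ORDER BY userName", params)
    return [r[0] for r in rows]


if __name__ == "__main__":
    print(query_users("userName", "sw", "admin"))  # ['admin', 'admin_backup']
    print(query_users("userName", "ew", "admin"))  # ['admin', 'x_admin']
    print(query_users("userName", "sw", "100%"))   # ['100%user'] (not '100user')
```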

    Support for yyyy-MM-dd and yyyy/MM/dd formats in the loginmetrics endpoint

    In addition to the 'dd/MM/yyyy' and 'dd-MM-yyyy' formats, the fromDate and toDate parameters now also accept date values in the 'yyyy-MM-dd' or 'yyyy/MM/dd' formats.

    Disable all log items

    To completely disable logging, so that no logs are written for Audit, Security, Billing, Revision, or Analysis, refer to this logging configuration sample.

    New log events for Username & Password authentication

    To improve monitoring and troubleshooting, new log events have been added for Username & Password authentication. These logs provide detailed information about password change attempts and authentication failures.

    Event ID   Type           Action/Result
    6000       Security log   Password change succeeded
    6001       Security log   Password change failed
    502        Audit log      Username & Password authentication failed

    Additionally, the OtpCodeAuthenticationFailed log (event ID: 4414) now records all failed OTP input attempts.

    Debug log capture for Microsoft.IdentityModel events

    An event listener has been added to Identify Runtime to capture and log events from the Microsoft.IdentityModel and System.IdentityModel namespaces, but only when the SYS log level is set to Verbose. This includes events triggered by features such as IdentityModel's ShowPII.

    For more details, see the Security section of this topic.

    New hosted forms

    The following hosted forms have been added:

    • MalformedRequestError
    • ConnectionResolutionError
    • OpenIdConnectLogoutConfirm

    For more details about these changes, see PR 53.

    Dependency package upgrades

    Identify Admin has been upgraded to .NET 9.0, along with updates to all related NuGet and Node.js packages. These upgrades address security vulnerabilities present in older versions.

    Optimized user filtering by Organization ID and Group ID

    User filtering has been improved by supporting direct filtering with organization ID and group ID. Previously, filtering by organization or group name could cause performance issues due to excessive SQL subqueries. Now, filters using organization ID and group ID are translated more efficiently, resulting in significantly better query performance.

    For filtering syntax details, see this topic.

    Bug fixes

    • Fixed: #1340 [Runtime] Exception during login (SP → Identify → Azure AD) caused by a claim filter transformation applied to the SP, Azure AD default claim mapping set to "Do not map to standard claim types," and an unregistered Azure AD user in the Identify user list.
    • Fixed: #2335 [OAuth] "invalid_client" error occurs when sending a token request using client_secret_basic if the client_id contains special characters.
    • Fixed: #1983 [OAuth] Error page displays "Internal server error" when the mandatory redirect_uri parameter is missing.
    • Fixed: #772 [OAuth] "invalid_grant" error returns when authorization is pending in device flow.
    • Fixed: #2790 [Runtime] User could not switch authentication when Skip SSO and always re-authenticate users was enabled on the service provider.
    • Fixed: #131 [IdentifyAdmin] Confirmation dialog appears when opening a dialog in the resource list, then opening and closing a resource within that list.
    • Fixed: #262 [IdentifyAdmin] Users can get stuck in an infinite loop on the My Profile page if their roles change while the tenant's Require that roles in access tokens must be a subset of the user's assigned roles setting is enabled.
    • Fixed: #2305 [IdentifyAdmin] Select certificate dialog in 2nd signing certificate picks up certificates from local datastore.
    • Fixed: #148 [IdentifyAdmin] Confirm dialog does not display in some cases when a resource is updated.
    • Fixed: #217 [IdentifyAdmin] Some UIs in IdentifyAdmin are missing org-auth policy.
    • Fixed: #597 [IdentifyAdmin] Error message "S.detail is undefined" occurs when switching between tabs after the adminv2 session has expired.
    • Fixed: #459 [IdentifyAdmin] User unable to save the application after resolving the error: "Sorry, the connection name must only contain ASCII characters" during application update.
    • Fixed: #597 [IdentifyAdmin] JavaScript error occurs when switching between resource lists after the session has expired.
    • Fixed: #1409 [IC/CLI] OneAdmin application pool does not start after completing the "Reconfigure security settings" action.
    • Fixed: #2357 [IC] Error when setting up claim uniqueness after upgrading from SW 5.12 to SW 5.19 using Azure SQL.
    • Fixed: #860 [REST] Error incorrectly stated OpenIdConnectLogoutRedirectUrl is invalid when provisioning an OAuth 2.0 connection without the openIdLogoutRedirectUrl parameter.
    • Fixed: #147 [REST] The /rest/v2/users/myprofile endpoint returns a 200 status.
    • Fixed: #504 [Logging] Log short token for event ID 8010 when calling the /userinfo.idp endpoint.
    • Fixed: #1544 [Logging] Timestamp format in Runtime log is mixed between dd-mm-yyyy and mm/dd/yyyy.
    • Fixed: #910 [Logging] The RevisionData is logged as "null" in the REV log during API call: /admin/api/rest/v2/certificates/purgeunusedexpiredcertificates.
    • Fixed: #1587 [Logging] The applied claim transformation list in SP is not logged in SYS event ID 147.
    • Fixed: #1663 [Logging] WARN log message "Ignore JWT validation because the JWS Algorithm is None" is logged with event ID 0.
    • Fixed: #504 [Logging] Event ID 8010 logged redundant data when calling the /userinfo.idp endpoint.