Safewhere Identify 5.20 REST API release notes
This document summarizes all changes made to Identify REST API in version 5.20.
Breaking changes
Default value of the OAuth connection's PerformSessionStatusNotification
This value is always True to allow OIDC clients to perform session status checks. With the addition of front-channel and back-channel logout, the default value of PerformSessionStatusNotification has changed as follows:
- If either a front-channel or back-channel logout URI is present, the default value of
PerformSessionStatusNotificationisFalse. - Otherwise, the default value is
True.
The default value for post_logout_redirect_uri
The default value for post_logout_redirect_uri is "https://client.example.com/loggedout". When the parameter is specified, its value is always validated, regardless of whether it is null or empty.
Connection endpoint
OAuth/OIDC application
Error messages now use correct field names for OAuth/OIDC applications when required parameters are missing or invalid.
| Before | Current |
|---|---|
| OpenIdConnectLogoutRedirectUrl is invalid. | openIdLogoutRedirectUrl is invalid. |
| ClientId is invalid. | clientId is invalid. |
| ClientSecret is invalid. | clientSecret is invalid. |
| ApplicationName is invalid. | appName is invalid. |
| ApplicationAudience is invalid. | appAudience is invalid. |
| SymmetricSigningKey is invalid. | symmetricSigningKey is invalid. |
| RedirectUris is invalid. | redirectUris is invalid. |
| SectorIdentifierUri is invalid. | sectorIdentifierUri is invalid. |
| AppLogoUrl is invalid. | appLogoUrl is invalid. |
The OAuth Identity Provider configuration model includes some new attributes:
- idTokenSigningAlgorithm
- idTokenKeyTransportAlgorithm
- idTokenEncryptionMethod
- frontChannelLogoutUri
- backChannelLogoutUri
{
...,
"configurations": [
{
...,
"idTokenSigningAlgorithm": "RS256",
"idTokenKeyTransportAlgorithm": "",
"idTokenEncryptionMethod": "",
"frontChannelLogoutUri": "",
"backChannelLogoutUri": "",
...
}
],
...
}
Affected operations:
GET /api/rest/v2/connections,POST /api/rest/v2/connections,PUT /api/rest/v2/connections,GET /api/rest/v2/connections/.filter,GET /api/rest/v2/connections/{connectionName}.Behaviors:
| Name | Data type | Require? | Default value | Description |
|---|---|---|---|---|
| idTokenSigningAlgorithm | string | ⬜️ | RS256 | This setting specifies the algorithm used to sign the ID token, which is a JSON Web Token (JWT). Supported algorithms include RS256, RS384, RS512, PS256, PS384 and PS512. Default value is RS256. |
| idTokenKeyTransportAlgorithm | string | ⬜️ | Empty | This setting indicates the algorithm used to encrypt the key used in the ID token encryption. Supported algorithms include RSA-OAEP, RSA-OAEP-256, A128KW, A192KW, and A256KW. |
| idTokenEncryptionMethod | string | ⬜️ | Empty | This setting defines the method used to encrypt the ID token. It specifies how the token's payload is encrypted to ensure confidentiality. Supported algorithms include A128CBC-HS256, A192CBC-HS384, A256CBC-HS512, A128GCM, A192GCM and A256GCM. |
| frontChannelLogoutUri | string | ⬜️ | Empty | This is the URL to which the user's browser is redirected when a logout is initiated. It's part of the Front-Channel Logout mechanism, must be an absolute URI. Note that the wildcard domain is not allowed. |
| backChannelLogoutUri | string | ⬜️ | Empty | This URL is used in the Back-Channel Logout mechanism. When a logout is initiated, the identity provider sends an HTTP POST request to this URL to notify the application that the user's session should be terminated. It must be an absolute URI. Note that the wildcard domain is not allowed. |
Upload metadata
Added support for one additional property in UploadMetaDataReference: EntityIdentifierToUseWhenMetadataIsEntitiesDescriptor.
{
...,
"uploadMetaDataReference": {
...,
"entityIdentifierToUseWhenMetadataIsEntitiesDescriptor": "",
...
},
...
}
Affected operations:
POST /api/rest/v2/connections,PUT /api/rest/v2/connectionswhen theuploadMetaDataReferenceobject is included in the request body.Behaviors:
| Name | Data type | Require? | Default value | Description |
|---|---|---|---|---|
| entityIdentifierToUseWhenMetadataIsEntitiesDescriptor | string | ⬜️ | Empty | Specifies the entityID to use when the uploaded metadata is an EntitiesDescriptor containing multiple EntityDescriptor entries. This allows the system to locate and select the correct EntityDescriptor based on the provided entityID. |
Audit logs endpoints
Support new endpoint to retrieve retained audit users
New GET /api/rest/v2/auditlogs/auditretainedusers endpoint with these parameters: fromDate, toDate, searchData, pageIndex, pageSize, sortBy, and sortOrder.
- Affected operation:
GET /api/rest/v2/auditlogs/auditretainedusers. - Required role(s):
MonitorObserver. - Supported parameters:
| Name | Data type | Require? | Default value | Description |
|---|---|---|---|---|
| fromDate | string | ⬜️ | Empty | Used to filter data from a starting date. Format: dd/MM/yyyy HH:mmZ. |
| toDate | string | ⬜️ | Empty | Used to filter data up to an ending date. Format: dd/MM/yyyy HH:mmZ. |
| searchData | string | ⬜️ | Empty | Used to filter data by username. |
| pageIndex | number | ⬜️ | 1 | Index of the page that contains returned objects. If pageIndex is 0 or invalid, it is set to 1. |
| pageSize | number | ⬜️ | 1000 | Number of objects returned per page. If pageSize is 0 or invalid, it is set to 1000. Maximum value is 5000. If pageSize > 5000, it is set to 5000. |
| sortBy | string | ⬜️ | utcdate | Used to sort the returned objects. Supported value is utcdate. If sortBy is blank or invalid, the default value utcdate is used. |
| sortOrder | string | ⬜️ | Ascending | Sort order of returned objects: Ascending or Descending. If Descending is specified, results are sorted in descending order; otherwise, ascending order is used. |
New user model for the GET /api/rest/v2/auditlogs/auditretainedusers endpoint.
- Affected operation:
GET /api/rest/v2/auditlogs/auditretainedusers.
{
"totalResults": 2,
"pageIndex": 1,
"pageSize": 20,
"sortBy": "utcTimestamp",
"sortOrder": "Ascending",
"resources": [{
"auditEventId": "18328",
"entityId": "1bbd101d-a6cd-4d70-ab5d-67d7da214460",
"enabled": true,
"username": "user01",
"author": "admin",
"claims": [{
"claimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
"value": "user01"
}
],
"eventType": "RetainedUser",
"utcTimestamp": "23/06/2026 09:47:36",
"id": "2115",
"externalId": null,
"meta": null,
"name": null,
"description": null,
"endpoint": null,
"schema": "urn:scim:schemas:core:2.0:",
"schemaExtensions": null,
"schemaExtensionsDetail": null
}, {
"auditEventId": "18331",
"entityId": "cb86f3a4-a591-48b7-87cd-db96e9bd1eb7",
"enabled": true,
"username": "user02",
"author": "admin",
"claims": [{
"claimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
"value": "user02"
}, {
"claimType": "urn:identify:rest-api:role",
"value": "Observer"
}
],
"eventType": "RetainedUser",
"utcTimestamp": "23/06/2026 09:52:00",
"id": "2117",
"externalId": null,
"meta": null,
"name": null,
"description": null,
"endpoint": null,
"schema": "urn:scim:schemas:core:2.0:",
"schemaExtensions": null,
"schemaExtensionsDetail": null
}
]
}
Behaviors:
Name Data type Description utcTimestamp string The datetime in UTC that the user has been retained eventType string Its value is always RetainedUserentityId string The user's ID enabled boolean If true, the user is enabled; if false, the user is disabled active boolean Indicates whether the user is active username string The user's username author string The user responsible for retaining this user claims object The user's claims information
User endpoint
Restore deleted user
Restores a previously deleted user from audit logs along with their associated data and second-factor authentication settings.
New POST /api/rest/v2/restoredeleteduser endpoint.
- Affected operation:
POST /api/rest/v2/restoredeleteduser. - Required role(s):
UserContributor. - Supported parameters:
| Name | Data type | Require? | Default value | Description |
|---|---|---|---|---|
| userId | string | ✅ | Empty | The ID of a user to restore. |
URL sample:
POST /api/rest/v2/restoredeleteduser?userId=43db1d50-b365-48d7-a466-20b0f13e914f