Safewhere Identify 5.20 release notes
This document summarizes all new features, bug fixes, and breaking changes in version 5.20 for tenants upgrading from earlier versions.
Breaking and high-risk changes
Identify 5.20 introduces significant updates that improve functionality but may affect existing Identify tenants. Thoroughly test in a non-production environment before upgrading your production instance. Key changes include:
HTTP security headers update
When upgrading to version 5.20, ensure your instance uses the latest HTTP security headers. You can apply the default Identify headers during tenant upgrade (for example, click Customize Identify's security settings, then select Use default setting), or complete the upgrade and update the headers afterward.
To update headers after upgrade, use one of the following options:
- Use the Reconfigure action in the Identify Configurator tool. Choose Change security settings, click Customize Identify's security settings, then select Use default setting to apply the latest headers.
- Use the --identify-security-settings-xml-configuration parameter for the Reconfigure action in Identify CLI to apply the latest headers.
Impact:
- Custom pages, scripts, styles, or embedded resources (such as JSON files) may be blocked until your CSP and related security-header policies are updated. See HTTP security headers for configuration details.
- You can find the latest default security headers here.
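To see in advance which custom resources a stricter Content-Security-Policy will block, it helps to evaluate candidate resource URLs against the header before the upgrade. The following is an added example (not Identify's code, and the sample policy and origin below are constructed, not the actual Identify defaults): it parses a CSP header into directives and answers whether a fetch governed by a given directive (script-src, connect-src, img-src, ...) would be permitted, falling back to default-src exactly as browsers do. It implements a subset of the CSP source-expression rules ('self', scheme sources such as https: and data:, host sources with wildcard subdomains, ports and path prefixes); nonces, hashes and 'strict-dynamic' are treated as never matching a URL.

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample policy and page origin (hypothetical values, not the
# actual Identify default headers).
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://cdn.example.com; "
    "style-src 'self' 'unsafe-inline'; "
    "connect-src 'self' https://api.example.com:443; "
    "img-src 'self' data: https://*.images.example.com; "
    "frame-ancestors 'none'"
)
PAGE_ORIGIN = "https://identify.example.com"
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [source expressions]}.
    As in browsers, the first occurrence of a directive wins."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def _effective_port(parts) -> Optional[int]:
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def _host_matches(pattern: str, host: str) -> bool:
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # "*.x.com" matches a.x.com but not x.com
    return host == pattern


def _source_matches(expr: str, url: str, page_origin: str) -> bool:
    """Subset of the CSP source-expression matching rules."""
    expr = expr.lower()
    u, page = urlsplit(url), urlsplit(page_origin)
    if expr.startswith("'"):
        # Keyword sources: only 'self' can match a URL ('none', nonces, hashes never do).
        return expr == "'self'" and (u.scheme, u.hostname, _effective_port(u)) == (
            page.scheme, page.hostname, _effective_port(page))
    if expr.endswith(":") and "/" not in expr:
        return u.scheme == expr[:-1]            # scheme-source such as https: or data:
    p = urlsplit(expr if "://" in expr else "//" + expr)   # host-source
    if p.scheme and p.scheme != u.scheme:
        return False
    netloc = p.netloc
    host, port = (netloc.rsplit(":", 1) if ":" in netloc else (netloc, ""))
    if not _host_matches(host, u.hostname or ""):
        return False
    if port == "*":
        pass
    elif port:
        if _effective_port(u) != int(port):
            return False
    elif _effective_port(u) != DEFAULT_PORTS.get(u.scheme):
        return False
    if p.path:
        # A path ending in "/" is a prefix; any other path must match exactly.
        return u.path.startswith(p.path) if p.path.endswith("/") else u.path == p.path
    return True


def allowed(policy: Dict[str, List[str]], directive: str, url: str,
            page_origin: str = PAGE_ORIGIN) -> bool:
    """Would a fetch governed by `directive` (e.g. script-src) be permitted?
    Falls back to default-src when the directive is absent; when neither is
    present the policy imposes no restriction on that fetch type."""
    sources = policy.get(directive.lower())
    if sources is None:
        sources = policy.get("default-src")
    if sources is None:
        return True
    return any(_source_matches(s, url, page_origin) for s in sources)


if __name__ == "__main__":
    policy = parse_csp(SAMPLE_CSP)
    for directive, url in [("script-src", "https://static.example.net/theme.js"),
                           ("connect-src", "https://static.example.org/strings.json"),
                           ("script-src", "https://identify.example.com/custom/theme.js")]:
        print(f"{directive:12} {url:50} {'allowed' if allowed(policy, directive, url) else 'BLOCKED'}")
```

Run it against the real header of your tenant (copy the Content-Security-Policy value from a response and substitute it for SAMPLE_CSP) with the URLs of every script, stylesheet and JSON file your custom theme loads; anything reported as blocked needs either a source added to the matching directive or the resource moved onto the tenant's own origin.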
Security enhancements
This release includes important security enhancements and hardening measures to further improve the platform's security, reliability, and resilience.
Impact:
Some custom file extensions used in custom themes (such as .json) may be blocked. Contact our team if your custom theme depends on these file types.
Generic OIDC provider - claim format handling for multi-value claims
Previously, when Identify received a multi-value claim from an OIDC provider, it incorrectly issued the claim as a JSON-encoded string.
...
"claim-type": "[\"value1\", \"value2\", \"value3\"]",
...
In this version, Identify correctly issues multi-value claims as a proper JSON array.
...
"claim-type": ["value1", "value2", "value3"],
...
Impact:
Service Providers that expect this claim as a JSON string may need to update their parsing logic to handle a native array.
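A Service Provider that has to work both before and after the upgrade can read the claim tolerantly: accept the native array, a single scalar, and the legacy JSON-encoded string. The following is an added example (not Identify's or any Service Provider's code); the two payloads are constructed to mirror the pre-5.20 and 5.20 shapes shown above, and "claim-type" is a placeholder claim name.

```python
import json
from typing import Any, Dict, List

# Constructed sample token payloads (not real Identify output): the legacy
# form, where the multi-value claim arrived as a JSON-encoded string, and the
# 5.20 form, where it is a native JSON array.
LEGACY_PAYLOAD: Dict[str, Any] = {"sub": "user-1", "claim-type": "[\"value1\", \"value2\", \"value3\"]"}
CURRENT_PAYLOAD: Dict[str, Any] = {"sub": "user-1", "claim-type": ["value1", "value2", "value3"]}


def claim_values(payload: Dict[str, Any], claim_type: str) -> List[str]:
    """Return the values of a claim as a list of strings.

    Accepts the native array form (Identify 5.20+), a single scalar value,
    and the legacy JSON-encoded-string form, so the relying party keeps
    working across the upgrade without a flag day.
    """
    raw: Any = payload.get(claim_type)
    if raw is None:
        return []
    if isinstance(raw, list):
        values = raw
    elif isinstance(raw, str) and raw.lstrip().startswith("["):
        # Legacy form: the array was serialized into a string. Decode only when
        # it really is a JSON array; any other string is an ordinary value.
        try:
            decoded = json.loads(raw)
        except json.JSONDecodeError:
            decoded = raw
        values = decoded if isinstance(decoded, list) else [decoded]
    else:
        values = [raw]
    # Claim values used for authorization decisions should be scalars; refuse
    # nested structures rather than silently stringifying them.
    out: List[str] = []
    for value in values:
        if isinstance(value, (dict, list)):
            raise ValueError(f"unsupported nested value in claim {claim_type!r}")
        out.append(str(value))
    return out


def has_value(payload: Dict[str, Any], claim_type: str, wanted: str) -> bool:
    """Membership test that works for either encoding of the claim."""
    return wanted in claim_values(payload, claim_type)
```

The important property is that a membership check such as has_value(payload, "claim-type", "value2") gives the same answer for both payload shapes; naive code that compared the raw claim to a string would pass before the upgrade and fail after it.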
Userinfo response - claim behavior update
/userinfo.idp now returns name only when the profile scope is requested; otherwise, it falls back to sub.
Impact:
Review clients that previously expected name without requesting profile.
New features and improvements
Security enhancements
This release includes important security enhancements and hardening measures to further improve the security, reliability, and resilience of the platform. We also updated several third-party components as part of our ongoing commitment to maintaining a secure and supported environment.
OAuth 2.0/OIDC improvements
Front-channel and back-channel logout
Identify now supports front-channel and back-channel logout to propagate sign-out across participating applications.
For details, see Front-channel and back-channel logout.
ID token encryption (JWE)
Identify now supports encrypted ID tokens (JWE) for OIDC clients when ID token encryption settings and client keys are configured.
When back-channel logout is configured with encrypted tokens, Identify also sends encrypted logout tokens.
More robust handling of id_token_hint parameter during logout process
Identify now handles malformed id_token_hint values in logout requests more gracefully.
For details, see Enhanced id_token_hint handling (v5.20+).
Custom URI scheme support for native OIDC clients
Native OIDC clients now support custom URI schemes (for example, myapp://callback) in addition to http and https redirect URIs.
For details, see Native OIDC clients.
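Allowing custom URI schemes makes redirect-URI validation more important, not less: a custom scheme has no DNS or TLS binding, so the only defence against another app on the device claiming the same scheme is strict, exact matching against the registered value. The following is an added example (not Identify's code; the client registrations and the registration policy are assumptions for illustration): a registration-time check that permits https for all clients and custom schemes or loopback http only for native clients, plus an authorization-time check that requires an exact match, relaxing only the port for loopback redirects as RFC 8252 section 7.3 allows.

```python
from typing import Dict
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}

# Constructed client registrations (hypothetical; not Identify's data model).
CLIENTS: Dict[str, dict] = {
    "web-portal": {"type": "web", "redirect_uris": ["https://portal.example.com/callback"]},
    "mobile-app": {"type": "native", "redirect_uris": ["myapp://callback", "http://127.0.0.1/callback"]},
}


def registration_allowed(client_type: str, uri: str) -> bool:
    """Registration-time policy (assumed policy, not Identify's documented rules):
    web clients may register absolute https URIs only; native clients may also
    register a private custom scheme (myapp://...) or a loopback http URI
    (RFC 8252 section 7.3). No redirect URI may carry a fragment."""
    parts = urlsplit(uri)
    if not parts.scheme or parts.fragment:
        return False
    if client_type == "web":
        return parts.scheme == "https" and bool(parts.netloc)
    if client_type == "native":
        if parts.scheme == "https":
            return bool(parts.netloc)
        if parts.scheme == "http":
            return parts.hostname in LOOPBACK_HOSTS   # never http to a routable host
        return bool(parts.netloc or parts.path)        # custom scheme such as myapp://
    return False


def redirect_uri_accepted(client_id: str, requested: str) -> bool:
    """Authorization-request check: the redirect_uri must equal a registered
    value byte for byte. The only relaxation is for native loopback http
    redirects, where the port may differ because the app binds a free one."""
    client = CLIENTS.get(client_id)
    if client is None:
        return False
    req = urlsplit(requested)
    for registered in client["redirect_uris"]:
        if requested == registered:
            return True
        reg = urlsplit(registered)
        if (client["type"] == "native" and reg.scheme == req.scheme == "http"
                and reg.hostname in LOOPBACK_HOSTS and reg.hostname == req.hostname
                and reg.path == req.path and reg.query == req.query and not req.fragment):
            return True
    return False


if __name__ == "__main__":
    for client_id, uri in [("mobile-app", "myapp://callback"),
                           ("mobile-app", "myapp://callback/../other"),
                           ("mobile-app", "http://127.0.0.1:51234/callback"),
                           ("web-portal", "https://portal.example.com/callback?next=x")]:
        print(f"{client_id:12} {uri:45} {'accepted' if redirect_uri_accepted(client_id, uri) else 'rejected'}")
```

Note that nothing here does prefix or pattern matching for custom schemes: myapp://callback/../other is rejected even though it "starts with" the registered value, and so is a query string the client did not register.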
Improved single logout (SLO) behavior for native OIDC clients
Browser-initiated logout no longer removes tokens issued to native OIDC clients.
This preserves native app sessions and enforces session isolation between browser and native clients. For details, see Native OIDC clients.
Optimize OIDC storage space
OAuth/OIDC storage was optimized by removing used authorization-code entries and minimizing token metadata retention.
These changes reduce database footprint by about 50% and improve performance.
Monitoring and diagnostic tool
DiagMon adds or updates commands for tenant-version mismatch detection and custom-column detection in upgrade checks.
For detailed information, see the Diagnostic and monitoring tool documentation.
Restore deleted users
Identify now supports retaining and restoring deleted users from audit logs within a configurable retention period.
For details, see Restore deleted users in Identify.
Other improvements
Windows CSP/KSP provider support
Certificate-based signing, encryption, and decryption now support any Windows key provider that exposes CSP or KSP, including hardware-backed providers such as YubiHSM.
Certificate private keys are now accessed through the standard .NET cryptography APIs instead of legacy key-access methods. This improves compatibility with keys stored by CSP/KSP providers.
We also updated signing and encryption/decryption flows to use the same approach, with better error handling and resource cleanup.
Improved performance when filtering users by claim values
User filtering by claim values now targets only the relevant claim-value table instead of querying both free and discrete tables.
This reduces database overhead and improves performance for claim-based user queries.
REST API: Improved error handling for malformed SCIM filter expressions
SCIM .filter endpoints now return descriptive 400 Bad Request responses when the filter expression is malformed.
A configurable filter-size limit (default 4 KB) is also enforced during parsing.
Note: This is an internal change and does not affect the API contract. Review any custom code that generates filter expressions to ensure they are well-formed and within the configured size limit, to avoid unexpected 400 Bad Request responses.
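Custom code that builds SCIM filters can check them before sending, so a malformed or oversized expression is caught in your own tests instead of as a 400 from the API. The following is an added example (not Identify's parser or its error format, though the error body follows the SCIM 2.0 error schema): a tokenizer and recursive-descent parser for the core SCIM filter grammar (attribute comparisons, pr, and/or/not, parentheses; value paths such as emails[type eq "work"] are outside this subset) that enforces a 4 KB size limit matching the default named above and returns an HTTP-style (status, body) pair.

```python
import re
from typing import Dict, List, Tuple

# Default limit named in the release notes (4 KB). Identify makes it
# configurable; here it is a plain constant.
MAX_FILTER_BYTES = 4 * 1024
SCIM_ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

COMPARE_OPS = {"eq", "ne", "co", "sw", "ew", "gt", "lt", "ge", "le"}
_TOKEN = re.compile(
    r'(?P<lparen>\()|(?P<rparen>\))'
    r'|(?P<string>"(?:[^"\\]|\\.)*")'
    r'|(?P<number>-?\d+(?:\.\d+)?)'
    r'|(?P<word>[A-Za-z_$][A-Za-z0-9_.:$\-]*)'
)


class FilterError(ValueError):
    """Raised for a filter that does not match the supported grammar."""


def tokenize(text: str) -> List[Tuple[str, str]]:
    tokens, pos = [], 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        m = _TOKEN.match(text, pos)
        if m is None:
            raise FilterError(f"unexpected character {text[pos]!r} at offset {pos}")
        tokens.append((m.lastgroup, m.group()))
        pos = m.end()
    return tokens


class _Parser:
    """filter := and ('or' and)* ; and := unary ('and' unary)* ;
    unary := ['not'] '(' filter ')' | attrExp ; attrExp := attr 'pr' | attr op value"""

    def __init__(self, tokens: List[Tuple[str, str]]):
        self.tokens, self.pos = tokens, 0

    def peek(self) -> Tuple[str, str]:
        return self.tokens[self.pos] if self.pos < len(self.tokens) else ("eof", "")

    def take(self) -> Tuple[str, str]:
        tok = self.peek()
        self.pos += 1
        return tok

    def _is_word(self, word: str) -> bool:
        kind, val = self.peek()
        return kind == "word" and val.lower() == word

    def parse_filter(self) -> None:
        self.parse_and()
        while self._is_word("or"):
            self.take()
            self.parse_and()

    def parse_and(self) -> None:
        self.parse_unary()
        while self._is_word("and"):
            self.take()
            self.parse_unary()

    def parse_unary(self) -> None:
        if self._is_word("not"):
            self.take()
            if self.peek()[0] != "lparen":
                raise FilterError("'not' must be followed by a parenthesized filter")
        if self.peek()[0] == "lparen":
            self.take()
            self.parse_filter()
            if self.take()[0] != "rparen":
                raise FilterError("missing closing ')'")
            return
        self.parse_attr_exp()

    def parse_attr_exp(self) -> None:
        kind, attr = self.take()
        if kind != "word" or attr.lower() in ("and", "or", "not"):
            raise FilterError(f"expected an attribute name, got {attr!r}")
        kind, op = self.take()
        op = op.lower()
        if kind != "word" or (op != "pr" and op not in COMPARE_OPS):
            raise FilterError(f"expected an operator after {attr!r}, got {op!r}")
        if op == "pr":
            return
        kind, value = self.take()
        if kind not in ("string", "number") and not (kind == "word" and value.lower() in ("true", "false", "null")):
            raise FilterError(f"expected a value after '{attr} {op}', got {value!r}")


def _bad_request(detail: str) -> Tuple[int, Dict]:
    return 400, {"schemas": [SCIM_ERROR_SCHEMA], "status": "400", "scimType": "invalidFilter", "detail": detail}


def validate_filter(text: str) -> Tuple[int, Dict]:
    """Return (status, body) the way an endpoint would: 400 with a SCIM error
    body for an oversized or malformed filter, 200 with a token count otherwise."""
    size = len(text.encode("utf-8"))
    if size > MAX_FILTER_BYTES:   # size check comes first, before any parsing work
        return _bad_request(f"filter is {size} bytes; the limit is {MAX_FILTER_BYTES} bytes")
    try:
        tokens = tokenize(text)
        if not tokens:
            raise FilterError("filter is empty")
        parser = _Parser(tokens)
        parser.parse_filter()
        if parser.pos != len(tokens):
            raise FilterError(f"unexpected token {parser.peek()[1]!r}")
    except FilterError as exc:
        return _bad_request(str(exc))
    return 200, {"tokens": len(tokens)}
```

Checking the size before tokenizing is deliberate: the point of a limit is to bound the work done on hostile input, so the cheap check runs first.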
Case study: Stronger SSO enrollment enforcement
This case study shows how to enforce SSO enrollment so that each user verifies corporate email ownership and enrolls a TOTP authenticator before accessing SSO-enabled systems.
For details, see Stronger SSO enrollment enforcement.
Improved data-import performance in Identify Configurator
The Update connection's data dependencies action now performs about 50% fewer PUT requests, reducing execution time.
Metadata upload - support for EntitiesDescriptor selection
Metadata upload now supports selecting a specific EntityDescriptor from an EntitiesDescriptor metadata document.
Use EntityIdentifierToUseWhenMetadataIsEntitiesDescriptor in UploadMetaDataReference to choose which entityID to import.
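Federation metadata is commonly published as one EntitiesDescriptor containing many (sometimes nested) EntityDescriptor elements, so an import has to pick exactly one by entityID and refuse ambiguous or missing matches. The following is an added example (not Identify's import code, and the embedded metadata document is constructed, not a real federation's): it lists the entityIDs present, selects the requested EntityDescriptor wherever it sits in the tree, and extracts its AssertionConsumerService locations.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"


def _md(local: str) -> str:
    return f"{{{MD_NS}}}{local}"


# Constructed sample metadata (hypothetical entityIDs and endpoints), with one
# EntityDescriptor at the top level and one inside a nested EntitiesDescriptor.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" Name="example-federation">
  <md:EntityDescriptor entityID="https://sp-one.example.org/saml">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                   Location="https://sp-one.example.org/acs" index="0"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntitiesDescriptor Name="nested-group">
    <md:EntityDescriptor entityID="https://sp-two.example.org/saml">
      <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="https://sp-two.example.org/acs" index="0"/>
      </md:SPSSODescriptor>
    </md:EntityDescriptor>
  </md:EntitiesDescriptor>
</md:EntitiesDescriptor>
"""


def list_entity_ids(metadata_xml: str) -> List[str]:
    """Every entityID in the document, in document order (nested groups included)."""
    root = ET.fromstring(metadata_xml)
    if root.tag == _md("EntityDescriptor"):
        return [root.get("entityID", "")]
    return [e.get("entityID", "") for e in root.iter(_md("EntityDescriptor"))]


def select_entity_descriptor(metadata_xml: str, entity_id: Optional[str] = None) -> ET.Element:
    """Return the single EntityDescriptor to import. For an EntitiesDescriptor
    document the caller must say which entityID it wants; duplicates are refused."""
    # For metadata fetched from a third party, parse with defusedxml instead of
    # the stdlib parser to rule out entity-expansion tricks.
    root = ET.fromstring(metadata_xml)
    if root.tag == _md("EntityDescriptor"):
        if entity_id is not None and root.get("entityID") != entity_id:
            raise ValueError(f"document describes {root.get('entityID')!r}, not {entity_id!r}")
        return root
    if root.tag != _md("EntitiesDescriptor"):
        raise ValueError(f"unexpected root element {root.tag}")
    if entity_id is None:
        raise ValueError("document is an EntitiesDescriptor; specify which entityID to import")
    matches = [e for e in root.iter(_md("EntityDescriptor")) if e.get("entityID") == entity_id]
    if not matches:
        raise ValueError(f"no EntityDescriptor with entityID {entity_id!r}")
    if len(matches) > 1:
        raise ValueError(f"entityID {entity_id!r} appears {len(matches)} times; refusing ambiguous import")
    return matches[0]


def assertion_consumer_urls(entity: ET.Element) -> List[str]:
    return [acs.get("Location", "") for acs in entity.iter(_md("AssertionConsumerService"))]


def import_error(metadata_xml: str, entity_id: Optional[str] = None) -> Optional[str]:
    """The message an import would fail with, or None if the selection is unambiguous."""
    try:
        select_entity_descriptor(metadata_xml, entity_id)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("available:", list_entity_ids(SAMPLE_METADATA))
    chosen = select_entity_descriptor(SAMPLE_METADATA, "https://sp-two.example.org/saml")
    print("importing", chosen.get("entityID"), "with ACS", assertion_consumer_urls(chosen))
```

Listing the available entityIDs first is the practical step when an upload fails: the value you pass must match the entityID attribute exactly, including scheme and trailing path.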
Hosted forms update
Updated hosted forms: ForgotPasswordPage and OtpAuthentication.
For details, see PR 55 and PR 61.
Bug fixes
- Fixed: #3579 [IC/CLI] Reduced logged data in installation log.
- Fixed: #6203 [Logging] Deadlock on Serilog sinks causing unexpected HTTP 503.2 errors under concurrent or reentrant initialization.
- Fixed: #5901 [Logging] Hardening logged token data.
- Fixed: #4474 [Logging] SEC event ID 4914 was logged only after the user completed authentication with an OIDC/OAuth client.
- Fixed: #5745 [Logging] Improved logging behavior for userinfo response.
- Fixed: #6105 [IdentifyAdmin] Connection input is cleared when navigating to the Claim Pipeline tab or the Second Factor tab of a connection.
- Fixed: #5775 [REST] Error: "An error has occurred" was returned when the urn:internal:userid claim in the access token was not a valid GUID value.
- Fixed: #6264 [Selfservice] Redirection loop.
- Fixed: #6068 [Runtime] Corrected unexpected exceptions during token issuance or validation when the Use signing certificate to encrypt data protection keys setting is False.
- Fixed: #5740 [Runtime] The refresh token's creation date changed when invoking token exchange with grant_type=refresh_token.
- Fixed: #6162 [Runtime] Race condition in script compilation caused intermittent missing assembly reference errors after Identify application restart.