Release notes
This will highlight the most important items. For in depth detail contact Fortified ID.
This release, 3.3.0
SAML Application & profile
Moving toward a more application-centric configuration, SAML applications now include extended customisation options. This provides an easier and more flexible way to configure any custom behavior required by a SAML Service Provider (SP). SAML application
For applications with similar requirements, they can be grouped using profiles. SAML profile
Application tag
OIDC RPs, SAML profiles, and SAML applications can now include application tags — one or more labels attached to the authentication state during login. The purpose of application tags is to enable conditional execution based on the application context. n combination with the user context, this provides powerful and flexible conditional handling while simplifying administration.
OIDC improvements
If opaque access tokens are used, the access_token_claims parameter must not be set as mandatory.
The nonce value must always be included in the id_token JWT if it was present in the authentication request.
If the RP sends a nonce, the OP must echo it back in the ID Token.
It must never appear in Access Tokens or UserInfo responses.
access_token_claims is now used exclusively for claims included in JWT-formatted Access Tokens.
A new configuration parameter, userinfo_claims, has been introduced to define the data returned by the UserInfo endpoint when using opaque Access Tokens.
OIDC Relying Parties now support verification of JWTs signed with:
RSA: RS256, RS384, RS512, PS256, PS384, PS512
ECDSA: ES256, ES384, ES512
EdDSA: OKP / Ed25519
Previously, only RS256 and RS512 were supported.
Event log updates
The vast majority of authenticators have been updated to provide clearer and more comprehensive log entries. The ID of the configured authenticator is now included to improve traceability in multi-tenant environments. Logging clarity improvements have also been implemented.
SAML SPBroker – Configurable RequestedAuthnContext Support
SPBroker now supports configurable inclusion of a specific AuthnContextClassRef in the generated AuthnRequest.
"requested_authn_context": "http://schemas.microsoft.com/claims/multipleauthn"
AuthController – Conditional Execution Support
Added support for controlling whether the AuthController should execute based on the exec_if condition.This allows more flexible and configurable authentication flow handling.
Selector – Optimised behavior for SSO Sessions with lazy_expiry
Enhanced the selector logic for SSO scenarios where the user has already authenticated and lazy_expiry is enabled.
Previously, when "expiry": "PT1S" was configured, the selector always prompted the user to choose an authentication method again, treating it as a new authentication.
With this update, when used in combination with lazy_expiry, the selector now evaluates whether the previously used method is still among the available options.
If it is, that method is automatically marked as executed (pass-through) without requiring re-authentication.
If it is not available, the user must select a new method (if multiple options exist) or is automatically routed through the only available method.
Broadcom SiteMinder – Updated Direct Integration Handling
Now includes fully updated support for Broadcom SiteMinder (Agent API 12.8 and later).This update improves compatibility, reliability, and performance for environments integrating Fortified ID Access as an Identity Provider with SiteMinder.It enables seamless use of modern authentication methods (BankID, Freja eID, FIDO2, OIDC, SAML 2.0), simplifies migration from legacy components, and strengthens centralised policy and session management.
UI updates
A number of UI improvements for a smoother user experience.
CVE updates
Updating underlying building blocks, both front and backend, in order to keep CVE risks at a minimum.
Bug fixes
ExternalFlow – Corrected Export Value Propagation
Fixed an issue where ExternalFlow could reuse stale export values in generated JWTs, causing previously sent data (e.g., hk_eleg_pnr, givenname, surname) to persist between authentication sessions.
The update ensures that each new authentication sequence correctly includes current export values in the signed JWT sent to external targets such as Forms, without requiring an Access restart.
3.2.2
Support for M2M Flows
We have added support for machine-to-machine (M2M) integrations through the client_credentials flow.
This enables trusted clients to obtain access tokens without end-user involvement, making it easier to support backend services and automated system-to-system communication.
New authenticator, EnrichIdentity
Simplifying identity enrichment.
ExternalFlow authenticator updates
Improved logging
Configurable exports
Conditional execution
Compacted logging
Removed excess trace when logging error
Exposed new JMX endpoints
Possibility to execute a PIPE with custom data.
Possibility to deploy and execute a PIPE with custom data.
This feature is mainly targeting Management Center
LDAPSearch valve improvements
Better multi value handling.
Impersonate updates
Conditional executing
Improved user selection
Improved error messaging
Enhanced validation and error handling when using a keystore in OIDCAuthCodeFlow.
Clearer log messages are now provided for misconfigured keystores. For example, if the configuration contains keystore: "${globals.keystore_oidc}", the login attempt will fail with an explicit error message instead of a generic log entry without cause.
Simplified HttpClient keystore configuration
When HttpClient is configured with a keystore containing only one alias, that alias is now used automatically.
If no private key password is provided, the keystore password will be used by default.
Improved error reporting for invalid authenticator path
Fixed issue where an invalid authenticator path (e.g. ${globals.default_login_suffix}) caused module startup failures with limited diagnostic information.
Log messages now clearly indicate which authenticator caused the error, making it easier to identify and correct misconfiguration without having to manually inspect all authenticators.
Improved Freja eID accessibility compliance
Freja eID integration has been updated to better meet accessibility requirements, ensuring a more inclusive and user-friendly authentication experience.
Correct JSON typing in JsonObjectCreate
Fixed an issue where arrays/objects were stringified. roles now remains a JSON array and act_as remains a JSON object in the output.
Safe interpolation of dynamic fields: unresolved expressions no longer create empty keys/values; such entries are skipped with a clear warning.
Improved diagnostics: logs now include the exact claim path and key when interpolation fails.
Configurable TTL for UserInfo endpoint
Added support for configuring the TTL (time-to-live) of the UserInfo endpoint response.
Previously fixed to 60 seconds; now customizable via configuration.
Ordering support for Selector options
Added support for an order attribute to control how Selector options are presented.
Ensures predictable and meaningful sorting of options instead of relying on default ordering.
3.2.1
Swedish BankID QR code updates
Aligning with revised QR code regulations for better usability and accessibility.
See more on https://www.bankid.com/tillgaenglighet-i-bankid/tillgangliga-qr-koder
3.2.0
LDAP Valve improvements
Handling items in more robust manner. Handles multiple items across all LDAP valves.
Missing log - unsolicited authenticated
Log was missing when doing unsolicited login
Support for new Freja e-d attributes
UNIQUE_PERSONAL_IDENTIFIER and LOA_LEVEL are now supported
UI improvements using Information endpoint module
UI fixes for Windows Edge.
Header white listing case insensitive
When declaring headers to let through to service. Case is now insensitive.
SAML meta data validation
Meta data loaded from URL can be validated using a certificate
New authenticator
ExternalFlow authenticator added
Improved session security
User-Agent is now fingerprinted. See more info at https://docs.fortifiedid.se/common/server/http-listener#http-fingerprinting
OIDC refresh token update
It is now possible for re-usage of refresh tokens. This is default behaviour when interacting with Microsoft Entra ID.
Include improvement
Deeper include structures previously had unexpected behaviour.
CVE updates
Updating underlying building blocks, both front and backend, in order to keep CVE risks at a minimum.
3.1.0
Authenticators with more default values
All authenticators with web UI now has default values for:
overlay_dir
web_root
This reduces configuration. Se authenticator documentation for default values.
New authenticator SSOAuthenticator
SSOAuthenticatorUse for generic SSO login when target not supporting OIDC or SAML 2.0
Default location for http listener
When configured, the HTTP listener can now handle requests to / by redirecting the user agent to a predefined target URL.:
"redirect_url": "/userinfo/generic/"Updated validation rules on incoming SAML assertion when brokering
Updated documentation is found here SAML Broker
Source ip behind proxy
Source IP now is actual calling client when behind proxy
Include improvements
@inclunde expressions is now more powerful. More information here File inclusion
Chain authenticator updates
Execution order can now be configured using "order" attribute for each entry in "chain". See more on Chain
CVE updates
Updating underlying building blocks, both front and backend, in order to keep CVE risks at a minimum.
List of used components and known CVE's is available on request.
3.0.1
Request throttling
Improved handling of request management on request flooding.
Changed product name in CEF
New name is Access
Unsolicited saml logins
SAML idp now can have a default sp configured.
Task authenticator update
Button added for manual app-switch.
Simplified handling of overriding translation in authenticator
By introcucing scopes in translation files all translation/overrdides now can be in one locales file.
Start up order of modules updated
All modules used for enxternal communication now starts in node group "first". Rest is in default.
Bug fixes
Handling multiple OP's now works
Error SSO between protocols fixed
Using FrejaID on same device now returns to same browser tab
3.0.0
New valve - GUIDToString
Valve to create a string format GUID ("b9d663ed-50dc-4260-b37e-147a62caa7f6") from the internal 16 byte binary representation used by AD / EntraID.
New valve - Base64Converter
Converts a base 64 value to another representation
SithsWithQr updates
Changed default behaviour, assuming using card reader instead of mobile app.
Improvement saml metadata loading
In previous version broken cash data stops server.
Set custom HTTP security headers
CSP, HSTS,XFO can now be set manually.
Improvement information endpoint module
logout now is attached to installation allowing for overriding logout look and feel.
AD binary attributes are now supported
UI updates
A number of UI improvements for a smoother user experience.
CVE updates
Updating underlying building blocks, both front and backend, in order to keep CVE risks at a minimum.
Bug fixes
#268 errors are not sent back to calling SAML IDP