When on a mobile, entering OTP will present digits only.
CVE updates
Updating underlying building blocks, both front and backend, in order to keep CVE risks at a minimum.
3.3.0
SAML Application & profile
Moving toward a more application-centric configuration, SAML applications now include extended customisation options. This provides an easier and more flexible way to configure any custom behavior required by a SAML Service Provider (SP). SAML application
For applications with similar requirements, they can be grouped using profiles. SAML profile
Application tag
OIDC RPs, SAML profiles, and SAML applications can now include application tags — one or more labels attached to the authentication state during login. The purpose of application tags is to enable conditional execution based on the application context. n combination with the user context, this provides powerful and flexible conditional handling while simplifying administration.
OIDC improvements
If opaque access tokens are used, the access_token_claims parameter must not be set as mandatory.
The nonce value must always be included in the id_token JWT if it was present in the authentication request.
If the RP sends a nonce, the OP must echo it back in the ID Token.
It must never appear in Access Tokens or UserInfo responses.
access_token_claims is now used exclusively for claims included in JWT-formatted Access Tokens.
A new configuration parameter, userinfo_claims, has been introduced to define the data returned by the UserInfo endpoint when using opaque Access Tokens.
OIDC Relying Parties now support verification of JWTs signed with:
RSA: RS256, RS384, RS512, PS256, PS384, PS512
ECDSA: ES256, ES384, ES512
EdDSA: OKP / Ed25519
Previously, only RS256 and RS512 were supported.
Event log updates
The vast majority of authenticators have been updated to provide clearer and more comprehensive log entries. The ID of the configured authenticator is now included to improve traceability in multi-tenant environments. Logging clarity improvements have also been implemented.
SAML SPBroker – Configurable RequestedAuthnContext Support
SPBroker now supports configurable inclusion of a specific AuthnContextClassRef in the generated AuthnRequest.
Added support for controlling whether the AuthController should execute based on the exec_if condition.This allows more flexible and configurable authentication flow handling.
Selector – Optimised behavior for SSO Sessions with lazy_expiry
Enhanced the selector logic for SSO scenarios where the user has already authenticated and lazy_expiry is enabled.
Previously, when "expiry": "PT1S" was configured, the selector always prompted the user to choose an authentication method again, treating it as a new authentication.
With this update, when used in combination with lazy_expiry, the selector now evaluates whether the previously used method is still among the available options.
If it is, that method is automatically marked as executed (pass-through) without requiring re-authentication.
If it is not available, the user must select a new method (if multiple options exist) or is automatically routed through the only available method.
Broadcom SiteMinder – Updated Direct Integration Handling
Now includes fully updated support for Broadcom SiteMinder (Agent API 12.8 and later).This update improves compatibility, reliability, and performance for environments integrating Fortified ID Access as an Identity Provider with SiteMinder.It enables seamless use of modern authentication methods (BankID, Freja eID, FIDO2, OIDC, SAML 2.0), simplifies migration from legacy components, and strengthens centralised policy and session management.
UI updates
A number of UI improvements for a smoother user experience.
CVE updates
Updating underlying building blocks, both front and backend, in order to keep CVE risks at a minimum.
Bug fixes
ExternalFlow – Corrected Export Value Propagation
Fixed an issue where ExternalFlow could reuse stale export values in generated JWTs, causing previously sent data (e.g., hk_eleg_pnr, givenname, surname) to persist between authentication sessions.
The update ensures that each new authentication sequence correctly includes current export values in the signed JWT sent to external targets such as Forms, without requiring an Access restart.
3.2.2
Support for M2M Flows
We have added support for machine-to-machine (M2M) integrations through the client_credentials flow.
This enables trusted clients to obtain access tokens without end-user involvement, making it easier to support backend services and automated system-to-system communication.
Enhanced validation and error handling when using a keystore in OIDCAuthCodeFlow.
Clearer log messages are now provided for misconfigured keystores. For example, if the configuration contains keystore: "${globals.keystore_oidc}", the login attempt will fail with an explicit error message instead of a generic log entry without cause.
Simplified HttpClient keystore configuration
When HttpClient is configured with a keystore containing only one alias, that alias is now used automatically.
If no private key password is provided, the keystore password will be used by default.
Improved error reporting for invalid authenticator path
Fixed issue where an invalid authenticator path (e.g. ${globals.default_login_suffix}) caused module startup failures with limited diagnostic information.
Log messages now clearly indicate which authenticator caused the error, making it easier to identify and correct misconfiguration without having to manually inspect all authenticators.
Improved Freja eID accessibility compliance
Freja eID integration has been updated to better meet accessibility requirements, ensuring a more inclusive and user-friendly authentication experience.
Correct JSON typing in JsonObjectCreate
Fixed an issue where arrays/objects were stringified. roles now remains a JSON array and act_as remains a JSON object in the output.
Safe interpolation of dynamic fields: unresolved expressions no longer create empty keys/values; such entries are skipped with a clear warning.
Improved diagnostics: logs now include the exact claim path and key when interpolation fails.
Configurable TTL for UserInfo endpoint
Added support for configuring the TTL (time-to-live) of the UserInfo endpoint response.
Previously fixed to 60 seconds; now customizable via configuration.
