Release notes
These notes highlight the most important items in each release. For in-depth detail, contact Fortified ID.
3.2.2 (this release)
Support for M2M Flows
We have added support for machine-to-machine (M2M) integrations through the client_credentials flow.
This enables trusted clients to obtain access tokens without end-user involvement, making it easier to support backend services and automated system-to-system communication.
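The exchange behind a client_credentials integration, as an added example that is not code from the release or from Fortified ID: a generic RFC 6749 §4.4 client that builds the token request (client_secret_basic, secret in the Authorization header only) and validates the reply. The token endpoint URL, the client id/secret and the sample response are assumptions constructed for the example; the checks on token_type and on an unexpected refresh_token are the ones a backend service should make before trusting the token.

```python
import base64
import json
from urllib.parse import quote, urlencode

# Assumed token endpoint; the real path is deployment-specific and not given in the release notes.
TOKEN_ENDPOINT = "https://idp.example.com/oauth2/token"


def basic_credentials(client_id: str, client_secret: str) -> str:
    """client_secret_basic (RFC 6749 §2.3.1): form-urlencode each part, join with ':', Base64."""
    pair = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return base64.b64encode(pair.encode("utf-8")).decode("ascii")


def build_token_request(client_id: str, client_secret: str, scope: str):
    """Build the client_credentials grant request (RFC 6749 §4.4.2).

    Returns (url, headers, body). The secret travels only in the Authorization
    header, never in the query string, so it stays out of access logs.
    """
    headers = {
        "Authorization": "Basic " + basic_credentials(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return TOKEN_ENDPOINT, headers, body


def parse_token_response(status: int, body_text: str):
    """Validate the token endpoint reply (RFC 6749 §4.4.3 / §5.1).

    Returns (access_token, expires_in_seconds, warnings). Raises RuntimeError
    on an error response or a malformed success response.
    """
    try:
        data = json.loads(body_text)
    except ValueError as exc:
        raise RuntimeError(f"token endpoint returned non-JSON body: {exc}") from exc
    if status != 200:
        raise RuntimeError(
            f"token request failed ({status}): {data.get('error', '?')} "
            f"{data.get('error_description', '')}".strip()
        )
    if not isinstance(data.get("access_token"), str) or not data["access_token"]:
        raise RuntimeError("success response without access_token")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise RuntimeError(f"unexpected token_type {data.get('token_type')!r}")
    warnings = []
    expires_in = data.get("expires_in")
    if not isinstance(expires_in, int) or expires_in <= 0:
        warnings.append("no usable expires_in; treat the token as short-lived")
        expires_in = 0
    # For client_credentials a refresh token SHOULD NOT be issued (RFC 6749 §4.4.3);
    # receiving one usually means the client is registered with the wrong grant types.
    if "refresh_token" in data:
        warnings.append("refresh_token issued on client_credentials grant; review client registration")
    return data["access_token"], expires_in, warnings


if __name__ == "__main__":
    url, headers, body = build_token_request("svc-backend", "s3cr3t", "read:users")
    print("POST", url)
    print(headers["Authorization"], "|", body)
    # Constructed sample reply, not captured from a real server.
    sample = json.dumps({"access_token": "opaque-token-123", "token_type": "Bearer", "expires_in": 300})
    print(parse_token_response(200, sample))
```

Sending the request is deliberately left to the caller's HTTP client: the security-relevant parts are how the credentials are carried and what is checked on the way back.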
New authenticator, EnrichIdentity
Simplifies identity enrichment.
ExternalFlow authenticator updates
Improved logging
Configurable exports
Conditional execution
Compacted logging
Removed excessive trace output when logging an error
Exposed new JMX endpoints
Execute a PIPE with custom data.
Deploy and execute a PIPE with custom data.
These endpoints mainly target Management Center.
LDAPSearch valve improvements
Better multi-value attribute handling.
Impersonate updates
Conditional execution
Improved user selection
Improved error messaging
Enhanced validation and error handling when using a keystore in OIDCAuthCodeFlow.
Clearer log messages are now provided for misconfigured keystores. For example, if the configuration contains keystore: "${globals.keystore_oidc}" and the referenced keystore is misconfigured, the login attempt fails with an explicit error message instead of a generic log entry without a cause.
Simplified HttpClient keystore configuration
When HttpClient is configured with a keystore containing only one alias, that alias is now used automatically.
If no private key password is provided, the keystore password is used by default.
Improved error reporting for invalid authenticator path
Fixed issue where an invalid authenticator path (e.g. ${globals.default_login_suffix}) caused module startup failures with limited diagnostic information.
Log messages now clearly indicate which authenticator caused the error, making it easier to identify and correct misconfiguration without having to manually inspect all authenticators.
Improved Freja eID accessibility compliance
Freja eID integration has been updated to better meet accessibility requirements, ensuring a more inclusive and user-friendly authentication experience.
Correct JSON typing in JsonObjectCreate
Fixed an issue where arrays and objects were stringified; for example, roles now remains a JSON array and act_as remains a JSON object in the output.
Safe interpolation of dynamic fields: unresolved expressions no longer create empty keys/values; such entries are skipped with a clear warning.
Improved diagnostics: logs now include the exact claim path and key when interpolation fails.
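The three JsonObjectCreate behaviours above (native JSON types preserved, unresolved expressions skipped rather than emitted as empty keys or values, and a warning that names the exact claim path and key), as an added example that is not the product's own code: a small template renderer written for this page. The ${dotted.path} expression syntax, the template and the identity context are assumptions constructed for the example.

```python
import json
import re

# Expression syntax assumed for this example: a whole value of the form ${dotted.path}.
_EXPR = re.compile(r"^\$\{([A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)*)\}$")
_SKIP = object()  # sentinel meaning "drop this entry"


def _lookup(path: str, context: dict):
    """Resolve a dotted path against the context; return (found, value)."""
    current = context
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            return False, None
        current = current[part]
    return True, current


def _render(node, context, claim_path, warnings):
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            # A key may itself be dynamic; an unresolved key drops the whole entry.
            key_match = _EXPR.match(key)
            if key_match:
                found, resolved_key = _lookup(key_match.group(1), context)
                if not found or not isinstance(resolved_key, str):
                    warnings.append(f"{claim_path}: unresolved key expression {key}; entry skipped")
                    continue
                key = resolved_key
            rendered = _render(value, context, f"{claim_path}.{key}", warnings)
            if rendered is _SKIP:
                continue
            out[key] = rendered
        return out
    if isinstance(node, list):
        items = []
        for i, value in enumerate(node):
            rendered = _render(value, context, f"{claim_path}[{i}]", warnings)
            if rendered is not _SKIP:
                items.append(rendered)
        return items
    if isinstance(node, str):
        match = _EXPR.match(node)
        if match:
            found, value = _lookup(match.group(1), context)
            if not found:
                warnings.append(f"{claim_path}: unresolved expression {node}; entry skipped")
                return _SKIP
            return value  # native JSON type preserved: a list stays a list, a dict stays a dict
    return node


def build_claims(template, context):
    """Render a JSON template against a context without stringifying values or emitting empty keys.

    Returns (output, warnings); each warning carries the exact claim path and key.
    """
    warnings = []
    return _render(template, context, "$", warnings), warnings


# Constructed sample template and identity context (not taken from the product's configuration).
TEMPLATE = {
    "sub": "${user.id}",
    "roles": "${user.roles}",
    "act_as": "${delegation}",
    "department": "${user.department}",
    "${user.extra_key}": "never rendered",
}
CONTEXT = {
    "user": {"id": "alice", "roles": ["admin", "auditor"]},
    "delegation": {"sub": "bob", "reason": "on-call"},
}

if __name__ == "__main__":
    claims, warns = build_claims(TEMPLATE, CONTEXT)
    print(json.dumps(claims, indent=2))
    for w in warns:
        print("WARN", w)
```

Returning the warnings alongside the output keeps them testable; in a server they would go to the audit log, where the claim path is what lets an operator find the offending template entry without reading the whole configuration.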
Configurable TTL for UserInfo endpoint
Added support for configuring the TTL (time-to-live) of the UserInfo endpoint response.
Previously fixed at 60 seconds; now configurable.
Ordering support for Selector options
Added support for an order attribute to control how Selector options are presented.
Ensures predictable and meaningful sorting of options instead of relying on default ordering.
3.2.1
Swedish BankID QR code updates
Aligned with the revised QR code regulations for better usability and accessibility.
See https://www.bankid.com/tillgaenglighet-i-bankid/tillgangliga-qr-koder
3.2.0
LDAP valve improvements
Items are now handled more robustly, and multiple items are handled across all LDAP valves.
Missing log entry for unsolicited authentication
A log entry was missing when performing an unsolicited login.
Support for new Freja eID attributes
UNIQUE_PERSONAL_IDENTIFIER and LOA_LEVEL are now supported.
UI improvements in the Information endpoint module
UI fixes for Microsoft Edge on Windows.
Header whitelisting is now case-insensitive
Header names declared to be passed through to the service are now matched case-insensitively.
SAML metadata validation
Metadata loaded from a URL can now be validated against a certificate.
New authenticator
ExternalFlow authenticator added
Improved session security
The User-Agent is now fingerprinted. See https://docs.fortifiedid.se/common/server/http-listener#http-fingerprinting
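What binding a session to a User-Agent fingerprint buys, as an added example written for this page and not Fortified ID's implementation: the session store, the HMAC key and the sample User-Agent strings are assumptions. The session is created with a keyed hash of the User-Agent and is destroyed, not just refused, when the same session id is presented from a different User-Agent. Because the User-Agent is client-controlled, this only raises the cost of cookie theft (the attacker must also know the victim's User-Agent); it complements, and does not replace, Secure/HttpOnly/SameSite cookies and short session lifetimes.

```python
import hashlib
import hmac
import secrets

# Per-process key so a stored fingerprint cannot be precomputed from a known User-Agent.
# Assumption for this example; a real deployment would load it from configuration.
FINGERPRINT_KEY = secrets.token_bytes(32)


def fingerprint(user_agent: str, key: bytes = FINGERPRINT_KEY) -> str:
    """HMAC-SHA256 of the User-Agent; an absent header still yields a stable value."""
    ua = (user_agent or "").encode("utf-8", "replace")
    return hmac.new(key, ua, hashlib.sha256).hexdigest()


def create_session(store: dict, subject: str, user_agent: str) -> str:
    """Issue a random session id and bind it to the caller's User-Agent fingerprint."""
    session_id = secrets.token_urlsafe(32)
    store[session_id] = {"subject": subject, "fp": fingerprint(user_agent)}
    return session_id


def load_session(store: dict, session_id: str, user_agent: str):
    """Return the session only if the presenting User-Agent matches the one it was bound to.

    On mismatch the session is destroyed: a stolen cookie replayed from another
    client ends the session instead of hijacking it.
    """
    session = store.get(session_id)
    if session is None:
        return None
    if not hmac.compare_digest(session["fp"], fingerprint(user_agent)):
        store.pop(session_id, None)
        return None
    return session


if __name__ == "__main__":
    sessions = {}
    ua = "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
    sid = create_session(sessions, "alice", ua)
    print(load_session(sessions, sid, ua))           # session found
    print(load_session(sessions, sid, "curl/8.5.0"))  # None, and the session is gone
    print(sid in sessions)                            # False
```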
OIDC refresh token update
Refresh tokens can now be reused. This is the default behaviour when interacting with Microsoft Entra ID. Note that reusable refresh tokens give up the replay detection that one-time (rotating) refresh tokens provide, so enable reuse only where the peer requires it.
Include improvement
Deeply nested include structures previously behaved unexpectedly; this has been fixed.
CVE updates
Underlying components, both frontend and backend, have been updated to keep CVE exposure to a minimum.
3.1.0
Authenticators with more default values
All authenticators with a web UI now have default values for:
overlay_dir
web_root
This reduces configuration. See the authenticator documentation for the default values.
New authenticator SSOAuthenticator
Used for generic SSO login when the target does not support OIDC or SAML 2.0.
Default location for HTTP listener
When configured, the HTTP listener now handles requests to / by redirecting the user agent to a predefined target URL:
"redirect_url": "/userinfo/generic/"
Updated validation rules for incoming SAML assertions when brokering
Updated documentation can be found under SAML SP.
Source IP behind proxy
The source IP is now the actual calling client's address when the server is behind a proxy.
Include improvements
@include expressions are now more powerful. More information under File inclusion.
Chain authenticator updates
Execution order can now be configured using the "order" attribute on each entry in "chain". See Chain.
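How a server behind a proxy should recover the calling client's address, as an added example that is not the product's own code: X-Forwarded-For is believed only when the TCP peer is a trusted proxy, and the header is walked right to left so that entries the client itself injected are never taken as the source IP. The trusted proxy ranges and the sample addresses are assumptions constructed for the example.

```python
import ipaddress
from typing import Optional

# Assumed trusted reverse-proxy ranges; substitute the deployment's own.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.10/32")]


def _is_trusted(ip, trusted) -> bool:
    return any(ip in net for net in trusted)


def client_ip(peer_addr: str, forwarded_for: Optional[str], trusted=TRUSTED_PROXIES) -> str:
    """Derive the real client address from the TCP peer and X-Forwarded-For.

    The header is only believed when the TCP peer is a trusted proxy. Walking it
    right to left, each trusted hop vouches for the address to its left; the first
    address that is not a trusted proxy is the client, and everything further left
    was supplied by the client and may be forged.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not forwarded_for or not _is_trusted(peer, trusted):
        return str(peer)  # direct connection, or an untrusted peer trying to spoof via the header
    hops = [h.strip() for h in forwarded_for.split(",")]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed entry: refuse to trust the header at all
        if not _is_trusted(ip, trusted):
            return str(ip)
    return hops[0]  # the whole chain is internal; the leftmost entry is the originating host


if __name__ == "__main__":
    # Constructed sample connections (peer address, X-Forwarded-For header).
    print(client_ip("203.0.113.7", "198.51.100.9"))                        # 203.0.113.7: header ignored
    print(client_ip("10.0.0.2", "1.2.3.4, 198.51.100.9, 10.0.0.3"))        # 198.51.100.9: forged prefix dropped
    print(client_ip("10.0.0.2", None))                                     # 10.0.0.2
```

Logging the resolved address next to the raw peer address is worth doing for a while after enabling this, so that a misconfigured trusted-proxy list shows up as a mismatch in the logs rather than as rate limits applied to the proxy itself.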
CVE updates
Underlying components, both frontend and backend, have been updated to keep CVE exposure to a minimum.
A list of the components used and their known CVEs is available on request.
3.0.1
Request throttling
Improved handling of request flooding.
Changed product name in CEF
The product name in CEF output is now Access.
Unsolicited SAML logins
The SAML IdP can now have a default SP configured.
Task authenticator update
A button has been added for manual app switching.
Simplified handling of translation overrides in authenticators
By introducing scopes in translation files, all translations and overrides can now live in one locales file.
Startup order of modules updated
All modules used for external communication now start in the node group "first"; the rest start in the default group.
Bug fixes
Handling multiple OPs now works.
An error in SSO between protocols has been fixed.
Using Freja eID on the same device now returns to the same browser tab.
3.0.0
New valve - GUIDToString
Valve that creates a string-format GUID (e.g. "b9d663ed-50dc-4260-b37e-147a62caa7f6") from the internal 16-byte binary representation used by AD / Entra ID.
New valve - Base64Converter
Converts a Base64 value to another representation.
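The conversion the two valves above perform, as an added example written for this page and not the product's GUIDToString or Base64Converter implementation. The point worth seeing in code is the byte order: AD and Entra ID store the first three GUID fields little-endian, so the 16 bytes must be read with bytes_le; reading them as a big-endian RFC 4122 UUID gives a different, wrong GUID. The sample bytes are constructed from the page's own example GUID; the set of target representations is an assumption.

```python
import base64
import uuid


def guid_to_string(raw: bytes) -> str:
    """Render AD / Entra ID objectGUID bytes as the canonical GUID string.

    The first three GUID fields are stored little-endian ("mixed-endian"), so
    the bytes are read with bytes_le rather than as a big-endian UUID.
    """
    if len(raw) != 16:
        raise ValueError(f"objectGUID must be 16 bytes, got {len(raw)}")
    return str(uuid.UUID(bytes_le=raw))


def guid_to_string_naive(raw: bytes) -> str:
    """The common mistake: treating the bytes as big-endian. Shown only for contrast."""
    return str(uuid.UUID(bytes=raw))


def base64_convert(value: str, target: str) -> str:
    """Convert a Base64 value into another representation: hex, utf8 or guid."""
    raw = base64.b64decode(value, validate=True)  # validate=True rejects non-alphabet characters
    if target == "hex":
        return raw.hex()
    if target == "utf8":
        return raw.decode("utf-8")
    if target == "guid":
        return guid_to_string(raw)
    raise ValueError(f"unsupported target {target!r}")


# Constructed sample: the page's example GUID encoded the way AD would return it.
SAMPLE_GUID = "b9d663ed-50dc-4260-b37e-147a62caa7f6"
SAMPLE_BYTES = uuid.UUID(SAMPLE_GUID).bytes_le
SAMPLE_B64 = base64.b64encode(SAMPLE_BYTES).decode("ascii")

if __name__ == "__main__":
    print(SAMPLE_BYTES.hex())                  # ed63d6b9dc506042b37e147a62caa7f6
    print(guid_to_string(SAMPLE_BYTES))        # b9d663ed-50dc-4260-b37e-147a62caa7f6
    print(guid_to_string_naive(SAMPLE_BYTES))  # ed63d6b9-dc50-6042-b37e-147a62caa7f6 (wrong)
    print(base64_convert(SAMPLE_B64, "guid"))  # b9d663ed-50dc-4260-b37e-147a62caa7f6
```

The naive form is what an LDAP client gets when it formats objectGUID with a generic UUID routine; the resulting identifier will never match the GUID shown in AD tooling or in Entra ID, which is the bug a dedicated valve exists to prevent.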
SithsWithQr updates
The default behaviour now assumes a card reader is used instead of the mobile app.
Improved SAML metadata loading
In the previous version, broken cached data stopped the server.
Set custom HTTP security headers
CSP, HSTS and X-Frame-Options (XFO) headers can now be set manually.
Improved Information endpoint module
Logout is now attached to the installation, allowing the logout look and feel to be overridden.
AD binary attributes are now supported
UI updates
A number of UI improvements for a smoother user experience.
CVE updates
Underlying components, both frontend and backend, have been updated to keep CVE exposure to a minimum.
Bug fixes
#268: errors were not sent back to the calling SAML IdP.