This page highlights the most important items in each release. For in-depth detail, contact Fortified ID.
3.5.0
Freja eID
Animated QR code
Support for animated QR codes has been added to the Freja eID authenticator, following the updated Freja eID specification.
Improved timeout handling
When a Freja eID authentication request times out, the user now stays on the current view and receives a clear error message. Previously the user was immediately redirected to the start page with no feedback. This aligns the behavior with BankID.
SAML
SAMLSPBroker – redirect to failure_location on SAML errors
SAMLSPBroker can now be configured to redirect to a failure_location when a SAML Responder status error is received (for example a canceled request). Previously these errors resulted in a generic 400 Bad Request response.
SAML SP – fixed assertion fall-through on missing nameId
If a nameId cannot be resolved during SAML SP authentication, the flow no longer falls through to the IdP default assertion. Authentication now stops at the SAML SP object and an error is written to the log.
Impersonate
Cancel button
A cancel button is now present in both the Impersonate and Impersonate with search authenticators.
Pipes and valves
ItemCreate – support for JSON array properties
ItemCreate now supports setting properties whose values expand to a JSON array. Previously, achieving this required the extra step of using a separate ItemPropertyAdd valve.
Pipe display name in logs
When a pipe writes to the system log, the display_name of the pipe is now used as the log entry name if one is configured. If no display_name is set, the existing behavior is preserved.
Valve default configuration updates
Default configurations have been updated for the following valves to ensure all parameters are visible and consistent in the administration interface:
CreateJwt
HttpDelete
HttpGet
ParseJwt
DnParser
InstantToMsDateTransformer
MsDateToInstantTransformer
GenerateOtp
ValidateOtp
InstantGenerator
Bug fixes
CefEventValve (#568): Fixed a startup error where EventPublisher could not be injected into CefEventValve.
Selector without label (#580): Fixed an issue where a Selector authenticator without a configured display label rendered nothing in the browser with no error.
3.4.0
LDAPSearch
Improved handling of multi-value attributes when omitting requested return attributes or using "*".
Heartbeat improvement
The heartbeat endpoint can now be configured to read a JSON file. The file is read on every GET request; no data is cached.
OIDC claims generation update
Improved handling of claim expansion, including multi-valued attributes.
Improved certificate PEM parsing
PEM parsing can now handle certificates without PEM start or end tags.
OIDC Implicit flow authenticator updates
Now aligns with the code flow authenticator.
Require signed auth requests
It is now possible to require signed SAML authentication requests per application. This is configured on the application.
Implicit flow access token update
Access tokens can now be issued as JWTs.
OIDC error handling update
Errors in OIDC authentication are now sent back to the calling OP.
Valve default configuration update
A number of valves have new default configuration.
On mobile devices, OTP entry now presents digits only.
CVE updates
Updating underlying building blocks, both front and backend, in order to keep CVE risks at a minimum.
3.3.0
SAML Application & profile
Moving toward a more application-centric configuration, SAML applications now include extended customisation options. This provides an easier and more flexible way to configure any custom behavior required by a SAML Service Provider (SP).
Applications with similar requirements can be grouped using profiles.
Application tag
OIDC RPs, SAML profiles, and SAML applications can now include application tags: one or more labels attached to the authentication state during login. The purpose of application tags is to enable conditional execution based on the application context. In combination with the user context, this provides powerful and flexible conditional handling while simplifying administration.
OIDC improvements
If opaque access tokens are used, the access_token_claims parameter must not be set as mandatory.
The nonce value must always be included in the id_token JWT if it was present in the authentication request.
If the RP sends a nonce, the OP must echo it back in the ID Token.
It must never appear in Access Tokens or UserInfo responses.
access_token_claims is now used exclusively for claims included in JWT-formatted Access Tokens.
A new configuration parameter, userinfo_claims, has been introduced to define the data returned by the UserInfo endpoint when using opaque Access Tokens.
OIDC Relying Parties now support verification of JWTs signed with:
RSA: RS256, RS384, RS512, PS256, PS384, PS512
ECDSA: ES256, ES384, ES512
EdDSA: OKP / Ed25519
Previously, only RS256 and RS512 were supported.
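The list above is exactly the set an RP-side verifier has to handle, and the security-relevant part is not the signature arithmetic but what the verifier does with the alg header. The following Go program is an added illustration, not code from Fortified ID Access: VerifyJWS accepts an alg only from a fixed allow-list and then binds it to the type of the key the RP actually holds (RSA for RS*/PS*, the exact curve for ES*, Ed25519 for EdDSA), so a token can never steer the verifier onto a different or weaker algorithm. SignJWS exists only so the program can mint tokens to check; the function names, the sample claims and the ES256 key in main are this example's own, and only Go's standard library is used.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha256" // registers SHA-256 with crypto.Hash
	_ "crypto/sha512" // registers SHA-384 and SHA-512
	"encoding/asn1"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Hash behind each accepted JOSE alg (EdDSA hashes internally). The key type is checked
// separately, so the token header alone can never select an alg the key was not issued for.
var algHash = map[string]crypto.Hash{
	"RS256": crypto.SHA256, "RS384": crypto.SHA384, "RS512": crypto.SHA512,
	"PS256": crypto.SHA256, "PS384": crypto.SHA384, "PS512": crypto.SHA512,
	"ES256": crypto.SHA256, "ES384": crypto.SHA384, "ES512": crypto.SHA512, "EdDSA": 0,
}

// Curve each ECDSA alg requires; RFC 7518 likewise fixes the PSS salt length to the hash length.
var esCurve = map[string]elliptic.Curve{"ES256": elliptic.P256(), "ES384": elliptic.P384(), "ES512": elliptic.P521()}
var pss, b64 = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}, base64.RawURLEncoding

func digest(h crypto.Hash, data []byte) []byte { hh := h.New(); hh.Write(data); return hh.Sum(nil) }

// VerifyJWS checks a compact JWS against pub and returns its claims. The alg named in the
// header is honoured only if it is on the allow-list and matches the key actually presented.
func VerifyJWS(token string, pub crypto.PublicKey) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("malformed compact JWS") }
	var raw [3][]byte // decoded header, payload, signature
	for i, p := range parts {
		d, err := b64.DecodeString(p)
		if err != nil { return nil, fmt.Errorf("part %d: %w", i, err) }
		raw[i] = d
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(raw[0], &hdr); err != nil { return nil, err }
	h, ok := algHash[hdr.Alg]
	if !ok { return nil, fmt.Errorf("alg %q not allowed", hdr.Alg) }
	input, sig := []byte(parts[0]+"."+parts[1]), raw[2]
	var matched, valid bool // matched: alg fits this key type; valid: the signature checks out
	switch k := pub.(type) {
	case *rsa.PublicKey:
		d, rs, ps := digest(h, input), strings.HasPrefix(hdr.Alg, "RS"), strings.HasPrefix(hdr.Alg, "PS")
		matched = rs || ps
		valid = (rs && rsa.VerifyPKCS1v15(k, h, d, sig) == nil) || (ps && rsa.VerifyPSS(k, h, d, sig, pss) == nil)
	case *ecdsa.PublicKey:
		n := (k.Curve.Params().BitSize + 7) / 8 // JWS ECDSA signatures are raw r||s, n bytes each
		matched = esCurve[hdr.Alg] == k.Curve
		valid = matched && len(sig) == 2*n &&
			ecdsa.Verify(k, digest(h, input), new(big.Int).SetBytes(sig[:n]), new(big.Int).SetBytes(sig[n:]))
	case ed25519.PublicKey:
		matched = hdr.Alg == "EdDSA"
		valid = matched && ed25519.Verify(k, input, sig)
	default:
		return nil, errors.New("unsupported key type")
	}
	if !matched { return nil, fmt.Errorf("alg %s does not match the key type", hdr.Alg) }
	if !valid { return nil, errors.New("signature invalid") }
	var claims map[string]any
	return claims, json.Unmarshal(raw[1], &claims)
}

// SignJWS mints a compact JWS with priv (*rsa.PrivateKey, *ecdsa.PrivateKey or ed25519.PrivateKey).
// An RP only verifies; this helper exists so the example can produce tokens to check.
func SignJWS(claims map[string]any, priv crypto.Signer, alg string) (string, error) {
	h, ok := algHash[alg]
	if !ok { return "", fmt.Errorf("alg %q not allowed", alg) }
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	msg, opts := []byte(input), crypto.SignerOpts(h) // pure Ed25519 signs the whole input with hash 0
	if h != 0 { msg = digest(h, msg) }
	if strings.HasPrefix(alg, "PS") { opts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: h} }
	sig, err := priv.Sign(rand.Reader, msg, opts)
	if err != nil { return "", err }
	if k, ok := priv.(*ecdsa.PrivateKey); ok { // ECDSA signs as ASN.1 DER; JWS wants raw r||s
		var rs struct{ R, S *big.Int }
		if _, err = asn1.Unmarshal(sig, &rs); err != nil { return "", err }
		n := (k.Curve.Params().BitSize + 7) / 8
		sig = append(rs.R.FillBytes(make([]byte, n)), rs.S.FillBytes(make([]byte, n))...)
	}
	return input + "." + b64.EncodeToString(sig), nil
}

func main() { // constructed demo: mint an ES256 token, then verify it with the matching public key
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tok, _ := SignJWS(map[string]any{"sub": "alice", "nonce": "n-1"}, key, "ES256")
	fmt.Println(VerifyJWS(tok, &key.PublicKey))
}
```

At a real RP the public key comes from the OP's published JWKS or metadata, and a token signed with one key type must fail under any other, including an ES256 token presented to a P-384 key; VerifyJWS only proves the signature, so the iss, aud, exp checks and the nonce comparison described in the OIDC notes above are still applied to the claims it returns.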
Event log updates
The vast majority of authenticators have been updated to provide clearer and more comprehensive log entries. The ID of the configured authenticator is now included to improve traceability in multi-tenant environments. Logging clarity improvements have also been implemented.
SAML SPBroker – Configurable RequestedAuthnContext Support
SPBroker now supports configurable inclusion of a specific AuthnContextClassRef in the generated AuthnRequest.
Added support for controlling whether the AuthController should execute based on the exec_if condition. This allows more flexible and configurable authentication flow handling.
Selector – Optimised behavior for SSO Sessions with lazy_expiry
Enhanced the selector logic for SSO scenarios where the user has already authenticated and lazy_expiry is enabled.
Previously, when "expiry": "PT1S" was configured, the selector always prompted the user to choose an authentication method again, treating it as a new authentication.
With this update, when used in combination with lazy_expiry, the selector now evaluates whether the previously used method is still among the available options.
If it is, that method is automatically marked as executed (pass-through) without requiring re-authentication.
If it is not available, the user must select a new method (if multiple options exist) or is automatically routed through the only available method.
Broadcom SiteMinder – Updated Direct Integration Handling
Now includes fully updated support for Broadcom SiteMinder (Agent API 12.8 and later). This update improves compatibility, reliability, and performance for environments integrating Fortified ID Access as an Identity Provider with SiteMinder. It enables seamless use of modern authentication methods (BankID, Freja eID, FIDO2, OIDC, SAML 2.0), simplifies migration from legacy components, and strengthens centralised policy and session management.
UI updates
A number of UI improvements for a smoother user experience.
CVE updates
Updating underlying building blocks, both front and backend, in order to keep CVE risks at a minimum.
Bug fixes
ExternalFlow – Corrected Export Value Propagation
Fixed an issue where ExternalFlow could reuse stale export values in generated JWTs, causing previously sent data (e.g., hk_eleg_pnr, givenname, surname) to persist between authentication sessions.
The update ensures that each new authentication sequence correctly includes current export values in the signed JWT sent to external targets such as Forms, without requiring an Access restart.
3.2.2
Support for M2M Flows
We have added support for machine-to-machine (M2M) integrations through the client_credentials flow.
This enables trusted clients to obtain access tokens without end-user involvement, making it easier to support backend services and automated system-to-system communication.
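What a client_credentials exchange looks like on the wire, as an added example rather than code from Fortified ID Access: NewDemoTokenServer is a constructed stand-in for an OP token endpoint that authenticates the client with HTTP Basic (client_secret_basic) and issues an opaque bearer token, and FetchM2MToken is the trusted backend client. The /token path, the client id billing-batch, the secret and the scope invoices.read are all assumptions made for this example; only Go's standard library is used.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// TokenResponse is the success body RFC 6749 section 5.1 defines for the token endpoint.
type TokenResponse struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
	ExpiresIn   int    `json:"expires_in"`
	Scope       string `json:"scope,omitempty"`
}

// NewDemoTokenServer is a stand-in OP token endpoint built for this example. It accepts only
// grant_type=client_credentials from a client that authenticates with HTTP Basic
// (client_secret_basic) and answers everything else with the RFC 6749 error codes.
func NewDemoTokenServer(clientID, clientSecret string) *httptest.Server {
	fail := func(w http.ResponseWriter, status int, code string) {
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(status)
		json.NewEncoder(w).Encode(map[string]string{"error": code})
	}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, secret, ok := r.BasicAuth()
		// Compare in constant time so response timing does not leak how much of the secret matched.
		if !ok || subtle.ConstantTimeCompare([]byte(id), []byte(clientID)) != 1 ||
			subtle.ConstantTimeCompare([]byte(secret), []byte(clientSecret)) != 1 {
			w.Header().Set("WWW-Authenticate", `Basic realm="token"`)
			fail(w, http.StatusUnauthorized, "invalid_client")
			return
		}
		if r.Method != http.MethodPost || r.FormValue("grant_type") != "client_credentials" {
			fail(w, http.StatusBadRequest, "unsupported_grant_type")
			return
		}
		tok := make([]byte, 32) // opaque, random bearer token; an OP may issue a JWT instead
		if _, err := rand.Read(tok); err != nil {
			fail(w, http.StatusInternalServerError, "server_error")
			return
		}
		w.Header().Set("Content-Type", "application/json")
		w.Header().Set("Cache-Control", "no-store") // RFC 6749 section 5.1: token responses are not cached
		json.NewEncoder(w).Encode(TokenResponse{AccessToken: hex.EncodeToString(tok), TokenType: "Bearer", ExpiresIn: 300, Scope: r.FormValue("scope")})
	}))
}

// FetchM2MToken is the trusted backend client's side of the grant: no browser and no user,
// just the client's own credentials exchanged for a bearer token it can present to an API.
func FetchM2MToken(tokenURL, clientID, clientSecret, scope string) (*TokenResponse, error) {
	form := url.Values{"grant_type": {"client_credentials"}}
	if scope != "" {
		form.Set("scope", scope)
	}
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret) // keeps the secret out of the body, the URL and access logs
	resp, err := (&http.Client{Timeout: 5 * time.Second}).Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		var e struct{ Error string `json:"error"` }
		_ = json.NewDecoder(resp.Body).Decode(&e)
		return nil, fmt.Errorf("token endpoint returned %d: %s", resp.StatusCode, e.Error)
	}
	var tr TokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return nil, err
	}
	if tr.AccessToken == "" || !strings.EqualFold(tr.TokenType, "Bearer") {
		return nil, errors.New("token response lacks a bearer access_token")
	}
	return &tr, nil
}

func main() {
	srv := NewDemoTokenServer("billing-batch", "constructed-demo-secret") // constructed credentials
	defer srv.Close()
	tr, err := FetchM2MToken(srv.URL+"/token", "billing-batch", "constructed-demo-secret", "invoices.read")
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s token for scope %q, expires in %ds\n", tr.TokenType, tr.Scope, tr.ExpiresIn)
}
```

The client sends its secret only in the Authorization header, never in the form body or query string, and treats anything other than a 200 with a Bearer access_token as a failure; the stand-in endpoint answers a bad secret or unknown client with invalid_client and any other grant with unsupported_grant_type, which is the shape of response a backend integration should expect from an OP.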
Enhanced validation and error handling when using a keystore in OIDCAuthCodeFlow.
Clearer log messages are now provided for misconfigured keystores. For example, if the configuration contains keystore: "${globals.keystore_oidc}", the login attempt will fail with an explicit error message instead of a generic log entry without cause.
Simplified HttpClient keystore configuration
When HttpClient is configured with a keystore containing only one alias, that alias is now used automatically.
If no private key password is provided, the keystore password will be used by default.
Improved error reporting for invalid authenticator path
Fixed an issue where an invalid authenticator path (e.g. ${globals.default_login_suffix}) caused module startup failures with limited diagnostic information.
Log messages now clearly indicate which authenticator caused the error, making it easier to identify and correct misconfiguration without having to manually inspect all authenticators.
Improved Freja eID accessibility compliance
Freja eID integration has been updated to better meet accessibility requirements, ensuring a more inclusive and user-friendly authentication experience.
Correct JSON typing in JsonObjectCreate
Fixed an issue where arrays and objects were stringified; roles now remains a JSON array and act_as remains a JSON object in the output.
Safe interpolation of dynamic fields: unresolved expressions no longer create empty keys/values; such entries are skipped with a clear warning.
Improved diagnostics: logs now include the exact claim path and key when interpolation fails.
Configurable TTL for UserInfo endpoint
Added support for configuring the TTL (time-to-live) of the UserInfo endpoint response.
Previously fixed to 60 seconds; now customizable via configuration.