9.5 Release Notes

Upgrade Notes

  • A by-product of introducing Proxy SP consents, is that the Consent table requires a significant update. This may increase the execution time of the Database upgrade scripts.  We can provide a DB script that will remove all expired consents, decreasing the duration of the upgrade.
    There is now also a visual indication on the upgrade page that the upgrade is still ongoing, or finished.
  • HTTP/2 will be removed from the installer options as nginx/openresty confirmed, due to issues with http/2, they deactivated it for some ngx api calls.  This is why we see the response "http2 requests not supported yet" when we hit a call to one of these APIs.  We will monitor the issue further on nginx, but until then this will be disabled in the next releases of TB installer.


Certificate Management

Several important additions have been made to certificates, facilitating a more secure handling of the private keys and certificates.

  • Certificates encrypted with a passphrase can now be imported.
  • Certificate Signing Requests (CSR's) can be generated in the IDHub Admin portal and exported. The signed certificates can be imported back into IDHub (TB-4952)
  • All Certificate formats can now be imported (note: this does not include Keystores)

Consents on Proxy SP's

  • IDHub can now enforce user consent when a proxy SP requires user information (TB-5445)
  • Given consents can now be seen and revoked from the API and Self-service portal (TB-5431)

Audit events on Admin changes

  • Added an event type that registers configuration changes made in the Administration portal and via API (TB-5552)
  • Added event type that creates an event when an admin makes changes to a user or password (TB-5805)

Parameter Mapping

  • Added a mechanism that allows the passing of parameter values from SP to IDP (for example, to pass the user's selected language) (TB-5533)

Token Exchange

  • Added support for accepting access tokens of external IDP's and workflow IDP's
  • Added support for a Token Exchange policy workflow, for advanced business logic

Json attribute Type

  • Added support for json attribute types; which are stored in the session, and can be used in workflows (TB-4034)


  • Template changes:
    • Added a user initiated password change template (TB-6123)
    • Reworked the User registration template (TB-5631)
  • TBA Changes:
    • Added ChangePasswordRequest for user to LDAP adapter (TB-6062)
    • Added Server Authentication support for SMTP Adapter (TB-5998)
    • Extended the RADIUS adapter to send optional NASIPAddress
    • Extended the RADIUS adapter to support Called-Station-ID
    • Added "Max header size" to the HTTP adapter (TB-5822)
  • OAuth and OpenID Connect changes:
    • The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery) MUST now exactly match the value of the iss (issuer) Claim. (TB-5740)
    • OAuth Service Providers can now also use a signed request object which will be checked against their JWKS  (TB-5985)
    • Added a request_uri and redirect_uri to the OIDC Service (TB-5621)
  • Enabled configuration changes on built-in SP's, which were previously locked (TB-5209)
  • Updated OpenResty to (TB-6130)
  • Reviewed and fixed several instances where input text was unnecessarily sanitized (TB-6190)
  • Added a setting that can enable or disable experimental features (currently this is only "configurations", "servers" and the "new workflow designer") (TB-6067)
  • Added the ability to customize the authentication message in TB 4 Mobile (TB-5969)
  • Added the internal password hashing algorithm Argon2 (TB-5952)
  • Removed the "Access Token TTL" setting from the general settings (TB-5934)
  • It's now possible to give consent to individual Scopes, instead of defaulting to all requested scopes. (TB-5920)
  • Added an index on Principal_pa.value (TB-5714)
  • Updated the default 40x and 50x pages on the gateway (TB-5663)
  • Made it impossible to run a database schema downgrade with Ansible (TB-4865)
  • Added a setting to clear the session on a IDP_WRONG_USER error (TB-6200)
  • Extended the list of default TLS Ciphers for SAML Artifact resolution (TB-6327)
  • Added Custom Request parameters of OAuth requests to the SP Request parameter in workflows (TB-6402)
  • Added an auto-reconnect to REDIS
  • Added a function for TB 4 Mobile OTP check
  • Exposed the Digipass TokenResetRequest in the API
  • The Self-Service API has been updated with regards to consent
  • SAML SP: Redirect Binding now supported with signature validation
  • Digipass challenge response API now uses the mode instead of the application name


  • OpenIDConnect: Fixed an issue where an Access Denied was not returned in case of a "form_post" response mode (TB-5833)
  • Scope is no longer required when refreshing OAuth 2.0 token (TB-6065)
  • Fixed a scrolling issue the TBA script editor (TB-5943)
  • Reduced logging information when using incorrect parameters at login (TB-5691)
  • Fixed an issue in Digipass, where sometimes a blocked token could still be used to authenticate (TB-5960)
  • Fixed an issue in Digipass, where sometimes blocking a user resulted in an exception (TB-5955)
  • Fixed an issue in Digipass, where unlocking could result in an error (TB-6096)
  • Fixed an issue where using the function setSessionVariable resulted in an error (TB-5829)
  • Fixed an issue when the User Threshold setting was too high would result in an error during authentication (TB-5926)
  • Fixed an issue in TB 4 Mobile where OTP codes starting with a 0 would not be accepted (TB-5966)
  • Fixed an issue that prevented mobile tokens from being deleted in the Admin UI (TB-5665)
  • Fixed an issue that could prevent the Kerberos service from starting (TB-6068)
  • Fixed an issue where gateway config variables would not bind to a vhost (TB-5885)
  • Fixed an issue in the Gateway, where the accessing call to authorization server ignores the result of the retry call (TB-6033)
  • Fixed an issue where sometimes the hostname of a proxy location could not be set (TB-5967)
  • Fixed an issue when unlinking a Digipass token with an UL Blob (TB-6089)
  • Fixed an issue where V2 Digipass tokens could not be unlocked via file import (TB-6032)
  • Fixed an issue when SAML Push gave an internal error if the relayState parameter is not in whitelist (TB-6018)
  • You can now return complex cookies from IDP workflows, just like in other workflows  (TB-5977)
  • Fixed an issue where the location parameter was lost in a SAML logout (TB-6203)
  • Fixed an issue in the Application Rules; where underlying rule definitions (eg. Scopes)  were ignored if there were no rules defined (eg. user is authenticated). (TB-5784)
  • Fixed an issue where a default template contained an XSS issue (TB-6072)
  • Fixed an issue that occurred because spaces were allowed in Attribute Set names. Spaces are no longer allowed (TB-6241)
  • Fixed an issue so the authenticationContext parameter is now optional  on the idhubauthenticate endpoint. (TB-6424)
  •  Fixed an issue where OAuth Token Exchange did not accept multiple audience and resource request parameters (TB-6358)

New Workflow Designer

This feature is added as Experimental. To use, please enable "Experimental Features" in the Settings.

The new workflow designer will ultimately replace TBA, but is still considered experimental functionality in this release, and it is not meant for use in Production environments.

  • Overriding properties
    Overriding properties allow to define different values to certain properties when exporting a configuration.
  • Server Management
    Allows the definition of servers which will execute the workflows. Workflows are grouped into configurations, which are in turn exported to servers.
  • Script Editor
    Some extra effort has been put into the usability of the script editor and the validation of the scripts.

Release Candidate 2

After the initial release candidate, a couple of issues were found in the OAuth Token Exchange flow.  

These changes include the handling of multiple audience and resource parameters.  Besides that, we made some improvements to the logic that validates the parameters in the request and which are passed in the resulting access tokens.

These issues required a few changes, which includes database changes and the update of some libraries.

Therefore, when installing Release Candidate 2 on an existing 9.5.0 test version, the full upgrade procedure must be followed.  


  • Fixed an issue where token exchange grant would be denied if there was no consent, even if this scope did not require consent (TB-6511)


  • Fixed an issue where a successful internal IDP authentication could result in a nullpointer exception (TB-6538)
  • Fixed an issue where a digipass call would incorrectly validate the status during an activation call. (TB-6544)
  • Fixed an issue when using SAML Push with an encrypted relayState (TB-6567)


  • Fixed an issue where IDHub could not dynamically determine a SAML Entity ID (TB-6564)
  • Fixed an issue in the gateway where using a cookie with an empty or non-existent session ID caused unexpected behavior (TB-6592)
  • Fixed an issue where user attributes were not added to the token in a token exchange flow (TB-6574)
  • Fixed an issue where the id_token was sent as an array on reponse_type form_post (TB-6606)
  • Fixed an issue in SAML Artifact resolution when 2 IDP's are using the same Artifact binding (TB-6607)
  • Added an option to add a header value to every line in the Tomcat logs for http based actions  (TB-6608)


  • It is now possible to generate SAML metadata with certificates s to be used in the future (TB-6798)
  • Added PBKDF2 to the Encryption Service (TB-6736)
  • Added an auditlog for which SP the incoming request is (TB-6641)

  • Fixed an issue in OpenID where the prompt=none parameter wasn't handled properly (TB-6673)

  • Fixed an issue in Authentication Requests without relaystate, which responded an incorrect relaystate parameter (TB-6650)

  • Fixed an issue in which access tokens with empty multi-value properties were shown as empty array. Now they are ommitted (TB-6593)

  • Fixed an issue with the changing of scope configurations between OAuth and OpenID Connect (TB-6510)

Was this article helpful?
0 out of 0 found this helpful



Please sign in to leave a comment.