9.5 Release Notes

Upgrade Notes

  • A by-product of introducing Proxy SP consents, is that the Consent table requires a significant update. This may increase the execution time of the Database upgrade scripts.  We can provide a DB script that will remove all expired consents, decreasing the duration of the upgrade.
    There is now also a visual indication on the upgrade page that the upgrade is still ongoing, or finished.
  • HTTP/2 will be removed from the installer options as nginx/openresty confirmed, due to issues with http/2, they deactivated it for some ngx api calls.  This is why we see the response "http2 requests not supported yet" when we hit a call to one of these APIs.  We will monitor the issue further on nginx, but until then this will be disabled in the next releases of TB installer.


Certificate Management

Several important additions have been made to certificates, facilitating a more secure handling of the private keys and certificates.

  • Certificates encrypted with a passphrase can now be imported.
  • Certificate Signing Requests (CSR's) can be generated in the IDHub Admin portal and exported. The signed certificates can be imported back into IDHub (TB-4952)
  • All Certificate formats can now be imported (note: this does not include Keystores)

Consents on Proxy SP's

  • IDHub can now enforce user consent when a proxy SP requires user information (TB-5445)
  • Given consents can now be seen and revoked from the API and Self-service portal (TB-5431)

Audit events on Admin changes

  • Added an event type that registers configuration changes made in the Administration portal and via API (TB-5552)
  • Added event type that creates an event when an admin makes changes to a user or password (TB-5805)

Parameter Mapping

  • Added a mechanism that allows the passing of parameter values from SP to IDP (for example, to pass the user's selected language) (TB-5533)

Token Exchange

  • Added support for accepting access tokens of external IDP's and workflow IDP's
  • Added support for a Token Exchange policy workflow, for advanced business logic

Json attribute Type

  • Added support for json attribute types; which are stored in the session, and can be used in workflows (TB-4034)


  • Template changes:
    • Added a user initiated password change template (TB-6123)
    • Reworked the User registration template (TB-5631)
  • TBA Changes:
    • Added ChangePasswordRequest for user to LDAP adapter (TB-6062)
    • Added Server Authentication support for SMTP Adapter (TB-5998)
    • Extended the RADIUS adapter to send optional NASIPAddress
    • Extended the RADIUS adapter to support Called-Station-ID
    • Added "Max header size" to the HTTP adapter (TB-5822)
  • OAuth and OpenID Connect changes:
    • The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery) MUST now exactly match the value of the iss (issuer) Claim. (TB-5740)
    • OAuth Service Providers can now also use a signed request object which will be checked against their JWKS  (TB-5985)
    • Added a request_uri and redirect_uri to the OIDC Service (TB-5621)
  • Enabled configuration changes on built-in SP's, which were previously locked (TB-5209)
  • Updated OpenResty to (TB-6130)
  • Reviewed and fixed several instances where input text was unnecessarily sanitized (TB-6190)
  • Added a setting that can enable or disable experimental features (currently this is only "configurations", "servers" and the "new workflow designer") (TB-6067)
  • Added the ability to customize the authentication message in TB 4 Mobile (TB-5969)
  • Added the internal password hashing algorithm Argon2 (TB-5952)
  • Removed the "Access Token TTL" setting from the general settings (TB-5934)
  • It's now possible to give consent to individual Scopes, instead of defaulting to all requested scopes. (TB-5920)
  • Added an index on Principal_pa.value (TB-5714)
  • Updated the default 40x and 50x pages on the gateway (TB-5663)
  • Made it impossible to run a database schema downgrade with Ansible (TB-4865)
  • Added a setting to clear the session on a IDP_WRONG_USER error (TB-6200)
  • Extended the list of default TLS Ciphers for SAML Artifact resolution (TB-6327)
  • Added Custom Request parameters of OAuth requests to the SP Request parameter in workflows (TB-6402)
  • Added an auto-reconnect to REDIS
  • Added a function for TB 4 Mobile OTP check
  • Exposed the Digipass TokenResetRequest in the API
  • The Self-Service API has been updated with regards to consent
  • SAML SP: Redirect Binding now supported with signature validation
  • Digipass challenge response API now uses the mode instead of the application name


  • OpenIDConnect: Fixed an issue where an Access Denied was not returned in case of a "form_post" response mode (TB-5833)
  • Scope is no longer required when refreshing OAuth 2.0 token (TB-6065)
  • Fixed a scrolling issue the TBA script editor (TB-5943)
  • Reduced logging information when using incorrect parameters at login (TB-5691)
  • Fixed an issue in Digipass, where sometimes a blocked token could still be used to authenticate (TB-5960)
  • Fixed an issue in Digipass, where sometimes blocking a user resulted in an exception (TB-5955)
  • Fixed an issue in Digipass, where unlocking could result in an error (TB-6096)
  • Fixed an issue where using the function setSessionVariable resulted in an error (TB-5829)
  • Fixed an issue when the User Threshold setting was too high would result in an error during authentication (TB-5926)
  • Fixed an issue in TB 4 Mobile where OTP codes starting with a 0 would not be accepted (TB-5966)
  • Fixed an issue that prevented mobile tokens from being deleted in the Admin UI (TB-5665)
  • Fixed an issue that could prevent the Kerberos service from starting (TB-6068)
  • Fixed an issue where gateway config variables would not bind to a vhost (TB-5885)
  • Fixed an issue in the Gateway, where the accessing call to authorization server ignores the result of the retry call (TB-6033)
  • Fixed an issue where sometimes the hostname of a proxy location could not be set (TB-5967)
  • Fixed an issue when unlinking a Digipass token with an UL Blob (TB-6089)
  • Fixed an issue where V2 Digipass tokens could not be unlocked via file import (TB-6032)
  • Fixed an issue when SAML Push gave an internal error if the relayState parameter is not in whitelist (TB-6018)
  • You can now return complex cookies from IDP workflows, just like in other workflows  (TB-5977)
  • Fixed an issue where the location parameter was lost in a SAML logout (TB-6203)
  • Fixed an issue in the Application Rules; where underlying rule definitions (eg. Scopes)  were ignored if there were no rules defined (eg. user is authenticated). (TB-5784)
  • Fixed an issue where a default template contained an XSS issue (TB-6072)
  • Fixed an issue that occurred because spaces were allowed in Attribute Set names. Spaces are no longer allowed (TB-6241)
  • Fixed an issue so the authenticationContext parameter is now optional  on the idhubauthenticate endpoint. (TB-6424)
  •  Fixed an issue where OAuth Token Exchange did not accept multiple audience and resource request parameters (TB-6358)

New Workflow Designer

This feature is added as Experimental. To use, please enable "Experimental Features" in the Settings.

The new workflow designer will ultimately replace TBA, but is still considered experimental functionality in this release, and it is not meant for use in Production environments.

  • Overriding properties
    Overriding properties allow to define different values to certain properties when exporting a configuration.
  • Server Management
    Allows the definition of servers which will execute the workflows. Workflows are grouped into configurations, which are in turn exported to servers.
  • Script Editor
    Some extra effort has been put into the usability of the script editor and the validation of the scripts.

Release Candidate 2

After the initial release candidate, a couple of issues were found in the OAuth Token Exchange flow.  

These changes include the handling of multiple audience and resource parameters.  Besides that, we made some improvements to the logic that validates the parameters in the request and which are passed in the resulting access tokens.

These issues required a few changes, which includes database changes and the update of some libraries.

Therefore, when installing Release Candidate 2 on an existing 9.5.0 test version, the full upgrade procedure must be followed.  


  • Fixed an issue where token exchange grant would be denied if there was no consent, even if this scope did not require consent (TB-6511)


  • Fixed an issue where a successful internal IDP authentication could result in a nullpointer exception (TB-6538)
  • Fixed an issue where a digipass call would incorrectly validate the status during an activation call. (TB-6544)
  • Fixed an issue when using SAML Push with an encrypted relayState (TB-6567)


  • Fixed an issue where IDHub could not dynamically determine a SAML Entity ID (TB-6564)
  • Fixed an issue in the gateway where using a cookie with an empty or non-existent session ID caused unexpected behavior (TB-6592)
  • Fixed an issue where user attributes were not added to the token in a token exchange flow (TB-6574)
  • Fixed an issue where the id_token was sent as an array on reponse_type form_post (TB-6606)
  • Fixed an issue in SAML Artifact resolution when 2 IDP's are using the same Artifact binding (TB-6607)
  • Added an option to add a header value to every line in the Tomcat logs for http based actions  (TB-6608)


  • It is now possible to generate SAML metadata with certificates s to be used in the future (TB-6798)
  • Added PBKDF2 to the Encryption Service (TB-6736)
  • Added an auditlog for which SP the incoming request is (TB-6641)

  • Fixed an issue in OpenID where the prompt=none parameter wasn't handled properly (TB-6673)

  • Fixed an issue in Authentication Requests without relaystate, which responded an incorrect relaystate parameter (TB-6650)

  • Fixed an issue in which access tokens with empty multi-value properties were shown as empty array. Now they are ommitted (TB-6593)

  • Fixed an issue with the changing of scope configurations between OAuth and OpenID Connect (TB-6510)


To resolve an issue with OAuth Refresh tokens, we had to expand the column size of a table.

If you have already performed the upgrade to 9.5 this will not be executed automatically, so we recommend executing this statement on the database to keep the schemas identical.

  • Support for Oauth requests without a scope (TB-6584)
  • Fixed some issues that occurred while passing language parameters to certain email templates (TB-6959)
  • Fixed issue with a double CORS header on the userinfo endpoint (TB-6857)
  • Fixed an issue where no mail was sent after a user initiated password change (TB-6812)
  • Fixed a legacy issue where old passwords were stored without the hash (TB-6553)
  • Better handling of CORS settings for OAuth public clients to avoid a potential vulnerability in case of misconfiguration  (TB-6811 and TB-7020)
  • Fixed an issue that could occur when using a refresh token in the Token Exchange flow (TB-6905 and TB-6945)
  • Updated some incorrect translations in the Dutch version of the Self-Service page (TB-6962)
  • Fixed an issue that prevented optional attributes to be added to the user registration template (TB-6980)
  • Fixed a legacy issue that prevented a full export of the user list (TB-6983)
  • Improved the user feedback messages on the 'lost password' template (TB-7019)
  • Resolved a backchannel issue in the OpenIDConnect Password Grant (TB-7045)
  • Resolved a SAML Response validation error when no attributes are defined on the SP (TB-6960)


  • Signed OAuth Requests will now include the acr_values claim (TB-7058)
  • Read-only attributes are now no longer displayed on the Registration page (TB-6575)
  • Fixed an issue when cookies without content were presented (TB-6587)
  • Fixed an issue that could occur when saving data on the Self-Service Page (TB-6964)
  • Fixed an issue that could trigger an empty "consent required" page (TB-7050)
  • Fixed an issue that could occur when using basic authentication in combination with Kerberos (TB-7191)
  • Fixed an issue where an authorization request could be incorrectly interpreted as an AJAX request (TB-7145)
  • Fixed an issue that impacted existing sessions containing an IDP that was removed from IDHub (TB-7165)


  • Added support for numerical attribute types in Tokens (TB-7249)
  • Fixed an issue that occurred during OAuth client creation (TB-7119)


  • Fixed an issue that occured when consuming the oauth token endpoint (introduced in 9.5.6) (TB-7255)
  • Fixed a breaking change in the oidcservice (introduced in 9.5.6) (TB-7259)


  • The token exchange policy workflow is now able to set user attributes (TB-7370)
  • Fixed an issue where the entityId was not available in the logout flow (TB-7237)
  • The samesite cookie flag can now be configured in the IDHub settings (TB-7167)
  • Improved the upgrade scripts for v9.4 to v9.5 (TB-7123)
  • Improved the stability when exporting a workflow configuration under load (TB-5981)


  • TB-7502    Error when saving OAuth IDP with an encrypted request object
  • TB-7571    NPE when starting Trustbuilder Core
  • TB-7572    Mail client TLS1.2 support added
  • TB-7597   OAuth token exchange logging improved
  • TB-7633    Token introspection URL field on OAuth IDP was missing
  • TB-7662    A token introspection request with an expired token could result in an HTTP status 400
  • TB-7717    HTTP adapter: method PATCH support added
  • TB-7737    Token exchange throws an error when the resource parameter contains a URL with query parameters
  • TB-7741    SAML Authn request with empty (but set) relaystate runs into an error


  • TB-7840 9.5x-only - Add the nonce parameter to the OIDC authorize request
  • TB-7744 Last authenticated timestamp is not updated on user creation
  • TB-7745 Improve performance for queries that query for a single principal
Was this article helpful?
0 out of 0 found this helpful



Please sign in to leave a comment.