Glenn Bakker, 18/04/2025

Topicus KeyHub 40

We are very proud to announce Topicus KeyHub 40. This release brings an improved search engine, a redesign of the group-on-system pages and the possibility to add applications to access profiles. As always, we also included a great number of smaller improvements and fixes.

 


Important notice


Before upgrading to version 40, please check that the IDP signing certificate used by KeyHub has not expired. A KeyHub administrator can check whether the certificate has expired by:

  • Opening their dashboard; a notification will be displayed if it is expired.

  • Or opening settings via the main menu; the IDP signing-certificate details are displayed roughly halfway down the opened page.

If the IDP signing certificate has expired, a new one must be generated via the appliance manager. Please refer to this chapter of the manual for more information.


 

Improved search functionality

TKH-1530 A major improvement has been made to the search engine used when searching for groups or vault records. The search engine now also checks for combinations of the terms you enter, instead of only showing results that match the exact order of your search terms.

This is especially helpful if a user doesn't remember or know the entire name of a vault record, but does know parts of it.

[Screenshot of the search example]

Prior to this improvement, the vault record shown in the example above would not show up in the results if your search terms were 'What example' or 'What a example'.
Now the vault record is included in the results as long as it contains all your search terms in the same property, as demonstrated in the example above with the search terms 'an ample hat'.

 

Application access via access profiles

TKH-3212 Applications can now be added to access profiles, providing access to all active accounts linked to the access profile.
This makes it possible to grant a large group of accounts access to an SSO application, without having to create and maintain a large group within KeyHub.

 

Redesign of the Group-on-System page

TKH-3219 Whilst designing and implementing the access profile page, we took a moment to reflect on how some of our other pages are displaying their information.
We realized that many other pages would benefit from the design used on the access profile page.

We started with the group-on-system pages in particular, as they spread their details over various subpages accessible through the submenu at the top.

[Screenshot: group-on-system redesign. Old design on the left, new design on the right.]

With the new design, users opening a group-on-system will now land on an overview page displaying all the information that was previously scattered over multiple pages.
This new page also prevents any accidental modifications, by requiring the user to click on 'edit' first.

Assorted improvements

The following larger and smaller improvements and bug fixes were made:

  • TKH-2963 Implemented an automated test for the complete creation and activation flow of IGA-accounts.

  • TKH-2988 We've improved how we handle deletes via the SCIM endpoint.

  • TKH-3001 It's now possible to set a default value for the 'can request groups' attribute through access profiles.

  • TKH-3136 Requests approved by a content admin and forwarded to the object's owner now show the original requester as well as the forwarding content admin.

  • TKH-3213 An access profile's overview page now includes information about the accounts' status in the profile.

  • TKH-3216 Improved the automated testing of our Terraform provider based on a use case provided by one of our customers.

  • TKH-3217 Reduced the disk space used when updating Docker images during offline updates.

  • TKH-3223 Account attributes are now recalculated whenever a source attribute is modified.

  • TKH-3225 Overview tables no longer overlap with the main menu.

  • TKH-3226 System-to-system clients can no longer create groups on OUs they don't have access to.

  • TKH-3227 The generated audit record when removing the auditor group of an OU now correctly states the group was removed.

  • TKH-3230 HEAD requests on the OAuth2 endpoint now correctly receive a 405 Method Not Allowed.

  • TKH-3231 Client applications are no longer able to create a group-on-system owned by, or linked to, a group outside the relevant OU subtree.

  • TKH-3232 Fixed a grammatical error in the e-mail subject for 'create group-on-system' mails.

  • TKH-3233 It's once again possible to scroll back up in a dropdown menu.

  • TKH-3235 The pop-up opened when adding a KeyHub Administrator incorrectly stated that the vault recovery key was required.

  • TKH-3238 Refreshing the appliance manager page after KeyHub restarts should no longer lead to an error due to an improperly initialized OAuth connection.

  • TKH-3243 Starting an OIDC flow without the required 'openid' scope now results in an HTTP 403 Forbidden, instead of a 500 Internal Server Error.

  • TKH-3245 TKH-3246 A user removing themselves from the group during an audit now gets redirected to their "My Groups" page after saving the audit, instead of ending on their dashboard with an error.

  • TKH-3247 When transferring a client to a new technical administrator, the client secret is now moved to the vault of the new technical administrator.

  • TKH-3249 Made 'share' the default action when sharing a vault record.

  • TKH-3250 Search results now get replaced instead of appended during bulk removal of accounts.

  • TKH-3256 The 'last audit' date shown on the auditor dashboard now shows the date on which the audit was submitted, instead of when it was created.

  • TKH-3257 Pressing cancel when viewing group audit details as auditor now returns you to the group details page for auditors, instead of the regular group details page.

  • TKH-3259 TKH-3260 TKH-3261 Several minor improvements have been made to the VM to further harden it.

  • TKH-3262 We now properly validate the length of a request's reason attribute.

  • TKH-3263 The KeyHub browser extension can now be managed via managed browser policies, including automatically linking it to the correct KeyHub installation.

  • TKH-3264 Certain keys are generated if not yet available to avoid errors when rotating a client secret.

  • TKH-3269 During the creation of a new service account on an LDAP, the UID is now always set before the account is provisioned on the system.

  • TKH-3271 The owner of a group-on-system can now revoke the access of a service account to the group-on-system.

  • TKH-3273 Added missing permissions for the owner of an OU. The OU's owning group can now see all clients which can potentially be linked to its OU.

  • TKH-3274 KeyHub users looking at the details of a group-on-system now see a 'hidden elements' label for entities they are not allowed to read.

  • TKH-3275 TKH-3279 To avoid expiry, IDP signing certificates are now automatically renewed if not renewed by an administrator.

  • TKH-3276 The dashboard is now able to show multiple expiry notifications for KeyHub-related certificates without errors.

  • TKH-3281 Auditors should once again be able to inspect every account linked to an OU they are auditor for. We fixed a corner case related to the inspected account sharing a group with the inspecting auditor on an OU the auditor was not the auditor for.

  • TKH-3289 A mismatch in HTTP client library versions was fixed that resulted in errors when sending notifications to Android phones in version 40-2.

 


Glenn Bakker

Software Engineer