We are proud to announce Topicus KeyHub 25. This release brings a great number of enhancements to integrations with other systems. Also, we've started with the phased rollout of organisational units. This exciting new feature will bring a lot of flexibility in the configuration of Topicus KeyHub for larger organisations. As usual, a number of assorted smaller changes and bug fixes are also included.
Important notice: corrupted vault recovery keys
TKH-2248
An error was discovered in the code responsible for upgrading vaults to newer encryption algorithms. In this process, the recovery key was not correctly updated, making recovery impossible for these vaults. We've corrected the error and the update to Topicus KeyHub 25 will reset all unusable vault recovery keys. These keys will be reconstructed automatically when users login. For vaults that had the recovery key reset, a warning will be displayed on the auditor dashboard until it has been reconstructed.
Provisioning and directories
This releases brings several enhancements to the provisioning and directory implementations. These enhancements will improve the stability and reliability of these integrations.
-
TKH-1675
Directory status and metrics are now available through our OpenMetrics endpoint. -
TKH-1669
The provisioning implementations now use a circuit breaker to prevent cascading failures due to a single broken system. -
TKH-1918
TKH-2419
It is now possible to remove a group from a linked system when the group is not empty. -
TKH-1980
Provisioning now always requires 2FA.
-
TKH-2228
The caching for provisioning was made more robust in case of communication errors with the linked system. -
TKH-2427
Handling and reporting of errors with LDAP servers with a configured failover host, both linked systems and directories, was improved substantially.
OAuth 2.0 and OpenID Connect
We continuously work on the interoperability and security of our OAuth 2.0 and OpenID Connect implementation. This release contains two important changes in this area.
-
TKH-1949
Topicus KeyHub now supports the OAuth 2.0 Form Post Response Mode for authorization requests. We've found that some libraries prefer this mode. This should make integrating with these libraries a lot easier. -
TKH-2112
We've switched to encrypted access tokens. This will prevent leakage of information through these tokens. Keep in mind that tokens are issued with the Topicus KeyHub API as the default audience. If you wish to use tokens for a third-party API, you should request the tokens for that specific resource using a resource indicator. These tokens will not be encrypted and continue to follow the JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens.
Organisational units
TKH-2394
TKH-2396
This release contains the first steps for entirely new and exiting feature: organisational units. These will allow a Topicus KeyHub installation to be divided into separate parts, with separate groups and accounts. Users will only be able to see those parts of the organisation units they are part of. Topicus KeyHub 25 only contains the very first parts: the ability to create new organisational units. In the upcoming releases we will continue to expand this functionality.
Organisational units
Small improvements
The following smaller improvements and bug fixes were made:
-
TKH-1131
The SAML 2 metadata on applications is now validated and checked for consistency when saving the application. -
TKH-1206
Several tests were added for SSO and OAuth2 flows. -
TKH-1728
A notification is now displayed on the dashboard when the Topicus KeyHub installation has not been updated for a long time. -
TKH-1899
Better feedback is provided to the user when trying to remove a KeyHub Administrator in a cleanup action. -
TKH-2103
Clicking on the logo in the top left corner brings you to the about page. -
TKH-2146
Tests were added for recovery of incorrect settings during a backup recovery. -
TKH-2160
Changing configuration on group nesting or authorization now emits audit records. -
TKH-2178
The syslog configuration was updated to make use of the latest features of rsyslogd. -
TKH-2208
Users can now terminate all sessions with a single click on a button. -
TKH-2236
The tests were updated to Groovy 4. -
TKH-2245
OAuth2 clients can now assign any group for technical administration of newly created applications. -
TKH-2308
The best practice guides were moved to our knowledge base. -
TKH-2323
A notice is now displayed to users logging in on the terminal via SSH. -
TKH-2331
When performing a database recovery, the number of audit records in a database in the past 2 weeks is now also displayed. This gives the administrator more information to pick the correct database as the new primary. -
TKH-2336
A warning is now displayed when performing an offline update of a clustered install to always update one release at a time. -
TKH-2346
Our build environment was updated to VirtualBox 7. -
TKH-2356
The contents of mails, messages and notifications for requests was simplified to reduce the number of translations needed and make the texts more uniform. -
TKH-2357
It is no longer possible to change a global trusted certificate when it is in use. -
TKH-2375
When changing the password, other sessions are now terminated by default. -
TKH-2385
Changes were made to support deployment from the AWS marketplace. -
TKH-2387
Sorting groups on the auditor dashboard on the number of members now works as expected. -
TKH-2388
Nested groups are now displayed in alphabetical order. -
TKH-2393
A new donut was added to the account dashboard to display the status of 2FA for all users. -
TKH-2399
Memory allocation of the appliance can now be configured. -
TKH-2404
An error was fixed when trying to create an internal LDAP using the add button in the top-right corner. -
TKH-2406
An error was fixed when sharing a vault record that was opened from the dashboard. -
TKH-2407
An error was fixed on the dashboard that prevented the usage of the back button in some cases. -
TKH-2410
The appliance manager now uses a much shorter timeout for calls to the KeyHub backend to prevent locking the user interface in some cases. -
TKH-2411
Unparseable user agent strings are no longer reported as hacker. -
TKH-2414
Error handling was improved when trying to use an invalid license. -
TKH-2415
TKH-2422
TKH-2426
Several permission related errors were fixed when working with service accounts. In several cases the required permissions were missing, causing errors when opening pages or performing certain actions. -
TKH-2416
An error was fixed when trying to perform a password reset for a non-existent account. -
TKH-2417
Generation of mails was fixed when no feedback was given. -
TKH-2420
An error was fixed on the token endpoint when trying to use previously invalidated tokens. -
TKH-2421
An error was fixed that could cause invalid group membership signatures for KeyHub Administrators. -
TKH-2423
Password recovery shares are now deleted when a user resets his/her vault. -
TKH-2425
An error was fixed when trying to reinitialize pages, which could happen when using action links as bookmarks. -
TKH-2429
The user feedback on copy actions in the vault was improved significantly. The icon is now toggled to a check mark, without hiding all other fields. -
TKH-2430
Some requests where erroneously accepted automatically when issued by the KeyHub maintenance administrator. -
TKH-2432
The order of configuration roll-out when re-enabling nodes in a cluster was changed to improve reliability. -
TKH-2440
An error on the dashboard for service accounts was fixed when no linked systems existed yet. -
TKH-2441
An error was fixed in the id_token validation that prevented SP initiated logout for legacy subject identifiers.