Emond Papegaaij, 24/02/2025

Topicus KeyHub 39

We are very proud to announce Topicus KeyHub 39. A major overhaul of our provisioning engine brings great improvements to the predictability of all account provisioning, which is essential for IGA. OAuth2 clients are now scoped to organisational units. Finally, we've released a new SDK for Dart. As always, we also included a great number of smaller improvements and fixes.

Identity Lifecycle Management and Provisioning

In our continuous effort to transform Topicus KeyHub into a full IGA suite, this release brings many large improvements to access profiles and account provisioning. The most noticeable change for the majority of our existing users is the addition of a whole new chapter in the user manual describing access profiles.

The gap between access profiles and groups was bridged by adding groups to access profiles, smoothing the request flow for users. Less visible, but certainly no less important, a lot has changed under the hood related to account provisioning. Many synchronization flows were formalized and made to operate much more reliably. Also, it is now possible to let Topicus KeyHub manage the entire lifecycle of accounts in the source directory, from creation to deletion.

  • TKH-1878 Searching on LDAP and Active Directory now uses pagination to support very large data sets.

  • TKH-3063 Business rules can now be configured to automatically add users to access profiles and to automatically activate accounts.

  • TKH-3108 The code to activate and deactivate service accounts was improved significantly.

  • TKH-3133 When displaying a SCIM system, tokens or passwords are no longer shown.

  • TKH-3148 Verbose logging for provisioning now includes the name of the method to make it easier to find specific log statements.

  • TKH-3154 The manual was updated to include 'Accounts writeable' for Azure source directory provisioning.

  • TKH-3155 The group overview on a linked system now shows if provisioning is enabled for groups.

  • TKH-3167 A new chapter was added to the manual for access profiles.

  • TKH-3175 When removing a linked system, the user now has various options to leave provisioned accounts on the system as-is or remove them as the system is removed from KeyHub.

  • TKH-3176 The user interface for deactivating a service account was improved.

  • TKH-3177 Removal of a group is no longer allowed when that group is the owner of an access profile.

  • TKH-3178 StartTLS on LDAP or Active Directory now correctly checks the expiration of the server certificate.

  • TKH-3179 Deactivation of a service account on LDAP no longer gives an error.

  • TKH-3180 TKH-3221 TKH-3222 TKH-3229 The entire state management of provisioned accounts was reviewed to make it much more reliable and robust.

  • TKH-3181 It is now possible to add groups to access profiles. Users will be invited automatically for these groups when added to the access profile.

  • TKH-3197 Fixing provisioned accounts on different types of systems now takes the configured password requirements into account.

  • TKH-3202 Source directory provisioning implementations now support deleting accounts.

  • TKH-3203 Source directory provisioning on OpenLDAP now emulates disabled accounts by scrambling the password.

  • TKH-3204 Users with a business license are no longer provisioned via groups.

  • TKH-3205 Writeable accounts on source directory provisioning now require the Identity Lifecycle Management (ILM) license feature.

  • TKH-3248 A regression was fixed that would cause a forced password change when signing in on Entra after a password rotation (delivered in version 39-4).

Organisational units

A major improvement to the organisational units was made: OAuth2 clients are now scoped to the organisational unit boundaries. This works very similarly to how accounts are also scoped to organisational units. OAuth2 clients must be explicitly added to an organisational unit to be able to access any data within that unit.

  • TKH-2804 TKH-3224 TKH-3240 TKH-3242 OAuth2 clients are now explicitly scoped to one or more organisational units. This works in the same way as for accounts.

  • TKH-3121 The group details now also show the organisational units for which the group performs the auditor role.

  • TKH-3168 Incorrect filtering on modification requests targeted at KeyHub Administrators could result in the requests not being visible for the admins.

  • TKH-3198 OAuth2 clients can now query organisational unit memberships for accounts and clients.

  • TKH-3200 The account details page for auditors no longer triggers a permission denied error if the auditor is not allowed to see all group memberships of the account.

SDK for Dart

TKH-3166 In the past 6 months, we've been steadily working together with Microsoft Kiota and Ricardo Boss on a new generation target for the Kiota SDK generator. This combined effort was merged into the mainline Kiota branch last month and released with version 1.22. The resulting SDK for Dart can be found here: https://github.com/topicuskeyhub/sdk-dart


Assorted improvements

The following larger and smaller improvements and bug fixes were made:

  • TKH-2928 Permissions granted to OAuth2 clients are now properly filtered using the security constraints of the logged-in user when they are displayed.

  • TKH-2951 A post update step that was no longer needed was removed from the KeyHub update process.

  • TKH-3002 Various notifications about requests now show details of the concerned objects, such as groups on linked systems.

  • TKH-3004 Information about the CA is now displayed when editing the cluster wide certificate configuration in the appliance manager.

  • TKH-3096 Information about the possible statuses of account directories was added to the manual.

  • TKH-3146 The select box for vaults on the vaults page was made substantially bigger on wide screens.

  • TKH-3149 ReactJS was upgraded to version 19 in the browser extension.

  • TKH-3158 The redirection for OAuth2 clients with custom URL schemes was fixed to no longer add a port number.

  • TKH-3159 A clean-up was fixed that would cause PostgreSQL 16 images to be prematurely removed during an upgrade from 12 to 16.

  • TKH-3164 The test framework used to test installing operating system updates was improved.

  • TKH-3169 Device identifiers for mobile devices that are no longer valid are now cleared to prevent repeated failure logging.

  • TKH-3170 An error was fixed when automatically handling a request to reset 2FA.

  • TKH-3171 We've substantially reduced the amount of logging generated for blocked resource requests.

  • TKH-3172 Invalid redirection URIs could trigger an error, resulting in lots of logging.

  • TKH-3174 When running in proxied mode, the correct URL is now displayed on the terminal.

  • TKH-3182 A possible error was fixed for calls made by an authenticated OAuth2 client.

  • TKH-3183 The rebuilding of group signatures and the creation of a personal vault could run concurrently while updating the same data, causing one of the two to fail.

  • TKH-3185 TKH-3186 More tests were added for creating groups, clients and vault records via Terraform.

  • TKH-3188 Support for very old license versions was dropped.

  • TKH-3189 A test was added to check consistency of enumeration types used in both the REST API and the database.

  • TKH-3190 The maintenance admin is now once again allowed to upload a new license.

  • TKH-3191 Passwords are no longer shown in plain text as placeholders when editing the cluster configuration in the appliance manager.

  • TKH-3192 The REST API now supports generating translations for notifications as part of the response.

  • TKH-3193 The WildFly application server was upgraded to version 35.0.0.

  • TKH-3194 Improvements were made in the OpenAPI specification with regards to references to VaultHolder.

  • TKH-3195 SAML metadata is now correctly refreshed before it expires, even if it expires before our minimum refresh interval is up.

  • TKH-3199 ELRepo started using a new GPG key to sign their RPMs. This new key is now accepted by Topicus KeyHub.

  • TKH-3201 Improvements were made to the way the current cluster status is checked when performing updates and restoring backups.

  • TKH-3206 The dashboard now always shows incoming requests before outgoing requests because the former need action by the user.

  • TKH-3207 Quicksearch on the manage access page would not filter correctly on internal directories.

  • TKH-3209 The OAuth2 authorize endpoint now supports POST as required by the OIDC specification.

  • TKH-3210 TKH-3228 TKH-3236 Performance of several queries was improved substantially. An option to enable verbose performance logging was added.

  • TKH-3214 The remove button is no longer visible when creating a new client application.

