Release notes

Dependency updates

Underlying dependencies have been updated extensively.  Local customizations may be affected.

FIDO2 support

Enrollment of FIDO2 Tokens

New enrolment application allowing for endusers to activate their FIDO2 tokens.

FIDO2 token login

Support for FIDO2 token logins using SAML or internal authentications. Support for OIDC is achieved through  existing brokering. 

Hazelcast upgrade

New version is 4.11. Upgrades will require manual handling in regards to hazelcast configuration.

Overlay for logout template

Logout template now supports overlay pattern

Metadata loading improvement

SAML metadata loading has been improved. When consumed from a URL, data is cached. The cached data is used as fallback if url target is unreachable.

SLO requests using HTTP Get

Incoming SAML single logout requests now supports HTTP GET.

Freja e-ID organization id is now supported

Organization id is supported through new Freja e-ID authenticator and valves.

Simplified UI customizations PocketPass enrollment

Overlay pattern is now supported.

Simplified UI customizations OneTouch enrollment

Overlay pattern is now supported.

WCAG updates for all authenticator templates

Improved functionality in regards to the WCAG (Web Content Accessibility Guidelines).

WCAG updates PSS UI

Improved functionality in regards to the WCAG (Web Content Accessibility Guidelines).

PSS updates

  • UI updates
  • Option to show two password fields for onscreen exact comparison. 

Updates may affect local customizations.

SAML IDP using multiple sign certificates

SAML certificate rollover is supported on the IDP sign certificate.

One Touch quick mode

Allows for user to confirm/reject a One Touch login using Apple Watch or equivalent.
More information here.

CertificateValidatorValve – updated

OCSP request can now be signed.

PDFSignatureStatusValve improved signature verification

Time stamp authority signatures now are validated.

PDFSignatureStatusValve customize trusted CA's

Trust is now based on a custom trust/keystore.

OIDC OP guide updates

token_type=Bearer is now returned by default.

kid claim is now added by default to the header part of the jwt token.

New valve PropertyURLDecoderValve

Allows for url decoding of item properties.

Updated behavior SAMLAnonymousAssignmentAuthenticator

QR is showed instantly. Additional configuration is available. 

Added missing traceid for authenticators

Affects authenticators:

  • SAMLNias
  • SAMLWindowsSSO
  • DefaultInternalAuthenticator

Admin UI presentation of nodes is updated

Only the current node is displayed.

For windows, added default custom options file - customer customizations

Used for customizations not being overwritten at upgrade.

Token imports are now done using a separate tool

Hardware tokens is now imported using the bundled Test Tool.
More information can be found here.

Internal database schema update

Token serial is now required to be unique, to avoid duplicates. For external databases this must be applied manually.
More information here.

New Freja e-ID valves

Allows for authentication or signing through API. Valves are:

  • FrejaEIDAuthRequestValve
  • FrejaEIDAuthStatusValve
  • FrejaEIDSignRequestValve
  • FrejaEIDSignStatusValve

New  SITHS saml authenticator

Allows for authentication using SITHS mobile. 

Authenticator name is SAML2SithsEID.

New valve PDFAValidatorValve

Validates that the PDF document fulfils the PDF/A-1A contract.

HYPR added as a method of authentication

SAML authentication now can be done using HYPR.

New SITHS valves

Allows for authentication through API.

Valves are:

  • SithsEidAuthenticateValve
  • SithsEidCollectAuthenticationStatusValve

SAMLNias update

SAMLNias authenticator now includes user certificate in the pipe request issuing the SAML assertion.

BUG fixes

Fixed bug in OIDC HTTP redirect scenarios

Double URL encoding issue fixed. 

Bug in BankID proxy module when running with old freja authenticator

Linkage error fixed.

Bug in IDPDiscovery authenticator fixed regarding favicon & custom CSS

Follows same pattern as other authenticators regarding custom css and favicon.


Fixed bug when calculating location of signature visualisation.

PIPES, wrong trace id

Wrong trace id was logged. This is now fixed.

Outbound HTTP module custom timeout

Bug when overriding the system timeout fixed.