Versions Compared

Old Version 3

changes.mady.by.user Ylva Andersson

Saved on

compared with

New Version Current

changes.mady.by.user Ylva Andersson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Info

Release date: 2024-11-29

Excerpt
nameIDM_5.0

Main new features
Anchor
Main-new-features
Main-new-features

End-to-end ECC support 

In Germany, the Federal office of Information Security (BSI) advises to use a minimum of 3000 bits key length for RSA keys from the beginning of 2023. However, the longer keys have some drawbacks, for example, it will take longer time to generate and use more space on the cards. An alternative is to use Elliptic Curve (ECC) keys instead. 

Previous versions of Identity Manager supported elliptic curve cryptography for some middleware programs and some Certificate Authorities (CAs).  

Identity Manager 5.0.0 supports key archival of ECC keys with Certificate Manager and support of ECC keys with Nexus Personal Desktop Client. This feature will help existing customers benefit from ECC keys without changing their general setup. 

Entra connector 

Microsoft Entra is widely used to hold employee master data. Identity Manager needs to synchronize with employee master data so that it always has the latest information on the employees data set and send the latest information about corresponding cards and certificates. 

Identity Manager currently supports various HR systems and LDAP directories to synchronize. With the new connector, an Identity Manager setup will be possible in an environment where Microsoft Entra holds employee master data. The connection is established via SCIM datapools and the new Entra connector.

Searching and sorting is limited to the functionality provided by the Microsoft Graph API, see https://learn.microsoft.com/en-us/graph/aad-advanced-queries?tabs=http#user-properties. The performance is limited by the throttling that Entra applies, see https://learn.microsoft.com/en-us/graph/throttling

For more information, see Set up Microsoft Entra connector.

Responsive self-service portal

Smart ID Self-Service (Smart ID Self-Service) is the interface of Identity Manager that end-users interact with. It is a web portal used by all the persons whose identity is managed and has a large number and range of users.

Here are example use cases that can benefit from the improved responsiveness in the Self-Service portal:

  • Access Smart ID Self-Service on mobile phone whenever that is more convenient

  • Organizations where users have Chromebooks as their primary device

  • A truly responsive design also helps visually impaired people that use large zoom factors.

  • The responsive design enables mobile use cases around Physical ID where action is needed on site.

New BPMN engine 

Identity Manager includes a workflow engine where the processes around card and credential’s management are custom built. This makes Identity Manager more flexible. 

As Activiti 5 is no longer supported, the BPMN engine has been switched to Flowable. The new engine improves performance and parallelization and provides new possibilities to be explored, for example, forms editing and process monitoring. Editing processes will be simplified with the new Nexus Process Modeler that can be used as a separate application as well as from inside Identity Manager Admin. 

Flowable is available as an open source version and as a commercial version called “Flowable work”. There is a community ensuring further development of the product. 

Configurations made for Activiti can be run with the new Flowable engine to ensure upgrading. The migration is done automatically, see Upgrade Smart ID Identity Manager from 23.10.9 to 5.0.1.

Flowable is a fork of Activiti and it is BPMN 2.0 compliant.  

Bootstrapping validation 

Smart ID Identity Manager is a security application based on public key infrastructure. It uses keys and certificates to encrypt secrets managed within the application, to sign the object history to make it audit proof, and other key related use cases. All these keys and certificates need to be created and moved to the right places - a procedure known as bootstrapping. As it is crucial for the security of the application that secure keys are used, a validation of the bootstrapping has been introduced. Demo-keys are no longer delivered with the software. This increases the effort in setting up demo and test systems but protects productive systems from accidently using publicly known keys.

To help first-time bootstrapping and get instructions for changing compromised keys and certificates later, see Bootstrapping the sign and encrypt engine.

Removed features and changes in delivery
Anchor
Removed-features-and-changes-in-delivery
Removed-features-and-changes-in-delivery
 

Support for encodings of USB tokens via Card SDK is discontinued 

The support for encodings of USB tokens via Card SDK is discontinued.

A workaround for the Java bug https://bugs.openjdk.org/browse/JDK-8026326 (implemented in CRED-13615) was removed, as it is incompatible with Java 17 and above and thus prevents moving forward with support for newer Java versions. This bug causes errors in the reader detection once the last remaining reader has been removed or disabled and it, or another reader, is added or connected again during the lifetime of the Java process. In this case the smartcard service is restarted, which Java fails to handle gracefully.

USB tokens integrate the PKI chip and the reader in one device, so they tend to be affected by this issue, unlike PKI encoding on smart cards, where the reader remains connected. PKI encoding of USB tokens can be handled by Smart ID Desktop App instead.

For more information, see Upgrade Smart ID Identity Manager from 23.10.9 to 5.0.1.

Support for some CardOS related encodings has been removed 

Support for OsVersionField and PackageInformationField has been removed from encoding descriptions. This feature was specific to CardOS smart cards. APDU commands can be used to get the same result.

For more information, see Upgrade Smart ID Identity Manager from 23.10.9 to 5.0.1

Deprecation of Service Task "Cert: Update Certificate State from CRL"

The service task "Cert: Update Certificate State from CRL" (delegate expression) ${updateCertificateStateFromCRLTask}is no longer recommended to be used as severe performance problems are likely to happen. Instead, it is recommended to push CRLs from the CA.

For Certificate Manager and Identity Manager the procedure is described here: Push CRL from Certificate Manager to Identity Manager

Configuration files excluded from the Smart ID package 

The configuration files SmartID-xxx-configuration.zip are no longer delivered with the Smart ID package. These configuration files were the basis of the Smart ID Workforce module. They are replaced by the

...

Smart ID Workforce use cases, available as separate package from the Nexus download portal.

Smart ID Workforce use cases for Identity Manager 5.0.1 are not yet available. 

Open source libraries delivered with Smart ID package

A list of open source libraries used with Smart ID Identity Manager is delivered with Identity Manager on the Nexus support portal as the file SmartID-xxx-open-source.zip.

SmartAct-Migration tool

The SmartAct-Migration tool is not delivered with the Smart ID package anymore. Contact Nexus support if you need this.

Nexus Activiti Designer replaced by Nexus Process Modeler

Nexus Activiti Designer will not be delivered with Smart ID from this release onwards. It can still be used with Smart ID Identity Manager, but recent features are not supported. It is recommended to try Nexus Process Modeler instead.

Replacement of the quick search feature in Smart ID Self-Service

In Smart ID Self-Service, lists of Persons, Cards, Mobile IDs or other objects can be displayed by corresponding top level menu entries. The basis of these lists were search configurations that are set up in Smart ID Identity Manager Admin. There used to be a quick search and filter bar on top of each list. This has been replaced by a filter panel reflecting the underlying search configuration. The filter panel allows a more explicit filtering and understanding of the displayed results.

Detailed description of features

Excerpt
nameIDM_5.0

Features

Jira ticket number

Description

CRED-12528

The bootstrapping procedure, that is, the creation and placement of keys needed in Smart ID Identity Manager for different purposes, has been made more secure.

For more information, see Sign and encrypt engine in Identity Manager and Upgrade Smart ID Identity Manager from 23.10.9 to 5.0.1.

CRED-13624

The business process engine included in Smart ID Identity Manager has been switched from Activiti to Flowable.

For more information, see Cleanup Flowable process history in Identity Manager and Upgrade Smart ID Identity Manager from 23.10.9 to 5.0.1.

CRED-13706

The support for encodings of USB Tokens via Card SDK is discontinued. PKI encoding of USB tokens can now be handled by Smart ID Desktop App.

For more information, see Upgrade Smart ID Identity Manager from 23.10.9 to 5.0.1. Read more in the Removed features and changes in delivery section above.

CRED-15871

A connector is now available to allow user synchronization between Smart ID Identity Manager and Microsoft Entra. Read more in the Main new features section above.

For more information, see Set up Microsoft Entra connector.

CRED-15873

Improved responsiveness in Smart ID Self-Service. The Self-Service is now usable on small screens like mobile phones or with large zoom.

Read more in the Main new features section above.

CRED-15893

A validation of the expression will be done in Identity Manager Admin when adding a Kerberos 5 Principal Name value in a certificate configuration.

CRED-16320

When showing a list of objects in a form, it is now possible to add checkboxes for selection to the list and to work with the selected entries.

CRED-16749

The performance of the cleaning of the ObjectHistory has been improved.

CRED-16776

Support for key archival and recovery of ECC keys with Certificate Manager has been added.

This requires Certificate Manager version 8.10 or later.

CRED-16798

Added a rate limit filter to the Tomcat configuration in docker to prevent DoS attacks. Individual adjustments are possible.

For more information, see Harden Tomcat.

CRED-16972

In Self-Service, interactive elements are now labeled with their role so that screen readers can recognize them.

CRED-17366

Support for OsVersionField and PackageInformationField has been removed from encoding descriptions. Read more in the Removed features and changes in delivery section above.

For more information, see Upgrade Smart ID Identity Manager from 23.10.9 to 5.0.1.

CRED-18099

If there are many buttons on a form in a process, a primary button can now be defined. See Configure display of buttons in Identity Manager for more information.

CRED-18951

When configuring SAML in Smart ID Identity Manager, request signing and verification settings now default to true if not specified in the metadata file. See Enable two-factor authentication to Identity Manager clients via SAML federation for more information.

CRED-19161

In order to avoid ZIP bomb attacks, the compression ratio is checked when uploading zip files. The allowed compression ratio can now be configured. See List of Identity Manager system properties for more information.

Corrected bugs 

Jira ticket number

Description

CRED-16398

Previously in Identity Manager Admin, when editing a process with the BPMN editor, there was no reminder to save when leaving the tab. This has been fixed.

CRED-17721

On card encodings for card selection, an additional check of the ICCSN has been introduced to improve security. See Reader/card selection and information in Identity Manager for more information.

CRED-18101

Updating certificate state from CRLs would sometimes not find certain certificates due to upper lower case differences in the serial number. This has been fixed.

...