Release note Smart ID 21.04
Version: 21.04
Release Date: 2021-05-20
The Smart ID 21.04 release provides major updates in Identity Manager, Self-Service, Digital Access and Physical Access. Messaging provides minor improvements and bugfixes only. All components also provide several bugfixes and library updates to ensure high quality and security.
See Upgrade Smart ID for information on upgrading from 20.11 to 21.04.
Main new features
Identity Manager login page revised
In this Smart ID release, several changes around login for Identity Manager have been made. The tenant pre-selection page has been removed; tenant selection is now part of the main login page. There are now also dedicated login buttons for SSO (via SAML) and certificate-based login, so that users can select the login method in the UI instead of reaching SAML and certificate login only via dedicated URLs. At the same time, a logout button for SAML sessions was introduced in Self-Service and Identity Manager Operator so that user sessions can be closed via the UI.
Furthermore, it is now possible to configure in the Admin panel of Identity Manager Operator which authentication methods are visible per tenant (e.g. to enforce strong authentication in Identity Manager and disable username/password).
Improved Batch Sync in Identity Manager
With Smart ID 21.04, it is now possible to control the Batch Sync jobs in the runtime system (in the Admin tab of Identity Manager Operator). New buttons have been introduced in the Batch Sync job list to start, stop and execute scheduled jobs from there. In addition, the paging behavior of Batch Sync searches has been improved.
Introducing Interflex 6040 connector
This release of Smart ID introduces a standard connector to the Interflex 6040 PACS system in Physical Access, supporting the standard use cases of Smart ID Physical Access.
Search AD user groups in Digital Access
In Digital Access Admin, the handling of selecting and assigning AD user groups has been improved. Instead of listing the available AD groups in dropdown menus, a search has been introduced to support selecting user groups in large AD environments with more than 1000 AD groups.
Smart ID compatibility
Detailed feature list
Features
| Jira ticket no | Description | Digital Access | Identity Manager & Self-Service | Physical Access | Messaging |
|---|---|---|---|---|---|
| DEVOPS-738 | Added instance ID in Docker config for Self-Service. It is now possible to set the instance ID (used to differentiate the applications when running multiple instances) for Self-Service via a docker-compose environment variable. See Set properties for Smart ID Self-Service. | | X | | |
| DEVOPS-468 | Improved standard password issuing process. So far, the standard process in the Identity Manager Base package was that every new employee automatically received a username/password for Self-Service, sent by email and printed as a PDF during user activation. The standard process has been adjusted so that it is easier to choose whether a PDF or an email is used to issue the username/password. See Enter person data manually - Digital ID. | | X | | |
| DEVOPS-599 | Supporting ObjectGUID attribute in LDAP. It is now possible to use the ObjectGUID attribute, or in general attributes in binary format, in LDAP as a data pool field or in an export configuration in Identity Manager. This means that the GUID can now be used as a unique identifier for import/export, especially in large AD forests where no other unique ID is available. | | X | | |
| DEVOPS-588 | Improved password complexity. The default settings in the standard Identity Manager packages for generating passwords have been updated. The password complexity has been increased (16 characters, including a number, an upper-case character and a special character) in order to increase security. | | X | | |
| DEVOPS-485 | French translations. Added some missing French translations in the standard workflow packages for Identity Manager. | | X | | |
| DEVOPS-445 | Added tenant ID in Docker config for Self-Service. It is now possible to set the tenant ID for Self-Service via a docker-compose environment variable. See Set properties for Smart ID Self-Service. | | X | | |
| CRED-10588 | Return certificate chain with QuoVadis PKI. The QuoVadis PKI connector did not return the certificate chain (root, issuing CA) as part of certificate requests. In some use cases it is required to write the whole chain to smart cards or to deliver the chain in soft tokens. This functionality has now been added to the QuoVadis connector as well. See Cert QuoVadis PKI - Standard service tasks in Identity Manager. | | X | | |
| CRED-10649 | Added certificate chain parameter to soft-token task. The soft-token service task got an additional parameter to decide whether the whole certificate chain is added to the PKCS#12 soft token. Before, the chain was always added, and this is still the default behavior. With the new parameter, customers can deactivate the chain so that only the end-user certificate is added to the PKCS#12. See "Cert: PGP Soft Token" in Standard service tasks in Identity Manager. | | X | | |
| CRED-10575 | Obsolete JSPs removed. Removed obsolete .jsp sub pages for PDF printing in the form designer. These sub pages are leftovers from the former Java-based clients and no longer work with the HTML5 clients in Identity Manager. | | X | | |
| CRED-10541 | Standard service task cleanup. The standard service tasks have been aligned with the new Smart ID naming conventions (e.g. terms like Personal X, HAG etc. changed to the new names). This does not affect functionality, and no configuration change is needed because of the renaming. Also, the deprecated "generateAndArchivePasswordAccordingPasswordPolicyTask" and the old soft token task "executeSoftTokenRequestAndRecovery" are removed with 21.04. Customers that are still using these tasks have to switch to the successor tasks. See Smart ID Messaging - Standard service tasks in Identity Manager. | | X | | |
| CRED-10617 | Improved error handling for BPMN rollback. When the BPMN process engine does a rollback due to an error during execution of a process task, the default behavior is that the engine retries indefinitely every 5 minutes if the error is not caught properly in the BPMN design, e.g. via ErrorBoundaryEvents. To prevent endless retries when the error is not handled in the BPMN design, the implementation is now limited to 3 retries at most. | | X | | |
| CRED-8882 | Updated SAML algorithms. Specifically, the hash algorithm is now updated to SHA-256. | | X | | |
| CRED-10473 | Extended filter capabilities in multi-level search. When searching through multiple levels in a coreObject hierarchy, filters can in general be applied on both the source and the target data pool. There was one limitation: when using the same data pool as source and target, filters could only be set on the source. With 21.04 this has been improved; filters can now be applied on both source and target even if both are the same data pool. | | X | | |
| CRED-10600 | New revocation service task. Added a new service task for certificate revocation that can also fetch states dynamically from the process map, e.g. for easier automated revocation via APIs. See "Cert: Revoke Certificate" in Standard service tasks in Identity Manager. | | X | | |
| CRED-9538 | Allow BatchSync to modify data in data source. The BatchSync functionality in Identity Manager so far had a limitation when using the same data pool as source and target, e.g. when mass card blocking is done and the search reads from the same source that is later written to in the blocking process. In that case, when processing a large number of records, BatchSync did not process all records in the first run but needed multiple iterations (due to internal paging). This has been improved with Smart ID 21.04: BatchSync now processes all records in one run for all use cases. | | X | | |
| CRED-10400 | History migration from SmartACT/ProACT. The migration tool to move from the old (EOL) products SmartACT/ProACT has been extended; SmartACT/ProACT history tables can now also be migrated into the IDM ObjectHistory. | | X | | |
| CRED-9117 | "start/stop/execute" for BatchSync. User experience has been improved for BatchSync. So far, the only way to execute the batch jobs was the cron expression in the configuration. Now it is possible to start/stop the scheduled jobs and also execute them immediately in the Admin panel in Identity Manager Operator. See Identity Manager Operator and Set up scheduled jobs in Identity Manager. | | X | | |
| CRED-10089 | Domain registration for QuoVadis PKI. With this release a new standard service task has been added to Identity Manager to do domain registration when using QuoVadis PKI. Use case: when a customer wants to issue TLS certificates for a new domain, the registration of the new hostname can now be done directly via workflows in Identity Manager instead of going through the QuoVadis portal. See Cert QuoVadis PKI - Standard service tasks in Identity Manager. | | X | | |
| CRED-10552 | Enabling/disabling authentication methods in Identity Manager. As part of the redesign of the Identity Manager Operator login screen, we also added the possibility to enable/disable dedicated authentication methods (such as username/password, SAML SSO or certificate-based login). A corresponding configuration was added to the Admin panel in Identity Manager Operator. This means that e.g. username/password can be deactivated to enforce strong authentication. The separate configuration of authentication methods for Smart ID Self-Service remains, so that authentication methods can be differentiated between Identity Manager Operator and Self-Service. See Identity Manager Operator. | | X | | |
| CRED-9115 | Connect to PKI service providers via proxy. For the connectors in Identity Manager to PKI service providers (D-Trust and QuoVadis), we have introduced the possibility to set up an HTTP proxy. Customers that have no direct Internet access from the application server can now route the traffic to the PKI service providers via a web proxy. See Integrate Identity Manager with D-Trust connector and Integrate Identity Manager with QuoVadis connector. | | X | | |
| CRED-10498 | Added Eject parameter to card encoding via Card SDK. From Smart ID 21.04 on, it is possible to control the eject behavior of card printers when printing and encoding cards via Identity Manager and Card SDK. In previous versions, when doing integrated encoding in the card printer, the card was by default ejected when card personalization was finished. In some cases a second encoding process is required (after a round trip to Identity Manager for execution of additional business logic). For that purpose, an additional parameter was introduced in the encoding files to decide whether the card should remain in the printer or be ejected. See Structure of an encoding description in Identity Manager. | | X | | |
| CRED-10528 | Performance improvement in CM Connector. The implementation of the CM Connector in Identity Manager has been improved for performance, specifically request throughput in high-load scenarios. The new implementation (based on the CM Toolkit) reuses an established TLS session for subsequent requests. | | X | | |
| CRED-10648 | Delete objects via SCIM. With this release we added the possibility to also delete objects in a SCIM service. The standard "delete Object" BPMN process task can now also be used on a SCIM data pool. When executing that task on SCIM, the system triggers deletion of the selected record in the foreign SCIM resource. See Set up process in Identity Manager. | | X | | |
| CRED-10142 | SAML logout in Identity Manager Operator and Self-Service. With Smart ID 21.04 we are introducing a session logout for Identity Manager Operator and Self-Service. This means that users who authenticate via SAML can now also log out with the ordinary logout button. Please note that this is just an ordinary invalidation of the user session in Identity Manager and not a SAML SLO: the SAML ticket remains valid after logout from Identity Manager or Self-Service. See Identity Manager Operator. | | X | | |
| CRED-10204 | Improved REST Process API. The Process REST API was extended to make querying data at a given user task more reliable: Interaction with existing clients behaves as before; client changes are required to take advantage of the new features. See Identity Manager Process REST API for details. Setting certificate validity dates now also supports the lexical xsd:dateTime format (see https://www.w3.org/TR/xmlschema-2/#dateTime). | | X | | |
| IDC-1723 | Support added for Interflex IF-6040 PACS connector. The Interflex IF-6040 PACS connector from Interflex Datensysteme GmbH (Allegion Group) is supported for all standard use cases in Smart ID Physical Access. See Set up integration with Interflex IF-6040. | | | X | |
| IDC-1765 | Docker Compose updates. Environment variables are now used for setting and reading configuration settings instead of app.config. | | | X | |
| DA-100 | Added ability to search user groups. Added the ability to search user groups instead of using dropdowns at multiple places, so that groups can be searched and added even if there are more than 1000 AD groups. | X | | | |
| DA-141 | Local users can be added as delegated administrator. Added the ability to add local users as delegated administrators under Delegated Management. This works for both Digital Access Admin and XPIs. | X | | | |
| DA-143 | Ericom client has been removed. Removed EricomClient / Access Now references from Digital Access Admin under Resources. This only removes the default standard resources, not the ones specifically added by users. Resources added by users have to be removed manually. | X | | | |
| DA-164 | Upgraded to Guacamole version 1.3.0. Added an option to URL-encode for the Guacamole web resource. | X | | | |
| DA-166 | Added support for TLS version 1.3.0. Removed support for SSL v2 and v3. Removed weak ciphers for TLS v1.0 and 1.1. Disabled weak ciphers by default for TLS v1.2. Known bug: the user certificate authentication method fails when TLS 1.3 is enabled. The workaround is to disable TLS 1.3. The fix will be included in a later DA release and communicated once released. | X | | | |
| DA-397 | Added Docker Swarm orchestration. Added Docker Swarm orchestration for Digital Access deployment in the virtual appliance. Read more here: Deploy Digital Access component. From version 6.0.5 onward, the command line is the only way to upgrade Digital Access versions (both online and offline upgrade); the v-apps and admin GUI upgrade options have been removed. More details can be found in the upgrade instructions for the different setups, see Upgrade Digital Access component. Also, upgrading to 6.0.5 and above removes the existing orchestrator and replaces it with the industry-standard Docker Swarm. | X | | | |
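DEVOPS-599 above makes the binary ObjectGUID usable as a data pool field and as a stable import/export identifier. The following is an added example (not Identity Manager code, and not part of the release note) showing the two things an integrator typically gets wrong when handling that attribute outside the product: the raw 16 bytes must be decoded with Windows' mixed-endian layout to get the GUID string AD tools display, and a binary value placed in an LDAP search filter must be escaped byte by byte (RFC 4515) rather than inserted as text. The sample bytes are constructed for the example.

```python
import uuid

# Constructed sample: the 16 raw bytes an LDAP client receives for objectGUID
# (an invented value, not taken from any real directory).
SAMPLE_OBJECTGUID = bytes.fromhex("3f2504e04f8911d39a0c0305e82c3301")


def objectguid_to_string(raw: bytes) -> str:
    """Convert raw objectGUID bytes to the canonical string AD tools display.

    Windows stores the first three GUID fields little-endian, so
    uuid.UUID(bytes=raw) would print a different (wrong) value; bytes_le
    performs the required byte swaps.
    """
    if len(raw) != 16:
        raise ValueError(f"objectGUID must be 16 bytes, got {len(raw)}")
    return str(uuid.UUID(bytes_le=raw))


def string_to_objectguid(text: str) -> bytes:
    """Inverse mapping: canonical GUID string back to the 16 raw bytes AD expects."""
    return uuid.UUID(text).bytes_le


def objectguid_filter(raw: bytes) -> str:
    """Build an RFC 4515 search filter for a binary attribute value.

    Every byte is written as \\XX so the server compares the raw octets;
    pasting the GUID string into the filter would never match.
    """
    if len(raw) != 16:
        raise ValueError(f"objectGUID must be 16 bytes, got {len(raw)}")
    escaped = "".join(f"\\{b:02x}" for b in raw)
    return f"(objectGUID={escaped})"


if __name__ == "__main__":
    guid = objectguid_to_string(SAMPLE_OBJECTGUID)
    print("display form :", guid)
    print("round trip ok:", string_to_objectguid(guid) == SAMPLE_OBJECTGUID)
    print("search filter:", objectguid_filter(SAMPLE_OBJECTGUID))
```

Using the decoded string as the export key keeps the identifier stable across renames and moves in the forest, which is exactly why the GUID is preferred over a DN or sAMAccountName when no other unique ID exists.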
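DEVOPS-588 raises the default generated-password policy to 16 characters with at least one number, one upper-case character and one special character. As an added example (not the Identity Manager implementation; the concrete set of special characters is an assumption for this example), the block below shows how such a policy is both checked and satisfied by construction using the OS CSPRNG, including the detail that the mandatory characters must be shuffled with a CSPRNG-driven shuffle rather than `random.shuffle`.

```python
import secrets
import string
from typing import List

# Policy as described in the release note: 16 characters with at least one digit,
# one upper-case letter and one special character. SPECIALS is an assumption.
PASSWORD_LENGTH = 16
SPECIALS = "!#$%&*+-=?@_"
ALPHABET = string.ascii_letters + string.digits + SPECIALS


def check_password_policy(pw: str) -> List[str]:
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(pw) < PASSWORD_LENGTH:
        problems.append(f"shorter than {PASSWORD_LENGTH} characters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    if any(c not in ALPHABET for c in pw):
        problems.append("character outside allowed set")
    return problems


def generate_password() -> str:
    """Generate a policy-compliant password from the OS CSPRNG.

    One character from each mandatory class is drawn first, so the policy holds
    by construction; the rest is filled from the full alphabet. The list is then
    shuffled with a Fisher-Yates pass driven by secrets.randbelow, because
    random.shuffle uses the non-cryptographic Mersenne Twister generator.
    """
    chars = [
        secrets.choice(string.digits),
        secrets.choice(string.ascii_uppercase),
        secrets.choice(SPECIALS),
    ]
    chars += [secrets.choice(ALPHABET) for _ in range(PASSWORD_LENGTH - len(chars))]
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


if __name__ == "__main__":
    candidate = generate_password()
    print(candidate, "->", check_password_policy(candidate) or "compliant")
    print("Abcdefghijklmno!", "->", check_password_policy("Abcdefghijklmno!"))
```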
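CRED-10204 states that certificate validity dates can now be passed in the lexical xsd:dateTime format. As an added example (not part of the product or the release note), the parser below maps that lexical form, `-?CCYY-MM-DDThh:mm:ss(.s+)?(Z|(+|-)hh:mm)?`, into a Python `datetime`, handling the details a client feeding validity dates into an API should get right: optional fractional seconds, the optional zone designator, the `24:00:00` end-of-day form permitted by XML Schema, and a sanity check that notAfter lies after notBefore and that both dates carry the same kind of zone information. All inputs in the block are constructed.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Lexical form of xsd:dateTime (XML Schema Part 2, section 3.2.7):
#   -?CCYY-MM-DDThh:mm:ss(.s+)?(Z|(+|-)hh:mm)?
_XSD_DATETIME = re.compile(
    r"^(?P<year>-?\d{4,})-(?P<month>\d{2})-(?P<day>\d{2})"
    r"T(?P<hour>\d{2}):(?P<minute>\d{2}):(?P<second>\d{2})(?P<frac>\.\d+)?"
    r"(?P<tz>Z|[+-]\d{2}:\d{2})?$"
)


def parse_xsd_datetime(text: str) -> datetime:
    """Parse a lexical xsd:dateTime; naive datetime when no zone is given."""
    m = _XSD_DATETIME.match(text)
    if not m:
        raise ValueError(f"not a lexical xsd:dateTime: {text!r}")
    year = int(m["year"])
    if year < 1:
        raise ValueError("years before 0001 are not representable by datetime")
    hour, minute, second = int(m["hour"]), int(m["minute"]), int(m["second"])
    # XML Schema allows 24:00:00 to mean the end of the day; datetime does not.
    end_of_day = hour == 24 and minute == 0 and second == 0
    if end_of_day:
        hour = 0
    micro = 0
    if m["frac"]:
        # keep at most microsecond precision, truncating extra digits
        micro = int((m["frac"][1:] + "000000")[:6])
    tzinfo: Optional[timezone] = None
    tz = m["tz"]
    if tz == "Z":
        tzinfo = timezone.utc
    elif tz:
        sign = 1 if tz[0] == "+" else -1
        off_h, off_m = int(tz[1:3]), int(tz[4:6])
        if off_h > 14 or off_m > 59 or (off_h == 14 and off_m > 0):
            raise ValueError(f"timezone offset out of range: {tz}")
        tzinfo = timezone(sign * timedelta(hours=off_h, minutes=off_m))
    # datetime() itself rejects impossible months, days, hours, minutes and seconds
    dt = datetime(year, int(m["month"]), int(m["day"]), hour, minute, second, micro, tzinfo=tzinfo)
    if end_of_day:
        dt += timedelta(days=1)
    return dt


def certificate_validity_window(not_before: str, not_after: str) -> timedelta:
    """Parse both validity dates and return the resulting validity period."""
    start, end = parse_xsd_datetime(not_before), parse_xsd_datetime(not_after)
    if (start.tzinfo is None) != (end.tzinfo is None):
        raise ValueError("mixing zoned and unzoned validity dates is ambiguous")
    if end <= start:
        raise ValueError("notAfter must be later than notBefore")
    return end - start


if __name__ == "__main__":
    # Constructed sample values
    for sample in ("2021-05-20T10:15:30Z", "2021-05-20T10:15:30.5+02:00", "2021-05-20T24:00:00Z"):
        print(sample, "->", parse_xsd_datetime(sample).isoformat())
    print("validity:", certificate_validity_window("2021-05-20T00:00:00Z", "2022-05-20T00:00:00Z"))
```

Rejecting a zoned/unzoned mix is deliberate: a naive notBefore combined with a UTC notAfter would be compared against whatever the server's local zone happens to be, which is exactly the kind of silent shift that produces certificates valid an hour longer or shorter than intended.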
Corrected bugs
| Jira ticket no | Description | Digital Access | Identity Manager & Self-Service | Physical Access | Messaging |
|---|---|---|---|---|---|
| CRED-10785 | Fixed setting the password in the EST registration service task. | | X | | |
| CRED-10769 | Fixed handling of empty files that are mapped to encrypted fields in CSV import. | | X | | |
| CRED-10678 | Fixed translations of coreObject state, template name and change state reason in Self-Service. | | X | | |
| CRED-10571 | Fixed escaping of special characters (such as "/") in the DN of an LDAP string. | | X | | |
| CRED-10566 | When changing a field value in Self-Service to "blank", the value was not removed from the BPMN process map, so the previous value was applied again. This has been fixed. | | X | | |
| CRED-10463 | If a check box was selected as the default value in the form designer, the value could be shown incorrectly in the form at runtime. This is fixed now. | | X | | |
| CRED-10485 | Fixed a client-side memory leak when doing smart card production via the Java PKI encoding client in combination with the CardOS API. | | X | | |
| CRED-10563 | Avoid a NullPointerException if a configured certificate template is not found during card encoding. | | X | | |
Copyright 2025 Technology Nexus Secured Business Solutions AB. All rights reserved.