Release date: 2024-11-29
Main new features
End-to-end ECC support
In Germany, the Federal Office for Information Security (BSI) has advised using RSA keys of at least 3000 bits since the beginning of 2023. Longer RSA keys have drawbacks, however: they take longer to generate and use more space on the cards. An alternative is to use elliptic curve cryptography (ECC) keys instead.
Previous versions of Identity Manager supported elliptic curve cryptography for some middleware programs and some Certificate Authorities (CAs).
Identity Manager 5.0.0 supports key archival of ECC keys with Certificate Manager and the use of ECC keys with Nexus Personal Desktop Client. This feature helps existing customers benefit from ECC keys without changing their general setup.
Entra connector
Microsoft Entra is widely used to hold employee master data. Identity Manager needs to synchronize with that master data so that it always has the latest employee data and can send back the latest information about the corresponding cards and certificates.
Identity Manager can already synchronize with various HR systems and LDAP directories. With the new connector, an Identity Manager setup is also possible in an environment where Microsoft Entra holds the employee master data. The connection is established via SCIM datapools and the new Entra connector.
Searching and sorting are limited to the functionality provided by the Microsoft Graph API, see https://learn.microsoft.com/en-us/graph/aad-advanced-queries?tabs=http#user-properties. Performance is limited by the throttling that Entra applies, see https://learn.microsoft.com/en-us/graph/throttling.
For more information, see Set up Microsoft Entra connector.
Responsive self-service portal
Smart ID Self-Service is the interface of Identity Manager that end users interact with. It is a web portal used by all persons whose identity is managed, so it has a large number and wide range of users.
Here are example use cases that can benefit from the improved responsiveness in the Self-Service portal:
Access Smart ID Self-Service on mobile phone whenever that is more convenient
Organizations where users have Chromebooks as their primary device
A truly responsive design also helps visually impaired people who use large zoom factors.
The responsive design enables mobile use cases around Physical ID where action is needed on site.
New BPMN engine
Identity Manager includes a workflow engine in which the processes around card and credential management are custom built. This makes Identity Manager more flexible.
As Activiti 5 is no longer supported, the BPMN engine has been switched to Flowable. The new engine improves performance and parallelization and provides new possibilities to be explored, for example, forms editing and process monitoring. Editing processes will be simplified with the new Nexus Process Modeler that can be used as a separate application as well as from inside Identity Manager Admin.
Flowable is available as an open source version and as a commercial version called “Flowable work”. There is a community ensuring further development of the product.
Configurations made for Activiti can be run with the new Flowable engine, which allows a smooth upgrade. The migration is done automatically, see Upgrade Smart ID Identity Manager from 23.10.9 to 5.0.1.
Flowable is a fork of Activiti and it is BPMN 2.0 compliant.
Bootstrapping validation
Smart ID Identity Manager is a security application based on public key infrastructure. It uses keys and certificates to encrypt secrets managed within the application, to sign the object history to make it audit-proof, and for other key-related use cases. All these keys and certificates need to be created and moved to the right places, a procedure known as bootstrapping. As it is crucial for the security of the application that secure keys are used, a validation of the bootstrapping has been introduced. Demo keys are no longer delivered with the software. This increases the effort of setting up demo and test systems, but it protects productive systems from accidentally using publicly known keys.
For help with first-time bootstrapping and for instructions on replacing compromised keys and certificates later, see Bootstrapping the sign and encrypt engine.
Removed features and changes in delivery
Support for encodings of USB tokens via Card SDK is discontinued
The support for encodings of USB tokens via Card SDK is discontinued.
A workaround for the Java bug https://bugs.openjdk.org/browse/JDK-8026326 (implemented in CRED-13615) was removed, as it is incompatible with Java 17 and above and thus prevents moving forward with support for newer Java versions. This bug causes errors in reader detection once the last remaining reader has been removed or disabled and it, or another reader, is added or connected again during the lifetime of the Java process. In this case the smart card service is restarted, which Java fails to handle gracefully.
USB tokens integrate the PKI chip and the reader in one device, so they tend to be affected by this issue, unlike PKI encoding on smart cards, where the reader remains connected. PKI encoding of USB tokens can be handled by Smart ID Desktop App instead.
For more information, see Upgrade Smart ID Identity Manager from 23.10.9 to 5.0.1.
Support for some CardOS related encodings has been removed
Support for OsVersionField and PackageInformationField has been removed from encoding descriptions. This feature was specific to CardOS smart cards. APDU commands can be used to get the same result.
For more information, see Upgrade Smart ID Identity Manager from 23.10.9 to 5.0.1.
Deprecation of Service Task "Cert: Update Certificate State from CRL"
The service task "Cert: Update Certificate State from CRL" (delegate expression ${updateCertificateStateFromCRLTask}) is no longer recommended, as severe performance problems are likely. Instead, it is recommended to push CRLs from the CA.
For Certificate Manager and Identity Manager, the procedure is described in Push CRL from Certificate Manager to Identity Manager.
Configuration files excluded from the Smart ID package
The configuration files SmartID-xxx-configuration.zip are no longer delivered with the Smart ID package. These configuration files were the basis of the Smart ID Workforce module. They are replaced by the Smart ID Workforce use cases, available as separate package from the Nexus download portal.
Smart ID Workforce use cases for Identity Manager 5.0.1 are not yet available.
Open source libraries delivered with Smart ID package
A list of open source libraries used with Smart ID Identity Manager is delivered with Identity Manager on the Nexus support portal as the file SmartID-xxx-open-source.zip.
SmartAct-Migration tool
The SmartAct-Migration tool is no longer delivered with the Smart ID package. Contact Nexus support if you need it.
Nexus Activiti Designer replaced by Nexus Process Modeler
Nexus Activiti Designer will not be delivered with Smart ID from this release onwards. It can still be used with Smart ID Identity Manager, but recent features are not supported. It is recommended to try Nexus Process Modeler instead.
Replacement of the quick search feature in Smart ID Self-Service
In Smart ID Self-Service, lists of Persons, Cards, Mobile IDs or other objects can be displayed via the corresponding top-level menu entries. These lists are based on search configurations that are set up in Smart ID Identity Manager Admin. There used to be a quick search and filter bar on top of each list. This has been replaced by a filter panel that reflects the underlying search configuration. The filter panel allows more explicit filtering and a better understanding of the displayed results.
Detailed description of features
Features
Jira ticket number | Description |
---|---|
CRED-12528 | The bootstrapping procedure, that is, the creation and placement of keys needed in Smart ID Identity Manager for different purposes, has been made more secure. For more information, see Sign and encrypt engine in Identity Manager and Upgrade Smart ID Identity Manager from 23.10.9 to 5.0.1. |
CRED-13624 | The business process engine included in Smart ID Identity Manager has been switched from Activiti to Flowable. For more information, see Cleanup Flowable process history in Identity Manager and Upgrade Smart ID Identity Manager from 23.10.9 to 5.0.1. |
CRED-13706 | The support for encodings of USB Tokens via Card SDK is discontinued. PKI encoding of USB tokens can now be handled by Smart ID Desktop App. For more information, see Upgrade Smart ID Identity Manager from 23.10.9 to 5.0.1. Read more in the Removed features and changes in delivery section above. |
CRED-15871 | A connector is now available to allow user synchronization between Smart ID Identity Manager and Microsoft Entra. Read more in the Main new features section above. For more information, see Set up Microsoft Entra connector. |
CRED-15873 | Improved responsiveness in Smart ID Self-Service. The Self-Service is now usable on small screens like mobile phones or with large zoom. Read more in the Main new features section above. |
CRED-15893 | A validation of the expression will be done in Identity Manager Admin when adding a Kerberos 5 Principal Name value in a certificate configuration. |
CRED-16320 | When showing a list of objects in a form, it is now possible to add checkboxes for selection to the list and to work with the selected entries. |
CRED-16749 | The performance of the cleaning of the ObjectHistory has been improved. |
CRED-16776 | Support for key archival and recovery of ECC keys with Certificate Manager has been added. This requires Certificate Manager version 8.10 or later. |
CRED-16798 | Added a rate limit filter to the Tomcat configuration in docker to prevent DoS attacks. Individual adjustments are possible. For more information, see Harden Tomcat. |
CRED-16972 | In Self-Service, interactive elements are now labeled with their role so that screen readers can recognize them. |
CRED-17366 | Support for OsVersionField and PackageInformationField has been removed from encoding descriptions. Read more in the Removed features and changes in delivery section above. For more information, see Upgrade Smart ID Identity Manager from 23.10.9 to 5.0.1. |
CRED-18099 | If there are many buttons on a form in a process, a primary button can now be defined. See Configure display of buttons in Identity Manager for more information. |
CRED-18951 | When configuring SAML in Smart ID Identity Manager, request signing and verification settings now default to true if not specified in the metadata file. See Enable two-factor authentication to Identity Manager clients via SAML federation for more information. |
CRED-19161 | In order to avoid ZIP bomb attacks, the compression ratio is checked when uploading zip files. The allowed compression ratio can now be configured. See List of Identity Manager system properties for more information. |
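The compression-ratio check described for CRED-19161, shown as an added example that is not Identity Manager's own code: the archive is inflated in bounded chunks and the real inflated size is measured as it grows, so a bomb is rejected before it is fully expanded and header sizes are never trusted. The ratio limit of 100 and the 10 MiB total cap are placeholder values chosen for the demo, not the product's configured defaults.

```python
import io
import random
import zipfile

CHUNK = 64 * 1024  # inflate in 64 KiB steps so a bomb is caught early


def build_zip(entries):
    """Build a small in-memory zip archive (constructed sample data for the demo)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def check_zip(data, max_ratio=100.0, max_total=10 * 1024 * 1024):
    """Return (accepted, ratio) for an uploaded zip archive.

    The ratio is computed from bytes actually inflated, not from the sizes
    declared in the central directory (which an attacker controls). Inflation
    stops as soon as the running ratio or the total inflated size exceeds
    the limits, so the upload is rejected without expanding the whole bomb.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        compressed_total = max(sum(i.compress_size for i in zf.infolist()), 1)
        inflated = 0
        for info in zf.infolist():
            with zf.open(info) as member:
                while chunk := member.read(CHUNK):
                    inflated += len(chunk)
                    ratio = inflated / compressed_total
                    if inflated > max_total or ratio > max_ratio:
                        return False, ratio  # reject: bomb-like archive
        return True, inflated / compressed_total


# Constructed inputs: incompressible random bytes (legitimate upload)
# and 2 MiB of zeros, which deflate shrinks roughly 1000:1 (bomb-like).
BENIGN_ZIP = build_zip({"photo.bin": random.Random(1234).randbytes(4096)})
BOMB_ZIP = build_zip({"zeros.bin": b"\x00" * (2 * 1024 * 1024)})

if __name__ == "__main__":
    for label, archive in (("benign", BENIGN_ZIP), ("bomb", BOMB_ZIP)):
        accepted, ratio = check_zip(archive)
        print(f"{label}: accepted={accepted} ratio={ratio:.1f}")
```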
Corrected bugs
Jira ticket number | Description |
---|---|
CRED-16398 | Previously in Identity Manager Admin, when editing a process with the BPMN editor, there was no reminder to save when leaving the tab. This has been fixed. |
CRED-17721 | On card encodings for card selection, an additional check of the ICCSN has been introduced to improve security. See Reader/card selection and information in Identity Manager for more information. |
CRED-18101 | Updating certificate state from CRLs would sometimes not find certain certificates due to upper/lower case differences in the serial number. This has been fixed. |