Identity Server 2025.2 Release Notes
Release highlights
This release introduces the following new features and improvements:
Refresh Token Expiration
SSO 9.8, released as part of IDS 2025.2, adds the ability to manage refresh token expiration. The configuration is available in both the Management UI and the API and creates an expiration policy. Be aware that the policy can measure token lifetime from either the token's creation time or the time the token was last used. Documentation is found at Refresh Token Expiration - SSO. We encourage you to review the documentation; if questions remain, please open a Support ticket.
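The following is an added illustration, not SSO code and not its configuration schema: it models the two anchors the policy above can use (creation time versus last-used time) and replays a sequence of refresh attempts against each, so the difference is visible before you configure it. The optional hard cap (max_lifetime_seconds) is an assumption of this example, not a setting the release notes describe; it is included because a lifetime measured from last use is renewed by every refresh, so a regularly used token never expires unless something bounds it.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Anchor(Enum):
    """Which timestamp the refresh token lifetime is measured from."""
    CREATION = "creation"   # absolute: expires at issued_at + ttl, regardless of use
    LAST_USE = "last_use"   # sliding: expires at last_used_at + ttl, renewed on each use


@dataclass(frozen=True)
class RefreshTokenPolicy:
    anchor: Anchor
    ttl_seconds: int
    # Assumed hard cap (not taken from the release notes): even a sliding token is
    # refused once issued_at + max_lifetime_seconds has passed.
    max_lifetime_seconds: Optional[int] = None


@dataclass
class RefreshToken:
    issued_at: int       # Unix seconds
    last_used_at: int    # Unix seconds; equals issued_at until first use


def expires_at(token: RefreshToken, policy: RefreshTokenPolicy) -> int:
    """Compute the instant from which the token must be rejected."""
    base = token.issued_at if policy.anchor is Anchor.CREATION else token.last_used_at
    exp = base + policy.ttl_seconds
    if policy.max_lifetime_seconds is not None:
        exp = min(exp, token.issued_at + policy.max_lifetime_seconds)
    return exp


def is_valid(token: RefreshToken, policy: RefreshTokenPolicy, now: int) -> bool:
    return now < expires_at(token, policy)


def use_token(token: RefreshToken, policy: RefreshTokenPolicy, now: int) -> bool:
    """Simulate a refresh request at time `now`.

    Returns True and records the use if the token is within policy; returns False
    and leaves the token untouched if it has expired.
    """
    if not is_valid(token, policy, now):
        return False
    token.last_used_at = now
    return True


def simulate(policy: RefreshTokenPolicy, issued_at: int, use_times: List[int]) -> List[bool]:
    """Replay a sequence of refresh attempts and report which ones succeed."""
    token = RefreshToken(issued_at=issued_at, last_used_at=issued_at)
    return [use_token(token, policy, t) for t in use_times]


if __name__ == "__main__":
    # Constructed timeline: token issued at t=0, refresh attempted at these offsets.
    uses = [1000, 3000, 4000, 6500, 8000]
    absolute = RefreshTokenPolicy(Anchor.CREATION, ttl_seconds=3600)
    sliding = RefreshTokenPolicy(Anchor.LAST_USE, ttl_seconds=3600)
    capped = RefreshTokenPolicy(Anchor.LAST_USE, ttl_seconds=3600, max_lifetime_seconds=7000)
    print("absolute:", simulate(absolute, 0, uses))   # third attempt already refused
    print("sliding: ", simulate(sliding, 0, uses))    # every attempt renews the token
    print("capped:  ", simulate(capped, 0, uses))     # cap stops it at t=7000
```

With a one-hour lifetime, the creation-anchored policy refuses every refresh after t=3600 no matter how active the client is, while the last-use-anchored policy accepts all five attempts because each one restarts the hour. When choosing the last-used anchor, decide up front what bounds the total lifetime, since the policy alone does not.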
Default HTTP Header Security Filters
We continually strive to improve all aspects of the Identity Platform. While many customers may already apply HTTP security headers outside of SSO and CustomerID, we now include the option to apply three recommended filters for each application. The first, X-Content-Type-Options: nosniff, has no impact in any environment and is therefore enabled by default on all IDS 2025.2 installations. The other two, the Strict-Transport-Security header and its max-age directive, belong to HTTP Strict Transport Security (HSTS) and may impact current implementations: a browser that has received the header refuses plain-HTTP access to the host until max-age has elapsed. The HSTS settings are therefore defaulted to off (false) in the configuration, but we recommend testing with them enabled (true) during your release testing of IDS 2025.2.
Details of this improvement can be found on Security headers configuration - SSO and Security headers configuration - CustomerID.
Note: In the next release, IDS 2026.1, these HTTP header security filters will be enabled (set to true) by default.
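For the release testing recommended above, the following added check (written for these notes, not part of SSO or CustomerID) takes a response header map and reports whether the nosniff and HSTS filters are actually present and sane. The one-year minimum for max-age is this example's assumption, chosen because it is the value HSTS preload lists commonly require; the sample responses are constructed, not captured from a real deployment.

```python
from typing import Dict, List


def parse_hsts(value: str) -> Dict[str, str]:
    """Split a Strict-Transport-Security value into lower-cased directives.

    'max-age=31536000; includeSubDomains' -> {'max-age': '31536000', 'includesubdomains': ''}
    """
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_security_headers(headers: Dict[str, str], min_max_age: int = 31536000) -> List[str]:
    """Return findings for the filters this release adds; an empty list means all are in place.

    Header names are matched case-insensitively, as HTTP requires. min_max_age is an
    assumption of this example (one year), not a value from the release notes.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    xcto = lower.get("x-content-type-options", "").strip().lower()
    if xcto != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")

    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
        return findings
    directives = parse_hsts(hsts)
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("HSTS max-age missing or not numeric")
    elif int(max_age) < min_max_age:
        # max-age=0 lands here too: it tells browsers to forget the host's HSTS entry.
        findings.append(f"HSTS max-age={max_age} is below {min_max_age}")
    return findings


# Constructed sample responses (not captured from any real SSO or CustomerID instance).
BEFORE = {"Content-Type": "text/html"}
AFTER = {
    "Content-Type": "text/html",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    for name, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(name, check_security_headers(hdrs) or ["OK"])
```

When first enabling HSTS in a test environment, start with a short max-age (a few minutes) and only raise it once every host behind the name serves HTTPS correctly; browsers cache the directive, so a mistaken long max-age, especially with includeSubDomains, locks clients out of any plain-HTTP host under that name until it expires.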
General Observations and Improvements
While removing several CVEs during the development of SSO 9.5 as part of IDS 2024.2, we inadvertently overlooked an issue that impacts high-volume environments. Updating the third-party components used in SSO caused over-use of threads and thread pools within SSO. In very large environments this is experienced as high CPU utilisation on the SSO server, memory exhaustion or a total environment outage. This has been corrected in the current release of SSO. Additionally, we are releasing the SSO 9.5.2 and SSO 9.6.1 patches, which correct the thread pool exhaustion otherwise seen in SSO 9.5.1 and SSO 9.6.0.
User Enumeration
We also recommend reviewing the following statement concerning login timing, better known as user enumeration. Over time there have been a number of questions about Identity Platform applications allowing a potential attacker to distinguish real user names from non-existent ones, which would help the attacker select an account to phish or to brute-force its password. Best practice manages this risk at the proxy or firewall, not within the individual application. Please see the information page on User Enumeration.
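To verify during release testing whether a login endpoint actually exposes the timing signal described above, the following added example (written for these notes, not an Ubisecure tool) compares response latencies collected for an existing user name against those for an unknown one. It uses medians and the median absolute deviation so that a few slow outliers do not mask or fake a gap; the threshold of three times the jitter is this example's choice, and the latencies are constructed, not measured from any product.

```python
from statistics import median
from typing import List, Tuple


def _mad(values: List[float], center: float) -> float:
    """Median absolute deviation: a jitter estimate that ignores outliers."""
    return median(abs(v - center) for v in values)


def timing_leak(existing_user_ms: List[float], unknown_user_ms: List[float],
                threshold: float = 3.0) -> Tuple[bool, float, float]:
    """Decide whether login latency separates existing from unknown user names.

    Returns (leaks, gap_ms, noise_ms): gap is the difference of the two medians,
    noise is the larger of the two MADs (floored at 0.01 ms to avoid division-free
    false positives on constant input), and the endpoint is flagged when
    gap > threshold * noise.
    """
    m_existing = median(existing_user_ms)
    m_unknown = median(unknown_user_ms)
    noise = max(_mad(existing_user_ms, m_existing), _mad(unknown_user_ms, m_unknown), 0.01)
    gap = abs(m_existing - m_unknown)
    return gap > threshold * noise, gap, noise


# Constructed latencies in milliseconds (not measurements of any real deployment).
# Leaky case: unknown names short-circuit before the password hash and return far faster.
LEAKY_EXISTING = [118.0, 121.5, 119.2, 124.8, 120.1, 122.3, 117.9, 123.0]
LEAKY_UNKNOWN = [14.2, 15.8, 13.9, 16.1, 14.7, 15.3, 14.0, 15.9]
# Uniform case: both paths cost the same, so only network and scheduling jitter remains.
UNIFORM_EXISTING = [118.0, 121.5, 119.2, 124.8, 120.1, 122.3, 117.9, 123.0]
UNIFORM_UNKNOWN = [119.4, 120.9, 118.3, 123.7, 121.6, 119.8, 122.0, 120.5]

if __name__ == "__main__":
    for label, a, b in (("leaky", LEAKY_EXISTING, LEAKY_UNKNOWN),
                        ("uniform", UNIFORM_EXISTING, UNIFORM_UNKNOWN)):
        leaks, gap, noise = timing_leak(a, b)
        print(f"{label}: leaks={leaks} gap={gap:.1f}ms noise={noise:.1f}ms")
```

Collect the two sample sets from the same client over the same network path, interleaving requests rather than running one set after the other, so that load changes do not masquerade as a signal. A positive result tells you the application answers the two cases differently; the release notes' recommended place to manage the resulting risk is the proxy or firewall (uniform error responses and rate limiting in front of the login endpoint), not a change inside the application.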
SSO Modules update
Please review the updated System Recommendations page and be aware of the 3rd Party License page.
IDS 2026.1
Looking towards the first release of 2026, we would like to highlight the system-wide changes that will take place. All API and UI functions will remain unchanged.
Identity Platform will be updated from Java 11 to Java 21.
SSO will undergo a major version update to SSO 10.x.x and will use Tomcat 10.x.x as its web server.
CustomerID will undergo a major version update to CustomerID 7.x.x and will use Spring Boot in place of WildFly.
HTTP security headers (see above) will be enabled by default.
Contents
- 1 Release highlights
- 2 Change log
- 2.1 SSO 9.8.2 + CertAP 9.8.2
- 2.2 SSO 9.8.1 + CertAP 9.8.1
- 2.3 SSO 9.8.0
- 2.3.1 New Features
- 2.3.2 Improvements
- 2.3.3 Corrections
- 2.4 CustomerID 6.7.0
- 2.4.1 New Features
- 2.4.2 Improvements
- 2.4.3 Corrections
- 2.5 Identity Platform Modules
- 3 Deviations
- 3.1 SSO
- 3.2 CustomerID
Change log
SSO 9.8.2 + CertAP 9.8.2
IDS-5540 - During the development of SSO 9.8.0, unexpected SessionStore keys were left unmanaged. In very large deployments this results in system overuse and an eventual crash. These SessionStore keys are now fully managed; systems using SSO with Redis should apply this patch.
This patch also updates Tomcat to 9.0.118. No other changes have been made to SSO.
SSO 9.8.1 + CertAP 9.8.1
IDS-5390 - A deviation was discovered when using SSO 9.8.0 and CertAP 9.8.0 with a specific pki-policy configuration concerning the handling of altSecurityIdentities, caused by updated handling of JDK classes. It resulted in failed CertAP assertions that are immediately visible in the logs. If you have not experienced any issues using SSO 9.8.0 and CertAP 9.8.0, your environment is unlikely to be affected. Corrective releases for both SSO and CertAP are being made available during week 7.
SSO 9.8.0
New Features
IDS-5130 - Refresh Token expiration - SSO, as detailed at the top of this page.
Improvements
IDS-5094, IDS-5114, IDS-5115 and IDS-5127 - In the Management UI, non-alphanumeric (Unicode) characters caused breakage in the Authorisations tab, in user names on the Mappings tab and in the User Impersonated By table. These have been corrected, but you may observe other errors in the Management UI when using non-alphanumeric characters; see SSO deviation IDS-5314. If these characters are needed, please open a Service Desk ticket so we can prioritise their correction.
IDS-5266 - Due to increased security and compliance requirements in web browsers, the use of Suomi.fi as an authenticator required a modification to SSO logout to handle SAML single logout (SLO). With SSO 9.8, SAML SLO continues to function. Separately, as previously announced in IDS 2025.1, Ubisecure no longer supports SAML SP for ASP.NET. The SAML SP for ASP.NET module is built on a version of .NET that is no longer maintained by Microsoft; it continues to function and to support integrations with SSO 9.8. If you use this module on older Identity Platform versions and wish to upgrade .NET in your environment, please contact Support for a suggested solution.
IDS-5214 - In MobileID, the nonce parameter is now written to the audit log.
IDS-5096 - When using CertAP, the default integration logged a WARN entry (SAMLEndpointNotFoundException) if the URL was not configured correctly. This has been lowered to an INFO entry.
Corrections
IDS-2478 - This was believed to be a bug. Upon investigation, there is no reliable way for SSO to present an alternate message depending on the authentication cancellation type (user error, user access denied or user cancelled). If authentication is terminated by any relying party, for any reason, the user will see "access denied". While not helpful to the end user, this information should assist a support desk in determining whether the user has locked their account or lacks permission to access a specific service. This ticket will continue to appear under Known Issues for future reference.
IDS-1499 - There was a known issue where SSO returned HTTP 401 rather than HTTP 400 for token introspection requests without an authentication header or with invalid credentials. This has been corrected; HTTP 400 is now returned.
IDS-3730 - There was a known issue where, for an application using refresh tokens with the "Force Reauthentication" configuration, the refresh tokens were immediately invalidated. The feature for managing refresh tokens has been released in SSO 9.8; see the improvement details above.
IDS-4965 - When using SMS POST requests, an error permitted no password to be set; the UI would still encrypt and show a saved password, but it did not function. This has been corrected.
IDS-1893 - This was corrected in IDS 2025.1 but overlooked when the release notes were written and published. It was a prior deviation where, when using OpenID authentication, a user could not access SAML or Ubilogin web applications. This has been resolved as of SSO 9.6 and is recorded here in the SSO 9.8 release notes.
CustomerID 6.7.0
New Features
Improvements
IDS-5239 - In the CustomerID API, a number of improvements ensure that user removal calls clear the user record in both PostgreSQL and OpenLDAP.
Corrections
IDS-2683 - There was a known issue where the CID REST APIs 2.0 and 2.1 did not locate organisations with URL-encoded characters in their names. This has been corrected.
IDS-5048 - The step to streamline user creation was not working correctly: when ui.createuser.roleadd.enabled = false was set in the eidm2 properties, the select roles step was still visible in the createuser workflow. This has been corrected; no select roles step is shown when the configuration is set to false.
IDS-5057 - There was a known issue where a user invitation could be used after its expiry date. If an invited user created their account after the expiry (for example, expire.pendinguser = 2d), the account was not created correctly and had to be removed manually before a new invitation and account could be created. This has been corrected.
IDS-5117 - Similar to IDS-5057, if a user registration expired while the user was completing it (for example, with expire.pendinguser set to a short interval of 10 to 15 minutes), user elements were removed from PostgreSQL while they remained in LDAP. This has been corrected.
We will continue to investigate user creation issues (see CID deviation IDS-5191) in upcoming releases.
Identity Platform Modules
CertAP (Certificate Authentication Provider) - CertAP has been updated to align with SSO 9.8. Please see the CertAP change log for details. If this module is used in your operational environment, we encourage you to request and test it. If any errors are observed, please open a Service Desk ticket including a log file demonstrating the error and the current configuration in which CertAP is used.
IDS-1030 - There was a known issue when using CertAP in a Windows environment: running the CertAP step.cmd reported errors about missing Linux tags. This has been resolved.
SAML SP for Java - SAML SP for Java is available for use with SSO 9.8. If this module is used in your operational environment, we encourage you to request and test it.
Metadata Updater - Metadata Updater is available for use with SSO 9.8. If this module is used in your operational environment, we encourage you to request and test it.
Swedish BankID - IDS-4987, IDS-4856 and general testing.
As a reminder, and as noted in the IDS 2025.1 SAML SP for ASP.NET installation guide - SSO: while this adapter can continue to be used, Ubisecure no longer supports the SAML SP for ASP.NET module. If you use this module on older Identity Platform versions and wish to upgrade .NET in your environment, please contact Support for a suggested solution.
If you are upgrading from a prior version to IDS 2025.2, please review the change log: Identity Platform.
Deviations
The following deviations exist in Identity Platform and are expected to be corrected over time. For a list of known issues in Identity Platform, please see: Considerations, limitations and known issues.
SSO
| Ticket number | External description |
|---|---|
| IDS-561 | There is a known issue where SSO does not check the mappingURL value when creating or editing inboundDirectoryMappings via the SSO REST API. Directory mappings can be created but then cannot be opened or edited. |
| IDS-1629 | There is a known issue resulting in unclear error messages. When a user is configured without a phone number and the SMS OTP method is added to their profile, one of two error messages results. If SMS OTP is the only authentication method enabled, the message is "The user account is disabled". If other authentication methods are enabled, the message is "Access to the requested resource is denied". |
| IDS-1648 | This known issue is only present with password2. The user is presented with a popup "Update: Invalid account Status" if one of the previous three passwords is used when asked to update their password. There is no known workaround. |
| IDS-1662 | Using any of the following special characters in a search results in an internal server error 500 and a stack trace: + = # ; , < > Workaround: administrators should not use these symbols when naming or searching for users. |
| IDS-2090 | There is a known issue where the SSO management UI does not filter results correctly if the filter expression is short, contains incorrect filter expressions and includes Scandinavian characters. |
| IDS-2244 | There is a known issue when using special characters in the SSO management API persistentID name mapping, which may result in incorrect site or policy id values being returned. Recommended workaround: do not use special characters such as "=", "," or "#" in site and policy mapping names. |
| IDS-2260 | There is a known installation issue when using SSO Password reset. The installation instructions for the password reset tool require an administrator to run tomcat update. This occasionally creates an empty context.xml file, which causes SSO to fail on restart. Workaround: repeat the run tomcat update step, which creates a correct .xml file, after which SSO restarts. |
| IDS-2790 | There is a known issue where an invalidly formatted request to the introspection endpoint returns a stack trace that includes the server version number. This can be mitigated by following our security considerations for using a reverse proxy and customising error pages with HAProxy: Security considerations for production environments - SSO. |
| IDS-3092 | There is a known issue where administrators are unable to alter password encoding through the SSO management UI. There is no known UI workaround. |
| IDS-3625 | There is a known issue where an ERROR 500 message with a stack trace is shown in the browser if no valid encryption key is available in SSO. Mitigation: use a reverse proxy to catch all 500 errors and serve user-friendly information; see Security considerations for production environments - SSO. |
| IDS-3665 | There is a known issue where the authorisation endpoint may become corrupted if a URL contains "%20" in URL-encoded format. |
| IDS-3971 | There is a known issue which results in a non-impacting stack trace being logged when updating metadata using ManagedScheduledExecutorService for SAML 2 AP. There is no known workaround for this non-impacting log event. |
| IDS-4202 | There is a known issue where attributes forwarded from an external authentication method are not available after the access token has been refreshed. No known workaround is available at this time. |
| IDS-4644 | There is a known issue where the use of special characters in a user's name, such as ")" (for example "Bud)"), breaks the user mapping view. Workaround: do not permit special characters in user names. |
| IDS-4669 | There is a known issue where the status refresh does not update entryTtl for dynamic session objects. There is no known workaround at this time. |
| IDS-4733 | There is a known issue within SSO which could permit XML external entity expansion. Additionally, there is a known issue within SSO which could allow header injection. Both items will be corrected in an upcoming patch, SSO 9.4.1. |
| IDS-4967 | There is a known issue where SSO may leave IO streams improperly closed, which results in a diag log warning at SSO server shutdown because the LDAP connection thread could not be shut down. |
| IDS-5031 | There is a known issue with TOTP as nextFactor for OIDC which results in user access denied if the user has not first selected an OIDC authentication method. The workaround is to instruct users to select the existing OIDC authentication first, with TOTP as MFA. |
| IDS-5314 | There is a known issue where it is not possible to create an authentication method with Unicode characters in the name. |
CustomerID
| Ticket number | Description |
|---|---|
| IDS-1373 | There is a known issue in CustomerID where, when a new user is created in a non-virtual organisation, the invitation can contain a role even though no role has been approved for that user. |
| IDS-1509 | There is a known issue where, when a new user is invited to a virtual organisation, the CustomerID administrator cannot approve the user; an internal server error occurs. |
| IDS-1706 | There is a known issue with null values (DbAssignable.set and DbAssignable.isNull) which may result in NullPointerExceptions when using REST calls. This impacts Roles, Mandates and Invitations. |
| IDS-2312 | There is a known issue in the approval view where changing the technical name of an organisation to include Scandinavian letters does not work. |
| IDS-2703 | There is a known issue where a role name differing only in case can be created, resulting in one LDAP entry and two SQL entries. |
| IDS-2816 | There is a known issue which causes an unhandled exception if the user's SMTP server cannot be resolved. This leads to a database collision which may prevent the same email address from being used again, as it already exists in the database in a partially created form. |
| IDS-2876 | There is a known issue where, if a user is rejected from the UI, the error "Error when trying to get approval request with ID: null" is logged together with a stack trace. This stack trace can be safely ignored. |
| IDS-2934 | There is a known issue in CustomerID Mandates where no re-notify email is sent to a new user to register using a mandate invitation. An admin user sends a mandate from the Admin UI to a new user who is not registered in the system. The email is sent correctly, but no re-notify is sent to register in the system. The mandate expires correctly and an email is sent stating that the mandate has expired. |
| IDS-2941 | There is a known issue where an NPE occurs if an administrator views an ORG2PER mandate from the CustomerID management UI. |
| IDS-3058 | There is a known issue in the change password application of CustomerID where the return URL is missing a forward slash (returns "https:/" rather than "https://"), resulting in a failed redirect if the cancel button is enabled. |
| IDS-3765 | There is an issue with JDK 11.0.15 that prevents WildFly from working. |
| IDS-5191 | There is a known issue where a user entry remains in LDAP in a broken state when a user invitation expires after user registration has started. |
| IDS-5278 | There is a known issue where, if a user's status is locked because incorrect authentication details were entered multiple times, the CID UI shows the account status as locked. However, the REST API does not show the status as locked; it still shows the status as enabled. |