Skip to main content

4.6.3

Features and improvements

Google Applications

  • WinHTTP usage

    Updated connectors that use WinHTTP calls to log both the HTTP method and the URL, so it is clearer which API calls are being made during troubleshooting.

  • Security cleanup on account changes

    Updated the Google Apps connector to support clearing app‑specific passwords, backup verification codes, third‑party tokens and disabling two‑step verification as part of the reset, disable, delete and update operations. This helps ensure sessions and related credentials are cleaned up when an account is changed or deactivated.

  • Group create operation

    Enabled and fixed the Google Applications connector’s groupcreate operation so that creating groups on Google Apps targets now works as documented.

  • Roles with empty descriptions

    Fixed the list‑groups‑as‑roles operation so that roles with empty descriptions no longer cause the connector to crash.

SAP Server (Netweaver 7.5+)

  • CUA user systems

    Updated the SAP Server (Netweaver 7.5+) connector to comment out reading the ZMT_USER_SYSTEMS_READ function for CUA systems, improving stability for those environments.

  • Local roles and profiles

    Added the LOCACTIVITYGROUPS and LOCPROFILES table lookups and their account attributes so the SAP Server (Netweaver 7.5+) connector supports SAP / CUA systems that use local ACTIVITYGROUPS and PROFILES.

  • Memory usage

    Ensured that RfcDestroyFunction is always called when using the SAP connector, reducing memory usage during large account listings, especially when account‑attribute listing is enabled.

Salesforce

  • Support has been added for version 65.0 of the Salesforce SOAP API.

Palo Alto Networks firewall with PAN‑OS (SSH) (agtpanos)

  • Updated the Palo Alto Networks firewall with PAN‑OS (SSH) connector so that auto‑discovery (listing objects) and password reset operations function reliably during onboarding.

Okta connector (agtokta)

  • Timestamp logging

    Updated the Okta time conversion helper to return an empty string when the Okta time value is empty, eliminating “not a valid format []” notice messages when Okta timestamp fields (such as last login) are missing.

Linux / Unix SSH (unixssh.py)

  • Account names with dots

    Updated the unixssh.py script for the Python‑based connectors to allow a dot/period (.) in user/account IDs, matching what modern Linux distributions permit.

Active Directory (agtaddn)

  • Expired password/account handling

    Reintroduced support for the AD_VERIFY_EXPIRED_PW and AD_VERIFY_EXPIRED_ACCT registry options so you can control whether expired passwords and expired accounts are treated as login failures.

  • Updated Active Directory (agtaddn) computer attribute listing to exclude msDS-RevealedUsers and msDS-AuthenticatedToAccountList, as these lengthy multi-valued attributes exceed the discovery queue size limit.

Azure Active Directory (agtazure)

  • Better handling of new users.

    Updated the Azure AD connector to tolerate Microsoft Graph’s eventual consistency when creating users. After a successful user create, the connector now uses the object ID for follow‑up checks and applies targeted retry logic to PATCH operations, so attribute updates that happen immediately after creation no longer fail due to transient “resource does not exist” responses.

Exchange (agtexg2k7)

  • Updated the Exchange 2007+ Server connector (agtexg2k7) to add the longid for the agent output for the create operation and for when users already exist.

  • Exchange connector now supports OAuth 2.0 authentication for Exchange Online (list operations only; on-premises Exchange continues to use Basic Authentication).

PowerShell (agtps)

  • Logging level

    Updated the PowerShell connector so that variable conversion messages are logged at Debug level instead of Info, reducing noise in normal logs.

Resolved issues

DUO authentication (agtduo)

  • Fixed an issue in the DUO Authentication connector where challenge‑response authentication could intermittently crash when a user had no DUO authentication methods configured.

Okta (agtokta)

  • Notice log spam from empty timestamps

    Eliminated repeated “not a valid format []” notices when Okta timestamp fields are missing.

  • Okta Verify OTP with multiple devices

    Modified the Okta connector to show a single challenge‑response option for the Okta Verify OTP method. The single option now accepts OTP codes from multiple registered Okta Verify factors (for example Okta Verify and Google Authenticator), avoiding confusion when several OTP factors exist for the same user.

  • Fixed an issue with the Okta connector (agtokta) to ensure that when methods from the "Authentication methods order" target address configuration are not configured that the matching Okta methods are not shown for the user on authentication for Okta challenge response.

Oracle script targets (agtorascript)

  • Sanitized log messages when a password reset fails due to the password containing comment‑like sequences, so plaintext passwords are no longer written to logs.

  • Plaintext password in logs

    Ensured logs no longer display plaintext passwords when a password reset fails due to comment‑like sequences in the password.

SAP

  • Resolved an issue with the SAP Server (Netweaver 7.5+) connector (agtsapnw) when listing users filtered with a selection range to add more than one selection criterion.  This was previously causing an issue to only list from one selection range.

  • Fixed an issue with the SAP Hana Database connector (agthana) when encryption is used for the target address configuration.

Siteminder (agtsm)

  • Fixed an issue in the Siteminder connector (agtsm) so that it now correctly saves the list override setting.

Windows server

  • Fixed an issue to include default global attributes when an attribute override is used.

Active Directory connector (agtaddn)

  • Active Directory connector – expired password/account handling

    Restored the documented behaviour for how expired passwords and accounts affect login checks via registry options.

Azure AD (agtazure)

  • New user creation falsely reported as failed

    Fixed a bug where Azure user creation succeeded but was reported as failed because subsequent attribute updates immediately after creation returned HTTP 404 “resource does not exist”. The connector now recognises this as a temporary propagation delay, retries PATCH operations for newly created users, and uses the user’s object ID when checking for resource existence, so template attributes and post‑creation changes are applied reliably without manual intervention.

  • User filter URL construction

    Fixed formation of URLs for filtered user listings, preventing Azure “Invalid filter clause” errors.

  • Updated the Azure Active Directory connector (agtazure) to correctly construct the query URL when attributes are empty and a filter is used, which was previously causing listing to fail.

PeopleSoft 8.49

  • Fixed session handling in the PeopleSoft 8.49 connector to prevent crashes during the list‑groups operation.

Upgrade actions

  • Google Apps connector cleanup defaults

    After upgrading, review existing Google Apps targets to confirm whether app‑specific passwords, backup verification codes, third‑party tokens and two‑step verification should be cleared or disabled during reset, disable and delete operations. The connector now defaults to performing this cleanup; if you do not want this behaviour, uncheck the corresponding address‑line attributes on your Google Apps targets.

In this section: