Skip to main content

4.7.1

Features and improvements

Google Applications

  • Updated the Google Apps connector (agtgapps) to add support for clearing app-specific passwords, backup verification codes, third-party tokens, and to disable two-step verification as part of the reset, disable, delete and update operations.

  • Roles with empty descriptions

    Fixed the list‑groups‑as‑roles operation so that roles with empty descriptions no longer cause the connector to crash.

Linux / Unix SSH (unixssh.py)

  • Account names with dots

    Updated the unixssh.py script for the Python‑based connectors to allow a dot/period (.) in user/account IDs, matching what modern Linux distributions permit.

Salesforce

  • Support has been added for version 65.0 of the Salesforce SOAP API.

Okta connector (agtokta)

  • Timestamp logging

    Updated the Okta time conversion helper to return an empty string when the Okta time value is empty, eliminating “not a valid format []” notice messages when Okta timestamp fields (such as last login) are missing.

SAP Server (Netweaver 7.5+)

  • CUA user systems

    Updated the SAP Server (Netweaver 7.5+) connector to comment out reading the ZMT_USER_SYSTEMS_READ function for CUA systems, improving stability for those environments.

  • Local roles and profiles

    Added the LOCACTIVITYGROUPS and LOCPROFILES table lookups and their account attributes so the SAP Server (Netweaver 7.5+) connector supports SAP / CUA systems that use local ACTIVITYGROUPS and PROFILES.

  • Memory usage

    Ensured that RfcDestroyFunction is always called when using the SAP connector, reducing memory usage during large account listings, especially when account‑attribute listing is enabled.

Palo Alto Networks firewall with PAN‑OS (SSH) (agtpanos)

  • Updated the Palo Alto Networks firewall with PAN‑OS (SSH) connector so that auto‑discovery (listing objects) and password reset operations function reliably during onboarding.

Active Directory (agtaddn)

  • Expired password/account handling

    Reintroduced support for the AD_VERIFY_EXPIRED_PW and AD_VERIFY_EXPIRED_ACCT registry options so you can control whether expired passwords and expired accounts are treated as login failures.

  • Updated Active Directory (agtaddn) computer attribute listing to exclude msDS-RevealedUsers and msDS-AuthenticatedToAccountList, as these lengthy multi-valued attributes exceed the discovery queue size limit.

Azure Active Directory (agtazure)

  • Better handling of new users.

    Updated the Azure AD connector to tolerate Microsoft Graph’s eventual consistency when creating users. After a successful user create, the connector now uses the object ID for follow‑up checks and applies targeted retry logic to PATCH operations, so attribute updates that happen immediately after creation no longer fail due to transient “resource does not exist” responses.

Exchange (agtexg2k7)

  • Updated the Exchange 2007+ Server connector (agtexg2k7) to add the longid for the agent output for the create operation and for when users already exist.

  • Exchange connector now supports OAuth 2.0 authentication for Exchange Online (list operations only; on-premises Exchange continues to use Basic Authentication).

PowerShell (agtps)

  • Logging level

    Updated the PowerShell connector so that variable conversion messages are logged at Debug level instead of Info, reducing noise in normal logs.

Resolved issues

Customer‑Verified connectors (loadcvagents.exe)

  • Fixed an issue in the loadcvagents utility that previously prevented existing Customer‑Verified connectors from being upgraded when newer versions were loaded for an instance.

DUO authentication (agtduo)

  • Fixed an issue in the DUO Authentication connector where challenge‑response authentication could intermittently crash when a user had no DUO authentication methods configured.

  • Intermittent crashes

    Fixed intermittent crashes during DUO challenge‑response authentication when users had no DUO methods configured.

Oracle script targets (agtorascript)

  • Sanitized log messages when a password reset fails due to the password containing comment‑like sequences, so plaintext passwords are no longer written to logs.

  • Plaintext password in logs

    Ensured logs no longer display plaintext passwords when a password reset fails due to comment‑like sequences in the password.

SAP

  • Resolved an issue with the SAP Server (Netweaver 7.5+) connector (agtsapnw) when listing users filtered with a selection range to add more than one selection criterion.  This was previously causing an issue to only list from one selection range.

  • Fixed an issue with SAP Server (Netweaver 7.5+) (agtsapnw) connector to always call the RfcDestroyFunction.

  • Fixed an issue with the SAP Hana Database connector (agthana) when encryption is used for the target address configuration.

Siteminder (agtsm)

  • Fixed an issue in the Siteminder connector (agtsm) so that it now correctly saves the list override setting.

Windows server

  • Fixed an issue to include default global attributes when an attribute override is used.

Active Directory (agtaddn)

  • Active Directory connector – expired password/account handling

    Restored the documented behaviour for how expired passwords and accounts affect login checks via registry options.

Azure AD (agtazure)

  • New user creation falsely reported as failed

    Fixed a bug where Azure user creation succeeded but was reported as failed because subsequent attribute updates immediately after creation returned HTTP 404 “resource does not exist”. The connector now recognises this as a temporary propagation delay, retries PATCH operations for newly created users, and uses the user’s object ID when checking for resource existence, so template attributes and post‑creation changes are applied reliably without manual intervention.

  • User filter URL construction

    Fixed formation of URLs for filtered user listings, preventing Azure “Invalid filter clause” errors.

  • Updated the Azure Active Directory connector (agtazure) to correctly construct the query URL when attributes are empty and a filter is used, which was previously causing listing to fail.

Okta (agtokta)

  • Notice log spam from empty timestamps

    Eliminated repeated “not a valid format []” notices when Okta timestamp fields are missing.

  • Okta Verify OTP with multiple devices

    Modified the Okta connector to show a single challenge‑response option for the Okta Verify OTP method. The single option now accepts OTP codes from multiple registered Okta Verify factors (for example Okta Verify and Google Authenticator), avoiding confusion when several OTP factors exist for the same user.

  • Fixed an issue with the Okta connector (agtokta) to ensure that when methods from the "Authentication methods order" target address configuration are not configured that the matching Okta methods are not shown for the user on authentication for Okta challenge response.

PeopleSoft 8.49

  • Fixed session handling in the PeopleSoft 8.49 connector to prevent crashes during the list‑groups operation.

Dayforce connector (agtdayforce)

  • Adds additional error handling to Python Dayforce connector (agtdayforce) to handle more errors on connect and add more retriable error cases when listing

Upgrade actions

  • Google Apps connector cleanup defaults

    After upgrading, review existing Google Apps targets to confirm whether app‑specific passwords, backup verification codes, third‑party tokens and two‑step verification should be cleared or disabled during reset, disable and delete operations. The connector now defaults to performing this cleanup; if you do not want this behaviour, uncheck the corresponding address‑line attributes on your Google Apps targets.

  • Salesforce OAuth token

    An OAuth token must be configured on the Salesforce side and set on the Bravura Security Fabric side.

    The system ID corresponds to the client_id and the system password corresponds to the client_secret.

In this section: