12.9.0

Updated the branding for Bravura Security within the product installer for a few remaining areas.

Updated the following views to pass post-upgrade check:

Implemented flexible project structure with standardized folder organization, build tools, and testing framework, establishing the foundation for modern UI development.

Created a responsive, accessible login form with comprehensive client-side and server-side validation, providing immediate feedback and improving user experience.

Added a "Remember Me" feature to the login page that improves user convenience while maintaining security standards:

Added IIS URL rewrite support for React client-side routing with automatic redirection from /react/path to /react/#/path while preserving query parameters. This enables direct URL access and bookmarking of React routes without requiring manual IIS configuration.

Implemented user-friendly authentication error messages with helpful recovery suggestions, improving user experience during authentication failures.

Improved username field validation on the Login page to disable the Sign in button when it's empty.

Added password suggestions to React UI Change Password feature.

Updated Change Password React UI page to include the account summary and details and to make valid REST API calls.

Created action cards layout with visual category indicators, providing users with quick access to common tasks in an intuitive and responsive interface.

Developed interactive user metrics visualizations with time-based filtering, providing users with meaningful insights into their account activity and status.

Implemented user accounts summary component with status indicators and quick actions, providing users with an at-a-glance view of their accounts and streamlined access to common operations.

Implemented dashboard-specific metrics collection to gather insights on user interaction patterns, enabling data-driven improvements to the dashboard experience.

Implemented flexible dashboard layout framework with responsive grid system and drag-and-drop widget positioning, providing the foundation for a customizable user experience.

Enhanced login error handling with specific messages and recovery suggestions for disabled and locked user profiles.

Improved product logo clarity on installer screens.

Added JWT authentication framework with secure token management and automated type-safe API integration. The implementation includes a complete HTTP client with authentication, React Admin data providers with OData support, and automated TypeScript type generation from OpenAPI specifications for enhanced developer experience and type safety.

Updated the scheduled report configuration page to allow editing and saving the previously saved scheduled report on a patch version upgraded instance.

Implemented a user profile summary card on the dashboard.

The kvgio input and output log files are now only created when they are explicitely enabled using the psdebug utility and the kvgio submodule.  Previously they were created when simply increasing the log levels for the idmlogsvc logging service.

Updated the IDAPI Login function to return a generic error Invalid username or password  or the specified user has insufficient privileges when login fails in the following cases to prevent username enumeration:

Modified password reset REST API endpoints to accept an optional known batchid input (via custom request header X-BATCH-ID) used to populate batchId values in SessionLogData.

Implemented additional properties for REST API resource TargetGroup:

Implemented the following REST API endpoints:

Implemented REST API identity/connect/userinfo endpoint that provides subject, username, and scopes.

Added lastUpdatedModule and lastUpdatedNode to metadata fields in REST API models.

Added SessionLogAnalytics resource endpoint to REST API.

Added REST API GET request summary endpoint for the SessionLog resource.

Added REST API GET requests for the SessionLog resource.

Added REST API model implementation for the SessionLog resource.

Exposed additional target system options to the REST API:

Added helpUrl property to the target system resource.

Added a script for mass onboarding for the mass password reset feature.

Add a context_strict option to the discovery_context.

This option performs strict error checking of the return codes of commit, wait, and abort discovery functions.

Added REST API GET requests for the PasswordPolicy resource.

Add REST API PATCH requests for the PasswordPolicy resource.

Added REST API model implementation for the PasswordPolicy resource and related subtypes.

Added default authorization policies targetgroups_get and targetgroups_get_list for TargetGroups GET endpoints.

Added default authorization policies for passwordPolicies GET endpoints to allow all authenticated users to access them.

Adds accounts_post_create default policy to allow superusers to make POST /accounts requests.

Added default policies for the following accounts endpoints:

Updated accounts_get and accounts_get_list default policy to allow superuser access.

Modified password strength failures returned on account reset (within idmlib/REST).

Added QuerySplittingBehaviour to IdentityServer.

Suppressed Windows Log Event warnings for non-OData endpoints being flagged incorrectly.

Increased the maximum expansion depth of REST API from the default of 2 to 5.

Added a context_strict option to the discovery_context.

This option performs strict error checking of the return codes of commit, wait, and abort discovery functions.

Added the initial version of the single-user offboard script.

Modified REST API token request error descriptions to say USER_LOCKED or USER_DISABLED if the credentials are correct but the user account locked or disabled, respectively.

Added REST API token revocation endpoint for secure logout functionality.

Added optional X-Batch-ID to REST API function call for mass password reset onboarding and offboarding.

REST: Add default authorization policies targetsystems_get_list, targetsystems_get, targetsystems_accounts_get_list, targetsystems_groups_get_list, and targetsystems_options_get_list for TargetSystems GET endpoints.

The Identity Server 4 implementation has been removed from the REST API solution.

Improved the logging of haveibeenpwned requests

Added a command-line utility for testing the passwords against the haveibeenpwned database to simplify troubleshooting.

Added mass password reset pre-defined request.

Added mass password onboard pre-define request.

Added a mass onboarding script.

Added the initial version of the mass password onboard pre-defined request.

The autores command line utility now skips and warns for roles that are disabled and/or unassignable when submitting.

A warning notification is presented in the role assignment user interface if a selected role is disabled and/or unassignable.

The installer now validates that the database compatibility level meets the minimum requirement of 130.

Changes to Create OTP user request:

Updated stored procedure TargetDelete to use RECOMPILE when deleting from targetobj to ensure that an unsuitable (from a performance perspective) cached query plan is not used when deleting large target systems.

Removed an SQL upgrade script that modifies the value of the discovery option Link accounts on this target system to subscribers for the target system discovery template NT_TEMPLATE and for all discovered systems created from NT_TEMPLATE.

Fixed issues with date timezones for Ajax and the product UI in general related to setting the preferred timezone environment variable.

Fixed unexpected quit during password reset when the browser client IP was too long.

Resolved an issue with the Login Assistant / SKA when upgrading from version 12.4.x to 12.8.1 and up.  Upgrading to 12.5.0 and up caused an upgrade issue due to rebranding from Hitachi ID to Bravura Security.

Fixed an issue where operation SRES (User self-reset result) is logged per account for both self-service and help-desk reset, which should be one operation per reset action and for self-service reset only. Also updated the Session activity report to generate the proper statistics for both self-service and help-desk change passwords.

Resolved an issue with Login Assistant / SKA to retain the value for the vpn-connect-terminate registry key on upgrade.  The value was previously being dropped after upgrading Login Assistant.

Resolved an issue with Login Assistant / SKA to retain the values for -vpnurl and -vpnurlsearch for the cmd registry key on upgrade.  The vpn-url and vpn-url-search registry keys are also now added for new Login Assistant / SKA installations.  These registry keys must be manually added prior to an upgrade of the SKA.

Fixed an issue to correctly report errors when password generation fails.

Added a fix to treat previously completed operations as NOOPs (no operation) instead of failures

Fix issue on pages for unlock/detach/reset password for accounts ending in .x.

Updated the Orgchart graph page to load the current user's manager, even if the manager is in an orphaned Orgchart tree (calculated level is -1).

The autores utility now skips and warns for roles that are disabled and/or unassignable when submitting.

A warning message is given in the role assignment user interface if the role is disabled and/or unassignable.

The Database service (iddb) writes to two named pipes to update OPADotNet for REST and IdentityServer applications.

Fixed a REST API audit data issue where the caller of PATCH /Accounts, specifically when updating a password, was not being stored in the database.

The Identity Server 4 implementation in the REST API solution has been replaced by one that uses OpenIddict 7.0.0.

The Identity Server 4 implementation has been removed from the REST API solution.

Fixed an issue in the Requests app where the delegation manager was unable to delegate an implementer task on behalf of the selected primary implementer.

Updated requests app to not list requests with Calculating authorizers status with Active filter on.

Profile attributes now correctly fall back to the next-priority mapped account attribute when the highest priority attribute is removed.

During discovery, the order of precedence in target attribute overrides is obeyed when listing target attributes.

Resolved an issue where auto discovery failed to recompute account associations when the auto-association account attribute was modified.

Fixed runtime error in ObjDiffAssociate stored procedure during auto-discovery when handling duplicate accounts (sharing the same stable ID) across different targets with cross-target relationships.

Updated scheduled report configuration page to allow editing and saving the previously saved scheduled report on a patch version upgraded instance.

Modified the component uninstallation to check if the table exists before removing component data.  This previously caused an issue/exception for hid_extdb to show an error for "no such table".

Added a fix to clear the SAML Session ID on failure so that authentication cannot be bypassed.

Fixed an issue that previously still showed connectors in the target type drop-down list that have been removed on upgrade of the Connector Pack.

If relevant, the Link accounts on this target system to subscribers discovery option for the target system discovery template "NT_TEMPLATE" and for all discovered systems created from NT_TEMPLATE should be reviewed.  By default, this setting is disabled upon installation.

Added strings vpn-url and vpn-url-search.  During the upgrade, these registry keys must be manually added to construct the runurl command line (cmd registry key). To do this:

A fix was added to clear the SAML Session ID on failure to prevent authentication bypass.

In addition this will require a change to the custom component Functional.hid_authchain_saml_auth in the authselect_default.py.

In the process function, when checking that the SAMLSessionID exists, it returns an array [''], which will always evaluate to True, so the first string value must be extracted and tested against:

--- if self.authchain.sessdata.get('SAMLSessionID') and sess_userid:
+++ sess_id = self.authchain.sessdata.get('SAMLSessionID')
+++ if isinstance(sess_id, list):
+++     sess_id = sess_id[0]
+++
+++ if sess_id and sess_userid:
        # Successful SAML authentication.
        self.authchain.chains.allow_chain('SUCCESS')
        log.info("Successful authentication of user "
                  "[{}] using SAML".format(sess_userid))