
12.8.1

Features and improvements

Installation
  • Updated the branding for Bravura Security within the product installer for a few remaining areas.

  • Updated the "Deprecated connectors" link in the "Connectors Being Removed" pre-installation check so that it points to the current documentation URL on the docs.bravurasecurity.com domain.

Core
  • KMKeyGetByAccount external scanner fallback mapping

    Added KMKeyGetByAccount fallback mapping so that when host/IP/DNS lookups fail, external scanners can resolve credentials via a registry‑based account/domain/resource mapping, with the feature remaining disabled unless the registry key is configured.

Notification
  • More robust enrollment completion navigation.

    Improved the enrollment completion flow so that newly triggered notifications are handled correctly, and users are redirected back to the expected pages after completing registration and password change steps, instead of occasionally encountering a broken UI.

  • OAuth support for global‑mail‑plugin

    Implemented OAuth‑based SMTP authentication (XOAUTH2) in the global‑mail‑plugin so that customers can use modern mail servers where basic authentication is being retired.

Workflow
  • HTML formatting for request macros in email.

    When HTML mail content is enabled, request macros such as %REQUESTBATCHDETAILS%, %REQUESTPURPOSE% and %REQUESTLINKS% are now wrapped in <pre> tags so line breaks and spacing are preserved, improving readability of request emails that use customer‑specific HTML templates.

Discovery
  • Safer psupdate use in shared schema environments.

    In shared schema environments, running auto discovery from a non‑primary node now shows a clear warning and blocks psupdate execution, preventing silent changes to scheduler settings that previously caused scheduled psupdate jobs to fail on both nodes.

Reporting
  • Updated the scheduled report configuration page to allow editing and saving the previously saved scheduled report on a patch version upgraded instance.

  • Added "Parent role ID" and "Parent role description" columns to the Certification details and Review certification details reports to show parent role information for role member entitlements.

Logging / Metrics
  • More accurate idmsuite.log timestamps.

    The logging service for idmsuite.log now periodically flushes file buffers on a configurable interval so the file’s modification timestamp reflects recent logging activity. This makes it easier for administrators to see when logs were last written, without relying solely on log entry content.

Security
  • ASP.NET Core 8.0.23 security baseline

    Updated Bravura Security’s bundled ASP.NET Core runtime and related packages from 8.0.10/8.0.11 to 8.0.23 to address Microsoft security vulnerabilities (CVE-2024-43498, CVE-2024-43499, CVE-2024-43500).

API
  • Updated the IDAPI Login function to return the generic error "Invalid username or password or the specified user has insufficient privileges" when login fails in any of the following cases, so that the response does not reveal whether a username exists:

    • User does not exist or is invalid

    • User/password combination is invalid

    • User is valid but has no ACL (insufficient privileges)

  • Added database indexes to optimize REST API get_account_attributes performance. Three new indexes added: metaattr_idx_4, targetobjattr_idx_4, and targetobjattr_file_idx_2.

  • Added exit traps for help desk operations in idmlib REST calls.

  • Updated database queries in ObjAssociateInitial and UserList operations to use OPTION(MAXDOP 1) for improved performance.
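The enumeration-resistant behaviour described for the IDAPI Login function above, as an added example in Python (not Bravura Security code): a toy login routine over a constructed in-memory user store, with a hypothetical ACL tuple per user and PBKDF2 password hashing. All three failure cases (unknown user, wrong password, valid user with no ACL) return the same generic message, and the hash comparison runs against a dummy record when the user does not exist, so response time does not reveal which case occurred. The user names, passwords, ACL names and PBKDF2 settings are all made up for the example.

```python
import hashlib
import hmac
import os

# The generic message from the release note. Every failed login gets exactly this.
GENERIC_LOGIN_ERROR = (
    "Invalid username or password or the specified user has insufficient privileges"
)

PBKDF2_ROUNDS = 100_000  # example setting, not the product's


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user(password: str, acl: tuple) -> dict:
    """Constructed user record: salt, password hash and a hypothetical ACL tuple."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "acl": acl}


# Constructed in-memory user store for the example (not the product's storage).
USERS = {
    "alice": make_user("correct horse battery staple", ("viewworkflow",)),
    "bob": make_user("hunter2", ()),  # valid user with no ACL entries
}

# Dummy credential used when the username is unknown, so the same PBKDF2 work is
# done on every failure path and latency does not reveal whether the user exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("not-a-real-password", _DUMMY_SALT)


def login(username: str, password: str) -> dict:
    """Return {"ok": True, "acl": ...} on success, else {"ok": False, "error": GENERIC_LOGIN_ERROR}.

    Unknown user, wrong password and valid user without ACL all produce the same
    response, and the hash comparison is evaluated before any of them is decided.
    """
    record = USERS.get(username)
    salt = record["salt"] if record is not None else _DUMMY_SALT
    expected = record["hash"] if record is not None else _DUMMY_HASH
    # Constant-time comparison; this runs even when the user is unknown.
    password_ok = hmac.compare_digest(_hash_password(password, salt), expected)
    user_ok = record is not None
    acl_ok = bool(record["acl"]) if record is not None else False
    if user_ok and password_ok and acl_ok:
        return {"ok": True, "acl": record["acl"]}
    return {"ok": False, "error": GENERIC_LOGIN_ERROR}


if __name__ == "__main__":
    for attempt in (("alice", "wrong"), ("nobody", "x"), ("bob", "hunter2")):
        print(attempt[0], "->", login(*attempt)["error"])
```

The generic message closes the direct channel; the dummy hash closes the timing channel that an early return for unknown usernames would otherwise open. The IDAPI implementation's own storage and ACL model are not shown on this page and are not assumed here.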

User interface
  • Saved report lists honour display limits.

    The “My saved reports” and “Other users’ saved reports” pages now correctly honour the configured “Records to display” value. Saved reports with missing or unreadable spool files remain in the list but have their selection and action controls disabled, instead of silently reducing the number of rows shown.

Bravura Identity
  • Profiles with trailing whitespace now supported.

    Fixed handling of profiles whose identifiers include leading or trailing whitespace so that requests such as MOVE‑IN‑ORG no longer fail with “Recipient identification ambiguous”, and related profile reports now return the expected results.

  • The autores command line utility now skips and warns for roles that are disabled and/or unassignable when submitting.

  • A warning notification is presented in the role assignment user interface if a selected role is disabled and/or unassignable.

Bravura Privilege
  • Better VIM display in Guacamole PAM

    Upgraded the bundled Guacamole component to address a VIM display bug where lines appeared duplicated when scrolling, improving readability for users working in terminal sessions through PAM disclosures.

  • Tomcat updated from 9.0.94 to 9.0.109.

  • Added an error message box when the browser extension plugin process cannot be launched.

  • Added support for Windows Authentication for the MSSQL system type.

Bravura Pass
  • The pslocalr.ocx and other controls are added back, along with the pslocalr-x64.msi and pslocalr.msi Local Reset Extension installers. The cgilocalr.cfg sample script is also updated for the pslocalr control.

Documentation
  • Mail plugin OAuth

    Added documentation describing how to configure OAuth authentication for the global‑mail‑plugin, including new settings and example configuration steps. See Modifying global mail settings.

  • Notification client manual install docs and tests

    Reviewed and updated documentation and testing guidance for manually installing the Bravura Security notification client from a network share, consolidating best practices from KB content into the main product docs. See Notification Client (psntfclient).

Resolved issues

Installation
  • The installer now validates that the database compatibility level meets the minimum requirement of 130 (SQL Server 2016).

  • Fixed instdump.exe so that it outputs global connector pack binary versions.

Proxy servers
  • Fixed an issue with the WebSocket Connector Proxy by adding mitigations that prevent exceptions when connecting to the proxy tunnel. These exceptions previously caused connection failures when multiple nodes were configured.

  • Fixed unhandled exceptions that could occur during proxy shutdown, improving application stability.

Database
  • Fixed a runtime error in stored procedure UserclassIsMember due to SQL optimizer executing operations out of order, causing data type conversion failures.

  • Fixed a runtime error in the UserClassPointLoadFromCache stored procedure that occurred when the userclasspoint.criteriap field contained NULL value.

Bravura Privilege
  • Changes to Create OTP user request:

    • When a request is issued from the secondary node, it is now always forwarded to the primary node in case the secondary node is unstable.

    • Fixed an issue where retry operations could never succeed if the initial attempt failed.

  • Updated stored procedure TargetDelete to use RECOMPILE when deleting from targetobj to ensure that an unsuitable (from a performance perspective) cached query plan is not used when deleting large target systems.

  • Removed an SQL upgrade script that modifies the value of the discovery option Link accounts on this target system to subscribers for the target system discovery template NT_TEMPLATE and for all discovered systems created from NT_TEMPLATE.

  • Fixed issues with date timezones for Ajax and the product UI in general related to setting the preferred timezone environment variable.

  • Fixed the session monitoring service (idsmpg) to treat the file/path not found as success for both single and multi-session package removal.

  • Fixed the session monitor recording icon label branding.

  • Adjusted the pam_system_type_linux component to use the LINUX_NG connector.

    Adjusted other components to use LINUX_NG instead of LINUX.

Bravura Pass
  • Resolved an issue with the Login Assistant / SKA when upgrading from version 12.4.x to 12.8.1 or later. Upgrades from 12.4.x to 12.5.0 or later previously failed because of the rebranding from Hitachi ID to Bravura Security.

  • Fixed an issue where the SRES (User self-reset result) operation was logged once per account for both self-service and help-desk resets; it is now logged once per reset action, and only for self-service resets. The Session activity report now also generates correct statistics for both self-service and help-desk password changes.

  • Resolved an issue with Login Assistant / SKA to retain the value for the vpn-connect-terminate registry key on upgrade.  The value was previously being dropped after upgrading Login Assistant.

  • Resolved an issue with Login Assistant / SKA to retain the -vpnurl and -vpnurlsearch values of the cmd registry key on upgrade. The vpn-url and vpn-url-search registry keys are now also added for new Login Assistant / SKA installations. For existing installations, these registry keys must be added manually before upgrading the SKA (see Upgrade actions).

  • Fixed unexpected quit during password reset when the browser client IP was too long.

  • Fixed an issue when unlocking accounts, changing passwords, and detaching accounts for users when the accounts ended with .x.  Previously this caused these operations not to be successful.

  • Fixed a compatibility issue to ensure that the newer version of the Active Directory interceptor will work with older versions of Bravura Security Fabric and the Password Manager service (idpm).

Bravura Identity
  • “Recipient identification ambiguous” errors for some profiles.

    Fixed a defect where profiles created from accounts with trailing spaces in identifiers could not be used as recipients in certain PDRs and did not appear correctly in profile reports, removing spurious “Recipient identification ambiguous” errors.

  • Request search by requester notes

    Fixed All Requests filtering so searches on Requester Notes correctly return matching requests, including those stored in legacy columns, restoring expected behavior for help desk and identity users relying on note text queries.

  • Updated the Orgchart graph page to load the current user's manager, even if the manager is in an orphaned Orgchart tree (calculated level is -1).

  • The autores utility now skips and warns for roles that are disabled and/or unassignable when submitting.

  • A warning message is given in the role assignment user interface if the role is disabled and/or unassignable.

  • Resolved a certificate link failure with SAML authentication.

SOAP API
  • Adjusted IDWFMServiceGet to only return a service with matching serverid and actingserver fields when picking a random server.

REST API
  • Fixed REST API output of datetimes to respect timezones.

  • Added discoveryId to auto-discovery operation output for target systems.

IDMLib
  • Added missing fields to ReqBatch.

Requests
  • Fixed an issue in the Requests app where the delegation manager was unable to delegate an implementer task on behalf of the selected primary implementer.

  • Updated requests app to not list requests with Calculating authorizers status with Active filter on.

Workflow
  • HTML formatting for request macros in email

    Corrected handling of request macros like %REQUESTBATCHDETAILS%, %REQUESTPURPOSE%, and %REQUESTLINKS% when MAIL CONTENT TYPE is enabled so multi‑line values render with proper HTML line breaks instead of being collapsed into a single unreadable line.

  • Updated the idtm service to suppress operation failure emails when agent returns ACTryAgainLater.

  • Fixed an issue to allow users with the "View workflow requests" (viewworkflow) permission to view request details on the request popup page.

  • Modified the rbacenforce.exe utility to correctly save requests that failed to submit; the saved file now has the same request kvg format as the one produced by the wizard.
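The <pre> wrapping of request macros described under Workflow (both the feature entry and the resolved issue above), as an added example in Python (not the product's template engine): a single-pass expander that wraps each macro value in <pre> only when HTML content is enabled. It additionally HTML-escapes the value, which the release note does not say the product does; the assumption is worth making because %REQUESTPURPOSE% and requester notes are requester-supplied text, and a value containing markup would otherwise be interpreted by the recipient's mail client. The single-pass substitution also stops a macro string that appears inside a substituted value from being expanded a second time. The template and values are constructed for the example.

```python
import html
import re

# Macro names from the release note; one regex so that a macro string occurring
# inside a substituted value is never expanded a second time.
MACRO_RE = re.compile(r"%REQUEST(?:BATCHDETAILS|PURPOSE|LINKS)%")


def render_macro_value(value: str, html_content: bool) -> str:
    """Render one macro value for the mail body.

    With HTML content enabled the value is wrapped in <pre> so line breaks and
    spacing survive, and HTML-escaped first (an assumption of this example, not a
    documented product behaviour) so requester-supplied text cannot inject markup.
    """
    if not html_content:
        return value
    return "<pre>" + html.escape(value, quote=True) + "</pre>"


def expand_template(template: str, values: dict, html_content: bool) -> str:
    """Replace every request macro in template with its rendered value in one pass."""
    return MACRO_RE.sub(
        lambda m: render_macro_value(values.get(m.group(0), ""), html_content),
        template,
    )


# Constructed sample: a customer-style HTML template and requester-supplied values.
SAMPLE_TEMPLATE = (
    "<html><body><p>Purpose:</p>%REQUESTPURPOSE%"
    "<p>Links:</p>%REQUESTLINKS%</body></html>"
)
SAMPLE_VALUES = {
    "%REQUESTPURPOSE%": "Access for project X\nJustification: <script>alert(1)</script>",
    "%REQUESTLINKS%": "https://fabric.example.test/req/42\n%REQUESTPURPOSE%",
}

if __name__ == "__main__":
    print(expand_template(SAMPLE_TEMPLATE, SAMPLE_VALUES, html_content=True))
```

With HTML content disabled the value passes through untouched, which matches the note's description of the feature applying only when HTML mail content is enabled; the escaping step is the part to confirm against your own templates before relying on it.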

Notification
  • First‑time registration flow stability.

    Resolved an issue where the first‑time registration process could crash the UI before the password change step completed, particularly when multiple notifications were triggered. The flow now consistently returns users to the expected notification and password change pages.

Account attributes
  • Profile attributes now correctly fall back to the next-priority mapped account attribute when the highest priority attribute is removed.

User interface
  • Saved reports honour record limits

    Fixed saved report pages so the “Records to display” setting is respected. Reports with missing or unreadable spool files are shown but their controls are disabled instead of silently dropping the rows.

  • Added a fix to bypass the cookie check when using the "forgot password" flow.

Discovery
  • psupdate scheduler corruption on non‑primary node.

    Fixed an issue in shared schema environments where manually running auto discovery from a non‑primary node could silently change local scheduler settings and leave both nodes configured as the scheduled psupdate node, causing scheduled runs to fail.

  • During discovery, the order of precedence in target attribute overrides is obeyed when listing target attributes.

  • Fixed runtime error in ObjDiffAssociate stored procedure during auto discovery when handling duplicate accounts (sharing the same stable ID) across different targets with cross-target relationships.

Reporting
  • Saved reports record count and paging.

    Resolved an issue where saved reports pages did not respect the “Records to display” setting and appeared to show fewer results than configured, particularly when some spool files were missing or unreadable.

  • Boolean filters behave correctly for “No”

    Fixed Boolean request attribute handling in the “Managed account check‑outs / check‑ins” report so that searching for “No” returns the correct results, matching how values are stored in the database.

  • Updated scheduled report configuration page to allow editing and saving the previously saved scheduled report on a patch version upgraded instance.

Component framework
  • Modified component uninstallation to check that a table exists before removing component data. Previously, uninstalling hid_extdb raised a "no such table" error.

Logging / Metrics
  • Frozen idmsuite.log modification time.

    Fixed a threading issue that could cause the idmsuite.log file’s modification timestamp to stop updating even though new log entries were being written, which made it appear as though logging had stopped when it had not.

Upgrade actions

Bravura Privilege
  • If relevant, the Link accounts on this target system to subscribers discovery option for the target system discovery template "NT_TEMPLATE" and for all discovered systems created from NT_TEMPLATE should be reviewed.  By default, this setting is disabled upon installation.

Bravura Pass
  • Added strings vpn-url and vpn-url-search.  During the upgrade, these registry keys must be manually added to construct the runurl command line (cmd registry key). To do this:

    1. Open regedit and navigate to:

      Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Bravura Security\Bravura Security Fabric\Login Assistant\VPN

    2. Right click New > String Value and enter in vpn-url and update your value.

    3. Right click New > String Value and enter in vpn-url-search and update your value.

    4. Execute upgrade with:

      msiexec /i "ska-x64.msi" /lv "upgrade-ska.log" REINSTALLMODE=amus

Bravura Identity
  • Use a full build to upgrade to apply the fix for the certificate link failure with SAML authentication.

Core
  • Optional KMKeyGetByAccount fallback configuration

    For environments previously using the Qualys‑specific fallback registry value, administrators should rename the KMKeyGetByAccount mapping value to the new generalized name while preserving the accountname domain resource_id format so external scanners continue to function after upgrading.

Security
  • Apply ASP.NET Core 8.0.23 guidance

    When upgrading to this release, ensure that server environments meet the documented ASP.NET Core 8.0.23 (or later) requirements for Hosting Bundle, Runtime, and Desktop Runtime, and redeploy Bravura Security Fabric instances so that bundled DLLs are updated to the secured versions.

  • A fix was added to clear the SAML Session ID on failure to prevent authentication bypass.

    In addition this will require a change to the custom component Functional.hid_authchain_saml_auth in the authselect_default.py.

    In the process function, the check for SAMLSessionID tests the value returned by sessdata.get('SAMLSessionID') directly. That value is a list such as [''], and a non-empty list is truthy even when its only element is the empty string, so the check always passed. The first element must be extracted and tested instead:

    --- if self.authchain.sessdata.get('SAMLSessionID') and sess_userid:
    +++ sess_id = self.authchain.sessdata.get('SAMLSessionID')
    +++ if isinstance(sess_id, list):
    +++     sess_id = sess_id[0]
    +++
    +++ if sess_id and sess_userid:
            # Successful SAML authentication.
            self.authchain.chains.allow_chain('SUCCESS')
            log.info("Successful authentication of user "
                      "[{}] using SAML".format(sess_userid))
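
Review bot: `sess_id = sess_id[0]` raises IndexError when `sessdata.get('SAMLSessionID')` returns an empty list, so a session with the key present but no values would crash `process` rather than fall through to the failure path; write it as `sess_id = sess_id[0] if sess_id else None`. Also add a one-line comment at the `isinstance` check saying that the value arrives as a list and `['']` is truthy, since that is the whole reason the guard exists and the next reader of authselect_default.py will not have this release note in front of them.
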
Notification
  • Plan OAuth transition for global‑mail‑plugin

    For environments using global‑mail‑plugin with Exchange or other OAuth‑capable SMTP servers, plan to configure OAuth settings (client ID, client secret, token endpoints) ahead of Microsoft’s basic‑auth retirement date to avoid mail delivery interruptions.
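The XOAUTH2 SMTP authentication added to the global-mail-plugin (Notification feature above) and the OAuth settings this upgrade note says to plan for, as an added example in Python (not the plugin's code): it acquires an access token with the OAuth 2.0 client-credentials grant, builds the SASL XOAUTH2 initial response that the AUTH command carries, handles the JSON error challenge a server returns when it rejects the token, and drives the session with smtplib. The token endpoint, client ID, secret, scope, host and mailbox addresses are placeholders; the scope shown is the one Microsoft documents for Office 365 SMTP AUTH, but the plugin's own setting names and values are not shown on this page and are not assumed here.

```python
import base64
import json
import smtplib
import urllib.parse
import urllib.request


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """SASL XOAUTH2 client response before base64: user=<addr>^Aauth=Bearer <token>^A^A."""
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01"


def xoauth2_auth_command(user: str, access_token: str) -> str:
    """The exact AUTH line that goes on the wire (smtplib builds this for you)."""
    raw = xoauth2_initial_response(user, access_token).encode("ascii")
    return "AUTH XOAUTH2 " + base64.b64encode(raw).decode("ascii")


def xoauth2_authobject(user: str, access_token: str):
    """Callable in the shape smtplib.SMTP.auth() expects for mechanism 'XOAUTH2'.

    Called with no challenge for the initial response. If the server rejects the
    token it answers 334 with a base64 JSON error; smtplib decodes that and calls
    us again, and the protocol requires an empty reply to end the exchange, after
    which the 535 surfaces as smtplib.SMTPAuthenticationError.
    """
    def authobject(challenge=None):
        if challenge is None:
            return xoauth2_initial_response(user, access_token)
        try:
            authobject.last_error = json.loads(challenge.decode("utf-8", "replace"))
        except ValueError:
            authobject.last_error = {"raw": challenge}
        return ""
    authobject.last_error = None
    return authobject


def fetch_client_credentials_token(token_endpoint: str, client_id: str,
                                   client_secret: str, scope: str) -> str:
    """OAuth 2.0 client-credentials grant (RFC 6749 section 4.4); performs a network call."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode("ascii")
    req = urllib.request.Request(
        token_endpoint, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def send_with_xoauth2(host: str, port: int, user: str, access_token: str,
                      sender: str, recipient: str, message: str) -> None:
    """Submit one message over STARTTLS with XOAUTH2; the token is only sent once TLS is up."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        smtp.starttls()
        smtp.ehlo()
        smtp.auth("XOAUTH2", xoauth2_authobject(user, access_token))
        smtp.sendmail(sender, [recipient], message)


if __name__ == "__main__":
    # Placeholder settings (assumed for the example); substitute the values configured for the plugin.
    token = fetch_client_credentials_token(
        "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token",
        "<client-id>", "<client-secret>", "https://outlook.office365.com/.default")
    send_with_xoauth2("smtp.office365.com", 587, "notify@example.test", token,
                      "notify@example.test", "admin@example.test",
                      "Subject: test\r\n\r\nXOAUTH2 works.\r\n")
```

The bearer token is a credential in its own right: it goes only after starttls(), and the JSON error body captured in last_error (typically a status and the accepted schemes) is what to log when a rotation or consent problem breaks mail delivery, rather than the token itself.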

Logging/Metrics
  • Optional log flush interval tuning.

    Administrators who want tighter control over idmsuite.log timestamp updates can adjust or disable the new periodic flush interval using the flush-interval-ms registry setting for the logging service. The default interval is low‑overhead and suitable for most deployments; no change is required unless you have specific logging or performance needs.

Discovery
  • Validate psupdate scheduling on shared schema

    In shared schema environments, verify that psupdate is only configured to run from the intended primary node after applying these builds, and update operational procedures so administrators always initiate auto discovery from that node to avoid future scheduler conflicts.