12.9.1
Features and improvements
Updated the "Connectors Being Removed" pre-installation check for the "Deprecated connectors" link to now point to an updated URL for the documentation site and to use the docs.bravurasecurity.com domain.
Safer psupdate use in shared schema environments.
In shared schema environments, running auto discovery from a non‑primary node now shows a clear warning and blocks psupdate execution, preventing silent changes to scheduler settings that previously caused scheduled psupdate jobs to fail on both nodes.
KMKeyGetByAccount external scanner fallback mapping
Added KMKeyGetByAccount fallback mapping so that when host/IP/DNS lookups fail, external scanners can resolve credentials via a registry‑based account/domain/resource mapping, with the feature remaining disabled unless the registry key is configured.
Better VIM display in Guacamole PAM
Upgraded the bundled Guacamole component to address a VIM display bug where lines appeared duplicated when scrolling, improving readability for users working in terminal sessions through PAM disclosures.
Tomcat updated from 9.0.94 to 9.0.109.
Added an error message box when the browser extension plugin process cannot be launched.
Added support for Windows Authentication for the MSSQL system type.
The pslocalr.ocx and other controls are added back along with the pslocalr-x64.msi and pslocalr.msi Local Reset Extension installers. The cgilocalr.cfg sample script is also updated for the pslocalr control.
Added per-account password validation on page to check "not be an old password" rule against each selected account when transparent synchronization is disabled for the target group.
Profiles with trailing whitespace now supported.
Fixed handling of profiles whose identifiers include leading or trailing whitespace so that requests such as MOVE‑IN‑ORG no longer fail with “Recipient identification ambiguous”, and related profile reports now return the expected results.
Added support for Android version 15 for the Bravura One mobile app.
More robust enrollment completion navigation.
Improved the enrollment completion flow so that newly triggered notifications are handled correctly, and users are redirected back to the expected pages after completing registration and password change steps, instead of occasionally encountering a broken UI.
OAuth support for global‑mail‑plugin
Implemented OAuth‑based SMTP authentication (XOAUTH2) in the global‑mail‑plugin so that customers can use modern mail servers where basic authentication is being retired.
HTML formatting for request macros in email.
When HTML mail content is enabled, request macros such as %REQUESTBATCHDETAILS%, %REQUESTPURPOSE% and %REQUESTLINKS% are now wrapped in <pre> tags so line breaks and spacing are preserved, improving readability of request emails that use customer‑specific HTML templates.
ASP.NET Core 8.0.23 security baseline
Updated Bravura Security’s bundled ASP.NET Core runtime and related packages from 8.0.10/8.0.11 to 8.0.23 to address Microsoft security vulnerabilities (CVE-2024-43498, CVE-2024-43499, CVE-2024-43500).
Added database indexes to optimize REST API get_account_attributes performance. Three new indexes added: metaattr_idx_4, targetobjattr_idx_4, and targetobjattr_file_idx_2.
Add exit traps for help desk operations in idmlib REST calls.
Updated database queries in ObjAssociateInitial and UserList operations to use OPTION(MAXDOP 1) for improved performance.
Added default authorization policies policies_post_create, policies_put, and policies_delete.
Set ui/src/react/src/shared/api/spec to be a submodule repository for postman, to get our OpenAPI specification.
Adaptive dashboard: Frequently Used Actions
Adds a Frequently Used Actions section to the adaptive dashboard that ranks actions with a frequency-biased algorithm, personalizes the list per user, hides actions already in Favorites, and adapts the number of displayed actions by screen size while storing usage data per user/instance for future server‑side support.
Dashboard All Actions layout refresh
Renames Quick Actions to All Actions and refreshes the layout with a collapsible section, smart category grouping, paired small categories, pending request badges, and tooltip support, improving responsiveness and initial render performance.
Dashboard Favorites section
Introduces a Favorites section on the dashboard that lets users pin 3–6 of their most used actions based on recency and frequency, replacing basic Quick Actions with a personalized, accessible experience.
Saved report lists honour display limits.
The “My saved reports” and “Other users’ saved reports” pages now correctly honour the configured “Records to display” value. Saved reports with missing or unreadable spool files remain in the list but have their selection and action controls disabled, instead of silently reducing the number of rows shown.
jQuery 3.7.x validation test coverage
Extended and updated automated UI tests to validate the jQuery 3.7.x upgrade, improving the reliability of regression coverage for the React‑based interface.
Adaptive dashboard stakeholder demos
Completed the first stakeholder demo phase for the adaptive dashboard design, collecting feedback and refining the Storybook implementation before applying it to production.
The new UI is now the primary interface accessible at the application root, providing a modern user experience with improved performance and clean URLs.
Optimized dashboard API queries to fetch only required fields, reducing data transfer by 80-99% for user metrics, account summaries, and authentication operations.
Change Passwords Page Enhancements
Added page header "Change Passwords" for improved navigation clarity
Implemented debug logging for page lifecycle and navigation tracking
Created reusable PageHeader component for consistent page titles
Added an optional suggestedPasswords field to the PasswordPolicies POST endpoint. When the AUTOGEN_NUM rule is enabled, passwords validate against the suggested passwords list.
Added "Parent role ID" and "Parent role description" columns to the Certification details and Review certification details reports to show parent role information for role member entitlements.
More accurate idmsuite.log timestamps.
The logging service for idmsuite.log now periodically flushes file buffers on a configurable interval so the file’s modification timestamp reflects recent logging activity. This makes it easier for administrators to see when logs were last written, without relying solely on log entry content.
Mail plugin OAuth
Added documentation describing how to configure OAuth authentication for the global‑mail‑plugin, including new settings and example configuration steps. See Modifying global mail settings.
Notification client manual install docs and tests
Reviewed and updated documentation and testing guidance for manually installing the Bravura Security notification client from a network share, consolidating best practices from KB content into the main product docs. See Notification Client (psntfclient).
Resolved issues
Fixed instdump.exe so that it outputs global connector pack binary versions.
Fixed an installation issue where IIS handler mappings lacked script execution permissions, preventing the instance from running correctly.
Update Jamfile to properly set the upgrade file as patchdbxml.
psupdate scheduler corruption on non‑primary node.
Fixed an issue in shared schema environments where manually running auto discovery from a non‑primary node could silently change local scheduler settings and leave both nodes configured as the scheduled psupdate node, causing scheduled runs to fail.
Fixed account associations that are not recalculated during psupdate after changes to account attributes made through our product.
SKA sessions no longer persist across users
Resolved an SKA session persistence issue where closing the “Change my password” window on shared workstations could allow a subsequent user to see the previous user’s dashboard. Sessions now end when the SKA window is closed, requiring re‑authentication. See Login Assistant compatibility.
Fixed a compatibility issue to ensure that the newer version of the Active Directory interceptor will work with older versions of Bravura Security Fabric and the Password Manager service (idpm).
Fixed Mass Password Reset (MPR) button not displaying in the new dashboard by adding translation mappings for the massPasswordReset dashboard item.
Adjusted the minimum and default batch size values used for mass onboard and mass password reset.
The initial values were too high for the current version of the safe connector.
Note that the performance will degrade significantly with low values.
“Recipient identification ambiguous” errors for some profiles.
Fixed a defect where profiles created from accounts with trailing spaces in identifiers could not be used as recipients in certain PDRs and did not appear correctly in profile reports, removing spurious “Recipient identification ambiguous” errors.
Request search by requester notes
Fixed All Requests filtering so searches on Requester Notes correctly return matching requests, including those stored in legacy columns, restoring expected behavior for help desk and identity users relying on note text queries.
Fixed the session monitoring service (idsmpg) to treat the file/path not found as success for both single and multi-session package removal.
Fixed the session monitor recording icon label branding.
Adjusted the pam_system_type_linux component to use the LINUX_NG connector.
Adjusted other components to use LINUX_NG instead of LINUX.
Fix mobproxy HTTP request handling issues for PATCH operations.
Updated mobile proxy paths for modern deployment.
Fixed a runtime error in UserclassIsMember stored procedure due to SQL optimizer executing operations out of order, causing data type conversion failures.
Fixed a runtime error in the UserClassPointLoadFromCache stored procedure that occurred when the userclasspoint.criteriap field contained NULL value.
Fixed REST API output of datetimes to respect timezones.
Added discoveryId to auto-discovery operation output for target systems.
Fixed REST API v2 to correctly mask password attribute values as ******** instead of returning encrypted strings.
Fixed group and account DELETE endpoints returning 400 error in v1 API.
Fixed refresh token authentication by ensuring the required userguid claim is properly included in refreshed access tokens.
Fixed a mass password reset issue to URL-decode the X-CSRF-Token header value for REST API calls.
Added superuser access to accounts and users patch operations.
Added REST API error response fixes for:
userinfo endpoint when invalid or expired tokens are used
endpoint calls using invalid CSRF tokens
Account information now properly populated in SessionLogs REST API responses for ACUA operations.
Fixed an issue where the authchain2factor API call was failing.
REST API now invalidates access tokens when refresh tokens are revoked (RFC 7009 compliance).
Excluded PWGEN_NUM from PasswordPolicy GET endpoints to list rules.
Fix multi-issuer token validation by configuring OpenIddict to use BASE_IDSYNCH_URL for consistent issuer claims.
Modified the following default REST API OPA policies to authorize members of user class _REPORT_READERS_:
accounts_get
accounts_get_list
accounts_groupmemberships_get
accounts_groupmemberships_get_list
accounts_targetsystem_get
accounts_user_get
operations_get
operations_get_list
targetgroups_get
targetgroups_get_list
users_accounts_get_list
users_get
users_get_list
targetsystems_accounts_get_list
targetsystems_get
targetsystems_get_list
targetsystems_groups_get_list
targetsystems_options_get_list
Added missing fields to ReqBatch.
Saved reports record count and paging.
Resolved an issue where saved reports pages did not respect the “Records to display” setting and appeared to show fewer results than configured, particularly when some spool files were missing or unreadable.
Boolean filters behave correctly for “No”
Fixed Boolean request attribute handling in the “Managed account check‑outs / check‑ins” report so that searching for “No” returns the correct results, matching how values are stored in the database.
Blocked insecure HTTP methods TRACE and CONNECT to address penetration test findings while preserving REST API functionality.
Resolved 8 npm security vulnerabilities by updating playwright, vite, storybook, and other dependencies to secure versions.
Enhanced postMessage origin validation to prevent potential message interception by malicious frames.
Fixed the Skip authentication button text cutoff by allowing login buttons to wrap and styling the Skip button to match the Continue button.
HTML formatting for request macros in email
Corrected handling of request macros like %REQUESTBATCHDETAILS%, %REQUESTPURPOSE%, and %REQUESTLINKS% when MAIL CONTENT TYPE is enabled so multi‑line values render with proper HTML line breaks instead of being collapsed into a single unreadable line.
Fixed an issue to allow users with the "View workflow requests" (viewworkflow) permission to view request details on the request popup page.
Modified the rbacenforce.exe utility to properly save requests that failed to submit; the file now has a request kvg similar to the one produced by the wizard.
First‑time registration flow stability.
Resolved an issue where the first‑time registration process could crash the UI before the password change step completed, particularly when multiple notifications were triggered. The flow now consistently returns users to the expected notification and password change pages.
Fixed a notification client white-screen issue; notifications now display properly.
Fixed hid_policy_wfemail to respect the default policy.
jQuery 3.7.x validation test coverage
Extended and updated automated UI tests to validate the jQuery 3.7.x upgrade, improving the reliability of regression coverage for the React‑based interface.
Saved reports honour record limits
Fixed saved report pages so the “Records to display” setting is respected. Reports with missing or unreadable spool files are shown but their controls are disabled instead of silently dropping the rows.
Added a fix to bypass the cookie check when using the "forgot password" flow.
Fixed "Invalid request" error when AJAX calls are made from popup windows.
Fixed an issue to prevent API calls before the userId is set.
Fixed an issue where logging into a different instance would log out users from their current instance by implementing instance-specific cookie paths.
Added in-app password character help dialog for password rule "contain only characters available on a standard English (US) keyboard".
Removed Login Manager (SSO) from the license and list of supported products.
Password suggestion count now uses the AUTOGEN_NUM rule from password policies (defaults to 5 if not configured).
Added an optional suggestedPasswords field to the PasswordPolicies POST endpoint. When the AUTOGEN_NUM rule is enabled, passwords validate against the suggested passwords list.
The "Remember Me" functionality now correctly persists user preferences across logout and session expiry.
Fixed "Session Active in Another Tab" text visibility in dark mode.
Fixed missing translations in User Accounts Summary widget configuration for status filters, sort options, and sort order dropdowns.
Removed quick action menu (3-dot icon) from User Accounts Summary list view.
Removed "Last activity" field from User Accounts Summary widget including display, configuration, sorting, and all related functionality.
Add XSS sanitization to password policy rule descriptions with DOMPurify to prevent script injection attacks.
Ensured default dashboard does not pre-emptively load before determining if user has saved dashboard layout.
LegacyIntegrationService is the source of truth for userStorageKey, ensuring no shared dashboard layouts between users.
Mobile header now shows icon-only logo on small screens to ensure logout and navigation buttons remain accessible.
Locked the search bar at the top and description toggle to the bottom of the side menu.
Password policy rules panel now displays regular expression and whitelist requirements alongside the rules.
Fixed password policy descriptions not translating when user changes language by parsing Accept-Language header correctly and adding language family fallback in backend, plus refetching policies on language change in React UI.
Password Policy Validation
Removed misleading fallback password rules when policies fail to load.
Submit button now disables when password policies cannot be loaded or when required rules are not met, preventing invalid password changes.
Added clear error messages when password requirements are unavailable.
Fixed validation to check all required password rules including regular expressions and whitelist entries.
Fixed password policy switching to use target group-specific policies instead of all policies.
Password rules, validation, and suggestions now correctly update when switching between target groups with different password policies.
Fixed badge calculation and display bugs in "User Accounts Summary" dashboard.
User Profile widget now dynamically loads attributes from the API with localized labels, filters out user-type attributes, and includes comprehensive icons.
Fixed "Total Group Memberships" user metric widget to correctly display the count of group memberships across all user accounts instead of showing "Selected metric not found" error.
Remove the Show Last Login option from the user profile configuration widget.
Fixed the "Show Avatar" toggle to properly hide/show the user avatar.
Removed non-functional "Strong Passwords" metric from dashboard widgets.
Fixed an issue to read the CSRF token fresh from cookies on each request.
Enabled server logout endpoint to clear cookies.
Fixed CSRF token expiring after 1 hour while session remains active, preventing unnecessary 403 errors.
Fixed REST API authorization failures for sessionclient tokens by adding missing user claims to JWT payload.
Added a missing GUID marker to the root HTML page.
Fixed User Accounts Summary widget's "Enabled Statuses" filter to correctly filter displayed accounts based on selected status options.
Fixed User Accounts Summary widget to show real-time status updates until account operations fully complete.
Fixed User Accounts Summary widget list view displaying plain text status chips instead of icon badges. List view now shows the same status badge icons as grid view for consistent status visualization.
Added missing legacy module ID mappings for dashboard items.
Fixed feature to restore default widgets on layout reset.
Added session transfer system for multi-tab coordination to prevent authentication conflicts and ensure consistent user experience across browser tabs.
Fixed authentication race conditions and iframe display issues on page refresh.
Fixed legacy UI flash during React logout, navigation loop after logout, and cleared user cache to prevent stale data when switching users.
Removed unused actions configuration option from User Accounts Summary widget.
Added the allow-popups-to-escape-sandbox token to the sandbox attribute of the legacy iframe.
Fixed an issue to always use the top-level document for communications over the WebView channel.
Fixed an issue where quick actions were not loading on first login.
Language switching now correctly translates dark/light mode toggle, logout button, and refresh button in all supported languages (English, French, Spanish).
Password change notification messages are properly translated.
Fixed memory leak in StorageService that prevented proper cleanup of user session data during logout/login cycles, eliminating unreleased promise references and race conditions in the authentication flow.
Fixed a React UI issue to use the proper self-service exit trap on password reset.
Fixed an issue to avoid displaying duplicate attributes on the user profile card on the dashboard.
Enhanced User Accounts Summary widget with immediate account loading and configurable refresh intervals with intelligent caching.
Fixed widget refresh intervals not working correctly:
Total Accounts, Passwords Near Expiry, Average Password Age, and Total Group Memberships widgets now automatically refresh every 5 minutes as intended.
Previously, these widgets only refreshed on browser refresh or refreshed on every page navigation instead of respecting the configured interval.
Improves dashboard performance by reducing unnecessary API calls.
Fixed unhandled exceptions that could occur during proxy shutdown, improving application stability.
Frozen idmsuite.log modification time.
Fixed a threading issue that could cause the idmsuite.log file’s modification timestamp to stop updating even though new log entries were being written, which made it appear as though logging had stopped when it had not.
Upgrade actions
Apply ASP.NET Core 8.0.23 guidance
When upgrading to this release, ensure that server environments meet the documented ASP.NET Core 8.0.23 (or later) requirements for Hosting Bundle, Runtime, and Desktop Runtime, and redeploy Bravura Security Fabric instances so that bundled DLLs are updated to the secured versions.
Optional KMKeyGetByAccount fallback configuration
For environments previously using the Qualys‑specific fallback registry value, administrators should rename the KMKeyGetByAccount mapping value to the new generalized name while preserving the accountname domain resource_id format so external scanners continue to function after upgrading.
Plan OAuth transition for global‑mail‑plugin
For environments using global‑mail‑plugin with Exchange or other OAuth‑capable SMTP servers, plan to configure OAuth settings (client ID, client secret, token endpoints) ahead of Microsoft’s basic‑auth retirement date to avoid mail delivery interruptions.
Optional log flush interval tuning.
Administrators who want tighter control over idmsuite.log timestamp updates can adjust or disable the new periodic flush interval using the flush-interval-ms registry setting for the logging service. The default interval is low‑overhead and suitable for most deployments; no change is required unless you have specific logging or performance needs.
Validate psupdate scheduling on shared schema
In shared schema environments, verify that psupdate is only configured to run from the intended primary node after applying these builds, and update operational procedures so administrators always initiate auto discovery from that node to avoid future scheduler conflicts.
Pass – Review SKA deployment on shared workstations
For shared machines using the SKA “Change my password” tile, deploy updated SKA installers and verify that session‑only cookie settings are applied so that no active session remains available when users close the SKA window.
The SKA client software needs to either be upgraded, or have Windows registry entries modified (append ?EPHEMERALCOOKIE=1 to the URLs):
# HKEY_LOCAL_MACHINE\SOFTWARE\Bravura Security\Bravura Security Fabric\Login Assistant\Credential Provider\WebBrowserURL
Example: Change http://server/instance/ to http://server/instance/?EPHEMERALCOOKIE=1
# HKEY_LOCAL_MACHINE\SOFTWARE\Bravura Security\Bravura Security Fabric\Login Assistant\Login Assistant\cmd
Example: Change -url http://server/instance/ to -url http://server/instance/?EPHEMERALCOOKIE=1
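One way to audit and apply the registry change above on a shared workstation, as an added example that is not Bravura Security's own tooling. It assumes WebBrowserURL and cmd are registry value names under the keys shown, and that a URL already carrying a query string takes & rather than ?.

```powershell
# Added example, not vendor code. Run elevated; use -WhatIf to preview changes.
# Assumption: the last path component in the release note (WebBrowserURL, cmd)
# is the registry value name under its parent key.
[CmdletBinding(SupportsShouldProcess)]
param()

$base = 'HKLM:\SOFTWARE\Bravura Security\Bravura Security Fabric\Login Assistant'
$targets = @(
    @{ Key = "$base\Credential Provider"; Name = 'WebBrowserURL'; IsCommandLine = $false },
    @{ Key = "$base\Login Assistant";     Name = 'cmd';           IsCommandLine = $true  }
)

function Add-EphemeralCookie {
    param([string]$Url)
    # Idempotent: leave the URL alone if the parameter is already present.
    if ($Url -match '[?&]EPHEMERALCOOKIE=1(&|$)') { return $Url }
    # Assumption: an existing query string is extended with '&' instead of '?'.
    $sep = if ($Url.Contains('?')) { '&' } else { '?' }
    return $Url + $sep + 'EPHEMERALCOOKIE=1'
}

function Update-CommandLine {
    param([string]$CommandLine)
    # Rewrite only the argument following -url (quoted or not); keep the rest.
    $rx = [regex]'(?i)(?<flag>-url\s+)(?<q>"?)(?<url>https?://[^\s"]+)\k<q>'
    return $rx.Replace($CommandLine, {
        param($m)
        $m.Groups['flag'].Value + $m.Groups['q'].Value +
            (Add-EphemeralCookie $m.Groups['url'].Value) + $m.Groups['q'].Value
    }, 1)
}

foreach ($t in $targets) {
    $path = "$($t.Key)\$($t.Name)"
    $item = Get-ItemProperty -Path $t.Key -Name $t.Name -ErrorAction SilentlyContinue
    if (-not $item) { Write-Warning "Not found: $path"; continue }

    $old = [string]$item.($t.Name)
    $new = if ($t.IsCommandLine) { Update-CommandLine $old } else { Add-EphemeralCookie $old }

    if ($new -notmatch 'EPHEMERALCOOKIE=1') {
        # No URL was recognised in the value; do not guess, flag for review.
        Write-Warning "No URL recognised in $path; review manually: $old"
        continue
    }
    if ($new -ceq $old) {
        Write-Output "Already set: $path"
        continue
    }
    if ($PSCmdlet.ShouldProcess($path, "Set value to '$new'")) {
        Set-ItemProperty -Path $t.Key -Name $t.Name -Value $new
        Write-Output "Updated: $path"
    }
}
```

Running it a second time should report "Already set" for both values, which doubles as a compliance check across a fleet of shared machines.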