Page tree

Are you looking for the latest documentation for the current versions of Nexus' products?

Version: 21.10

Release Date: 2021-11-09

The Smart ID 21.10 release provides updates in Identity Manager, Self-Service, Digital Access and Physical Access. Messaging provides minor improvements and bugfixes only. All components also provide several bugfixes and library updates to ensure high quality and security.

Upgrade Smart ID

See 21.10 - Upgrade Smart ID with information regarding upgrade from 21.04.3 to 21.10.

Main new features

Smart ID 21.10 provides major updates in with new features in Identity Manager, Digital Access and Physical Access.

The Identity Manager component has extended again SAML authentication capabilities: it is now possible to fetch group information from the SAML ticket in order to map this on IDM roles for user authorization. This means both - authentication and authorization can now be managed directly via the IDP.

Digital Access introduces SAML Single-Logout as a new feature.

In Physical Access Smart ID provides a new PACS connector to DormaKaba Exos.

Smart ID compatibility

Smart ID 21.10 is compatible with the following component versions: 

Detailed feature list


Jira ticket noDescriptionDigital AccessIdentity Manager & Self-ServicePhysical AccessMessaging

Updated crypto libraries

Updated crypto libraries in ADCS PKI connector for security reasons.



Added support for Subject DN Attribute "pseudonym"

Added support for Subject DN Attribute "pseudonym" in the certificate templates in Identity Manager.



Improved usability of open tasks in Identity Manager Operator

The maximum number of shown open tasks in Identity Manager Operator is now limited to avoid long loading time for the system. It is also possible to filter on a date range. 



Removed 40 character limitation in BPMN designer

The Eclipse plugin to design BPMN workflows ("Activiti Designer") had a 40 character limitation on the process names. This limitation is now removed. 



Improved UX of certificate login in Self-Service

The user experience of the certificate login in Self-Service has been improved. This is the new flow: Click Sign In with Client Certificate, select certificate, enter PIN and get logged in to Self-Service. Read more here: Configure login screen for Smart ID Self-Service.



Added permissions for viewing object history in Identity Manager Operator

The object history permissions control if a user can see the full history, certain types of history entries only (such as data change, status change, process execution), or not see the history entries at all. Read more here: Identity Manager Operator and Set permissions from Identity Manager users or roles.



Email as unique ID for DFN

The DFN PKI connector is now supporting the EMAIL_ID_DFN field. The value will not be added to the certificate, but can be used as unique ID and user identifier in requests and lifecycle management.



Post-login process configuration in Identity Manager Admin

The post-login processes (BPMN-processes executed intermediately after login to Identity Manager), can now be configured in the Identity Manager Admin UI as part of the authentication profiles. Read more here: Standard service tasks in Identity Manager, "Login: Finalize post-login process".



Support for Certificate Manager 8.4.1

Identity Manager has updated the integration with Certificate Manager by supporting Certificate Manager 8.4.1, which is the latest version. 



Improved SCEP service task

The standard service task for SCEP registration in Identity Manager has been improved. New drop-down lists have been introduced to simplify the configuration. See Standard service tasks in Identity Manager, Cert: Create SCEP order request.



Added support for deleting single certificates from a smart card

For smart card encoding, for example when doing renewal, there is added support for selecting one or more dedicated certificates via certificate serial number and delete them.



Changed sorting of open tasks in Self-Service

The sort order of open tasks in Self-Service has changed and now starts with the newest open task as the topmost entry.



SAML Single logout front channel

SAML Single Logout (SLO) is a SAML flow that allows the end-user to logout from a single session and be automatically logged out of all related sessions that were established during SSO. Added the feature for enabling both IDP initiated, and SP initiated single logout. Refer to SAML Single Logout in Digital Access for more details about the feature.



Added ability to add OIDC Issuer per client instance

Added the Open ID Connect (OIDC) Issuer field for every client instance. If the OIDC Issuer value is not set in the client then it will use the global configuration setting value.



Added ability to send OTP on multiple channels 

It is now possible to send One Time Passwords (OTP) to multiple channels through XPI.



Added Kaba integration with Physical Access

It is now possible to configure the Kaba exos 9300 Service, to enable integration between Smart ID Identity Manager, Physical Access and the Kaba exos 9300 Service. Read more here: Set up integration with Dorma Kaba Exos.


Corrected bugs

Jira ticket noDescriptionDigital AccessIdentity Manager & Self-ServicePhysical AccessMessaging

There was an issue when revoking certificates directly in the smart card encoding process (setting certificates on hold), where the revocation state was not returned correctly to Identity Manager after encoding. This has been fixed.



The logging for the "change state in CA" task fails was not clear. This has been fixed by adding a more clear message into the logfile.



There was an issue with translations of "meta fields" (for example, object status, Template name etc.) in Self-Service. This has been fixed.



Unnecessary warning messages regarding "Certificate-based logout" are now removed from the Identity Manager Operator logs.



Configuration of a custom attribute statement (instead of name ID) for SAML authentication in Identity Manager was not working. This has been fixed.



The "forgot password" link, and the "pre-login" process in general, disappeared in Self-Service when doing a page refresh. This has been fixed.



When using a filter on the fields Certificate.renewalApplied or Certificate.KeyArchival in a search configuration, an error message appeared. This has been fixed. 



Improved error handling in Identity Manager when the connection to the database is down by adding a user-friendly message and allowing the user to close the application.



Fixed coloring by showing warning messages in orange again in Self-Service.



There was an issue when revoking certificates via the certificate state graphs of the standard packages. Consolidation of supported revocation reasons and certificate states of the standard workflow package has been done for all PKI connectors in order to resolve these issues.



When deleting states from a state graph, the deleted states where still displayed in the extended search dropdown menu, because the states where still present in the core template configuration. Consistency checks have been added to avoid such situations.



Self-Service was throwing an error after login, when no searches with purpose "self-service" (to show in the menu bar) where configured. This has been fixed.



When configuring a certificate template in more than one application for smart card encoding, the encoding did fail. This has been changed now, and the same certificate template can be used for multiple applications in the encoding description.



When capturing photos in Self-Service on smartphones via the photo upload functionality, the photos had the wrong orientation (90° rotated). This has been fixed now.



Field validation error messages in Self-Service (e.g. missing mandatory field input) where not shown correctly for "meta fields" (status, template name, change state reason etc). This has been fixed.



When disabling a BatchSync job in Identity Manager Operator, it got executed anyway (disable flag was ignored). This has been fixed.



Fixed a multi-language issue when using SAML/ LDAP authentication profiles. Other languages than English where not translated correctly i that case.



Export search results to CSV in Extended Search was broken when running Identity Manager on MS SQL Server. This has been fixed.



Fixed file upload in Self-Service for upper-case file extensions.



The LDAP connection context was not closed explicitly, and this could potentially lead to a memory leak. This has been fixed now, and LDAP context get closed properly.



When using Status fields in quick search of Identity Manager Operator, the status field was not translated. This is fixed now.



Fixed an issue in the standard service task "Process: Search the newest Encryption Certificate". When multiple certificate templates are involved, the result could have been inconsistent.



"List Processes" in Identity Manager Operator was running into an error in some cases. This is fixed now, and listing processes is working stable again.



When uploading a PDF file of binary type document/PDF in Self-Service, the pre-selected extensions in the upload window was wrong (*.jpeg instead of *.pdf). Also upload did not work after changing the pre-selection. This is fixed now.



Improved user guidance and error handling when configuring an LDAP URL in configuration.



Removed some exceptions that appeared in the UI Framework log of Identity Manager Operator. This change does not only keep the logs clean but also improves performance.



Exporting photos in base64 format via IN Groupe card production connector did not work. This has been fixed, and photos are now transmitted correctly now for card production.



Fixed encoding of IN Groupe card production export. The export data is now UTF-8 encoded.



When exporting card orders to IN Groupe card production, optional fields were not handled correctly when they were empty. This has been fixed.



Order Reference field in IN Groupe Card production export did not resolve variable fields on all cases. This is fixed now.



When importing results from IN Groupe card production, the result XML file was sometimes moved to the "valid" folder even though the import had errors. This has been fixed.



Fixed count of number of requests (ReqNb field) in the IN Groupe card order export. 



Improved error handling when creating non-personal visitor cards: the "number of requests" field is now marked as mandatory, and error messages have been corrected.



When withdrawing an employee card with the standard Digital ID package, the status if the original card did not change. This has been fixed.



Fixed the incorrect namespace in case of configuring additional WSFed attributes.



Fixed the issue when a syslog message is sent from Digital Access to the syslog server, it was not UTC timestamped earlier which led to missing logs information.



Fixed the issue that was caused when deleting a service provider having an access rule.



Updated the migrate script to ask user whether to remove the previous images and stop the running instance of Digital Access. Care needs to be taken if the current instance is not stopped. The new instance should not connect to the same DB instance otherwise it might cause conflicts and corrupt data.

Updated the upgrade script to not delete the previous images. It will be the user's responsibility to delete the previous images of older versions of Digital Access from the system and to keep the space free.


Release announcement

From this release, only Docker deployment is supported for the Smart ID components Identity Manager, Physical Access, Digital Access and Messaging. For full instructions, see 21.10 - Deploy Smart ID.

From Smart ID 20.11 and on, components now only have the Smart ID version number and not the different component version numbers. For information on previous releases, see Nexus Documentation Archive.

For details on the updated Smart ID configurations and deployment configurations, see here: 


Smart ID deployment configuration release note
All notable changes to this project will be documented in this file. Be aware that the [Unreleased] features are not yet available in the official tagged builds.

## [Release 21.10-2021-11-09]

### Added

- Added Digicert Global Root CA certificate. [CRED-11688]
- Added some Let's Encrypt root certificates. [DEVOPS-971]
- Added documentation for maxProfiles option to hermod-conf.yml
- Added `.yamllint` file to set default YAML linting config. [DEVOPS-1085]
- Added volume mapping for logs folder in IDM and Self Service. [DEVOPS-403]
- Fixed cacerts folder permissions in script.
- Added support for docker compose v2 command in script.

### Changed

- New properties for CAAS credentials in smartid.env (placeholders must be replaced before using Nexus GO Cards). [CRED-11688]
- Fixed some copy issues in the script.
- Changed the default selfservice config to include auth methods params example.
- It is now possible to change IDM language settings via system properties. [DEVOPS-860]
- It is now possible to change Self-Service configuration via `CONFIG_JSON` environment variable. [DEVOPS-945]
- Fixed typo. [DEVOPS-1090]
- Replaced Self-Service `IDM_URL`, `INSTANCE_ID`, `IDM_TENANT` by `APPLICATION_YAML` json. [DEVOPS-1127]
- Set logging driver to json-file (the default one) for all containers explicitly [DEVOPS-1136]
- Fixed YAML format. [DEVOPS-1085]
- IDM and SelfService now support custom translations and do not require mapping the whole translation files again. See doc for more info. [DEVOPS-1118]
- Change Import Logger to correct class [DEVOPS-1143]
- Switched to new image naming for IDM
  - `nexus-prime/explorer` changed to `smartid/identitymanager/operator`
  - `nexus-prime/designer` changed to `smartid/identitymanager/admin`
  - `nexus-prime/tenant` changed to `smartid/identitymanager/tenant`
  - `nexus-prime/updatedb` changed to `smartid/identitymanager/updatedb`
  - `nexus-prime/ussp2` changed to `smartid/selfservice`
- Changed Smart ID version to 21.10.0

### Removed

- Removed Self-Service config.json file. [DEVOPS-945]
- Removed expired Let's Encrypt certificates. [DEVOPS-971]
- Removed translation files for IDM and SelfService. [DEVOPS-1118]

## [Release 21.04.2-2021-09-13]
### Added
- HTTPS support for Physical Access integra. [DEVOPS-1211]
- Environment variable to control debug logging in Physical Access SCIMAPI. [DEVOPS-1211]
### Changed
- Set logging driver to json-file (the default one) for all containers explicitly [DEVOPS-1136]
- Change Import Logger to correct class. [DEVOPS-1143]
- RabbitMQ now uses external docker image. [DEVOPS-1211]

## [Release 21.04.1-2021-07-02]

### Changed
- It is now possible to change IDM language settings via system properties. [DEVOPS-860]
- It is now possible to change Self-Service configuration via `CONFIG_JSON` environment variable. [DEVOPS-945]
- Updated SmartID version to 21.04.1

### Removed
- Removed Self-Service config.json file. [DEVOPS-945]
- Removed hotfixes for 21.04.0 for [DEVOPS-970] [DEVOPS-974] [CRED-10768]

## [Release 21.04.0-2021-06-10]

### Added
- Added some Let's Encrypt root certificates. [DEVOPS-971]

### Changed
- Fixed some copy issues in the script.
- Changed the default selfservice config to include auth methods params example.
- Update Language files for IDM. [DEVOPS-1067]

### Removed
- Removed expired Let's Encrypt certificates. [DEVOPS-971]

## [Release 21.04.0-2021-05-28]

### Added
- Added new Let's Encrypt cert. [DEVOPS-946]
- Added hotfixes for 21.04.0 for [DEVOPS-970] [DEVOPS-974] [CRED-10768]

## [Release 21.04.0-2021-05-20]

### Added
- Default values for Selfservice tenant id and instance id. [DEVOPS-738]
- Added example format for MSSQL everywhere we build the DB URL (`${DBHOST}/${XX_DB_NAME}`) because MSSQL requires a different URL format. [DEVOPS-737]
- Include SANs from CSR in bootstrap TLS cert in `bootstrap/conf/ca.conf`.
- Generate tls certificate for non-treafik setup in `bootstrap/`.
- Log4j2 config and template for json layout [DEVOPS-758]
- Datadog agent compose file, with some examples, see nexus and datadog documentation if you want to use it [DEVOPS-759]
- Added a check in `` that exits the script if user didn't fill the mandatory properties in `smartid.env` (thoose with <XX> value pattern). [DEVOPS-759]
- Added Physical Access Interflex PACS. [DEVOPS-752]

### Changed
- IDM DB will no longer be initialized through script. Initialisation has to be done manually by starting container in identitymanager/updatedb. [DEVOPS-739]
- Rename containers to use dash instead of underscore, so containerName can work for DNS lookup (underscore is not allowed in DNS names).
  WARNING! This can cause issues if you use the new config with existing containers using the old names!
- Align idm update db naming to use the name "updatedb" everywhere
  WARNING! This can cause issues if you use the new config with existing containers using the old names!
- Align digital access directory names with service names
- fix bootstrap cert folder permissions in init script
- Changed all HERMOD_* properties to MESSAGING_*. [DEVOPS-751]
- Moved each component's respective config into their own config folder. [DEVOPS-751]
- Made all volume mappings static in compose file, no more properties. [DEVOPS-751]
- Reorganized smartid.env to be split by component, making it easier to find component related properties. [DEVOPS-751]
- Internal ports (inside docker) are now static in the compose file. [DEVOPS-751]
- Moved postgres related properties outside smartid.env, because it is a separate tool not meant for production. [DEVOPS-751]
- Renamed service names in compose files to match their container name. [DEVOPS-751]
- Changed traefik version to 2.4.8. [DEVOPS-638]
- Changed file extension of generated certificates from `.base64` to `.cer`.
- Updated translation files for IDM. [DEVOPS-761]
- Updated Messaging config for 21.04 (Hermod version 3.1.1). [DEVOPS-802]
- Changed chmod command to give permission 700 instead of 600, because hermod needs execute permission.
- Updated SmartID version to 21.04

### Fixed
- Fixed typos in the strings that are echoed to the user during the initialisation. [DEVOPS-646]

### Removed
- Removed unused properties in smartid.env. [DEVOPS-751]
- Removed unused ports for Physical Access. [DEVOPS-752]
- Removed Physical Access config files. Configuration is now handled using environment variables. [DEVOPS-752]
- Removed TZ from all docker-compose files. Since it is set in `smartid.env` which is mapped using `env_file`, declaring the variable a second time in `env` was not necessary.

## [Release 20.11.2-2021-03-22]

### Added
- If you say Yes to the question if Digital Access shall be deployed in the host, it will make it possible for the containers to listen on 80 and 443. [DEVOPS-540]

### Changed
- Bump SmartID version to 20.11.2
- Updated IDM translation files with newer ones. [DEVOPS-561]
- Adjust volumes for hermod certificates. [DEVOPS-651]
- Removed Selfservice hotfixes introduced in previous release. [DEVOPS-626]

### Fixed
- Fixed tenant startup by removing mapped sign encrypt configuration, so it uses the default one from inside the container. Since IDM Tenant uses less certificates, the same config as IDM operator or admin cannot be used.[DEVOPS-640]
- Fixed the script used in IDM operator, admin and tenant [DEVOPS-692] + [DEVOPS-656]

## [2020.11.1-2021-02-18]
### Added
- Added issuing and root CA certificates to IDM containers for config signing (These certs should NEVER be used for production). [DEVOPS-549]
- Added hotfix for SelfService -> IDM connection [DEVOPS-626] Has to be removed with 20.11.2+.
### Changed
- Update sign-encrypt engine to the newest state. [DEVOPS-549]
- Update version number to 20.11.1

## [Release 20.11.0-2020-12-22]

### Added
- Added support for selfservice branding. [DEVOPS-471]
- Added log4j volume mapping for idm containers. [DEVOPS-470]

### Changed
- Updated traefik version to 2.3.4 [DEVOPS-464]
- Renamed selfservice container from "idm_selfservice" to "selfservice".
- Renamed all environment variables starting with "IDM_SELFSERVICE_x" to "SELFSERVICE_x".
- Changed Hermod config to disable by default some end-points and to hide sensitive data in logs. [DEVOPS-484]
- Improved the `` script to handle dynamically all docker-compose stop commands and to work regardless of where the script is called from.
- Improved the `` script to work regardless of where the script is called from.
- Improved the `` script to work regardless of where the script is called from.
- Renamed `idm-selfservice-language.json` to `idm-selfservice-config.json`.

### Fixed
- Fixed volume mapping for selfservice tomcat server.xml by using a separate variable than identitymanager.
- Fixed French translations for IDM and Selfservice.

## [Release 20.11.0-2020-12-07]

### Added
- Added `postgres/init/init-smartid-databases.sql` so that Physical Access database is created when starting up postgres. The "pauser" is created, and a default password is set.
- Added LE CA Certificate to cacerts. [DEVOPS-455]
- Added AJP port variables in smartid.env and use them in identitymanager docker-compose files. Also added AJP Connector in `config/idm-tomcat-server.xml`, which has to be enabled manually (and port set accordingly). [DEVOPS-348]
- Add following new features to the identitymanager docker-compose files: [DEVOPS-406]
  - Support for new CA store volume mapping
  - Support for new system properties environment variable
  - Support for new DB properties environment variables
  - Support for new spring bean volume mapping. See `IDM_VOLUME_PATH_SPRING` in `smartid.env`.
  - Support for new jars volume mapping. See `IDM_VOLUME_PATH_LIBS` in `smartid.env`.
  - Support for new class files volume mapping. See `IDM_VOLUME_PATH_CLASSES` in `smartid.env`.
- Add following new features to the selfservice docker-compose file: [DEVOPS-406]
  - Support for new CA store volume mapping
  - Support for new IDM url environment variable
- Added adminer as tool [DEVOPS-407]
- Added maxVersion for TLS to be 1.2 due to compatibility issues with some mobile devices. [DEVOPS-413]

### Changed
- Changed smartid version to 20.11.0.
- Moved "/certs/boostrap" to "/boostrap".
- Changed postgres version in smartid.env from 9.6.18 to 12.5. [DEVOPS-431]
- Split identity manager containers into their own docker-compose files: [DEVOPS-382]
  - Added `identitymanager/admin/docker-compose.yml`
  - Added `identitymanager/tenant/docker-compose.yml`
  - Added `identitymanager/init-db/docker-compose.yml`
  - Added `identitymanager/operator/docker-compose.yml`
- Adapted `init-/`, and paths inside `smartid.env` and some docker-compose files to fit new docker-compose yaml files. [DEVOPS-382]
- Change the script to ask if traefik is going to be used as Ingress/proxy. [DEVOPS-408]
- Changed in `config/hermod-conf.yml` some values to <IDM-HOST-HERE> and <DA-HOST-HERE> on client samples.

### Removed
- Removed MSSQL from deployment package, since Physical Access now support postgres. [DEVOPS-448]
- Removed unnecessary variables in `smartid.env`.
- Removed identitymanager compose docker-compose file. [DEVOPS-382]
- Removed entrypoint definition from identitymanager docker-compose files. [DEVOPS-406]
- Removed pgAdmin and portainer and its variables from smartid.env. [DEVOPS-407]
- Removed modern and old options for tls in `config/traefik/traefik-tls.yml`. [DEVOPS-413]
- Removed TRAEFIK_TLS_OPTION from smartid.env. [DEVOPS-413]
- Removed identitymanager spring beans because we changed how handle them.
- Removed samples.

## [Release 20.06.1-2020-10-27]

### Added
- Added port forwarding to hermod container in the messaging docker-compose file.
- Added spring bean files for identitymanager in `config/idm/spring_operation` and spring_admin. 
- Added translation files for identitymanager in `config/idm/translation_id`m and for selfservice in `config/idm/translation_selfservice`.
- It is now possible to enable Strict SNI using TRAEFIK_TLS_STRICTSNI=true

### Changed
- changed smartid version to 20.06.1.
- Changed HERMOD_DOMAIN_PREFIX from "mb" to "messaging".
- Changed the DB init/update script behavior, can be controlled with `IDM_DBUPDATE_SCRIPT` in smartid.env.
- Changed `traefik-tls.toml` file to YAML and used variables from .env file. Possibility to change TLS certificate file names TRAEFIK_TLS_DEFAULT_CERTIFICATE and TRAEFIK_TLS_DEFAULT_CERTIFICATEKEY.
- Improved the `` script.
- Moved seflservice to a separate docker-compose file.

### Fixed
- Fixed the jdbc url for `config/da-admin-customize.conf`.

### Removed
- Dropped `restart: always` for identittymanager init-db.
- Removed explicit DBHOST naming in `smartid.env` to force user to set its own value.

## [Release 20.06.0-2020-09-28]

### Added
- Added possibility to add custom-beans for IDM Operator and Admin, in `config/idm`.
- Added possibility to change translation for IDM Operator, Admin, Selfservice and Tenant.
- Added IDM_DB_QUARTZ example for MSSQL, Oracle and DB2.
- Added `container_name` for all containers in:
  - identitymanager/docker-compose.yml
  - traefik/docker-compose.yml
- Added docker hostname for postgresdb DB_HOST in `postgres/docker-compose.yml`, this will make test deployment work from start.
- Added docker hostname for mssqldb PA_DB_HOST in `mssql/docker-compose.yml`.
- Added `restart: always` to all containers. All containers will the start up after re-boot, if they have been started once before.
- Included SAML example files for IDM in `/samples/idm_saml`.

### Changed
- Changed smartid version to 20.06.0.
- Changed explorer/operator url in `idm-selfservice-application.yml`.
- Changed location of Identity Manager SAML samples files from `/docker/compose/examples` to `/samples/idm_saml`.
- Updated ``:
  - Now check if docker and docker-compose are installed, if not the script will exit.
  - Now asks if the deployment is a production deployment, if "Yes", the script will complete and deployment configuration can be done. If "No":
    - Ask if postgres and/or mssql shall be deployed and started.

### Fixed
- Moved comments in `smartid.env` file to be on a separate line instead of behind the value. This was breaking the applications since comments would be evaluated as part of the value.
- Fixed `` so that it works properly on CentOS.
- Fixed a typo for variable `IDM_DB_QUARTZ`.
- Fixed typo in idm-operator container in `identitymanager/docker-compose.yml`, in the path to the castore.jks.

## Removed
- Removed ``, it is included in


Contact Information

For information regarding support, training and other services in your area, please visit our website at


Nexus offers maintenance and support services for Smart ID components to customers and partners. For more information, please refer to the Nexus Technical Support at, or contact your local sales representative.