Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Added info regarding a known bug in DA-166

Version: 21.04

Release Date: 2021-05-20

The Smart ID 21.04 release provides major updates in Identity Manager, Self-Service, Digital Access and Physical Access. Messaging provides minor improvements and bugfixes only. All components also provide several bugfixes and library updates to ensure high quality and security.

See Upgrade Smart ID with information regarding upgrade from 20.11 to 21.04.

Main new features

Identity Manager login page revised

In this Smart ID release, several changes around login for Identity Manager have been done. The tenant pre-selection page has been removed, selecting tenant is now part of the main login page. Also, there are now dedicated login buttons for SSO (via SAML) and certificate based login, so that users can select the login method on the UI (instead of selecting SAML and certificate login just via URLs). At the same time, the logout button for SAML was introduced in Self-Service and Identity Manager Operator in order to close the user sessions via the UI.

Furthermore, it is now possible to configure in the Admin panel of Identity Manager Operator, which authentication methods will be visible per tenant (e.g. to enforce strong authentication in Identity Manager and disable username/ password).

Improved Batch Sync in Identity Manager

With Smart ID 21.04, it is now possible to control the Batch Sync jobs in the runtime system (in the Admin tab of Identity Manager Operator). New buttons have been introduced in the Batch Sync job list, to start/stop/execute scheduled jobs from there. Besides that, improvements in the paging behavior of the searches have been done for Batch Sync.

Introducing Interflex 6040 connector

This release of Smart ID introduces a standard connector to the Interflex 6040 PACS system in Physical Access, supporting the standard use cases of Smart ID Physical Access.

Search AD user groups in Digital Access

In Digital Access Admin, the handling of selecting and assigning AD user groups has been improved. Instead of listing the available AD groups in dropdown menus, a search has been introduced to support selecting user groups in large AD environments with more than 1000 AD groups.

Smart ID compatibility

Excerpt Include
Smart ID 21.04 - Compatibility
Smart ID 21.04 - Compatibility

Detailed feature list


Jira ticket noDescriptionDigital AccessIdentity Manager & Self-ServicePhysical AccessMessaging

Added instance ID in Docker config for self-service

It is now possible to set the instance id (used to differentiate the applications when running multiple instances) for the Self-Service via the docker-compose environment variable. Set properties for Smart ID Self-Service.



Improved standard password issuing process

So far the standard process in the Identity Manager Base package was that every new employee gets automatically username/password for self-service sent per email and printed as PDF during user activation. Now the standard process has been adjusted so that is easier to choose if optionally either PDF or mail is used to issue the username/password. See Enter person data manually - Digital ID.



Supporting ObjectGUID attribute in LDAP

It is now possible to use the ObjectGUID attribute - or in general attributes in binary format - in LDAP as a datapool field or in an export configuration in Identity Manager. This means that the GUID can now be used as a unique identifier for import/export, especially in large AD forests when no other uid is available.



Improved password complexity

The default settings in the standard Identity Manager packages for generating passwords have been updated. The password complexity has been increased (16 digits, number, upper case character and special character) in order to increase security.



French translations

Added some missing French translations in the standard workflow packages for Identity Manager.



Added tenant id in docker config for self-service

It is now possible to set the tenant id for the self-service via the docker-compose environment variable.See Set properties for Smart ID Self-Service



Return certificate chain with QuoVadis PKI

The QuoVadis PKI connector did not return the certificate chain (root, issuing CA) as part of the certificate requests. In some use cases it is required to write also the whole chain on smart cards or to deliver the chain in soft tokens. This functionality has been added now as well to the QuoVadis connector. See Cert QuoVadis PKI - Standard service tasks in Identity Manager.



Added certificate chain parameter to soft-token task

The soft-token service task got an additional parameter to decide if the whole certificate chain will be added to the Pkcs#12 soft-token or not. Before, the chain was always added, and this is still the default behavior. But with the new parameter, customers can deactivate the chain, so that only the end user certificate will be added to the Pkcs#12. See "Cert: PGP Soft Token" in Standard service tasks in Identity Manager.



Obsolete JSPs removed

Removed obsolete .jsp sub pages for PDF printing in the form designer. These sub pages are leftovers from the former java-based clients and do no longer work on the HTML5 clients in Identity Manager. 



Standard service task cleanup

The standard service tasks have been aligned with the new Smart ID naming conventions (e.g. changed terms like Personal X, HAG etc. to the new names). This does not affect the functionality, also no change in the configuration is needed because of the name changes.

Also the deprecated "generateAndArchivePasswordAccordingPasswordPolicyTask" and the old soft token task "executeSoftTokenRequestAndRecovery" are removed with 21.04. Customers, that are still using these tasks have to switch to the successor tasks. See Smart ID Messaging - Standard service tasks in Identity Manager.



Improved error handing for BPMN rollback

When the BPMN process engine does a rollback due to an error during execution of a process task, the default behavior is that the BPMN engine does infinite retries every 5 min, if the error is not caught properly in the BPMN design, e.g. via ErrorBoundaryEvents. To prevent endless retries, when the error is not handled in the BPMN design, the implementation limits now to 3 retires max.



Updated SAML algorithms

Specifically the hash algorithm is updated to SHA-256 now.



Extended filter capabilities in multi-level search

When searching through multiple levels in a coreObject hierarchy, in general the filters can be applied on both - the source and the target data pool. There was one limitation so far on that - when using the same data pool as source and as target, the filters could only be set on the source so far. With 21.04, this has been improved, now we can also apply filters on both - source and target - even if both is the same data pool.



New revocation service task

Added new service task for certificate revocation that can fetch states also dynamically from the process map, e.g. for easier automated revocation via APIs. See "Cert: Revoke Certificate" in  Standard service tasks in Identity Manager



Allow BatchSync to modify data in data source

The BatchSync functionality in Identity Manager had so far a limitation when using the same data pool as source and target. Use case e.g. if mass card blocking is done, the search will read on the same source that is used later on for writing in the blocking process. In that case, when processing a large amount of records, BatchSync did not process all records in the first run but needed multiple iterations (due to an internal paging). This has been improved with Smart ID 21.04 - BatchSync will process now all records in one run for all use cases.



History migration from SmartACT/ProACT

The migration tool to move from the old (EOL products) SmartACT/ ProACT has been extended, now also SmartACT/ ProACT history tables can be migrated into the IDM ObjectHistory.



"start/stop/execute" for BatchSync

User experience has been improved for BatchSync. So far the only way how to execute the Batch Jobs was the cron expression in the configuration. Now it is possible to start/stop the scheduled jobs and also execute them immediately in the Admin panel in Identity Manager Operator. See Identity Manager Operator and Set up batch synchronization scheduled jobs in Identity Manager.



Domain registration for QuoVadis PKI

With this release a new standard service task has been added to Identity Manager to do domain registration when using QuoVadis PKI.  Use case is: when customer wants to issue TLS certificates for a new domain, the registration of the new hostname can now be done directly via workflows in Identity Manager instead of going through the QuoVadis Portal.

See Cert QuoVadis PKI - Standard service tasks in Identity Manager



Enabling/disabling authentication methods in Identity Manager

As part of the redesign of the Identity Manager Operator login screen, we also added the possibility to enable/disable dedicated authentication methods (such as username/password, SAML SSO or certificate based login). A corresponding configuration was added to the Admin Panel in Identity Manager Operator to do that configuration. This means that e.g. username/password can be deactivated to enforce strong authentication.

The separate configuration of authentication methods for Smart ID Self-Service remains, so that authentication methods can be differentiated for Identity Manager Operator and Self-Service. See Identity Manager Operator.



Connect to PKI service providers via Proxy

For our connectors in Identity Manager to PKI service providers (D-Trust and QuoVadis) we have now introduced the possibility to set up an HTTP proxy. Customers that have no direct access to Internet from the application server can now route the traffic to the PKI service providers via a web proxy. See Integrate Identity Manager with D-Trust connector and Integrate Identity Manager with QuoVadis connector.



Added Eject parameter to Card Encoding via Card SDK

From Smart ID 21.04 on, it is possible to control the eject behavior in of card printers, when printing and encoding cards via Identity Manager and Card SDK. In previous versions, when doing integrated encoding in the card printer, by default the card was ejected when card personalization was finished. In some cases, a second encoding process is required (after a round-trip to Identity Manager for execution of additional business logic). For that purpose, an additional parameter was introduced in the encoding files to decide if the card should remain in the printer or if it should be ejected.

See Structure of an encoding description in Identity Manager.



Performance improvement in CM Connector

The implementation of the CM Connector has been improved in Identity Manager in order to improve performance, specifically request throughput, in high load scenarios. The new implementation (based on the CM Toolkit) will reuse an established TLS session again for subsequent requests.



Delete objects via SCIM

With this release we added the possibility to delete also objects in a SCIM service. The standard "delete Object" BPNM process task can now be used also on a SCIM data pool. When executing that task on SCIM, the system will trigger deleting the selected record in the foreign SCIM resource. See Set up process in Identity Manager.



SAML Logout in Identity Manager Operator and Self-Service

With Smart ID 21.04 we are introducing a session logout for Identity Manager Operator and Self-Service. This means that users that authenticate via SAML can now logout also with the ordinary logout button. Please note that this is just an ordinary invalidation of user session in Identity Manager and not a SAML SLO. The SAML ticket still remains valid after logout in Identity Manager or Self-Service. See Identity Manager Operator.



Improved REST Process API

The Process REST API was extended to make querying data at a given user-task more reliable:

  • added a new optional parameter the process "start" command (backwards-compatible)
  • added two additional commands

Interaction with existing clients will behave as before. Client changes are required to take advantage of the new features. See Identity Manager Process REST API for details.

Setting certificate validity dates now also supports the lexical xsd:dateTime format (see
Using this (with timezone, ideally UTC) is recommended over the legacy format "yyyy-MM-dd HH:mm:ss", which depends on the server's local timezone.



Support added for Interflex IF-6040 PACS connector

Interflex IF-6040 PACS connector from Interflex Datensysteme GmbH (Allegion Group) is supported for all standard use cases in Smart ID Physical Access. See Set up integration with Interflex IF-6040.


Docker Compose updates

Environment variables are now used for setting and reading configuration settings instead of app.config.



Added ability to search user groups

Added ability to search user groups instead of having dropdown at multiple places so that groups can be searched and added even if there are more than 1000 AD groups.



Local users can be added as delegated administrator

Added ability to add local users as delegated administrator under Delegated Management. This works both for Digital Access Admin and XPIs.



Ericom client has been removed

Removed EricomClient / Access now references from Digital Access Admin under Resources. This will only be removed from the default standard resources and not the ones specifically added by users. Resources added by users will have to be manually removed.



Upgraded to Guacamole version 1.3.0

Added option to url encode for guacamole web resource.



Added support for TLS version 1.3.0

Added support for TLS version 1.3.0. Removed the support for SSL v2 and v3. Removed weak ciphers for TLS v1.0, 1.1. Disabled weak ciphers by default for TLS v1.2.

Known bug: User certificate authentication method fails when TLS1.3 is enabled. The work around is to disable TLS1.3. The fix for the same will be included in the later DA releases that will be communicated once released.



Added Docker Swarm orchestration

Added Docker Swarm orchestration for Digital Access deployment in virtual appliance. Read more here: Deploy Digital Access componentFrom version 6.0.5 onward, there will be only the command line way to upgrade Digital Access versions (both Online and Offline upgrade). Removed the v-apps and admin GUI upgrade options. More details can be found in the upgrade instructions document for different setups, see here Upgrade Digital Access component.

Also, upgrade to 6.0.5 and above will remove the existing orchestrator and replace it with industry adopted standard docker-swarm.


Corrected bugs

Jira ticket noDescriptionDigital AccessIdentity Manager & Self-ServicePhysical AccessMessaging

Fixed setting password in EST registration service task.



Fixed handling empty files that are mapped to encrypted fields in CSV import.



Fixed translations of coreObject state, template name and change state reason in Self-Service.



Fixed escaping of special characters (such as "/") in DN of an LDAP string.



When changing a field value in Self-Service to "blank", the value was not removed from the BPMN process map, therefore the previous value was applied again. This has been fixed.



It could happen, if a check box is selected as default value in the form designer, that the value is not shown correctly in the form when using the form during runtime. this is fixed now.



Fixed a client side memory leak, when doing smart card production via the java PKI encoding client in combination CardOS API.


CRED-10563Avoid NullPointerException if a configured certificate template is not found during card encoding.


Card production and card operation process tasks did create wrong card -> certificate object relations if another certificate was already in the BPMN process before the card production was executed. This has been fixed now.



Fixed a security issue in SCEP Registration task: when doing the SCEP registration via Identity Manager, the plain SCEP registration password, remained in the BPMN process map - immediate cleanup of the map was missing.



Card state change could end in an endless BPMN loop in a certain scenario: state change runs into an error (e.g. invalid transition) on the process level and at the same time a database rollback happens (e.g. due to concurrent read/write). This has been fixed now.



Fixed a performance issue when switching between the main tabs in Identity Manager Operator (PRIME Explorer). In a very large environments (lot of runtime data and lots of different configuration items) it could happen that switching between the tabs ("Start", "Search", "In Progress") takes up to 30 seconds. Switching tabs does no also perform well in these scenarios.



The templates for Identity Manager database initialization for MS SQL DB was wrong in the Smart ID environment file. Template is corrected now.



A dedicated error page for unexpected SAML authentication errors was missing so far. This has been fixed, now in any case a user-friendly error message is shown when SAML login fails.



Search results in Identity Manager extended search could not be sorted by states by clicking the headline in the search result so far. Now sorting will be done on the symbolic name of the states when clicking the headline.



Fixed an SQL statement in BPMN history cleaner, that could cause to incomplete cleanup and slow down the cleanup.



File upload in self-service user tasks was not working anymore. This is fixed now.



The name of the Batch Sync jobs in the Admin tab of Identity Manager Operator was not shown correctly - ID instead of the name was displayed. Now the correct name is shown in the job list.



Improved error handling of the "build ZIP file" standard service task. In some cases (e.g. when fields could not resolved to build the filename) an exception was thrown. These errors are now handled correctly.



When copying the username from the authentication context via the standard service task in self-service, a wrong username was returned. This has been fixed, now also in self-service the correct login name is returned.



When exporting and importing the Identity Manager configuration, the order of the assigned card applications (encodings) in the card templates could get lost/changed. this has been fixed with this release.



When importing records from a CSV file via client side upload (and corresponding service task), it could happen that records are added to the "updatedCoreObjectDescriptorList" parameter in the BPMN process map even if the records have not been changed. This is fixed now.



When setting up "generate date" as initialization value in the form designer in Identity Manager Admin, an exception was thrown. Fixed in 21.04.



Search for fields of type datetime in LDAP didn't work correctly. This has been fixed in 21.04



Time zones have been resolved differently in the Self-Service in contrast to Identity Manager Operator. This did lead to different results between Self-Service and Identity Manager Operator when listing or displaying dates and times. Issue is fixed in 21.04.



When executing a search via search button in a user form in Identity Manager Operator, it could happen that the list did not get filled up til the end of the screen (unused space at the end). This has been fixed now.



When switching from cards with encoding to printable cards only in card template configuration in Identity Manager Admin, the encoding got not disabled and still executed. This has been fixed now, when switching to printable card, encodings get properly removed.



Session handling in Self-Service was not implemented correctly: unnecessary sessions where opened and not closed anymore. This has been fixed in 21.04



Swedish language files where not set correctly in Identity Manager. This has been fixed.



Fixed vulnerability in Self-Service API. Entity reference IDs are now encrypted in the communication between Self-Service and Identity Manager Operator,



Card production failed in Identity Manager if no validity date was present in the request process. This is fixed now, valid from/to is not mandatory anymore for card production.



Initialization values in Self-Service did not work in combination with dropdown-boxes. Has been fixed in this release.



When setting "valid from" parameter for dates in user forms, the date picker in Self-Service and Identity Manager Operator did not evaluate the borders correctly (due to wrong timezone handling). This has been fixed now.



When editing secret fields in a user form, the current field value are masked with "dots". When changing the content, the masked dummy values have not been removed automatically. This could lead to wrong input data, containing the dummy values behind the dots. This has been fixed now.



When adding new fields in a datapool in Identity manager Admin, the check for the name "id" (which is a system field) was done on the translation instead of the symbolic name. Fixed in this release.



Self-Service did show ids instead of display names in comboboxes with static content. Fixed in this release.



Fixed an issue when evaluating the client IP in Self-Service, that is written in object history or read via the "copyValuesOfLoggedInUser" task. Previously the server IP was provided instead of the client IP.



Device name was not passed to Card Operation Task for RFID encoding. Fixed now.



Preview of PDF report templates in Identity Manager Admin was broken. Fixed in this release.


CRED-10232When changing the content of an already saved Batch Order (e.g. removing or adding items in the order), an error was thrown. This has been fixed now.
Please note that a new field "search config" has been introduced in the orders for that fix, that has to be configured now (see update instructions). See Upgrade Smart ID Identity Manager from 20.11 to 21.04.



Signatures over Web service API produced orphan sessions.



Added ‘cacheDuration’ attribute of value 15 minutes in SAML metadata when Digital Access acts as an IDP.



While importing server certificate, encrypted private key with newer encryption algorithm like PBE-SHA1-3DES works now. All PKCS#5 v1.5 and PKCS#12 algorithms are supported now.



Improved performance when many SAML attributes are added by reducing the unneeded repetitive storage calls.



Update the default NPS URL to ‘



Improved on the Docker health check logging to monitor the Docker health at service level to avoid log cluttering.



WS federation stops working after an upgrade to 6.0.x, this has been fixed.



If we Use Organization ID service for Freja authentication, then the registration level set in the Force authentication dropdown does not have any effect on the authentication. Hence disabled force authentication control if Use Org ID service is checked.



Oauth2 Discovery returns 202 Accepted when according to spec it should be 200 OK, this has been fixed.



Failing to delete profile connected to Smart ID Mobile App through XPI services, this has been fixed.



Upgraded openSSL version to 1.1.1k to fix the CVE-2021-3449 vulnerability.


Release announcement

From this release, only Docker deployment is supported for the Smart ID components Identity Manager, Physical Access, Digital Access and Messaging. For full instructions, see Deploy Smart ID.

From Smart ID 20.11 and on, components now only have the Smart ID version number and not the different component version numbers. For information on previous releases, see Nexus Documentation Archive.

For details on the updated Smart ID configurations and deployment configurations, see here: 

titleSmart ID configuration release note

Excerpt Include
Smart ID 21.04 Configuration release notes
Smart ID 21.04 Configuration release notes

titleSmart ID deployment configuration release note

Excerpt Include
Smart ID deployment configuration release note
Smart ID deployment configuration release note


Contact Information

For information regarding support, training and other services in your area, please visit our website at


Nexus offers maintenance and support services for Smart ID components to customers and partners. For more information, please refer to the Nexus Technical Support at, or contact your local sales representative.