Identity Manager release note 5.1.0
Release date: 2025-08-19
Main new features
FIDO support: enrollment on behalf of another user with MS Entra
FIDO2 security keys are a great improvement, providing a secure and phishing-resistant authentication method. On the downside, the registration of a FIDO2 credential requires manual intervention and the presence of the future holder of the credential. The standard workflow requires a user to first authenticate with the service that they want to register the token for and then enroll the token itself. This leaves the user with two authentication methods, one of which is potentially username/password authentication.
A more enterprise-suitable approach is to allow operators to register the tokens on behalf of the user and then distribute the tokens to the user. Microsoft Entra offers an interface that allows FIDO enrollment on behalf of another user. This Smart ID release supports FIDO enrollment on behalf of another user with MS Entra.
Android keystore provisioning
Mobile phones offer a high level of security through their sandboxing approaches built into the operating system. This can also be an obstacle to the usability of security features. For instance, if you want to read your encrypted emails not only on your desktop but also on your mobile device, the same encryption certificate and key would have to be accessible for the email reading app on the mobile device.
The new feature allows provisioning keys and certificates to the Android keystore so that they can be shared with other apps such as MS Outlook. This allows certificate-based security features to be used seamlessly on the desktop and the mobile device without much user interaction.
DATA REST API
The Data REST API provides a standard REST interface for reading entity data such as users, cards, certificates etc. All data that can be seen in the Identity Manager Operator UI search can be made available to other systems through this API. It is based on the search configurations created in Identity Manager Admin and can be further refined via additional filter, sorting and paging options. For more information, see Identity Manager Public Data REST API.
High availability for scheduled jobs
Smart ID Identity Manager supports high availability setups, especially to allow load balancing with multiple nodes. However, some functions like Scheduled Jobs had to be restricted to one node. This could be a problem in failover setups if these functions need to be highly available as well. With the new version, Scheduled Jobs can be configured to run on several nodes, giving full high availability for the Scheduler functionality as well. As the underlying library has been changed, there are some effects on cron formats and system.properties. See Upgrade Smart ID Identity Manager from 23.10.19 to 5.1.0 for more information.
Config format versioning
Identity Manager allows upload and download of configuration files containing workflows, data structures etc. The configuration format is now versioned, and for each Identity Manager version it is indicated which config format version is compatible with it. This makes it possible to share configuration files between different Identity Manager versions if the config format version is the same. Checks are also introduced on upload to ensure that only compatible versions are uploaded. See Upgrade Smart ID Identity Manager from 23.10.19 to 5.1.0 for more information.
Java 21
One building block of cyber security is keeping the system up to date. This is true for software versions as well as for the underlying libraries. Smart ID Identity Manager is based on Java, and as such many dependencies rely on the Java version used. With Java 21 we are on the latest version with long-term support. This also allows using modern versions of dependent libraries.
Java 21 itself comes with improvements and new features that lead to overall performance improvement.
There are some impacts when upgrading from an older version. See Upgrade Smart ID Identity Manager from 23.10.19 to 5.1.0 for more information.
Stabilizing Flowable: removed Messaging
With Identity Manager 5.0 we already introduced Flowable as the new forward-looking process engine. The integration has been stabilized in Identity Manager 5.1.0. The messaging between Identity Manager and the process engine has been removed, as it introduced more complexity while its advantages could not be proven.
Removed features and changes in delivery
The undocumented module “cryptovision_integration” has been removed.
Some custom classes have been deprecated as there are Java replacements available.
Removal of Security Filter Chain filters: The filter chains have been reworked; filters have been removed and replaced by Spring Security standards. Some legacy projects might have introduced custom endpoints with custom filter chains. These need to be adjusted.
Referencing “SetProcessMessageExecutionListener” via class name in BPMN is deprecated.
For more information, see Upgrade Smart ID Identity Manager from 23.10.19 to 5.1.0.
Detailed description of features
Features
Jira ticket number | Description |
---|---|
CRED-17763 | Access permission filters have been restructured and made stricter for enhanced security. |
CRED-18591 | Versioning for the configuration files is added with this release. See Identity Manager 5.1.0 - Compatibility for more information. |
CRED-18817 | The scheduler library used in Identity Manager has been changed. The scheduler can now run on multiple nodes. There are some differences to the old scheduler. See Upgrade Smart ID Identity Manager from 23.10.19 to 5.1.0 for more information. |
CRED-18862 | Identity Manager is now based on Java 21. See Upgrade Smart ID Identity Manager from 23.10.19 to 5.1.0 for more information. |
CRED-19037 | Added support for JCO p60 cards with special profiles and Idopte middleware. See Encoding using Idopte middleware in Identity Manager and child pages for more information. |
CRED-19100 | Search configurations can be triggered and search results retrieved via REST using the Identity Manager Public Data REST API. See Identity Manager Public Data REST API for more information. |
CRED-19130 | Security fixes for the spring library. |
CRED-19294 | In Identity Manager Admin, predefined JavaDelegate classes have been added to the drop-down list of available service tasks in the BPMN editor. |
CRED-19475 | All log entries within a single scheduled task now contain the same correlation ID. |
CRED-19488 | The messaging between Identity Manager and the BPMN engine has been removed. |
CRED-19608 | Two new service tasks added to provision a FIDO credential to a FIDO key: “Desktop App: Fido - Create Credential” and “Desktop App: Fido - Start Connection”. |
CRED-19651 | A new service task is added to get creation options for a FIDO credential from Entra: “Entra: Fido - Get Creation Options”. See Miscellaneous standard service tasks in Identity Manager for details. Also see Fido passkey provisioning with Microsoft Entra. |
CRED-19657 | A new service task is added to register a FIDO credential with Entra: “Entra: Fido - Create Credential”. See Miscellaneous standard service tasks in Identity Manager for details. Also see Fido passkey provisioning with Microsoft Entra. |
CRED-19658 | Update of Captain Casa library. |
CRED-20235 | Security fixes for commons-io. |
CRED-20516 | Security fix for the jetty library. |
CRED-20520 | Security fixes (library upgrades) for Smart ID Self-Service and Identity Manager Operator. |
CRED-20695 | The ‘versionStamp’ of internal users will no longer be increased when the ‘lastLoginTimestamp’ is updated. This adjustment is made to prevent optimistic lock issues. |
CRED-20970 | Added support for TCOS middleware 1.20.0. See Encoding using T-Systems TCOS middleware in Identity Manager for more information. |
Corrected bugs
Jira ticket number | Description |
---|---|
CRED-17064 | In Identity Manager Admin, when a service task was added via the BPMN editor, the pre-selection from the service task was not taken into account in the task list. This has been fixed. |
CRED-17364 | There was an issue in Identity Manager Admin where the Test Connection Button on LDAP connections in the authentication profile would overwrite connection data if there were two LDAP authentication profiles. This has been fixed. |
CRED-18832 | Non-configurable class-based JavaDelegate service tasks were editable in the task list even though nothing could be changed. This has been fixed. |
CRED-19947 | In Identity Manager Operator, there was a problem with data from timed out sessions not being removed properly, leading to out-of-memory situations in some cases. This has been fixed. |
CRED-20103 | Error boundary events on processes were not caught correctly. This has been fixed. |
CRED-20156 | There was an issue with Secure Key injection with ATOS middleware, where the encryption key could not be used in some cases. This has been fixed. |
CRED-20169 | The service task “Credentials: Create Minidriver Card Manager Key” threw an exception on Oracle databases when the parameter ‘blockCountFieldName’ was empty. This has been fixed. |
CRED-20203 | There was an issue with setting connectionSecurity for the SMTP settings via the REST endpoint /deploy/property. This has been fixed. |
CRED-20223 | Sending requests to Certificate Manager could not be parallelized which limited throughput. This has been fixed. |
CRED-20274 | Connection data for Hermod, printers and SAML was exported with the config even when the option to exclude connection data was set. This has been fixed. |
CRED-20286 | Performance of login with basic auth has been improved for webservices, for example Hermod call backs. |
CRED-20303 | Pre-login processes can be removed from the Dashboard in Smart ID Self-Service. See Upgrade Smart ID Identity Manager from 23.10.19 to 5.1.0. |
CRED-20311 | There was an issue with logging multiple identical requests to Certificate Manager that came in the same second. This has been fixed. |
CRED-20755 | Reverted an optimization of precondition validators introduced with version 23.10.15 as it would lead to more ConcurrentModificationExceptions under load. |
CRED-20789 | When using JUEL expressions in Identity Manager Admin that contained two variable names, these were not resolved correctly. This has been fixed. |