Release date: 2026-04-10
Main new features
Remote ID Verification
Remote ID Verification provides a quick and secure way to confirm user identities online by using trusted identity providers through the newly added OIDC authentication flow. This modern method minimizes manual verification, strengthens security, and creates a smoother user experience, which are all widely recognized benefits in today’s digital identity landscape.
With Identity Manager now supporting the full OIDC flow, it can easily integrate with IN Groupe’s Remote ID verification service, E-Ident.
E-Ident functions as a flexible identity broker that enables secure identification using national eIDs or verified identity documents through IN Groupe’s ID Verifier app.
See Remote ID verification for details.
Rootless Docker container
All root-level execution inside the Docker containers has been removed, so they now run entirely without root privileges. This reduces privilege-escalation risk and shrinks the attack surface by strengthening isolation between the container and the host system.
See Deploy Smart ID for more information.
Larger RSA key sizes with NextVSC
Identity Manager now integrates with NextVSC, enabling the use of RSA keys larger than 2048 bits, including RSA 3072 and RSA 4096, through NextVSC’s TPM‑backed key‑wrapping solution. This integration provides stronger cryptographic protection than Microsoft’s native Virtual Smart Card implementation, which is limited to RSA keys up to 2048 bits.
Support for larger RSA key sizes is the first NextVSC capability available in Identity Manager. Additional features will be introduced in future releases.
See Smart ID Messaging - Standard service tasks in Identity Manager and Set up certificate template in Identity Manager for more information.
Deprecated features
Trustserver functionality
"trustserver" was used in early PRIME projects to store sensitive data (like PIN and PUK) in Nexus Certificate Manager. Since PRIME version 3.12, sensitive data could be encrypted in PRIME but the trustserver functionality for reading secrets was kept for compatibility reasons. This functionality is deprecated and will be removed in the future.
MobileIron MDM connector
MobileIron is a Mobile Device Management (MDM) solution. The connector was delivered with Identity Manager to provision certificates to a mobile device via the MDM. This connector is deprecated and will be removed from delivery in the future.
Scripting Engines
Currently Identity Manager supports different Scripting Engines to be used with script tasks in the processes. In the future, Identity Manager will only support the Groovy Scripting engine. All others are deprecated and will be removed in the future.
Detailed description of features
Features

| Jira ticket number | Description |
|---|---|
| CRED-18356 | Identity Manager can now trigger ECC key generation via Hermod and Smart ID Desktop App where this is supported, for example Yubikey, Windows Certificate Store etc. For more information, see Smart ID Messaging - Standard service tasks in Identity Manager and Set up certificate template in Identity Manager. |
| CRED-20663 | When executing card operations with Smart ID Desktop App, it is now possible to select a default card reader. See Reader/card selection and information in Identity Manager for more information. |
| CRED-20846 | In Smart ID Self-Service tables and Open Task lists, the date was sometimes not shown in local formatting. This has been fixed. |
| CRED-20870 | Error handling of the service task "Import CSV" has been improved. See Smart ID Blueprints overview for more information. |
| CRED-21066 | Processes within the Smart ID Identity Manager docker containers are not executed by root anymore. This requires permissions for mounted volumes to be set accordingly. See Memory limit configuration for Smart ID services and Upgrade Smart ID Identity Manager from 5.3.1 to 6.0.0 for more information. |
| CRED-21404 | Updated the CM SDK to 8.12. This means that CM 8.12 or later versions are required. See Upgrade Smart ID Identity Manager from 5.3.1 to 6.0.0 for more information. |
| CRED-21505 | For creation of OIDC workflows it is now possible to send the start link via email. See Miscellaneous standard service tasks in Identity Manager and Remote ID verification for details. |
| CRED-21677 | Extended support for JCOP 4.5 cards with Personal Middleware for special profiles. See IDM 6.0.0 - Requirements and interoperability for details. |
| CRED-22287 | Security fixes for Nexus Process Modeler and the internal BPMN editor in Identity Manager Admin. |
| CRED-22328 | Two new service tasks, OIDC: Authorization request service task and OIDC: Verify JWT claims service task, are added to create an OIDC workflow. See Miscellaneous standard service tasks in Identity Manager and Remote ID verification for details. |
| CRED-22506 | Library upgrades with security fixes. |
| CRED-22716 | It is now possible to generate a "token", that is, a very long password, for internal users. This is recommended when web services connect to Identity Manager with basic authentication as the login is faster. |
| CRED-22721 | It is now possible to change the admin key via IDM encoding descriptions for COSMO X cards with ID Plug middleware. Other functionality is still under test and ID Plug/COSMO X is not officially supported by Smart ID Identity Manager. |
| CRED-22733 | Security upgrade for third-party libraries. |
| CRED-22734 | Security upgrades for third-party libraries. |
| CRED-22873 | Security upgrades for third-party libraries. |

Corrected bugs

| Jira ticket number | Description |
|---|---|
| CRED-21740 | There were some issues and configuration mismatches around pre- and post-login processes. This has been fixed. See Configure a pre-login process for Identity Manager Operator, Configure pre-login processes for Smart ID Self-Service and Set up authentication profile in Identity Manager for more information. Also see Upgrade Smart ID Identity Manager from 5.3.1 to 6.0.0. |
| CRED-21827 | Fixed the Flowable executor retry mechanism. |
| CRED-21866 | Added "NextVSC" to the dropdown-list of storage priorities in the Smart ID Desktop App service tasks. |
| CRED-22303 | There was an issue with revoking certificates when several certificates with the same serial number, but from different issuers, were present in Identity Manager. In this case, the issuer was ignored and all certificates were revoked. This has been fixed. If no issuer is present, the revocation will fail. |
| CRED-22327 | The service task "Mobile App: Install Certificates Into Android OS" is now more resilient towards communication errors. |
| CRED-22488 | There was a problem where JUEL expressions were not resolved in the task "Modify roles automatically". This has been fixed. |
| CRED-22592 | When system properties are parsed, they are no longer printed out to the log. |
| CRED-22706 | There was an issue where the authentication method selection in Identity Manager Operator system properties settings would also affect Identity Manager Admin. This has been fixed. |
| CRED-22810 | There was an issue where the SAML AuthnRequest was rejected as being from an unknown ISSUER when the Identity Manager alias was different from the ENTITYID in the service-provider-metadata xml file. This has been fixed. |
| CRED-22819 | When using Visual Mobile ID, there was an issue with calling the content provider URL from Hermod. This has been fixed. |

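
The revocation behaviour described under CRED-22303, sketched as an added example (this is not Identity Manager code): a serial number is unique only per issuer, so a revocation lookup has to match the pair (issuer, serial) and refuse to act when the issuer is missing. The record layout, function names, the exactly-one-match check and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class CertRecord:
    issuer_dn: str          # issuer distinguished name
    serial: int             # serial number, unique only per issuer
    revoked: bool = False


class RevocationError(Exception):
    """Raised when a revocation request cannot be matched unambiguously."""


def normalize_dn(dn: str) -> str:
    # Simplified for the example: case- and whitespace-insensitive per RDN,
    # no handling of escaped commas. Real matching follows RFC 5280 rules.
    return ",".join(part.strip().lower() for part in dn.split(","))


def revoke_by_serial_only(store, serial):
    """The behaviour described as the bug: issuer ignored, all matches revoked."""
    hits = [c for c in store if c.serial == serial]
    for cert in hits:
        cert.revoked = True
    return len(hits)


def revoke(store, serial, issuer_dn):
    """The behaviour described as the fix: match issuer and serial together."""
    if not issuer_dn:
        raise RevocationError("issuer missing: refusing to revoke by serial alone")
    wanted = normalize_dn(issuer_dn)
    hits = [c for c in store
            if c.serial == serial and normalize_dn(c.issuer_dn) == wanted]
    # Assumption of this sketch: anything other than one match is an error.
    if len(hits) != 1:
        raise RevocationError(f"expected exactly one match, found {len(hits)}")
    hits[0].revoked = True
    return hits[0]


def sample_store():
    # Constructed sample: two CAs that issued the same serial number.
    return [
        CertRecord("CN=Example Issuing CA 1, O=Example", 0x1A2B),
        CertRecord("CN=Example Issuing CA 2, O=Example", 0x1A2B),
        CertRecord("CN=Example Issuing CA 1, O=Example", 0x1A2C),
    ]
```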