Release note Smart ID 20.11
Version: 20.11
Release Date: 2020-12-07
Main new features
The Smart ID 20.11 release provides major updates in Identity Manager, Self-Service and Physical Access. The Digital Access and Messaging components are providing minor improvements and bugfixes only. All components also provide several bugfixes and library updates to ensure high quality and security.
New APDU encoding framework
The new APDU encoding framework in Identity Manager allows to encode smart cards now also with low-level APDU commands, besides the standard middleware encoding.
The feature is important for customers in the public sector, for eIDAS and LoA3 cases – in general where high security on the card encoding level are demanded. APDU scripts are easily configured in Identity Manager and executed via Smart ID Messaging and Smart ID Desktop. See also APDU script applications for PKI cards in Identity Manager.
Improved user forms in Identity Manager and Self-Service
It is now possible to configure URLs to external web resources in a user form and to configure individual file names for file downloads in a form. Also, the forms in processes to issue or lock virtual smart cards and mobile virtual smart cards have been simplified for the users.
Several updates for Physical Access
The Physical Access component introduces several updates on the PACS connectors, such as the new RCO Admin API, the new connector to Siemens SiPass and a PACS Simulator for test and demo purposes.
Smart ID compatibility
Smart ID 20.11 is compatible with the following component versions:
Components | Version |
---|---|
20.11 | |
6.0.3 (included in Smart ID 20.11) | |
5.7 or 5.8 | |
8.3 | |
1.4.3 | |
5.0 | |
2.0 | |
5.4 |
Detailed feature list
Features
Jira ticket no | Description | Digital Access | Identity Manager & Self-Service | Physical Access | Messaging |
---|---|---|---|---|---|
CRED-9443 | Database indices added 3 database indices have been added to the Identity Manager database to increase performance in large environments. | X | |||
CRED-9675 | groovy-dateutil library added The groovy scripting library was updated to the latest version in the previous release. Due to some restructuring in groovy, some functionalities around date formatting got lost. Therefore the groovy-dateutil library was added now to the standard deployment to provide this functionalities again in Smart ID. | X | |||
CRED-10226 | Extended several field lengths in the database Extended the max length for several core fields in the Identity Manager database (such as firstname, lastname, email, title etc.) in the tables "Person", "Card" and "Request". | X | |||
CRED-10277 | "Locale" added to service task Added "Locale" as additional attribute to the service task "Process: Copy Values of LoggedIn User to Process Map". see Standard service tasks in Identity Manager. | X | |||
HAG-2258 | Updated help text Updated text to "Smart ID Digital Access" in the Digital Access Admin interface and in the help pages. | X | |||
IDC-1219 | Added logging of RabitMq Added logging of the Message Queue (RabitMq) to the standard logs of Physical Access. | X | |||
IDC-1648 | Improved connector status heartbeat The connector status heartbeat in Physical Access has been improved. It now also updates the status after the connector was shut down. | X | |||
PMOB-2442 | Change in configuration setting The hideSensitive configuration setting in the Smart ID Messaging component Hermod is set to 'true' as default. | X | |||
PMOB-2456 | Added validation in the 'to' list Added validation to make sure that null isn't used in the 'to' list in the Smart ID Messaging component Hermod. | X | |||
PMOB-2494 | Added a testMode option The Smart ID Messaging component Hermod now has a testMode option that automatically triggers a load test simulator for prov, auth and sign. | X | |||
PMOB-2498 | Added database indices Database indeces have been added to foreign key source tables in the Smart ID Messaging component Hermod. | X | |||
PMOB-2502 | Added return status for database lock The return http status 503 has been added to the Smart ID Messaging component Hermod. It will be sent if a database lock cant be acquired after retries. | X | |||
PMOB-2510 | Added retry to sql queries Added retry to sql queries if a database lock cant be acquired in the Smart ID Messaging component Hermod. | X | |||
CRED-7630 | Extended list view for configuration items To improve usability, the list views of several configuration items in Identity Manager Admin are extended. For example, Data Pools, all Core Templates and Search Configuration now show more columns with additional information in the corresponding list menus. | X | |||
CRED-9045 | Support for TLS in SMTP connector Support for TLS has been added in Identity Manager in the SMTP implementation to ensure an encrypted email communication. | X | |||
CRED-9114 | Added date format configuration in mappings In the "mappings" configuration of Identity Manager, it is now possible to define date formats for fields of type date or timestamp, if the mapped field is not exact match but of type string. This enables the possibility to implicitly convert date to string or vice versa via mapping. The typical and most important use case for this feature is BatchSync to, for example, import data from a string field (e.g. from CSV) into a date field in to Smart ID without any further, explicit conversion. See Set up mapping in Identity Manager. | X | |||
CRED-9513 | Extended remote printing capabilities With this release of Smart ID it is possible to configure different locations of Card SDK printer stations in Identity Manager Admin. In the card production workflow it then can be decided (either automatically via certain attributes in the background or manually by an operator) on which location the card shall be printed. The Card SDK does not need to be installed in the Operations client but can be any Card SDK client that is connected to the Identity Manager Server. See Set up printers in Identity Manager, Set up form in Identity Manager and Set up process in Identity Manager. | X | |||
CRED-9659 | Mobile App OTP can be activated The standard service task in Identity Manager for provisioning to Smart ID Digital Access has been extended. Now it is also possible to provision Smart ID Mobile App for OTP authentication. See "HAG: User provisioning" in Standard service tasks in Identity Manager | X | |||
CRED-9699 | Possibility to expand object relation view by default So far, the object relation view in Identity Manager was by default shown collapsed. It can now be shown expanded by default via a setting in Identity Manager Admin. | X | |||
CRED-9708 | Support for hiding the device encryption certificate The device encryption certificate can be hidden (for internal communication purposes) for Smart ID Desktop and Mobile App. | X | |||
CRED-9739 | Introducing APDU encoding framework It is now possible to encode smartcards directly via APDU scripts, as well as via Pkcs#11 middleware. APDU scripts can be configured (uploaded, modified) together with the Encoding Descriptions in Identity Manager Admin. For that purpose, the Editor, used for Encoding Descriptions has been extended to let the Administrator edit any additional file attached to the encoding (such as .cpf card profiles, APDU scripts and others). During runtime, the APDU scripts will be send to the client and executed via Smart ID Messaging and Desktop App. See APDU script applications for PKI cards in Identity Manager. With this new feature it is possible to execute high sophisticated card encodings e.g. for eIDAS use cases, qualified signature cards etc. via standard functionalities. | X | |||
CRED-9801 | HTTP(s) links to 3rd party resources in user forms It is now possible to configure a link to HTTP(S) 3rd party resources in the user forms, for example, to redirect to an intranet portal or to download a security policy document via Self-Service or Identity Manager Operator. the URLs to the resources can either be static configuration or dynamically created via runtime data. See Set up form in Identity Manager. | X | |||
CRED-9930 | New standard service task for logging A new standard service has been implemented in Identity Manager to be able to write certain, custom specific entries into the logfile during the BPMN process execution. The service task allows to configure the loglevel that should be used and also write either static content or dynamic content, resolved from the process map, into the logfile.See " Process: Log something in the log file" in Standard service tasks in Identity Manager. | X | |||
CRED-9937 | Improved service task to set value in process map The standard service task "Process: Set Value of Variable in Process Map" has been extended: now it is possible to not only set fixed values but also use a JUEL expression to resolve parameters from other data fields. See "Process: Set Value of Variable in Process Map" in Standard service tasks in Identity Manager. | X | |||
CRED-9946 | Customized file names for download buttons It is now possible to customize the file names when downloading binary data (e.g. photos, pdf, certificates etc.) from Identity Manager or Self-Service. The format of the filename can be defined in the form design (via fixed values and dynamic values created out of data pool fields). See Set up form in Identity Manager. | X | |||
CRED-9968 | Support for Smart ID Certificate Manager 8.3 Updated Nexus Certificate Manager integration - supporting the latest version of Certificate Manager via Identity Manager. | X | |||
CRED-10012 | Extended the CSV upload service task
See "Miscellaneous: Import CSV file" in Standard service tasks in Identity Manager. | X | |||
CRED-10086 | Added use of PIN pad readers for card encoding Encoding of smart cards in combination with a PIN pad reader was not implemented in combination with Desktop App so far. This has been added now, so that end users, encoding their smart card in Self-Service also can use a PIN pad reader. | X | |||
CRED-10138 | Added support for registration requests via the EST protocol Similar to the already existing ACME and SCEP registration now also registration requests for the EST protocol is supported via a standard service task in Identity Manager. See "Cert: Create EST order request" in Standard service tasks in Identity Manager. (This feature is only available in combination with Smart ID Certificate Manager.) | X | |||
DEVOPS-400 | Added options for Self-Service login Added flexibility and configuration options of the Self-Service login screen:
See Enable two-factor authentication to Identity Manager clients via SAML federation and Set up authentication profile in Identity Manager. | X | |||
DEVOPS-85 | Changed configuration of CA certificates for Identity Manager Instead of creating a java keystore with CA certificates for Identity Manager to trust, the certificates can now be added to a folder and they will be loaded into Identity Manager at startup. Supported formats are .base64 and .cer. | X | |||
DEVOPS-95 | Changed configuration of database properties for Identity Manager The configuration file database.properties is no longer needed. Database settings are now set using environment variables. | X | |||
DEVOPS-382 | Improvements in Docker configuration Several improvements in the Docker configuration of Smart ID have been implemented in this release. Most requested feature was splitting up the compose files for the different services. The Identity Manager but also the Digital Access dockers have now separate configurations so that it is easier to deploy the solution distributed over multiple servers. See Deploy Smart ID and Smart ID deployment configuration release note. | X | X | ||
HAG-723 | Added support for SMB v2.0 and v2.1 The Common Internet File System (CIFS) version used by Digital Access is now updated to a later version. Prerequisite for customers is to upgrade the SMB version to v2.0 or v2.1 as v1.0 won't be supported after this. | X | |||
IDC-1067 | Added support for PACS Connector Siemens SiPass Support is added for a new Standard PACS connector in Physical Access. Now Siemens SiPass is supported for all standard use cases in Smart ID Physical Access. | X | |||
IDC-1569 | Added support for PostgreSQL Added support for PostgreSQL (version 11+12) for Physical Access. | X | |||
IDC-1573 | Added support for new RCO Admin API With the latest release of RCO R-Card M5 a new REST Admin API was introduced. Smart ID Physical Access supports this now as well (in addition to the old RCO API). | X | |||
IDC-1604 | Improved error handling in Web API The error handling of the Physical Access SCIM interface - which is the main communication channel with Identity Manager - has been improved to avoid potential data loss during provisioning. | X | |||
IDC-1665 | Introduced PACS Simulator With this release, a new PACS Simulator for Physical Access is introduced. The simulator comes as an ordinary PACS connector as part of Smart ID but does not communicate with a real PACS. it just simulates the communication and writes the results into files. The purpose of this connector is to run tests, demos etc. of the Smart ID Physical Access package also in an offline demo environment. | X |
Corrected bugs
Jira ticket no | Description | Digital Access | Identity Manager & Self-Service | Physical Access | Messaging |
---|---|---|---|---|---|
CRED-7317 | Fixed an issue in the Procecss Task for creating custom entries in the Object History. The custom values was not visible completely in the Object History list. | X | |||
CRED-9305 | Fixed error handling during card encoding via Desktop App. When Messaging Server was not reachable, a cryptic message was displayed on the screen. | X | |||
CRED-9376 | Fixed an issue with with popup window, for mandatory fields that are missing in user forms of Identity Manager. It could happen that the popup did not show up after process got canceled and restarted a second time. | X | |||
CRED-9390 | Fixed a bug in the tenant application of Identity Manager. When deleting a tenant, the signature of the object history got broken when working with multiple tenants. | X | |||
CRED-9580 | Translation of headlines in user forms did not work properly when logging in via SAML in Identity Manager Operator. This is fixed now. | X | |||
CRED-9627 | The "resultCount" variable of the "AssertUniqueness" task was not filled up if there was no result. This has been fixed now, empty results the variable is set to "0". | X | |||
CRED-9676 | Fixed an issue when changing active/inactive state in the "HAG: User Provisioning" standard service task. Depending of on the state configuration it could happen that the state change failed. | X | |||
CRED-9696 | Display of user roles in Object History was not updated correctly when changing selection of history entry. This is fixed now. | X | |||
CRED-9759 | Fixed a concurrency issue when executing standard service tasks for Personal Messaging. | X | |||
CRED-9774 | The List/Selection view for Batch Orders had an issue that the underlying search configuration was chosen randomly if multiple search configs for that purpose had been configured. Due to lack of a configuration element to explicitly select the search config, now always the first search config that is configured in the corresponding Order Template will be used. | X | |||
CRED-9812 | Setting a hidden or read-only date value as filter criterion in a search configuration was not possible. This is fixed now | X | |||
CRED-9867 | Fixed an "Internal Server Error" issue (related to certain authentication profile configuration) when downloading a configuration file from Identity Manager Admin. | X | |||
CRED-9948 | Fixed an issue with downloading P12 files in Smart ID Self-Service. | X | |||
CRED-9989 | Order CoreObjects where not capable of handling coreObjectDescriptors in all cases: the referenced objects (via the "CoreObjects" data field) only provided CoreObject IDs. This has been fixed now. | X | |||
CRED-9992 | "New process" in batch order details view are made invisible. it has no meaning there and could be executed accidentally. | X | |||
CRED-10003 | Added missing FK index on CertificateBinaryDataMap table for Oracle DB. Missing index did lead to locking the table when deleting certificates. | X | |||
CRED-10006 | Using search filter with filter value "empty" did not work in BatchSync. This is fixed now. | X | |||
CRED-10010 | Fixed a permission issue when displaying templates (e.g. available card templates for requests) in Smart ID Self-Service. All templates used to be visible in the combobox instead of only the ones the user has permission for. | X | |||
CRED-10018 | The "line break" checkbox in the Form designer didn't have any effect in Smart ID Self-Service. This has been fixed. | X | |||
CRED-10063 | BatchSync now allows to configure a separate skip policy for read process and write operations. Before only write operations could be addressed. | X | |||
CRED-10135 | Fixed inconsistency in CSV export (via Export Definition). Empty fields have been exported with quotes (""). This has been removed now to align with non-empty fields. | X | |||
CRED-10146 | Configuration Export failed in Identity Manager Admin, after a CA Configuration was uploaded. This has been fixed now. | X | |||
CRED-10147 | Improved error handling in the "Core Objects: Drop Relation" service task: empty task parameters could result in a misleading error message. | X | |||
CRED-10163 | Fixed behavior of multiple search buttons in combination with ObjectList component in a user form. Results from the different search buttons have been mixed up in the result lists. | X | |||
CRED-10165 | Encrypted field value got corrupted when using a mapping task to transfer the value from plain text fields. This is fixed now. | X | |||
CRED-10175 | Fixed an issue when signing and encrypting an email in Identity Manager. The signature is now also visible for the receiver if the email is encrypted. | X | |||
CRED-10190 | Configuration of predefined sorting in Search Config did only work for one sorting criterion. This has been fixed, multiple sorting criteria can be defined again in Identity Manager Admin. | X | |||
CRED-10198 | Fixed behavior when displaying of passwords as images in Identity Manager Operator and Smart ID Self-Service. | X | |||
CRED-10201 | Fixed error handling in Nexus GO Card Configuration. Now a human readable error message is shown when the connection to Nexus GO API fails. | X | |||
CRED-10216 | Improved error handling for "extended error mode" in PKI card encoding. Certain exceptions (e.g. CAServiceException) where not handled correctly in the past. | X | |||
CRED-10259 | Fixed connection test to Messaging Server in Identity Manager Admin. Test button reported 'success' even if AuthenticationToken was wrong. | X | |||
CRED-10278 | Fixed an issue in XML parsing of CardJob. PKI card encoding response with Smart ID Desktop App could result in an error. | X | |||
CRED-10313 | Fixed display of "hidden" secret fields in Smart ID Self-Service. The actual value was shown instead of "dots". | X | |||
CRED-10323 | Smart ID 20.11 now supports PostgreSQL databases version 11 and 12 in all components. | X | X | X | |
DA-6 | Corrected the MariaDB configuration string. | X | |||
DA-63 | Added the extended attribute "Radius Status server supported" to the general Radius authentication method. If the value is set to false, it means that the configured Radius server does not support "Status message packet", so that the policy service will not send any Server-Status check to the Radius server. | X | |||
HAG-1304 | Allow the user to login even if the 'Allow user not listed in any User Storage' is set to true and the user attribute property is set. This is resolved for Swedish Bank ID, Nexus GO, Open ID and Freja ID authentication methods. | X | |||
HAG-1308 | Fixed an issue where Smart ID Mobile App profile was not activated for a user after Self provisioning flow. | X | |||
HAG-1396 | Fixed the display of message on the forgot password page to show Swedish characters. | X | |||
HAG-2249 | Removed the duplicate entries appearing in the Database dropdown after saving the Database Service settings. | X | |||
HAG-2253 | Fixed the output of well known config API to work with Google where Digital Access acts as the Identity Provider. | X | |||
IDC-1437 | Fixed error handling for duplicate entitlement assignments in Physical Access. Now the error is reported back if a duplicate assignment happens instead of just writing the result into the log. | X | |||
IDC-1583 | Fixed an issue when deleting a large number of entitlement assignments at the same time on MS SQL Server. The error was detected in SiPort Environment. | X | |||
IDC-1626 | Fixed an issue in the SiPort connector causing new profiles to be created (and not deleted anymore) in the Physical Access database before save has been triggered. | X | |||
IDC-1692 | Fixed a bug in RCO Connector when creating/ deleting users in RCO. | X | |||
PMOB-2421 | Added validation to prevent empty userid in provisioning. | X | |||
PRSM-69 | Fixed changing card state of visitor cards if non-personal card is being assigned (visitor card remained active). | X | |||
PRSM-82 | Improved uniqueness check when doing card activation to enforce only one active card per employee. Not all cases where covered by the check previously. | X | |||
PRSM-974 | Fixed process for deactivating Contractor record in Smart ID Base package. | X | |||
PRSM-1041 | Added validation for duplicate entitlement assignment in Physical Access and improved user experience/error message during validation. | X | X | ||
PRSM-1043 | Fixed default permissions for creating company in Smart ID Base module. | X | |||
PRSM-1044 | Locking of temporary employee card when deactivating employee didn't work. This has been fixed now. | X | |||
PRSM-1065 | Fixed object relation handling when withdrawing non-personal card for Visitor. | X | |||
PRSM-1077 | Fixed provisioning of status to Physical Access component and corresponding PACS system when a Contractor gets reactivated in the Physical Access module. | X | X | ||
PRSM-1083 | Fixed batch job for triggering renewal of Virtual Smart Cards in Digital ID. | X | X | ||
PRSM-1088 | Fixed an issue when activating an temporary employee card in Digital ID package. | X | |||
PRSM-1093 | Fixed wrong relation between employee and employee card when withdrawing non-personal card in Physical Access module. | X | |||
PRSM-1095 | Fixed activation of cards (that are in state 'issued') via Batch Order. | X | |||
PRSM-1097 | Fixed some labels/translations in Smart ID Self-Service (e.g. VSC provisioning). | X | |||
PRSM-1103 | BPMN fixes: changed several processes from "CoreObjectID" to "CoreObjectDescriptor" collections. the CoreObjectID is deprecated and didn't work anymore in several places (e.g. the Self-Service). | X |
Release announcement
From this release, only Docker deployment is supported for the Smart ID components Identity Manager, Physical Access, Digital Access and Messaging. For full instructions, see Deploy Smart ID.
From Smart ID 20.11 and on, components now only have the Smart ID version number and not the different component version numbers. For information on previous releases, see Nexus Documentation Archive.
For details on the updated Smart ID configurations and deployment configurations, see here:
Contact
Contact Information
For information regarding support, training and other services in your area, please visit our website at www.nexusgroup.com/.
Support
Nexus offers maintenance and support services for Smart ID components to customers and partners. For more information, please refer to the Nexus Technical Support at www.nexusgroup.com/support/, or contact your local sales representative.