Nexus Documentation

Release notes Digital Access component 6.12.0

Release date: 2026-01-08

New features and improvements

Jira ticket number

Description

DA-2517

Token Introspection endpoint support
Implemented OAuth 2.0 Token Introspection as defined in RFC 7662. This feature allows resource servers to query the authorization server to determine the active state and metadata of an access token, enabling more robust token validation and improved security for protected resources.

DA-2307

Smart ID Mobile App quick launch
Added an "Open app" button directly below the Smart ID Mobile App QR-code on the user interface.

DA-2535

Flexible FIDO Relying Party configuration
Introduced the ability to configure FIDO Authentication Methods with a Relying Party ID (RP ID) that differs from the Access Point URL. This provides greater flexibility for organizations with complex domain structures or those migrating between domains while maintaining existing FIDO registrations.

DA-2479

User storage enrichment
Added capabilities to enrich user data within the storage layer, enabling more comprehensive user profile management and integration with external data sources such as databases, REST APIs and the Microsoft Graph API (Entra ID).

DA-2504

Enhanced SAML metadata import
Improved the SAML metadata import process with better error handling, more informative validation messages, and streamlined workflows for importing metadata. This improvement also introduces whitelisting so that only configured entity IDs will be used and shown to users.

DA-2506

Help text improvements
Revised and enhanced help text throughout the administration interface to provide clearer guidance, better explanations of configuration options, and more actionable instructions for administrators.

DA-2527

Addressed an HTTP vulnerability in the Access Point component.

DA-2238

Upgraded jQuery library to the latest secure version, eliminating known cross-site scripting (XSS) and prototype pollution vulnerabilities present in the previous version. See the warning note below as this change affects branding and an upgrade may trigger undesired changes to existing customized branding.

DA-2554

Resolved a security issue where importing SAML metadata containing corrupt or malformed certificates would silently disable signature verification of SAML requests. The system now properly validates certificates and maintains signature verification integrity.

DA-2546

Fixed a validation gap in the FIDO2 API registration flow where the userId parameter could differ between the /options and /credentials endpoints. The system now enforces strict userId consistency throughout the registration process.

DA-2511

Applied security patches to the OpenJDK runtime to address known vulnerabilities.

Corrected bugs

Jira ticket number

Description

DA-2574

Resolved an issue that prevented FIDO credential provisioning from completing successfully. Users can now register and provision FIDO authenticators without errors.

DA-641

Fixed a timing issue where performing a manual publish operation would incorrectly reset the metadata autopublish timer. The autopublish schedule now operates independently of manual publish actions.

DA-988

Corrected the default value handling for the OpenID Issuer configuration. The Issuer value must now be explicitly configured.

DA-1597

Fixed SAML signature validation failures that occurred when metadata contained multiple certificates with different key lengths. The validation logic now correctly handles certificate chains with mixed key sizes.

DA-2547

Fixed a FIDO authentication failure that occurred when the authentication method ID exceeded 999. The system now properly handles method IDs of any valid length.

DA-2548

Resolved a Firefox-specific compatibility issue where FIDO authentication would fail due to the browser rejecting asynchronous WebAuthn API calls. The implementation now correctly handles async operations across all supported browsers.

DA-2553

Corrected the Secure DSKPP AuthActivation and Retry Logic to properly handle edge cases in the activation flow, ensuring consistent behavior during authentication retries.

DA-2577

Improved debug logging to log more relevant information and less intra-service communication. The aim is to make debug logging more usable even in larger installations.

Important information regarding DA-2238:

The fix for DA-2238 can potentially break customized brandings using the themeroller functionality.

Documentation on how to implement and modify branding in the new component will be provided. Until then, note that an upgrade may break existing customized branding. For now, you can copy the relevant parts from the current built-in files folder for the Access Point to custom-files. Essentially, a copy without overwrite from built-in files to custom-files will keep the current branding intact. When the new branding is implemented, these files can be discarded.

Keep the following files:

 Files to copy to custom-files/wwwroot/wa/

 HTML files (modified - structure changed significantly)

 wa/desktop.html

 wa/mobile.html

 wa/tablet.html

 wa/includes/popup/top-head.html

 wa/includes/popup/top-head_InternalAuthentication.html

 CSS files (deleted and modified - required for jQuery Mobile styling)

 wa/css/themeroller.1.4.5.css

 wa/css/themeroller.1.4.5.min.css

 wa/css/overrides.css (modified, need version from before upgrade)

 wa/ext/jquery.mobile-1.4.5.min.css

 wa/ext/jquery.mobile.structure.css

 wa/ext/jquery.mobile.structure.min.css

 JavaScript files (deleted and modified - required for jQuery Mobile)

 wa/ext/jquery-2.1.4.js

 wa/ext/jquery-2.1.4.min.js

 wa/ext/jquery.mobile-1.4.5.js

 wa/ext/jquery.mobile-1.4.5.min.js

 wa/scripts/portal.js (modified, need version from before upgrade)

 wa/scripts/startup.js (modified, need version from before upgrade)


If any of these files are missing or this note was seen only after the upgrade, contact Nexus Support to get this archive.
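
The copy-without-overwrite step described above, written as a shell function (an added example, not a Nexus-provided script). It assumes both arguments are wwwroot directories that contain the wa/ tree; the actual installation paths are not given on this page, and the function name is hypothetical.

```shell
# Added example: copy-without-overwrite of the files listed in the DA-2238 note.
# Run it BEFORE the upgrade (or against a pre-upgrade backup): overrides.css,
# portal.js and startup.js must be the versions from before the upgrade.

BRANDING_FILES="
wa/desktop.html
wa/mobile.html
wa/tablet.html
wa/includes/popup/top-head.html
wa/includes/popup/top-head_InternalAuthentication.html
wa/css/themeroller.1.4.5.css
wa/css/themeroller.1.4.5.min.css
wa/css/overrides.css
wa/ext/jquery.mobile-1.4.5.min.css
wa/ext/jquery.mobile.structure.css
wa/ext/jquery.mobile.structure.min.css
wa/ext/jquery-2.1.4.js
wa/ext/jquery-2.1.4.min.js
wa/ext/jquery.mobile-1.4.5.js
wa/ext/jquery.mobile-1.4.5.min.js
wa/scripts/portal.js
wa/scripts/startup.js
"

# preserve_branding BUILTIN_WWWROOT CUSTOM_WWWROOT   (assumed directory layout)
# Sets COPIED, KEPT and MISSING; returns 1 if any listed file was not found.
preserve_branding() {
    src=$1; dst=$2
    COPIED=0; KEPT=0; MISSING=0
    for f in $BRANDING_FILES; do
        if [ -e "$dst/$f" ]; then
            KEPT=$((KEPT + 1))            # never overwrite an existing custom file
        elif [ -f "$src/$f" ]; then
            mkdir -p "$(dirname "$dst/$f")"
            cp -p "$src/$f" "$dst/$f"     # -p keeps mode and timestamps
            COPIED=$((COPIED + 1))
        else
            echo "missing in built-in files: $f" >&2
            MISSING=$((MISSING + 1))
        fi
    done
    echo "copied=$COPIED kept=$KEPT missing=$MISSING"
    [ "$MISSING" -eq 0 ]
}

# Stand-alone use: sh preserve-branding.sh <built-in wwwroot> <custom-files wwwroot>
if [ "$#" -eq 2 ]; then preserve_branding "$1" "$2"; fi
```

A non-zero exit status means at least one listed file was not found in the source tree, which is the situation in which the note above says to contact Nexus Support.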