KB5066835: KSP vs CSP transition and recommendations for Personal Desktop Client. Read more ->
Nexus Documentation

Release notes Digital Access component 6.13.0

Release date: 2026-06-18

It is recommended to back up the databases, since rollback requires restoring the state of the User Database to before this migration.
Also, note that if a rollback to a previous version is carried out, the database must also be restored to the state before the upgrade.

New Features

Jira ticket number

Description

DA-2612

Transaction Signatures
Digital Access now supports transaction signatures, a lightweight alternative to full PDF signing. It supports signing via Freja eID and Mobile BankID. Signatures can be requested through an OIDC-protected API and either returned to the caller or stored in a secure database ledger. See the online help for more information (Manage System > Transaction Signatures).

Known issues:

  • When enabling 'Require matching signer identity', the current userId comparison is case sensitive. This will be changed to case in-sensitive in an upcoming release.

  • When 'Signing Certificate' is updated in SAML IDP Export settings, a manual update of certificate is also required for the SP used for signing. This will be simplified in an upcoming release.

  • It is not recommended to read the 'signatureAlgorithm' response parameter, since it will be removed in an upcoming release.

DA-2134,
DA-18

ACME Certificate Renewal
Automated server certificate renewal using the ACME protocol (e.g., Let's Encrypt). Certificates are automatically renewed before expiration without manual intervention. Supports HTTP-01 , ALPN-01 and DNS-PERSIST-01 (Only available in Let's Encrypt Staging environment at time of writing) challenges. Addresses Google's push toward 90-day certificate lifetimes.

Recommendation:

  • Use ACME enabled Server Certificates in TLS contexts only.

See the online help for more information (Manage System > Certificates > Manage ACME Settings...).

DA-420

Certificate Authentication with TLS 1.3
Client certificate authentication now works with TLS 1.3. Since TLS 1.3 removed renegotiation, the Access Point uses post-handshake authentication (or optional client cert on initial connection) to support certificate login without requiring TLS 1.2 fallback.

See Set up mTLS certificate authentication with TLS 1.3 for details.

DA-220

Multi-User-Storage Support
A user can now exist in multiple user storages simultaneously and several times in the same user storage. Previously, a duplicate userid across storages was treated as an error. Now configurable on Global User Account Settings in Administration Service. Users can with this have separate e.g. BankID profiles for citizen and employee access without conflicts when different SPs have different user storage requirements.

See online help for more information (Manage Accounts and Storage > Global User Account Settings > User Storage Lookup)

DA-2298

MFA for Admin Service
Administrators can now be required to use multi-factor authentication when logging in to the admin UI. Available MFA methods are configurable per installation using OIDC.

See online help for more information (Manage System > Administration Service > OAuth2 Admin Login)

DA-1737

EC Certificate Support — Extended
Expanded Elliptic Curve Cryptography support to cover additional use cases: attaching EC certificates to users for certificate login, and supporting multiple CAs (both RSA and ECC) for a single authentication profile.

DA-2678

Spring Expression Language for OIDC/SAML Attributes
SpEL expressions can now be used for attribute transformation in SAML and OIDC configurations, matching the existing support in external lookups (enrichment). Allows flexible attribute mapping without custom code.

DA-2596

Secure Password Hashing
Replaced the encryption-based password storage with industry-standard one-way password hashing (bcrypt/Argon2/PBKDF2). Existing passwords are transparently migrated on next login and the Administration Service automatically migrate existing passwords for all users in the User Database.

Corrected bugs

Jira ticket number

Description

DA-2734

SP Metadata Auto-Update Overwrites Display Names
Fixed a issue introduced in 6.12.1 where automatic SAML metadata updates would revert IdP display names to their defaults, discarding administrator customizations.

Known issue:

The upgrade fix for DA-2734 can be quite time consuming in larger SAML Federations. Therefore the upgrade may take considerable time, in very large federations up to an hour. Make sure to let the upgrade proceed even if it seems stuck. This will be addressed in an upcoming release.

DA-2763

SQL Injection Prevention
Parameterized SQL queries to prevent SQL injection in affected endpoints.

Improvements

Jira ticket number

Description

DA-2509

Admin REST API v3 - Completion (Experimental)
The admin REST API v3 has been completed to cover all configuration that was previously only accessible through the admin UI. The API is now OAuth2-enabled

This change has been marked has experimental since some guard rails are missing which could potentially lead to corrupt configuration if required fields are left out. This will be completed in an upcoming maintenance release.

DA-2716,
2759

Vulnerability Fixes
Updated dependencies to address vulnerabilities in underlying libraries.

DA-2761

Removed Unused Jetty Dependency
Removed an unnecessary direct dependency on jetty-server from the core module simplifying the dependency tree.




Last updated: