What's new

Look here for the new features and other information that is specific to the current release of IBM® Security Verify.

Note: The new features might not be available in your location yet.

November 2021

  • IBM Security Verify Cloud Directory now supports hashed attributes for custom attributes. See Managing attributes.
  • IBM Security Verify now supports single logout to SAML applications. You can configure the single logout settings from the Custom SAML Application. Configuration instructions are provided in the Custom SAML application template. See Configuring SAML single sign-on in the identity provider. IBM Security Verify also supports single logout to SAML identity providers. You can configure the Single Logout Settings from the SAML Enterprise identity provider. See Adding a SAML Enterprise identity provider.
    Note: If you configure single logout for both SAML applications and the SAML identity provider, the user is logged out from both SAML applications and the SAML identity provider when performing single logout after SSO.
  • If you create an Admin role and you select the permissions ManageUserGroups or readUserGroups, you can add a scope to limit the groups that can be managed by this role. Your tenant must support large groups to use the scope option. See Creating an admin role.
  • You can view devices that are registered for IBM Security Verify. See Managing your registered devices and Managing user devices.
  • Any change to an application's account adoption policy automatically starts an account synchronization of all the accounts according to the new policy. If the remediation policy is set to Do not remediate non-compliant accounts automatically, this feature eliminates the need to manually reassess each account. See Setting account synchronization for the application.
  • OIDC applications now support ES256, ES384, and ES512 algorithms. See Configuring single sign-on in the OpenID Connect provider.
  • You can now manage macOS devices with the Intune device manager. See Adding an Intune device manager.
  • You can now upload PKCS#8 (.p8) certificates with Elliptic Curve Digital Signature Algorithm (ECDSA) keys. See Configuring single sign-on in the OpenID Connect provider and Managing certificates.
  • IBM Security Verify added a login sessions restriction. Users' concurrent login sessions are now limited. If they reach this limit, an error message is displayed indicating that they are logged in to the maximum number of sessions. They can resume their current session or log out of an existing session before they log in to a new session.
  • You can now use the certificate in the <md:KeyDescriptor use="encryption"> element to encrypt and send the SAML2 assertion elements. See A SAML Enterprise identity provider.
  • Updated list of supported application templates. Added support for the following applications:
    • Auvik
    • iQualify LMS
    • Sapling
    • Skills Base
    • Smartlook
    • Teamwork
    • Tines
    • TOPdesk
    • TrackVia
    See Supported connectors for applications.
Notifications
  • New RSA and ECDSA certificates are available on 19 October 2021 for cn.cloudidentity.ibm.com tenants. The current certificates expire on 17 November 2021. See Product requirements.
  • On October 7, IBM Security Verify is adding a restriction on concurrent browser login sessions for a user. A typical user will not encounter this limit error. If monitor scripts are simulating a user login, you must modify them to explicitly log out by navigating to:
    https://{{tenant}}/idaas/mtfim/sps/idaas/logout
  • IBM Security Verify continually enhances its password security policy. You might encounter some changes in its behavior.
  • Some v1.0 APIs that are related to multi-factor authentication are now deprecated and will be removed after December 2021. Enhanced and easier-to-use replacements are already available. See Deprecated APIs.

October 2021

Various performance improvements were addressed.

Notifications
  • New RSA and ECDSA certificates are available on 19 October 2021 for cn.cloudidentity.ibm.com tenants. The current certificates expire on 17 November 2021. See Product requirements.
  • On October 7, IBM Security Verify is adding a restriction on concurrent browser login sessions for a user. A typical user will not encounter this limit error. If monitor scripts are simulating a user login, you must modify them to explicitly log out by navigating to:
    https://{{tenant}}/idaas/mtfim/sps/idaas/logout
  • IBM Security Verify continually enhances its password security policy. You might encounter some changes in its behavior.
  • Some v1.0 APIs that are related to multi-factor authentication are now deprecated and will be removed after December 2021. Enhanced and easier-to-use replacements are already available. See Deprecated APIs.

September 2021

  • The user interface was reorganized to reduce the need for horizontal scrolling of tabs and to group functions more effectively. Use this table to find the functions that were moved.
    Table 1. Relocated functions
    What's moved | From | To
    -------------|------|---
    App role management | Main navigation | Applications > App Role management
    Admin roles | Main navigation | Global configuration > Administrator roles
    Certification campaigns | Governance | Applications > Access certification
    Operation results | Governance | Applications > Provisioning results
    Account sync | Governance | Applications > Account synchronization
    Users & Groups | Main navigation | Directory > Users & groups
    Authentication factors | Security | Authentication > Authentication factors
    FIDO2 | Security | Authentication > FIDO2 settings
    Registration profiles | Security | Authentication > Registration profiles
    Usage dashboard | Main navigation | Global configuration > Subscriptions & usage
    User flows | Main navigation | User experience > User registration
    Profile management | Main navigation | User experience > Profile management
    Configuration | Main navigation | Global configuration
    Analytics (Verify Bridge for Analytics) | Configuration | Analytics > Analytics configuration
    Analytics (managing analytics) | Main navigation | Analytics > Analytics
    API access | Configuration | Security > API access
    Application profiles | Configuration | Applications > Application profiles
    Attributes | Configuration | Directory > Attributes
    Certificates | Configuration | Security > Certificates
    Customizations | Configuration | Global configuration > Appearance
    Device managers | Configuration | Authentication > Device managers
    Identity agents | Configuration | Integrations > Identity agents
    Identity sources | Configuration | Authentication > Identity providers
    Integrations | Configuration | Integrations > Extensions
    Password policies | Configuration | Security > Password policies
    Subscriptions | Configuration | Replaced by Global configuration > Subscriptions and usage
  • IBM Security Verify now supports password synchronization for provisioning on some applications. See Applications that support password synchronization and Configuring Cloud Directory.
  • Verify Bridge now enforces LDAP TLS server certificate validation when the host is specified by using an IP address. See IBM Security Verify Bridge.
  • Users are now able to recover their usernames. See Recovering your username and Configuring Cloud Directory.
  • Timestamp functions are now supported for attributes. See Attribute functions.
  • OIDC applications now support PS256, PS384, and PS512 algorithms. See Configuring single sign-on in the OpenID Connect provider and Creating the client secret JWT and private key JWT.
  • IBM Security Verify now supports client_secret_jwt and private_key_jwt for OIDC application single sign-on. See Creating the client secret JWT and private key JWT.
  • New RSA and ECDSA certificates are available on 23 September 2021 for *.ice.ibmcloud.com tenants. The current certificates expire on 15 October 2021. See Product requirements.
  • With IBM Security Verify you can now use WS-Federation and WS-Trust for Azure AD Join. You can configure it from the Microsoft 365 application with the WS-Federation Sign-on method. Configuration instructions are provided in the Microsoft 365 application template.
  • Transformation rules can now be applied on the username for the active requestor flow of Microsoft 365 WS-Federation applications.
  • A new public SAML API was added to export metadata. The GET operation supports two federations: saml20sp and saml20ip.
    /v1.0/saml/federations/saml20sp/metadata
    /v1.0/saml/federations/saml20ip/metadata
    See IBM Security Verify API Documentation.
  • Updated list of supported application templates. Added support for the following applications:
    • AssetSonar
    • Avian
    • ClicData
    • Clockify
    • FireHydrant
    • Jostle
    • Qualified
    • Rewatch
    See Supported connectors for applications.
Notifications
  • The TokenExchange API has an optional request parameter, redirect_url. When it is included, the request returns a response that redirects the browser to the redirect_url. For example, /authenticate/v1.0/auth/session?redirect_url=https://some_url.com. In an upcoming version, an error will be returned if the redirect_url is not in the tenant's list of allowed URLs.
    The tenant administrator can set the allowed URLs. The entries in the list are regular expressions, so the administrator can match the redirect_url by using regular expression syntax. For example,
    https://(?:optional_part.)?ibm.com/.*
    The redirect_url will be allowed by default if:
    • It points to the tenant: https://my_tenant.com/....
    • It starts with a "/", a relative URL: /ivcreds.
    A tenant administrator can use the forthcoming Session Exchange API to set the list of allowed URLs. An example of the SessionExchange payload to set the list:
    {
        "redirectUrls": [
            "https://some_url.com.*",
            ...
        ]
    }
  • On October 7, IBM Security Verify is adding a restriction on concurrent browser login sessions for a user. A typical user will not encounter this limit error. If monitor scripts are simulating a user login, you must modify them to explicitly log out by navigating to:
    https://{{tenant}}/idaas/mtfim/sps/idaas/logout
  • Some v1.0 APIs that are related to multi-factor authentication are now deprecated and will be removed after December 2021. Enhanced and easier-to-use replacements are already available. See Deprecated APIs.
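
The redirect_url allow list described in the first notification above can be checked before an entry is deployed. The following Python sketch is an added example, not IBM code: it models the documented rules and probes a regular expression with constructed lookalike URLs. Full-string matching, the rejection of "//" prefixes, the tenant host my_tenant.com, and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit

TENANT_HOST = "my_tenant.com"  # assumption: placeholder host from the page's example


def is_allowed(redirect_url, patterns, tenant_host=TENANT_HOST):
    """Model of the documented rules. Full-string matching is an assumption."""
    if redirect_url.startswith("/"):
        # Relative URL. "//host" and "/\host" resolve to another host in
        # browsers, so this model rejects them (hardening assumption).
        return not redirect_url.startswith(("//", "/\\"))
    parts = urlsplit(redirect_url)
    if parts.scheme == "https" and parts.hostname == tenant_host:
        return True
    return any(re.fullmatch(p, redirect_url) for p in patterns)


def audit(pattern, intended_host):
    """Probe one allow-list regex with constructed URLs; return findings."""
    probes = {
        # Host continues past the intended name: pattern lacks a "/" delimiter.
        "host suffix not delimited": f"https://{intended_host}.lookalike.example/",
        # First "." swapped for a letter: pattern uses "." instead of "\.".
        "unescaped dot in host": "https://" + intended_host.replace(".", "x", 1) + "/",
    }
    findings = [name for name, url in probes.items() if re.fullmatch(pattern, url)]
    if not re.fullmatch(pattern, f"https://{intended_host}/home"):
        findings.append("does not match intended host")
    return findings


if __name__ == "__main__":
    loose = "https://some_url.com.*"      # entry as written in the payload example
    tight = r"https://some_url\.com/.*"   # escaped dot, "/" ends the host
    for pattern in (loose, tight):
        print(pattern, "->", audit(pattern, "some_url.com") or "no findings")
    probe = "https://some_url.com.lookalike.example/"  # constructed URL
    print("loose allows probe:", is_allowed(probe, [loose]))
    print("tight allows probe:", is_allowed(probe, [tight]))
```

An entry with no findings from audit() is anchored to the intended host; an entry with findings should be tightened before it is added to redirectUrls.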

August 2021

Notifications
  • On October 7, IBM Security Verify is adding a restriction on concurrent browser login sessions for a user. A typical user will not encounter this limit error. If monitor scripts are simulating a user login, you must modify them to explicitly log out by navigating to https://{{tenant}}/idaas/mtfim/sps/idaas/logout.
  • As of February 2022, the group information in the OAuth/OIDC grants is no longer updated whenever the user is added to or removed from a group. The group information is only accurate for the time the user logged in and the grant is created. To get the latest group information, use the User Management Version 2.0 /v2.0/Me API.
  • IBM Security Verify continually enhances its password security policy. You might encounter some changes in its behavior.
  • In March 2021, all ciphers that are supported within the Verify platform were restricted to FIPS-compliant algorithms. This change might impact integrations through SAML and OpenID Connect federations.
  • Some v1.0 APIs that are related to multi-factor authentication are now deprecated and will be removed after December 2021. Enhanced and easier-to-use replacements are already available. See Deprecated APIs.

July 2021

  • IBM Security Verify now supports multiple signing certificates for Custom SAML Applications.
  • Three attribute functions were added. Two were added for Identity source credentials, iduser.getValue($property) and iduser.getValues($property), and one for Adaptive access, risk.getRawAdaptiveSessionData(). See Attribute functions.
  • IBM Security Verify now supports the configuration of custom schema support for Box, Google Workplace, Microsoft 365, Salesforce, ServiceNow, Zendesk, Zoom, and IBM Security Verify custom applications. See Custom schema support for applications.
  • IBM Security Verify supports privacy profiles for purposes and EULAs. See Managing privacy profiles.
  • Provisioning can now be configured for Red Hat® OpenShift® applications. See Configuring provisioning for Red Hat OpenShift.
  • IBM Security Verify now supports application profiles for custom attributes and for identity adapter applications. See Managing application profiles.
  • Updated list of supported application templates. Added support for the following applications:
    • CloudBees Feature Management
    • ConnectWise Control
    • Notion
    • Stoplight
    • Trello - part of the Atlassian suite
    See Supported connectors for applications.
Notifications
  • In March 2021, all ciphers that are supported within the Verify platform were restricted to FIPS-compliant algorithms. This change might impact integrations through SAML and OpenID Connect federations.
  • Some v1.0 APIs that are related to multi-factor authentication are now deprecated and will be removed after December 2021. Enhanced and easier-to-use replacements are already available. See Deprecated APIs.

June 2021

  • User registration flows are now available to make the user onboarding experience easier. An IBM Security Verify user flow can be customized to your needs. Your users can then create their own login account by entering the required information that you defined in your user flow. See Managing user registration.
  • The ability to renew the lifetime of refresh tokens is added for OIDC applications. See Configuring single sign-on in the OpenID Connect provider.
  • With IBM Security Verify you can now use WS-Federation and WS-Trust for Azure AD Join. You can configure it from the Microsoft 365 application with the WS-Federation Sign-on method. Configuration instructions are provided in the Microsoft 365 application template.
  • Adaptive access is now fully supported for both web and mobile native applications. Adaptive access detects risk from native application contexts and drives authentication flows based on policies defined in IBM Security Verify. The solution is supported by SDKs that are available through the developer portal in your tenant, and through documentation available via the ISV documentation hub and GitHub. See Managing Verify Adaptive Access, Managing access policies, and Adaptive SDK.
  • IBM Security Verify now supports user compliance and user entitlement reports. See Generating a user compliance report and Generating a user entitlement report.
  • IBM Security Verify now supports provisioning with ZScaler, ZScaler Private Access, and custom applications. See Configuring provisioning for ZScaler, Configuring provisioning for ZScaler Private Access, and Configuring provisioning for Custom applications. For a full list of applications that support provisioning, see Applications that support provisioning.
  • Verify now supports IBM Security Verify Gateway for Linux PAM (Pluggable Authentication Modules) version 1.0.5. Version 1.0.5 introduces support for RHEL 8.3 on s390x (zLinux®) and SUSE Linux Enterprise Servers 12.5 and 15.2 on s390x (zLinux). See Overview.
  • User consents for existing OIDC custom applications can be migrated to DPCM. See Migrating user consents.
  • User activity and Admin activity reports now show account expiration events of the type System. These expiration events are based on timestamp and are automatically performed by AccountExpiration. The timestamp can be set by editing the user profile after the user is created. See Updating user details.
    Note: When an account is expired by the system, it shows as disabled. To determine whether a disabled account is expired, go to the Admin activity or User activity report to see the logged event.
  • Updated list of supported application templates. Added support for the following applications:
    • Biztera
    • CloudFlare Access
    • Sketch
    • Status Hero
    See Supported connectors for applications.
  • You can now add multiple password policies for different users and make changes to an existing password policy. See Managing password policies.
Notifications
  • APIs that are related to OpenID Connect consent management are now deprecated and will be removed after June 2022. See Deprecated APIs. Customers are expected to migrate their apps to Advanced consents during this period. See Migrating user consents.
  • After March 2021, all ciphers that are supported within the Verify platform were restricted to FIPS-compliant algorithms. This change might impact integrations through SAML and OpenID Connect federations.
  • Some v1.0 APIs that are related to multi-factor authentication are now deprecated and will be removed after December 2021. Enhanced and easier-to-use replacements are already available. See Deprecated APIs.