What's new
Look here for the new features and other information that is specific to the current release of IBM® Security Verify.
Note: The new features might not be available in your location yet.
August 2024
- No new features were added in August.
- Updated list of supported application templates. Added support for the following applications:
- No new applications were added.
- Notifications
- Generic User Count and CSV Download features are now deployed in all environments including Australia, Canada, and Japan. See Generating a users list report and Downloading a CSV report.
- When a POST request is sent to the /oidc/endpoint/default/* and /v1.0/endpoint/default/* endpoints, the parameters must be sent in a POST body and not in the query parameters. Enforcement of this restriction begins 20 July 2024 to ensure that security standards are followed.
- The Subscription Usage Dashboard is currently still in preview mode. Some inaccuracies were discovered in the usage statistics. The levels of consumption for your subscriptions might be incorrectly displayed in the dashboard. The issue is being worked on.
Note: The inaccuracies in the data that is displayed do not affect your billing in any way.
July 2024
- IBM Security Verify now supports an HSTS preload option for a vanity hostname. See Network security.
- IBM Security Verify Adapter now supports SAP Business Technology Platform v1.0.0 application. For more information, see Managing endpoints by identity adapters. The target applications can now be configured for provisioning endpoints managed by Identity Adapters from IBM Security Verify to the SAP Business Technology Platform application. For more information, see Configuring provisioning for SAP Business Technology Platform.
- IBM Security Verify added new entitlements. See Access entitlements.
- IBM Security Verify added FIDO enrollments and authentication to Management and Authentication event payloads. See Management event payload, or Authentication event payload.
- IBM Security Verify now supports modifying user profile settings pages. See Modify user profile pages.
- IBM Security Verify now supports decoupling of user and device authentication. The admin can configure Device trust settings for Microsoft Intune, Jamf and Google Workspace device managers to issue a non-exportable certificate on the end user’s device for the device management. See Adding an Intune device manager, Adding a Jamf device manager and Adding a Google Workspace device manager for further details.
Note: The Device trust feature can be enabled upon request. To request this feature, contact your IBM Sales representative or IBM contact and indicate your interest in enabling this capability. Create a support ticket if you have permission. IBM Security Verify trial subscriptions cannot create support tickets.
Furthermore, the admin can now set the Client certificate validity period to a value other than the default selection of 3 years.
The Device trust, Event type detail is now recorded in the Authentication activity report. See Generating an authentication activity report for further details.
- IBM Security Verify now supports adding access policies to profile management. See Create a user profile.
- The attributes for password dictionary were added to the payloads for management and authentication events. See Management event payload and Authentication event payload.
- IBM Security Verify now supports generating a users list report. See Generating a users list report.
- IBM Security Verify Gateway for Windows Login has updates to the config.json file. See The config.json file.
- IBM Security Verify Gateway for Linux PAM and AIX® PAM has updates to system configuration modules. For information, see "pam":{}, "ibm-auth-api":{}, and The PAM system configuration file.
- IBM Security Verify Gateway for Linux PAM and AIX® PAM supports additional operating systems. See Overview.
- IBM Security Verify now supports Verifiable credentials. See Managing verifiable credentials.
- The Configure your application in Google topic was updated. See Configuring your application in Google.
- Notification webhooks now support JWT and mTLS authentication types. See Creating a notification webhook.
- The user invitation option for identity providers is now available in the Add identity provider flow. For examples, see Adding a SAML Enterprise identity provider, Configuring an OIDC Enterprise identity provider, Adding a MaaS360 Cloud Extender identity provider, and Configuring an on-prem LDAP provider.
- Updated list of supported application templates. Added support for the following applications:
- SAP Business Technology Platform
- IBM Storage Ceph
- Notifications
- Generic User Count and CSV Download features are not yet deployed in the following environments.
- Australia
- Canada
- Japan
- When a POST request is sent to the /oidc/endpoint/default/* and /v1.0/endpoint/default/* endpoints, the parameters must be sent in a POST body and not in the query parameters. Enforcement of this restriction begins 20 July 2024 to ensure that security standards are followed.
- To improve security, the state and nonce query parameters in the OpenID Connect authorization request must be at least 8 characters long. This change becomes effective 30 June 2024. Ensure that your applications are updated.
- Application grants v1.0 APIs /v1.0/appgrants are deprecated. The end of life is 30 June 2024. See Deprecated APIs. The new APIs require the application ID to be specified and either "Manage OIDC and OAuth application grants" or "Read OIDC and OAuth application grants" API entitlements.
- The Subscription Usage Dashboard is currently still in preview mode. Some inaccuracies were discovered in the usage statistics. The levels of consumption for your subscriptions might be incorrectly displayed in the dashboard. The issue is being worked on.
Note: The inaccuracies in the data that is displayed do not affect your billing in any way.
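A pre-deployment check for the two request-format notices above (POST parameters in the body for the /oidc/endpoint/default/* and /v1.0/endpoint/default/* endpoints, and state and nonce of at least 8 characters), as an added example that is not IBM code. The host name tenant.example, the sample requests and the function names are constructed for illustration.

```python
"""Lint recorded HTTP requests against two IBM Security Verify request rules."""
import secrets
from urllib.parse import parse_qs, urlsplit

# Path prefixes named in the notice; the "*" there stands for any sub-path.
BODY_ONLY_PREFIXES = ("/oidc/endpoint/default/", "/v1.0/endpoint/default/")
MIN_LEN = 8  # minimum length of state and nonce stated in the notice


def check_request(method, url):
    """Return a list of findings for one request (empty list means compliant)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    findings = []

    # Rule 1: parameters of a POST to these endpoints belong in the body.
    if method.upper() == "POST" and parts.path.startswith(BODY_ONLY_PREFIXES):
        if query:
            names = ", ".join(sorted(query))
            findings.append("POST parameters in query string: " + names)

    # Rule 2: state and nonce of an authorization request need >= 8 characters.
    # An authorization request is recognised by its response_type parameter.
    if "response_type" in query:
        for name in ("state", "nonce"):
            for value in query.get(name, []):
                if len(value) < MIN_LEN:
                    findings.append(
                        f"{name} is {len(value)} characters, minimum is {MIN_LEN}"
                    )
    return findings


def new_value():
    """Generate a state or nonce value that is unguessable and long enough."""
    return secrets.token_urlsafe(16)  # 22 URL-safe characters


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("POST", "https://tenant.example/v1.0/endpoint/default/token"
             "?grant_type=client_credentials&client_id=abc"),
    ("POST", "https://tenant.example/v1.0/endpoint/default/token"),
    ("GET", "https://tenant.example/oidc/endpoint/default/authorize"
            "?response_type=code&client_id=abc&state=xyz&nonce=0123456789abcdef"),
]

if __name__ == "__main__":
    for method, url in SAMPLES:
        result = check_request(method, url)
        print(method, urlsplit(url).path, "->", result or "ok")
```
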
June 2024
- No new features were added in June.
- Updated list of supported application templates. Added support for the following applications:
- No new applications were added.
- Notifications
- When a POST request is sent to the /oidc/endpoint/default/* and /v1.0/endpoint/default/* endpoints, the parameters must be sent in a POST body and not in the query parameters. Enforcement of this restriction begins 20 July 2024 to ensure that security standards are followed.
- To improve security, the state and nonce query parameters in the OpenID Connect authorization request must be at least 8 characters long. This change becomes effective 30 June 2024. Ensure that your applications are updated.
- Application grants v1.0 APIs /v1.0/appgrants are deprecated. The end of life is 30 June 2024. See Deprecated APIs. The new APIs require the application ID to be specified and either "Manage OIDC and OAuth application grants" or "Read OIDC and OAuth application grants" API entitlements.
- The Subscription Usage Dashboard is currently still in preview mode. Some inaccuracies were discovered in the usage statistics. The levels of consumption for your subscriptions might be incorrectly displayed in the dashboard. The issue is being worked on.
Note: The inaccuracies in the data that is displayed do not affect your billing in any way.
May 2024
- Enhanced the Access certification to allow the user to end and delete campaigns. For more information, see Access certification.
- Enhanced the support to mark consents as required, automatically grant them and globally store them across all applications. For more information, see OpenID Connect request mapping for consent requests.
- Password policies that are assigned to a user can now be managed from the tab. See Managing users.
- The following modifications are done in the Admin Activity report to enable the administrator to trace the actions taken in accordance with the flow designed in the Flow designer:
- A record gets displayed whenever a flow is created, modified, exported, imported, published, deleted, or Trace URL is generated by a user logged in the admin console.
- The Event details under Management Event is enhanced to display the Flow name, Flow reference and Trace URL validity.
- A new attribute data.authenticatorattachment was added to management event and authentication event payloads. See Management event payload and Authentication event payload.
- You can now enforce client authentication on a device authentication /oauth2/device_authorization endpoint for device flow. See Configuring OIDC application general settings.
- In the Flow designer, when the Function task execution fails, its details are now saved in the error object inside the context and the flow continues instead of displaying the error page.
- A new attribute Refresh token fault tolerance lifetime option was added to OIDC general settings. See Configuring OIDC application general settings.
- Two filters, API client ID and API client name, were added to MFA reports. See Generating a multi-factor authentication activity report.
- Updated list of supported application templates. Added support for the following applications:
- None
- Notifications
- To improve security, the state and nonce query parameters in the OpenID Connect authorization request must be at least 8 characters long. This change becomes effective 30 June 2024. Ensure that your applications are updated.
- Application grants v1.0 APIs /v1.0/appgrants are deprecated. The end of life is 30 June 2024. See Deprecated APIs. The new APIs require the application ID to be specified and either "Manage OIDC and OAuth application grants" or "Read OIDC and OAuth application grants" API entitlements.
- The Subscription Usage Dashboard is currently still in preview mode. Some inaccuracies were discovered in the usage statistics. The levels of consumption for your subscriptions might be incorrectly displayed in the dashboard. The issue is being worked on.
Note: The inaccuracies in the data that is displayed do not affect your billing in any way.
April 2024
- Enhanced the procedure to configure Microsoft 365 for user provisioning. For more information, see Configuring provisioning for Microsoft 365.
- An update procedure was added for IBM Security Verify Bridge for Directory Sync. See Upgrading the IBM Security Verify Bridge for Directory Sync.
- A requestable feature CI-131380 is available for digital badge provisioning for Apple and Google wallet. See Managing physical access badge.
- You can now modify invite new user pages for federated users in IBM Security Verify. For more information, see Modify invite new user pages.
- A requestable feature CI-108233 for user invitations is now available. With this feature, you can send others an invitation to register as new users. Upon accepting the invitation, the users are created and added to the specified groups. Through the users' group memberships, they are automatically given the roles and permissions that are assigned to those groups. See Inviting users.
- The V1.0 management APIs for identity sources are being deprecated. See Deprecated APIs. To view the new APIs, see https://docs.verify.ibm.com/verify/reference/updateidentitysource.
Note: If an identity provider has V2 properties, either created with or updated by the V2 API, use of the V1 API to set or modify it results in an error.
- Reports are now tagged according to category, either Audit or Status. See Managing reports.
- A requestable feature, CI-117151, is available for assigning password policies to individual users and groups. See Assigning password policies to users and groups.
- The following modifications and additions are introduced in the Flow designer:
- The Flow designer look and feel is enhanced for a better user experience, providing more canvas area for flow construction. The General section is now displayed as a panel that opens on the click of the icon provided in the screen. For more information, see Managing flow designer.
- The Requires callback input parameter is introduced in the User form, Redirect and Page task to automatically generate a Message node after these tasks. For more information, see Managing tasks.
- IBM Security Verify now supports configuring threat detection and remediation policies. The policy enables the Admins to set their Verify SaaS environment to alert and/or proactively block login traffic that results from identified attacks. For more information, see Managing threat detection.
- IBM Security Verify now supports modifying threat detection email notification pages. For more information, see Modify threat detection email notification pages.
- IBM Security Verify Adapter now supports PostgreSQL Server - v12.0. For more information, see Managing endpoints by identity adapters. The target applications can now be configured for provisioning endpoints managed by Identity Adapters from IBM Security Verify to the PostgreSQL Server application. For more information, see Configuring provisioning for Postgres.
- IBM Security Verify Adapter now supports MySQL Server - v8.0.19. For more information, see Managing endpoints by identity adapters. The target applications can now be configured for provisioning endpoints managed by Identity Adapters from IBM Security Verify to the MySQL Server application. For more information, see Configuring provisioning for MySQL.
- IBM Security Verify now supports allowing access tokens to be exchanged for an SSO session. For more information, see Configuring OIDC application general settings, Managing STS clients, Configuring single sign-on in the OpenID Connect application, and Configuring single sign-on in the OpenID Connect for Open Banking applications.
- Threat detection is now supported by the IBM Security Verify user interface. See Managing threat detection.
- A new grant type is provided for OIDC applications. Context-based authorization is a multi-stage grant type. The API client is prompted to perform an authentication factor. The JWT bearer grant must be enabled to perform the authentication factors that are determined by the access policy attached to the application. See Configuring single sign-on in the OpenID Connect application and Configuring single sign-on in the OpenID Connect for Open Banking applications.
- Attribute-based access control through dynamic roles now is supported by IBM Security Verify. This feature is available as part of a requestable feature, 46644. To request this feature, contact your IBM Sales representative or IBM contact and indicate your interest in enabling this capability. If you have permission to create a support ticket, create a support ticket with the feature number. Note: IBM Security Verify trial subscriptions cannot create support tickets. See Creating a dynamic administrator role and Creating a dynamic application role.
- The following modifications have been done in the Admin Activity report to provide the administrator with traceability to all changes done to an Access Policy:
- A record gets displayed whenever Access policy is created, modified or deleted either by a user logged in the admin console or through APIs.
- The Event details under Management Event is enhanced to display the Policy name, Policy ID and Modifications made to an Access Policy. This provides the administrator with traceability to all changes done to an Access Policy.
- IBM Security Verify now supports modifying user profile pages. For more information, see Modify user profile pages.
- Updated list of supported application templates. Added support for the following applications:
- None
- Notifications
- To improve security, the state and nonce query parameters in the OpenID Connect authorization request must be at least 8 characters long. This change becomes effective 30 June 2024. Ensure that your applications are updated.
- Application grants v1.0 APIs /v1.0/appgrants are deprecated. The end of life is 30 June 2024. See Deprecated APIs. The new APIs require the application ID to be specified and either "Manage OIDC and OAuth application grants" or "Read OIDC and OAuth application grants" API entitlements.
- The Subscription Usage Dashboard is currently still in preview mode. Some inaccuracies were discovered in the usage statistics. The levels of consumption for your subscriptions might be incorrectly displayed in the dashboard. The issue is being worked on.
Note: The inaccuracies in the data that is displayed do not affect your billing in any way.
March 2024
- New Certificates are available for *.ice.ibmcloud.com tenants. See Product requirements.
- IBM does not support the customization of alphanumeric senderIds for SMS in Australia and Singapore. For these restrictions, see Supported countries for SMS and Voice.
- Updated list of supported application templates. Added support for the following applications:
- None
- Notifications
- To improve security, the state and nonce query parameters in the OpenID Connect authorization request must be at least 8 characters long. This change becomes effective 30 June 2024. Ensure that your applications are updated.
- Application grants v1.0 APIs /v1.0/appgrants are deprecated. The end of life is 30 June 2024. See Deprecated APIs. The new APIs require the application ID to be specified and either "Manage OIDC and OAuth application grants" or "Read OIDC and OAuth application grants" API entitlements.
- The Subscription Usage Dashboard is currently still in preview mode. Some inaccuracies were discovered in the usage statistics. The levels of consumption for your subscriptions might be incorrectly displayed in the dashboard. The issue is being worked on.
Note: The inaccuracies in the data that is displayed do not affect your billing in any way.
- The mtlsidaas global tenants for device managers are now deprecated and will be removed after March 2024. Go to Obtaining a vanity hostname to request a vanity domain. For more information, see Adding a device manager.
- The RSA-v1.5 Encryption key transport algorithm will not be supported after March 2024. See the Encryption options table in Configuring SAML single sign-on in the identity provider.
February 2024
- IBM Security Verify supports SMS and Voice one-time passwords for many countries depending on the type of plan that you have for your tenant. This feature is supported for paid tenants only. It is not available for trial tenants. For a list of countries and any restrictions, see Supported countries for SMS and Voice.
- OIDC and OAuth token lengths are not fixed. See Tokens in Table 1 Single Sign-on.
- Updates to the logo.png and the page_style.css pages can take up to 5 min. For more information, see Create common branding.
- Information was added about SAML2 application metadata export URLs. See Configuring SAML single sign-on in the identity provider What to do next.
- The process for obtaining a vanity hostname was updated. See Obtaining a vanity hostname.
- Updated list of supported application templates. Added support for the following applications:
- None
- Notifications
- To improve security, the state and nonce query parameters in the OpenID Connect authorization request must be at least 8 characters long. This change becomes effective 30 June 2024. Ensure that your applications are updated.
- Application grants v1.0 APIs /v1.0/appgrants are deprecated. The end of life is 30 June 2024. See Deprecated APIs. The new APIs require the application ID to be specified and either "Manage OIDC and OAuth application grants" or "Read OIDC and OAuth application grants" API entitlements.
- The Subscription Usage Dashboard is currently still in preview mode. Some inaccuracies were discovered in the usage statistics. The levels of consumption for your subscriptions might be incorrectly displayed in the dashboard. The issue is being worked on.
Note: The inaccuracies in the data that is displayed do not affect your billing in any way.
- New certificates for *.verify.IBM.com were deployed on 11 December 2023. The previous certificates expired on 09 January 2024. See Product requirements.
- The mtlsidaas global tenants for device managers are now deprecated and will be removed after March 2024. Go to Obtaining a vanity hostname to request a vanity domain. For more information, see Adding a device manager.
- The RSA-v1.5 Encryption key transport algorithm will not be supported after March 2024. See the Encryption options table in Configuring SAML single sign-on in the identity provider.
- Access policy management v3.0 APIs /v3.0/policyvault/accesspolicy are deprecated. The end of life was 23 December 2023. See Deprecated APIs. The new APIs are at https://docs.verify.ibm.com/verify/reference/listaccesspolicyrevisions.