
Release 3.3.0

Highlights:

  • This version introduces a deprovisioning mechanism as an addition to the Identity section. The mechanism syncs identities and their status between VeridiumID and Active Directory services; if a user is no longer valid in Active Directory, the user is also disabled in Veridium Server. The system allows configuration of deprovisioning reasons and supports manual operation or scheduling via cron, together with a notification.

  • Statistics now support ElasticSearch to increase data operation efficiency and stability. In this version, either Kafka+Cassandra or ElasticSearch can be selected via a configuration parameter, for full backwards compatibility.
    This release prepares the ground for moving away from a streaming data approach (Kafka & Statistics microservices) and a high-pressure point (Cassandra) to an ElasticSearch approach.
    In future versions, this will allow more complex dashboard graphic support, with improvements in performance (faster delivery times for the statistics dashboard, pagination improvements, search capability improvements), granularity and system resilience for authentication scenarios.

The upgrade maintains the previous behaviour of storing audit data in Cassandra and computing statistics through Kafka processors. Adding ElasticSearch is the subject of a separate procedure next to the upgrade.

  • Email notifications have a new implementation in the VeridiumID server, decoupled from Kafka. It is controlled by configuration (feature enable).

By default this is enabled after upgrade.

  • Location coordinate precision can now be configured via location.json for mobile devices. The new parameter defines the number of digits required for the mobile location sent to the server. For example, "locationCoordinatesPrecision": 3 translates into a location of the form latitude x.123, longitude y.123. The parameter is supported in server versions before 3.3 if set in mobileSettings.json. Upon updating to version 3.3, the parameter is moved automatically to location.json, maintaining environment behavior.

  • Applications now support friendly names besides their default initial ones, with display support across the stack

  • A new mechanism has been introduced to allow configuration of the second factor trigger based on time or number of sessions. For example, a user is asked for both factors at first login, then the system only asks for the first factor until the defined time window or the defined number of authentications has passed.

  • vFace liveness setting can now be applied at a granular permission for groups of users, applications etc, instead of a global setting. The setting can be controlled in Orchestrator - Commands - cmd_vface_mobile and cmd_vface_browser via parameters "enableLiveness" and "livenessFactor".

  • Security improvements and hardening to match the latest field standards. These include log cleanup for sensitive information, mitigation of potential authentication hijacking via mobile apps, updates for outdated third-party libraries, automatic logout for the Self Service Provider page after 5 minutes of user idle time, and Control Flow Guard enabled for Windows components.

  • Veridium Admin users can now be connected to Active Directory permissions, offering support for central point user configurations in terms of access

  • LDAP connection setup screen improvements: more descriptive errors, better connection testing using parallel requests, draft connections are no longer included in the connection test with all active connections.

  • Mobile apps have been updated to support all the new server features, but they maintain backwards compatibility with server versions already deployed in production. They also contain bug fixes for user flow issues reported from production.
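
The second-factor trigger described in the highlights above can be sketched as a small decision function. This is an added example, not VeridiumID code: the setting names (`window`, `max_single_factor`) are hypothetical, and it assumes both factors are required again as soon as either limit is reached and that every recorded login succeeded.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class StepUpPolicy:
    # Hypothetical setting names; the product's real parameter names are not on this page.
    window: timedelta          # time after which both factors are required again
    max_single_factor: int     # sessions allowed with only the first factor


@dataclass
class UserState:
    last_full_auth: Optional[datetime] = None  # last login that used both factors
    single_factor_count: int = 0               # sessions since then without the second factor


def second_factor_required(policy: StepUpPolicy, state: UserState, now: datetime) -> bool:
    """Return True when this login must ask for both factors."""
    if state.last_full_auth is None:
        return True                      # first login: always both factors
    if now < state.last_full_auth:
        return True                      # clock skew or tampered state: fail closed
    if now - state.last_full_auth >= policy.window:
        return True                      # time window has passed
    return state.single_factor_count >= policy.max_single_factor  # session budget used up


def record_login(policy: StepUpPolicy, state: UserState, now: datetime) -> bool:
    """Decide, then update the state. Returns whether the second factor was asked."""
    asked = second_factor_required(policy, state, now)
    if asked:
        state.last_full_auth = now       # a full authentication resets both limits
        state.single_factor_count = 0
    else:
        state.single_factor_count += 1
    return asked


def simulate() -> list:
    """Constructed sample: 8-hour window, 3 single-factor sessions allowed."""
    policy = StepUpPolicy(window=timedelta(hours=8), max_single_factor=3)
    state = UserState()
    start = datetime(2024, 1, 1, 9, 0)
    offsets_h = [0, 1, 2, 3, 4, 5, 14]   # login times in hours after `start`
    return [record_login(policy, state, start + timedelta(hours=h)) for h in offsets_h]
```

In the constructed run, the fifth login is stepped up because the session budget is used up, and the last because the time window has elapsed.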

New Features and Improvements:

Summary

VeridiumID Server & Admin Dashboard & SSP

Counter added for number of sessions without PIN and trigger PIN challenge according to the setting

vFace liveness setting can now be applied for groups of users, applications according to Orchestrator conditions

Improved location map display in all areas to show relevant geographical area (City)

Automated mechanism to delete the identities which are no longer valid in Directory Service (deprovisioning service)

Added UBA Context score explanation support for positive cases

Fido Authenticator Attestations details can now be accessed in a separate view

Parameter “locationCoordinatesPrecision” added in location.json and Admin to control the accuracy of mobile location reported to the server

Application names can now be customized, with display support across the stack

Disclaimer is no longer mandatory in Directory Service integrations - Enrollment configurations

All sessions fields are now exported in the CSV report

The GeoIP location database now has an automatic update mechanism and can also be controlled via Admin

Improved the commercial name translation mechanism for mobile devices and introduced a manual trigger for update in “Load Device” Admin section

IPv6 support for reverse geoip in session and UBA contexts

Veridium Admin groups permissions can now be linked on Active Directory groups

Improved search function on Certificate Pinning section

Introduced a new warning pop-up in admin for licenses in grace period or expired states

FIDO authenticators are now traced and displayed correctly with their custom names, instead of “DEVIDE_INDEPENDENT”

Improved search function in Admin to include invitation codes and correctly search FIDO authenticators

FIDO full authenticator list can be imported as a file from Admin GUI, without needing external network access to Fido Alliance servers

LDAP connection setup screen improvements: more descriptive errors, better connection testing using parallel requests, draft connections are no longer included in the connection test with all active connections.


Bug Fixes:

Summary

Veridium Server & Dashboard & SSP

Fixed a bug that caused authentication devices to be displayed as “N/A” for users that failed user-presence authentication step

Fixed a bug that caused an error when users scanned a login QR with a mobile app that didn’t have the authenticators enrolled required by the journey

Fixed a bug that caused incorrect authentication data display in session graphics in Dashboard

Fixed a bug where authenticating with Push caused the location to be displayed from IP, instead of mobile in Admin and SSP

Fixed some UI browser console errors in Admin

Fixed a bug that caused a non-descriptive error in Admin when using a metadata URL that times out in SAML applications

Fixed a bug that caused a schema validation fail error when adding a rule for UBA notifications

Fixed horizontal scroll bar appearing in some Admin views without being needed

The application name is now correctly reported for SPNEGO authentications

Fixed a bug that caused Yubico OTP codes to not work on occasion.

Push User Presence code failure is not counted correctly against authenticationMaxRetries parameter

Fixed a bug that allowed bypass of Device Limitation settings if user enrolled mobile device via the Admin / Quick Actions / QR step

Improved Self Service Portal FIDO key names display after a browser refresh action

Fixed a bug that prevented new users from scrolling down the license agreement on first Admin access without zooming out the page in the browser

Fixed a bug that affected the code validation receiver fallback mechanism if the user did not have the first (preferred) option available in Active Directory

Security:

Summary

Veridium Server, GUI, Mobile, Windows components

Cookies are no longer written in the page response’s body, preventing access to their values

Windows Control Flow Guard is now enabled for Credential Provider

Self Service Provider automatically logs out after 5 minutes of user idle

Third-Party Libraries used have been updated to latest versions

Mobile apps logs and other exposed areas have been scrubbed for any potentially harmful or private information
