Skip to main content
Skip table of contents


Version 3.5.4 is an improvement addition over the 3.5 version, fixing bugs and introducing new features and optimizations in both UI and under the hood.

In terms of functionality a lot of improvements for existing features have been implemented, both in functional aspects and UI changes and new features have been introduced, with impact in end-user flows and server configuration..


New features and improvements:

  • Users are now able to reset or renew their LDAP password from Self Service Portal.

  • Admin group mapping now supports multiple external groups mapped to a single Veridium group.

  • Introduced improvements in deprovision flows:
    - Identity Deprovision now contains more information from the identity table
    - Filtering is now possible by Domain
    - Introduced pagination size selection
    - Added a new column in the Deprovisioning table for “locked” account status and improved the UI
    - Added helper links and information as a right-side snippet in Identity Deprovision and Deprovisioning Settings to allow easier operation of the entire feature.
    - Introduced relevant messages and warnings in UI for all actions
    - improved the cron scheduler: the current job can be cancelled, improved the entire command flow to prevent running a sync job twice in parallel.
    - Remove and Revert actions are now logged in Veridium Manager / Audit / Action Logs.
    - Fixed the deprovision reports to include all selected data, instead of only the maxNumRetrievedRecords rows.
    - added a new configuration flag for a new status operable in deprovisioning flows: inactive identity detection based on last active date (days). The flag is present in Veridium Manager / Settings / Deprovisioning - “Identity Inactive Days” .

  • QR is now supported as a second step in authentication flows and option cmd_qr is now available in Orchestrator. User can present his “username” or “email” without displaying a QR and receive a personalized QR with the provided user data in the second step - to scan with the mobile app.

  • Offline QR is now a supported command in Orchestrator - cmd_qr_offline

  • Added a new checkmark button in Action column to quickly verify System Services credential status at a glance in Settings / Certificates / Service Credentials.

  • The usability of invitation codes has been extend to allow them to be exported in CSV format (for printable onboarding materials), and to allow their validation during Code Validation step in enrolment.

  • Added granular permissions for invitation code management and enrolment tracker control.

  • Improved the behavior on session opportunity expiration when the QR refresh indicator was not shown if a redirect URL is set on the SAML application and autoRefresh is set to false.

  • Functionality improvements and bug fixing on Windows Credential Provider.

  • Sessions CSV report is not limited to 10.000 results anymore.

  • Security hardening and sanitization of the some Lost Mode configuration fields.

  • Fixed a security policy configuration issue that caused the authentication location map not to be displayed in Veridium Manager Dashboard due to the new security policies. A manual fix is available for already deployed environments:
    Open Veridium Manager / Advanced / admin.json, search for httpResponseHeaders and add '*' value to script-src directive.

"Content-Security-Policy": "default-src 'self'; img-src 'self' * data:; style-src 'self' 'unsafe-inline' *; font-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' *; connect-src 'self' *; frame-src 'self' *"

  • SPNEGO authentications now create the identity in Veridium (if not previously registered). This will improve the audit of SPNEGO sessions, mitigate some backend errors and will allow a smoother rollout for Veridium users. No authenticators or credentials are visible in Veridium Manager and Self Service Portal for users created only with this method of authentication.
    Note: For the mechanism described above to work, the option Create Profile When Authenticated Externally needs to be enabled in Veridium Manager / Settings / General section.

  • Helpdesk users can now delete FIDO, SMS authenticators in addition to phones.

  • Improved the yellow information messages displayed in the bottom-right corner to be more relevant.

  • Improved the “Save” button function in Administrators - Create Admin section to not allow consecutive clicks (which resulted in multiple admin certificates being created). Now the button will be greyed out after one use.

  • Improved the Internet Explorer compatibility with Shibboleth, aimed especially at Citrix Workspace flows that still use the old browser engine. Note that due to IE age, some strings in UI may appear slightly out of bounds, but the functionality is supported in full.

  • Improved the Internal Administrator creation process: mitigated errors, introduced relevant error messages, changed the mandatory condition on some fields to better reflect user scenarios. Dedicated documentation page has been updated to contain these new additions.

  • Veridium Server installation is now compatible with RHEL 8.x and 9.x.

  • Introduced a zookeeper parameter to allow OPA communication setting to HTTPS or HTTP.

  • Updated freeRADIUS to version 3.2.3.

Bug fixes:

  • Fixed an issue that prevented “SLO” keyword to be indexed in search results in dashboard.

  • Fixed an UI inconsistency that caused breadcrumb links to be displayed wrong.

  • Fixed an issue that prevented Admin users to authenticate with pre-authentication and SAML if the username contained capital letters.

  • Fixed the logo changing functionality for the logout page.

  • Fixed an error message when user attempted code validation via Line Manager, without having a Line Manager defined in Active Directory.

  • Fixed an error that prevented correct display of identity details in all areas, if the NameID expected by SAML was empty (i.e. user has no email address configured in Active Directory).

  • Desktop fingerprint authenticator (DactylID) can now be removed from Veridium Manager > Identity page also, besides the Self Service user page.

  • Added a more relevant message for blocked/locked users that attempt any actions in Self Service Portal.

  • Fixed the search field “X” button alignment (used to go out of bounds for any string).

  • Fixed a bug that prevented the use of “Friendly Name” configured for an application, during SPNEGO authentication flows.

  • Fixed a bug in Veridium Manager / Settings / Services / LDAP that made connections with special characters not editable in UI.

  • Fixed a bug that prevented the edit of “Integration ID Name” in UI in Veridium Manager / SSP / SAML Config.

  • Fixed a bug that prevented the open of a Custom certificate (device) from the action button from the Veridium Manager / Settings / Certificates / Validity Dashboard.

  • Fixed the oversized Yubico OTP authenticator icon in Self Service Portal.

  • Fixed an issue with timeout sessions not being saved in the Elastic Search correctly on occasion.

  • Fixed an error happening when attempting to create an admin during a connection timeout.

  • Improved the UI to signal mandatory fields in a more visible way in Settings / Mobile / Device Integrity.

  • Improved the Settings / Advanced section to correctly display file timestamps.

  • Improved global search indexing to include newly introduced features, fields, descriptions.

  • A small improvement in logging for bops.log, which should declutter the logs from expired sessions entries inaccurately marked as errors. They are now marked as DEBUG messages, instead of ERROR.

  • Fixed a Self Service Portal console error when user performed an enrolment or a logout.

  • Fixed a calendar bug in various Veridium Manager sections that caused bad sorting and display of results in some corner cases.

  • Fixed a bug in Veridium Manager / Application configuration which caused a conflict between “Redirect URL”, “Hide SSP” and “Hide SSO Redirect” options in certain combinations.

  • Fixed a bug that caused “Stale Request” error in Shibboleth when the username field was focused repeatedly.

  • Fixed an issue that prevented SSO to work correctly using HDX via Netscaler when the user’s password was expired in Active Directory.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.