Releases

This release improves standards compliance for OpenID Connect tokens by correcting how the auth_time claim is issued.
The change ensures better compatibility with standards-compliant clients, libraries, and downstream validation systems by aligning with the official specification.

Improvements

OpenID Connect auth_time Compliance

• Correct data type for auth_time claim
  The auth_time claim is now issued as a numeric value, in accordance with the OpenID Connect specification.

• Improved interoperability
  Previously, auth_time could be returned as a string, which could lead to compatibility issues with strict or standards-compliant clients.
  This has now been corrected to ensure consistent and reliable token validation across integrations.

This release improves network handling, scalability, and Control Client usability in FoxIDs.
Enhancements include more accurate client IP detection when using proxies, increased limits for home realm discovery (HRD), and refined user interfaces for managing applications and authentication methods.

In addition, HTTP request handling has been strengthened with case-insensitive header processing, improved diagnostics through full header logging, and simplified forwarded header support.

New Features and Improvements

Network and IP Handling

• Improved client IP detection
  Client IP address handling now supports proxy-style comma-separated IP lists.
  The system parses and uses the first non-empty value as the client IP address, improving accuracy in proxy and load-balanced environments.

• Increased HRD IP limits
  The number of supported Home Realm Discovery (HRD) IP addresses and IP ranges has been increased from 10 to 20, allowing more flexible routing configurations.

Control Client Improvements

• Enhanced application and authentication UI
  Improved the user experience when adding applications and authentication methods in the Control Client.

HTTP Request Handling

Case-Insensitive Request Header Handling

• Ignore request header casing
  Request headers are now handled in a case-insensitive manner, ensuring consistent behaviour regardless of how headers are formatted by clients or intermediaries.

Enhanced HTTP Request Diagnostics

• Full HTTP request header logging
  FoxIDs can now log all incoming HTTP request headers. This capability is intended for troubleshooting and diagnostic scenarios and should only be enabled temporarily when investigating issues.

Simplified Forwarded Header Handling

• Removed support for underscore variants of forwarded headers
  Support has been removed for the following non-standard header variants:
  • X_Forwarded_For
  • X_Forwarded_Scheme
  • X_Forwarded_Proto

This release improves the tenant creation experience, strengthens data binding reliability in the Control Client, and resolves issues in the CosmosDB to PostgreSQL migration tooling.

New Features and Improvements

Improved Tenant Creation

• Admin user claims during tenant creation
  It is now possible to create a tenant while assigning claims to the initial admin user, such as given_name and family_name.

• Company name for new tenants
  A company name can now be specified when creating a new tenant, improving tenant identification and management.

Control Client Improvements

• More robust voluntary claim data binding
  Added a key to the voluntary claim element in the Control Client scope list to ensure more reliable data binding and reduce UI inconsistencies.

Migration Tooling Improvements

• CosmosDB to PostgreSQL migrator packaging fix
  Added the appsettings.json file to the CosmosDbToPostgreSQLMigrator build package and corrected a dependency issue affecting the migration tool.

This release introduces flexible multi-factor authentication (MFA) capabilities, expanded claims diagnostics, improved token and log visualization, and enhanced infrastructure tooling.
Authentication methods such as OIDC, SAML 2.0, and TrackLink can now be configured as MFA steps alongside traditional factors like SMS, Email, and Authenticator App, allowing highly customizable authentication flows.

The release also improves developer and administrator insight by enhancing claim transform logging, adding token decoding directly in logs, and introducing more precise log filtering. Additionally, a new CosmosDB-to-PostgreSQL migration asset has been added to simplify database transitions.

New Features and Improvements

Multi-Factor Authentication (MFA) with Authentication Methods

• Added support for multi-factor authentication (MFA) where authentication methods can be used as MFA steps.
• Authentication methods such as OIDC, SAML 2.0, and TrackLink can now participate in MFA alongside traditional factors like SMS, Email, and Authenticator App.
• Enabled with a Enable multi-factor flag on the Login authentication method.
• Allows configuration of an ordered list of MFA steps with specific ACR values for fine-grained authentication control.

Uppercase SMS and Email Codes

SMS and email verification codes are now automatically converted to uppercase as users type in the browser. This improves usability by reducing errors caused by letter casing and makes code entry more consistent across authentication and confirmation flows.

This applies to SMS and email code entry in:

• Two-factor authentication
• Passwordless sign-in
• Email and phone confirmation
• Email and phone set-password flows

Enhanced Claims Diagnostics and Visualisation

• Improved claims logging by recording both input and output claims in claim transforms.
• Local _local: claims are now also visible in logs.
• Claim logs in the Control Client are now colour-coded and easier to read.

Token Decoding in Logs

• Added support for decoding tokens directly in logs:
  • ID tokens
  • Access tokens
  • SAML 2.0 tokens
• Tokens are displayed in a formatted and colour-coded view in the Control Client for easier inspection.

Improved Log Filtering

• Logs and audit logs can now be filtered using from-time and to-time instead of fixed intervals in the Control Client.

Claim Transform Improvements

• Claim transform queries now ignore claim value casing when searching internal and external users.
• Claim selection based on claim value is now case-insensitive.

Forwarded Header Compatibility

• Added support for reading forwarded headers with underscores and case-insensitive matching:
  • X_Forwarded_For
  • X_Forwarded_Scheme
  • X_Forwarded_Proto

Migration Tooling

• Added the CosmosDB-to-PostgreSQL migrator as an assets component to simplify database migration scenarios.

This release improves the onboarding and billing experience in FoxIDs Cloud, making it easier to start with a paid plan while maintaining flexibility in the Control Client interface.
New tenants can now be created with a paid plan that includes the first month free, and payment warning messages in the Control Client can be dismissed for improved usability.

New Features and Improvements

• Improved paid plan onboarding in FoxIDs Cloud
  Creating a new tenant with a paid plan in FoxIDs Cloud has been streamlined.
  New paid plans now include the first month free, making it easier to get started without immediate billing impact.

• Dismissible payment warnings
  Payment warning messages in the Control Client can now be closed.

This release enhances SAML 2.0 metadata handling, improves OpenID Connect ACR claim behavior, and introduces stronger testing capabilities in the Control Client.
Key updates include support for reading SAML metadata via URL or file upload, faster metadata refresh intervals for earlier certificate updates, and new re-login and MFA enforcement options in test applications.
Several Control Client usability issues have also been resolved.

New Features and Improvements

SAML 2.0 Metadata Enhancements

• Metadata import via URL and file upload
  Added support for reading SAML 2.0 metadata from both a URL and a file directly in application configuration.

• Faster metadata refresh interval
  Reduced the SAML 2.0 metadata update rate from 2 days to 24 hours, ensuring certificate changes are detected earlier.

OpenID Connect ACR Claim Improvements

• ACR claim passthrough support
  Added support for passing the ACR claim from an OpenID Connect application to the OpenID Connect authentication method.

Control Client Test Application Improvements

• Re-login and MFA enforcement
  Added support for triggering re-login and requiring MFA in Control Client test applications, improving authentication flow testing.

Bugs Resolved

• Fixed an issue that prevented deleting the last scope in OpenID Connect and OAuth application configurations in the Control Client.
• Fixed an issue where the Extended UI submit button text did not correctly fall back to “Log in” when an empty button label was configured.

This release improves SAML 2.0 interoperability with Microsoft Entra ID and enhances visibility of logout configuration in the Control Client.
It introduces a ready-to-use Microsoft Entra ID SAML 2.0 template, improves login hint handling to accommodate Entra ID limitations, and makes the SAML single logout endpoint easier to discover.

New Features and Improvements

• Microsoft Entra ID SAML 2.0 template
  Added a built-in SAML 2.0 template for Microsoft Entra ID, simplifying configuration and speeding up integration.

• login_hint support for Microsoft Entra ID
  Added support for passing login_hint as a query parameter when authenticating with Microsoft Entra ID.
  This is required because Microsoft Entra ID does not support the Subject element in SAML 2.0 AuthnRequest.

• Visible SAML 2.0 single logout URL
  The SAML 2.0 Single Logout URL is now displayed in the Control Client, making logout configuration clearer and easier to validate.

This release improves usability and clarity when working with NemLog-in integrations and external user lifetimes.
The NemLog-in template has been updated with a direct link to documentation, and external user lifetime configuration is now expressed in days instead of seconds, making it easier to understand and manage.

New Features and Improvements

NemLog-in Template Improvements

• Updated NemLog-in template documentation link
  The NemLog-in template now includes a direct link to the official documentation, making setup and configuration easier and more discoverable.
  Documentation: https://www.foxids.com/docs/auth-method-howto-saml-2.0-nemlogin

External User Lifetime Usability

• Lifetimes configured in days
  External user sliding lifetimes are now configured in days instead of seconds.
  This simplifies configuration and makes lifetime values easier to reason about while retaining the same behavior (extended on each login).

This release introduces a significant improvement to login orchestration and cost efficiency when working with linked environments.
A login (authentication) request is now counted only once across connected environments, allowing you to compose advanced login flows by linking multiple environments with different configurations – similar to modular components – without incurring additional login costs.

In addition, this release expands modular and template-based integrations with identity providers, adds first-class support for DK NemLog-in, improves external user session handling, and enhances filtering and claim mapping capabilities. Several issues affecting claim management and initial login flows have also been resolved.

New Features and Improvements

• Single login count across environment links
  A login (authentication) request is now counted only once in environments connected via environment links.
  This enables orchestration of login flows across multiple environments with different configurations – similar to reusable components – without additional login costs.

• Modular identity provider integrations
  Started building modules and templates to make it easier to connect to identity providers.

• NemLog-in template (Denmark)
  Added a NemLog-in template that enables connection to DK NemLog-in with just a few clicks.
  Documentation: https://www.foxids.com/docs/auth-method-howto-saml-2.0-nemlogin

• DK CPR number collection and validation
  Added a module that can prompt the user to enter a Danish CPR number and validate it after a NemLog-in private login.

• Configurable sliding lifetimes for external users
  External users now support configurable sliding lifetimes in Link External User.
  The lifetime is extended on each login (0 = unlimited).

• Simplified claim mapping
  Removed Extended UI Claim mapping from JWT-to-JWT mappings and retained only the correct JWT-to-SAML claim mappings.

• User filtering by claim value
  Added support for filtering both internal and external users by claim value in the Control Client and Control API.

Bugs Resolved

• Fixed an issue where claims could not be added to a scope if it was initially created without voluntary claims.
• Fixed an issue where the first login in a fresh setup could fail during password change when using PostgreSQL as the database. Also fix other related PostgreSQL errors.

This release strengthens the user creation and login experience in FoxIDs, delivering improved reliability in passwordless (OTP) scenarios, and a more consistent and user‑friendly Control Client interface.
Additional refinements improve test application management and ensure error messages remain visible at all times, contributing to a clearer and more predictable administrative workflow.

New Features and Improvements

• Improved user creation sequence
  The user creation flow is now more robust, especially in cases where the user already exists or is configured for passwordless authentication (OTP).
  This results in more reliable behavior and clearer outcomes during user onboarding.

• More resilient login sequence
  The login process has been enhanced to tolerate situations where a user identifier may be missing, reducing unexpected failures and improving authentication stability.

• Test application name updates
  The test application in the Control Client now supports name changes, making configuration management easier and more flexible.

• Always‑visible error messages in Control Client
  Error messages now remain visible and no longer scroll out of view, ensuring administrators receive clear feedback without losing context.