Versions

• WS-Federation with support for WS-Trust needed for Entra ID support.
• Add WS-Trust and MEX in WS-Federation metadata.
• Improve WS-Federation metadata.
• Improved certificate resource handling by consistently disposing temporary certificate instances after use. This reduces the risk of native handle/resource leaks in certificate validation, metadata generation, and token processing flows.
• WS-Federation application can enable application specific issuer.
• When a authentication methods name is updated, the name is also updated on claim transforms and tasks with the name and in applications allowed authentication methods.
• Related Environment Links are now cleaned up automatically. When an environment is deleted, any related Environment Link connections are deleted as well. If either the application side or authentication method side of an Environment Link is deleted, the related counterpart is also deleted.

• WS-Federation with support for WS-Trust needed for Entra ID support.
• Add WS-Trust and MEX in WS-Federation metadata.
• Improve WS-Federation metadata.

This release improves the reliability of Environment Link logout flows and strengthens the consistency of Home Realm Discovery (HRD) configuration handling across applications and authentication methods.

The update ensures that front-channel logout requests are handled gracefully, even when the associated authentication method session has already been removed. It also resolves an issue where HRD auto-selection based on IP addresses, IP ranges, and regular expressions could stop working for applications linked to authentication methods.

Bugs Resolved

Environment Link Front-Channel Logout Reliability

• Idempotent logout handling
  Fixed a crash that could occur during Environment Link front-channel logout when the logout callback arrived after the authentication method session had already been removed.

• Improved session cleanup behaviour
  Logout requests are now handled idempotently, ensuring that delayed or repeated callbacks are processed safely without causing errors.

Home Realm Discovery (HRD) Configuration Synchronisation

• Fixed HRD auto-selection in linked applications
  Resolved an issue where HRD auto-selection based on IP addresses and IP ranges could stop working in applications linked to an authentication method.

• Complete HRD rule propagation
  Applications linked to an authentication method now correctly inherit all HRD rules when they are created or updated, including:

  • IP addresses
  • IP ranges
  • Regular expression (regex) rules

This ensures consistent Home Realm Discovery behaviour across linked configurations and prevents missing or outdated HRD settings.

Summary

This release delivers significant enhancements across federation protocols, claim transforms, authentication token handling, logging, and the Control Client user experience.

The headline feature is the addition of WS-Federation support for both authentication methods and application registrations, including interoperability with AD FS and Microsoft Entra ID. The release also improves claim transform usability and diagnostics, adds support for issuing refresh tokens from authentication methods to applications, and introduces more detailed Home Realm Discovery (HRD) trace logging.

Additional improvements ensure that the Control Client test applications remain reliable for long-term use, while NuGet package updates address known vulnerabilities and strengthen overall platform security.

New Features and Improvements

WS-Federation Support

• Added WS-Federation support for authentication methods and application registrations.
• Supports metadata import and export, SAML 1.1 and SAML 2.0 tokens, sign-in and sign-out flows, token encryption, and claims mapping.
• Compatible with AD FS and Microsoft Entra ID.

Claim Transform Enhancements

• Claim transforms now support querying users by User ID using the sub lookup claim.
• Updated descriptions and help text throughout the claim transform UI.
• Added colours, summaries, and default-expanded sections to improve usability and troubleshooting.

Authentication and Token Improvements

• Added support for exposing a refresh token from an authentication method in a refresh_token claim.
• The refresh_token claim can now be issued alongside an access_token claim to applications.

Home Realm Discovery (HRD)

• Added more detailed Home Realm Discovery trace logging to simplify troubleshooting.

SAML 2.0 Improvements

• New SAML 2.0 application configurations now include phone and email claims by default.

Control Client Improvements

• Improved the Control Client test applications to ensure reliable operation and compatibility over the long term.

Security and Dependency Updates

• Updated NuGet packages to address known vulnerabilities and improve overall platform security.

User Experience Improvements

• Updated email templates to include more detailed and meaningful text.

Bugs Resolved

SAML 2.0 Certificate Management

• Fixed an issue where removing a SAML 2.0 certificate did not immediately update the UI.
• The same certificate can now be re-added immediately after removal, either by file selection or drag-and-drop.

SAML 2.0 NameID Handling

• Resolved an issue where an external SAML 2.0 NameID could be overridden by a claim transform, resulting in incorrect logout requests.
• Fixed an issue where SAML 2.0 did not correctly select an alternative identifier claim when the NameIdentifier claim was unavailable. FoxIDs now correctly falls back to UPN, Email, or Name.

This release improves logging behaviour for external API integrations, with a particular focus on SMS provider and external service diagnostics.
Instead of globally limiting all log messages to 4 KB, FoxIDs now applies response-size limits only when logging responses from external APIs, such as SMS providers.

This approach preserves detailed internal logging while still protecting the system from excessively large external API responses.

Improvements

Improved External API Response Logging

• Selective response-size limiting
  Log message size limits are no longer applied globally across all logging.

• External API response protection
  Response-size limits are now applied only when logging responses from external APIs, such as:

  • SMS providers
  • External HTTP integrations
  • Third-party services

This release expands Access Structure policies for internal users, introducing hierarchical controls for MFA enforcement, sign-in restrictions, and password policy assignment.
Administrators can now apply security and password policies through access structure nodes, with inheritance across child nodes and prioritised password policy groups.

The release also introduces a new generic Access URL SMS provider, providing flexible SMS integration through configurable API endpoints and placeholders.
In addition, SMS logging has been improved to reduce unnecessary logging, sensitive query parameters are excluded, HTTPS is now required for all SMS providers, and log message sizes are capped to improve stability and security.

New Features and Improvements

Access Structure Policies

Added Access Structure policies for internal users.

Nodes in an access structure can now:

• Require multi-factor authentication (MFA)
• Disable user sign-in
• Assign password policy groups

Policies apply to users assigned to the node and are inherited by child nodes.

Password policy group prioritisation

• Password policy groups are now prioritised according to their order in Environment Settings.
• The Control Client UI now supports reordering password policy groups to control evaluation priority.

Generic Access URL SMS Provider

Added support for a new generic Access URL SMS provider.

The provider can be configured:

• Per environment
• Globally

Configuration options include:

• Base API URL
• Query parameters with placeholders for:
  • Phone number
  • Message
  • Sender name

This enables integration with custom or third-party SMS gateway providers using simple URL-based APIs.

SMS Logging and Security Improvements

• Reduced SMS logging verbosity
  SMS provider logging has been improved to log less information by default and only include SMS message content when errors occur.

• Improved SMS log privacy
  SMS logging now avoids storing query parameters while still including phone numbers for troubleshooting purposes.

• HTTPS required for all SMS providers
  All SMS providers are now required to use HTTPS to improve transport security.

Logging Improvements

• Log message size limits
  Log messages are now limited to 4 KB, reducing excessive log payloads and improving operational stability.

This release introduces Directory Connector support, enabling FoxIDs to integrate with external authoritative user directories while maintaining internal user records.
It allows organisations to delegate authentication and password lifecycle operations to external systems such as Active Directory, while still leveraging FoxIDs for identity orchestration and claims handling.

In addition, a deployable Active Directory Directory Connector component is provided, simplifying integration with on-premises environments.
The release also strengthens security and consistency by enforcing stricter validation of enabled user identifiers in login authentication methods.

Further improvements include expanded Access Structure scalability with support for up to 2,000 nodes, enhanced visibility of certificate information in the NemLog-in template, improved master seed readiness error messages, and updated NuGet packages addressing known vulnerabilities.

⚠️ The External Login – API is now obsolete and will be phased out in a future release. It is recommended to migrate to the Directory Connector for all external authentication scenarios.

New Features and Improvements

Directory Connector

Added Directory Connector support for validating users against an external authoritative directory while maintaining internal FoxIDs users.

• Validate username and password against an external directory.
• Delegate password change and set-password operations to the external directory.
• Save a local password copy by default, allowing future transition to internal validation without forcing password resets.
• Automatically disable or delete internal users when the external directory reports changes.
• Support external directory identifiers via directoryUserId.
• Support password policy error codes from the external directory, enabling clear validation messages.
• Create or update internal users on successful authentication with identifiers, claims, and properties from the directory.
• Includes a documented API contract and sample implementation.

Active Directory Directory Connector Component

Added a deployable Active Directory Directory Connector component for Windows/IIS environments.

• Deployable as a standalone ZIP package.
• Uses static API key protection via FoxIDs Basic authentication, with optional X-FoxIDs-Api-Key support for reverse proxy scenarios.
• Supports user lookup by email, phone, or username.
• Returns directoryUserId as base64 encoded Active Directory objectGUID.
• Authenticates users by validating passwords against AD.
• Supports password change and set-password operations in AD (requires appropriate privileges).
• Returns configurable AD attributes as FoxIDs claims.
• Optional support for nested AD group claims.
• Includes a health endpoint for operational status and AD connectivity checks.
• Comprehensive documentation for configuration, IIS installation, deployment, patching, and updates.

Authentication Improvements

• Stricter user identifier validation
  Enforced stricter compliance for which user identifiers are enabled in login authentication methods, improving consistency and reducing configuration errors.

Additional Improvements

• Expanded Access Structure scalability
  Increased Access Structure capacity to support up to 2,000 nodes, enabling larger and more complex hierarchical access models.

• Improved NemLog-in template visibility
  Certificate information is now displayed in the NemLog-in template within the Control Client, improving transparency and troubleshooting.

• Improved master seed readiness error messages
  Enhanced error messages related to master seed readiness to provide clearer diagnostics and easier troubleshooting.

• Security and dependency updates
  Updated NuGet packages to address known vulnerabilities and improve overall platform security.

This release fixes an issue in the password reset flow, ensuring that the correct communication channel is selected based on user configuration.
FoxIDs now correctly respects user-specific channel restrictions when both SMS and email are available in the authentication method.

Bugs Resolved

Password reset channel selection

• Correct channel selection for password reset codes
  Fixed an issue where FoxIDs could attempt to send a password reset code via SMS even when SMS was disabled for the user.

• Improved channel prioritisation
  If the authentication method allows both SMS and email, but the user is only permitted to reset their password via either SMS or email, the permitted method is selected.

This release introduces Access Structure, a powerful new feature for modelling hierarchical access across both internal and external users.
It enables organisations to define structured access models such as departments, roles, or customers, and automatically resolve user memberships into claims at login.

By converting hierarchical relationships into fixed local claims, the feature integrates seamlessly with existing claim transforms and authorisation logic without requiring dynamic claim handling.
Additional improvements include enhanced token decoding capabilities in the Control Client for better diagnostics and troubleshooting.

New Features and Improvements

Access Structure

FoxIDs now includes a new Access Structure feature for modelling hierarchical access for both internal and external users.

• Hierarchical access modelling
  Define access using a node hierarchy and assign user memberships to specific nodes.
  Each access structure contains a single node hierarchy.

• Resolved access at login
  At login, FoxIDs resolves user membership and inherited hierarchy into fixed local claims, enabling use in existing claim transforms and authorisation flows.

• Optional claim forwarding
  If the default-enabled Forward access structure claims to applications setting is enabled, resolved access claims are forwarded to downstream applications.

Local claims emitted in claim transforms

• _local:access_node
• _local:access_claim
• _local:access_path_claim

Example use cases

• Model customer, department, and role hierarchies
• Assign approver or reader responsibilities through node membership
• Enrich users with resolved access context before claim transforms execute
• Forward resolved access claims to applications when needed

Control Client Improvements

• Token decoding enhancements
  Added support for decoding:

  • UserInfo access_token
  • Logout id_token_hint

  This improves troubleshooting and visibility into authentication flows directly within the Control Client.

This release improves standards compliance for OpenID Connect tokens by correcting how the amr (Authentication Methods References) claim is issued.
The change aligns FoxIDs with the OpenID Connect specification and improves compatibility with standards-compliant clients, libraries, and downstream token validation.

Additionally, the release improves Control Client validation logic by adding missing UI checks for various username formats, ensuring more consistent handling of phone numbers, email addresses, and username combinations.

Improvements

OpenID Connect amr Compliance

• Correct data type for amr claim
  The amr claim is now issued as an array, in accordance with the OpenID Connect specification.

• Improved interoperability
  Previously, amr could be returned as a string, which could cause issues with strict or standards-compliant clients.
  This has been corrected to ensure consistent and reliable token processing across integrations.

Control Client Validation Improvements

• Improved username validation checks
  Added missing UI checks for certain username types, including combinations of:

  • Phone numbers
  • Email addresses
  • Usernames

  This ensures more consistent validation and reduces the risk of invalid or ambiguous user input.