Releases

Test deployment - beta1

This release improves SAML 2.0 interoperability with Microsoft Entra ID and enhances visibility of logout configuration in the Control Client.
It introduces a ready-to-use Microsoft Entra ID SAML 2.0 template, improves login hint handling to accommodate Entra ID limitations, and makes the SAML single logout endpoint easier to discover.

New Features and Improvements

• Microsoft Entra ID SAML 2.0 template
  Added a built-in SAML 2.0 template for Microsoft Entra ID, simplifying configuration and speeding up integration.

• login_hint support for Microsoft Entra ID
  Added support for passing login_hint as a query parameter when authenticating with Microsoft Entra ID.
  This is required because Microsoft Entra ID does not support the Subject element in SAML 2.0 AuthnRequest.

• Visible SAML 2.0 single logout URL
  The SAML 2.0 Single Logout URL is now displayed in the Control Client, making logout configuration clearer and easier to validate.

This release improves usability and clarity when working with NemLog-in integrations and external user lifetimes.
The NemLog-in template has been updated with a direct link to documentation, and external user lifetime configuration is now expressed in days instead of seconds, making it easier to understand and manage.

New Features and Improvements

NemLog-in Template Improvements

• Updated NemLog-in template documentation link
  The NemLog-in template now includes a direct link to the official documentation, making setup and configuration easier and more discoverable.
  Documentation: https://www.foxids.com/docs/auth-method-howto-saml-2.0-nemlogin

External User Lifetime Usability

• Lifetimes configured in days
  External user sliding lifetimes are now configured in days instead of seconds.
  This simplifies configuration and makes lifetime values easier to reason about while retaining the same behavior (extended on each login).

This release introduces a significant improvement to login orchestration and cost efficiency when working with linked environments.
A login (authentication) request is now counted only once across connected environments, allowing you to compose advanced login flows by linking multiple environments with different configurations – similar to modular components – without incurring additional login costs.

In addition, this release expands modular and template-based integrations with identity providers, adds first-class support for DK NemLog-in, improves external user session handling, and enhances filtering and claim mapping capabilities. Several issues affecting claim management and initial login flows have also been resolved.

New Features and Improvements

• Single login count across environment links
  A login (authentication) request is now counted only once in environments connected via environment links.
  This enables orchestration of login flows across multiple environments with different configurations – similar to reusable components – without additional login costs.

• Modular identity provider integrations
  Started building modules and templates to make it easier to connect to identity providers.

• NemLog-in template (Denmark)
  Added a NemLog-in template that enables connection to DK NemLog-in with just a few clicks.
  Documentation: https://www.foxids.com/docs/auth-method-howto-saml-2.0-nemlogin

• DK CPR number collection and validation
  Added a module that can prompt the user to enter a Danish CPR number and validate it after a NemLog-in private login.

• Configurable sliding lifetimes for external users
  External users now support configurable sliding lifetimes in Link External User.
  The lifetime is extended on each login (0 = unlimited).

• Simplified claim mapping
  Removed Extended UI Claim mapping from JWT-to-JWT mappings and retained only the correct JWT-to-SAML claim mappings.

• User filtering by claim value
  Added support for filtering both internal and external users by claim value in the Control Client and Control API.

Bugs Resolved

• Fixed an issue where claims could not be added to a scope if it was initially created without voluntary claims.
• Fixed an issue where the first login in a fresh setup could fail during password change when using PostgreSQL as the database. Also fix other related PostgreSQL errors.

This release strengthens the user creation and login experience in FoxIDs, delivering improved reliability in passwordless (OTP) scenarios, and a more consistent and user‑friendly Control Client interface.
Additional refinements improve test application management and ensure error messages remain visible at all times, contributing to a clearer and more predictable administrative workflow.

New Features and Improvements

• Improved user creation sequence
  The user creation flow is now more robust, especially in cases where the user already exists or is configured for passwordless authentication (OTP).
  This results in more reliable behavior and clearer outcomes during user onboarding.

• More resilient login sequence
  The login process has been enhanced to tolerate situations where a user identifier may be missing, reducing unexpected failures and improving authentication stability.

• Test application name updates
  The test application in the Control Client now supports name changes, making configuration management easier and more flexible.

• Always‑visible error messages in Control Client
  Error messages now remain visible and no longer scroll out of view, ensuring administrators receive clear feedback without losing context.

This release improves logout interoperability between OpenID Connect and SAML 2.0 authentication methods by relaxing the requirement for an ID Token hint in logout flows.
It also includes routine NuGet package upgrades to keep dependencies current and secure.

New Features and Improvements

• Relaxed ID Token hint requirement for SAML logout via OpenID Connect
  The ID Token hint is no longer required when logging out of a SAML 2.0 authentication method through OpenID Connect.
  However, it is still recommended to include the ID Token in any logout request when available.

• Dependency updates
  Updated NuGet packages across the solution.

This release adds new password management capabilities across the Control API and Control Client, including support for setting passwords via secure hashes and managing user passwords directly in the UI.
It also improves configurability of the FoxIDs client interface by allowing company branding and messaging settings to be hidden, and enhances developer experience through richer Swagger documentation.
Additionally, PgKeyValueDB has been updated to fix a runtime issue affecting the Any method.

New Features and Improvements

• Set password API with hashed password support
  Added a Set Password API and support for creating users and setting passwords using a password hash.

• Password management in Control Client
  Added support for setting a user’s password directly in the Control Client.

• Hide branding and messaging settings in client UI
  It is now possible to hide company branding (company name and address) as well as SMS and email settings in the FoxIDs client user interface. Hide settings:

  - name: "Settings__ClientUi__HideBrandingSettings"
    value: "true"
  - name: "Settings__ClientUi__HideSmsSettings"
    value: "true"
  - name: "Settings__ClientUi__HideMailSettings"
    value: "true"
  

• Improved Swagger documentation
  Added documentation in Control API XML summaries and property descriptions to improve Swagger clarity and usability.

• Server URL element in Swagger
  Swagger now includes a servers URL element for improved API discoverability and correct base URL representation.

Bugs Resolved

Resolve “Any method is not supported”

PgKeyValueDB has been updated to version 3.1.1, resolving an issue where the Any method was not supported.

Resolve "Password validation error if no current password"

Can occur if a user is created without a password and then set the password e.g. with a email code.

This release upgrades FoxIDs to .NET 10, delivering the latest runtime improvements and long term support benefits.
It also includes multiple enhancements across dependencies, Control Client usability, claims handling, and SAML interoperability.

A major addition is support for Password Policy Groups and Aging, giving administrators more flexible password control per environment. Environments can now define up to 10 named policy groups in Environment Settings and assign users to them. If no group is assigned, the environment's base password policy applies.
The policy itself has been extended with controls for maximum password length, banned characters, password history checks, maximum password age, and a soft password-change window. Users now store PasswordLastChanged, and during login passwords are validated against the active policy. Expired passwords require change, while soft aging prompts users without blocking sign in.

In addition, a critical Windows Server certificate loading issue has been resolved through fallback read methods, and a Control Client test application URL update bug has been fixed.

New Features and Improvements

Upgraded to .NET 10

FoxIDs now runs on .NET 10 for improved performance, security, and platform support.

General Platform and UI Improvements

• Dependency updates
  Updated NuGet packages across the solution, including PgKeyValueDB.

• Control Client claims and text updates

  • Improved claims mapping in the Control Client.
  • Improved rendering and handling of text pages.

• Better internal user claim handling
  Improved support for phone and email claims on internal users, instead of having the values as identifiers.

• Improved browser auto-complete
  Enhanced username and password auto-complete behavior in supported browsers.

• Improved time formatting in Control Client
  Updated date and time presentation for certificates and logs to be more consistent and readable.

• UI spacing refinements
  Added more space between buttons in button groups for clearer layouts.

• Unified SAML Authn endpoint
  Added support for using the SAML Authn endpoint as a single URL that:

  • Serves IdP metadata on GET, and
  • Handles AuthnRequests via Redirect/POST.

Password Policy Groups and Aging

This release adds support for password policy groups per environment and extends the base environment password policy.

Environments can now hold up to 10 named policy groups, each with an optional display name. Users may be linked to a group by name. If no group is assigned, the environments base password policy applies. The feature is exposed in the Control Client UI under Envionment Settings.

The password policy has been expanded with new controls:

• Maximum password length
• Banned characters list
• Password history check
• Maximum password age
• Soft password-change window

Users now also store `PasswordLastChanged, set on initial password creation and on later password changes.

Login behavior:

• Passwords are validated against the active policy during login.
• If a password exceeds maximum age, the user must change it.
• With a soft password-change window enabled, users are prompted during login and may either change immediately or continue signing in normally.
• Reset-password flows always enforce a hard password change regardless of soft window settings.

Bugs Resolved

Certificate loading reliability fix

A reliability issue affecting certificate loading on Windows Server in certain cases has been resolved.
Fallback certificate read methods have been added to ensure stable certificate handling across environments.

Unable to change client ID on test application

Resolved an issue where the test application URL was not updated when the client ID was changed.

This release strengthens session lifecycle management across FoxIDs, improving how user sessions are created, updated, and removed.
It introduces new APIs for retrieving and deleting individual active sessions, prevents unintended session creation when session tracking is disabled, and improves robustness through safer active session updates.

New Features

• Session cleanup on Control Client login
  Ensure that user sessions are deleted when logging in through the Control Client, preventing stale sessions from persisting.

• Active session retrieval and deletion APIs
  Added new APIs to:

  • Retrieve a single active session
  • Delete a single active session

• Respect disabled session settings
  Sessions are no longer created in the Login authentication method when session settings are set to 0 (disabled).

• Safer active session updates
  Added null checks before assigning applications and authentication methods to an active session, preventing unexpected failures.

This release introduces extensive improvements to claim handling, session management, authentication flows, UI functionality, and security hardening across FoxIDs.
Enhancements include richer claim transform capabilities, improved login and environment management in the Control Client, extended dynamic content and CSS generator support, stronger session validation, improved certificate handling, and refined security headers.

New Features

Claim Transform Enhancements

• Added support for saving claims on both internal and external users through a claim transform task.
• Added support for querying external users using the linked claim value in a claim transform task.
• Added the ability to select which claims are queried on internal or external users within a claim transform task.
• Added support for logging events that include claim values during claim transform execution.
• Added support for large text translations, used in UI elements displaying content such as terms and conditions.
• Dynamic content now supports checkbox fields, large text fields, and large HTML elements.
• Width support for Markdown formatting in text and large text fields.

Control Client Improvements

• Added easy access to log in to the test application again after logout.
• Environment Settings now auto-scrolls to the top after deleting an environment.
• Updated CSS generator with support for large content and checkbox elements.

Authentication and Protocol Improvements

• OpenID Connect now displays invalid redirect URIs on the generic error page.
• The SAML 2.0 application now checks the HTTP form for a login hint if it is not supplied via query parameters or the SAML 2.0 request from the relying party.
• Default behavior updated (new environments): refresh tokens are now deleted when a user changes or sets a password in master environments.
• Added support for active sessions stored in the database, allowing remote session termination.
• Access token sessions are now validated using the sid claim and active session data in the UserInfo endpoint.
• Added support for deleting refresh token grants per session ID.

Security and System Enhancements

• Health checks can now verify individual dependencies separately.
• Updated jQuery Validate JavaScript library.
• Improved handling of security headers by allowing any request headers (not only Content-Type and Authorization) in Control.
• Added broader support for Permissions-Policy security headers.
• Stream logger now flushes only Application Insights data for improved performance.
• Improved certificate upload flow and added support for PEM files (.crt + .key).