Emond Papegaaij 2/06/2025 12 min read

Topicus KeyHub 41

We're thrilled to introduce Topicus KeyHub 41, which includes a more streamlined group auditing workflow, a first step in syncing with AFAS HRM as an identity source, and notable improvements to our provisioning engine. As always, we also included a great number of smaller improvements and fixes.

 


Important notice

We are planning to upgrade PostgreSQL to version 17 in the next release (Topicus KeyHub 42). If you are still running Topicus KeyHub version 35 or earlier (running on PostgreSQL 12), it is essential that you upgrade to a more recent version before the upcoming version 42 release, which is expected on 21 July 2025.

It will be impossible to upgrade from version 35 or earlier to version 42 or later in one go. Failing to upgrade now will mean difficulties trying to upgrade after Topicus KeyHub 42 has been released.


 

Streamlining group audits

TKH-3088 Group managers who need to audit multiple groups at the start of the new month can now experience a more streamlined flow. When starting from the dashboard notification, you will be able to save an audit and immediately continue to the next group. You no longer need to go back and forth between audits and your dashboard.

 

Identity Lifecycle Management and Provisioning

As with the previous releases of KeyHub, we're continuing our efforts towards building a robust provisioning engine for our IGA suite. Read more about the elements of our IGA suite in releases 40, 39, and 38.

The most significant change in this release is how we deal with renamed accounts. Prior to version 41, we would simply delete the old account and create a new one. This was fine for Just-In-Time provisioning, but is of course not desirable for the primary account of a user. KeyHub can now track these name changes and rename the account accordingly. In addition to this change, several bugs were fixed in source directory provisioning.


 

  • TKH-1074 Numbering of POSIX groups (gid) on LDAP now uses numbering sequences similar to user identifier (uid) numbering.
  • TKH-1874 TKH-2808 The provisioning engine now tracks the identifier of accounts on provisioned systems, allowing the detection of changes of this identifier. With this, KeyHub can now move or rename accounts rather than recreate them.

  • TKH-3282 When using source directory provisioning on an OpenLDAP directory, the user identifier (uid) is taken from the directory and matched with the numbering sequence.

  • TKH-3295 Topicus KeyHub no longer tries to connect to deactivated provisioned systems.

  • TKH-3303 It is now possible to configure the retention period for orphaned accounts when using source directory provisioning with writable accounts.

  • TKH-3304 We've resolved a bug where a missing check could cause accounts to be removed from a source directory even when configured with unwritable accounts.

  • TKH-3309 When deactivating or removing source directory provisioning with unwritable accounts, the options listed no longer mention removing accounts.

  • TKH-3123 TKH-3327 Test coverage for corner cases in the provisioning engine was improved substantially.

  • TKH-3344 A slowdown in the full synchronization that was introduced in Topicus KeyHub 39 was identified and fixed. This slowdown was particularly noticeable on linked systems with many groups.

  • TKH-3347 A regression was fixed that caused disabled linked systems to be missing in the metrics.

 

Synchronizing accounts from AFAS (Beta)

TKH-3284 We've started development on a whole new concept: identity sources. Our first implementation allows you to synchronize accounts from AFAS HRM to Topicus KeyHub and from there to any other system that's supported for provisioning, such as Active Directory, Entra ID or SCIM. This ensures your employee accounts will always be in sync with whatever is defined in your HRM. At the moment this module is still in beta, with only basic information being synchronized. However, we are continuing development on this module and we do expect support for more attributes and also other source systems soon.

If you want more information on this new module, don't hesitate to contact us via your usual support channel or fill in our contact form.

 

Assorted improvements

The following larger and smaller improvements and bug fixes were made:

  • TKH-2515 Pressing ctrl-alt-del on the terminal no longer reboots the VM.

  • TKH-2662 Information about the license usage, such as the number of users and seats used, is now exposed via the metrics.

  • TKH-2840 The validity of the installation license was extended by one year.

  • TKH-3130 Error reporting for the command line interface has substantially been improved. Also, a new --verbose option was added for more verbose logging.

  • TKH-3141 It is now possible to write TOTP keys via the Terraform provider.

  • TKH-3272 An error was fixed that occurred when adding the same group to a group on system more than once.

  • TKH-3283 The virtual appliance no longer tries to contact our software repositories when booting for the first time.

  • TKH-3288 An error was fixed that could occur when opening your browser with tabs open on pages that no longer exist.

  • TKH-3291 Password recovery now correctly handles and reports passwords that do not meet the password complexity restrictions on the directory.

  • TKH-3292 The friendly-challenge captcha used on the login page was upgraded to 0.9.19.

  • TKH-3294 Changing some configuration options in the appliance manager could cause KeyHub to restart without this being reported to the user.

  • TKH-3297 System tasks running in the appliance manager now report counts, successes, and errors in the metrics.

  • TKH-3298 An error was fixed that could occur if a user was forced through a password change with an active session.

  • TKH-3299 A log message about the supported service contract versions was removed from the browser extension.

  • TKH-3300 The OpenAPI specification now correctly uses format duration for properties of type duration.

  • TKH-3301 When using additional authorization on group activation, it is now possible to view and revoke such authorization.

  • TKH-3302 When running on AWS the VM now defaults to the NTP services provided by the platform.

  • TKH-3306 When using offline updates, some obsolete packages could remain installed, causing other package updates to be blocked.

  • TKH-3307 A glitch in the user interface for adding, editing and removing WebAuthn keys was fixed.

  • TKH-3308 The description for the helpdesk property on directories was updated.

  • TKH-3310 Some directories would not show up in the breadcrumbs bar at the top of the page.

  • TKH-3311 Refresh tokens could be revoked too early. This was especially noticeable when using the CLI with a custom client with secure storage.

  • TKH-3312 The list of organizational units for OAuth2 clients is now sorted alphabetically.

  • TKH-3314 Durations in JSON responses would be rendered as their number of seconds, rather than in ISO notation.

  • TKH-3315 The maximum length restriction for tokens and custom headers for webhooks and SCIM linked systems was lifted.

  • TKH-3316 Handling and re-evaluation of duplicate attribute values (such as duplicate email addresses) was improved substantially.

  • TKH-3317 The error page now shows the date and time of the error in addition to its reference, making it easier to find the error in the logs.

  • TKH-3318 Under some rare circumstances, password recovery shares were not rebuilt when the keys were reset. This would lead to errors when trying to use those shares to perform a recovery.

  • TKH-3319 Members of the owning group of an organizational unit will no longer have the option to handle move group requests. This restriction applies if they are not also members of the origin organizational unit.

  • TKH-3320 Accounts registered since Topicus KeyHub 38 would not have their 'has-been-active' flag set to true, which would lead to problems when performing a password reset.

  • TKH-3322 KeyHub Administrators can now change their own license role between business and pro.

  • TKH-3323 It is now also possible to change the license role for other KeyHub Administrators directly via the account details page.

  • TKH-3324 Checking the validity of an account in an LDAP directory (such as Active Directory) now also checks if the DN of the account is still correct.

  • TKH-3325 Vault records without a username set no longer render the empty username as a clickable field.

  • TKH-3326 The application server was upgraded to WildFly 36.

  • TKH-3329 A missing check for missing secrets was added when updating a vault record directly via the API.

  • TKH-3330 The new connector service would continue to synchronize its configuration in an endless loop if no identity sources were configured.

  • TKH-3331 Some API endpoints could trigger side effects on linked systems prior to checking the authorization of the request.

  • TKH-3332 Not setting the provisioning_enabled property on a group_on_system in Terraform could result in an error.

  • TKH-3333 A vault record containing only a TOTP key could not be changed without changing the TOTP key.

  • TKH-3335 Failure to communicate with KeyHub itself will no longer cause background services to crash in the appliance manager.

  • TKH-3337 The command line interface now directly opens the browser if the JRE supports this.

  • TKH-3341 The different license roles are now described in the manual.

  • TKH-3346 Pgpool-II was upgraded to version 4.6.1.

  • TKH-3350 The popup for adding client permissions to an OAuth2-client once again shows translated instead of raw permission type descriptions in the dropdown.

 
