Emond Papegaaij 21/07/2025 7 min read

Topicus KeyHub 42

We're proud to present Topicus KeyHub 42, which includes improved account attribute management, a new version of the browser extension and completely redesigned pages for managing clients and applications. As always, we also included a great number of smaller improvements and fixes.

 


Important notices

TKH-3336 As announced in the previous release notes, with Topicus KeyHub 42 the database was upgraded to PostgreSQL version 17. If you are still running Topicus KeyHub 35 or earlier, you will not be able to upgrade to version 42 in one step. For assistance on how to upgrade your deployment, please contact us via your usual support channel.


TKH-3380 Changes have been made to the Applications - Create new applications permission for OAuth2 clients. In previous versions, this permission was global. A client with this permission could create applications for all groups.

Starting version 42 this permission is scoped to a specific group. A client can only create new applications administered by this specified group. Clients previously assigned the permission will have the scope set to their technical administrator group. This occurs during the database migration.

If the OAuth2 client expects to be able to create applications outside of their technical administrator group, new permissions must be assigned after the upgrade.


 

Identity Lifecycle Management and Provisioning

This release brings many improvements to attribute management for accounts, both within Topicus KeyHub and for provisioned accounts. Access profiles can attach custom attributes to accounts and many attributes on provisioned accounts can now be customized. Flexibility regarding account customization has greatly increased in all stages of lifecycle management. We've also made significant improvements to the integration of access profiles with organizational units.
  • TKH-2769 Provisioning on SCIM now supports customization of almost all properties.

  • TKH-2829 Access profiles can now be moved to another organizational unit, together with the owning group.

  • TKH-2860 It is now possible to remove access profiles.

  • TKH-3285 Moving groups between organizational units now correctly takes access profiles and their connections into account.

  • TKH-3342 Account attribute definitions can now be multi-valued.

  • TKH-3343 It is now possible to define custom account attribute definitions.

  • TKH-3349 The performance of the full synchronization of linked systems has been improved substantially.

  • TKH-3370 Provisioning on LDAP/AD now supports customization of almost all attributes.

  • TKH-3379 Account attribute definitions can be marked as being unique across all accounts.

  • TKH-3388 When using source directory provisioning, KeyHub will never try to write rotating passwords to the directory, even if Accounts writable is enabled.

image-png-Jul-04-2025-07-02-36-8845-AM

Custom attribute defintions on Active Directory

 

Browser extension

A new version of the browser extension was released. This new version contains several significant improvements to error handling, login form detection and searching.
  • TKH-3299 The browser extension no longer logs messages in the browser console for all pages opened.

  • TKH-3351 Input fields marked with autocomplete="username" are now recognized as user name fields with high certainty.

  • TKH-3357 Searching for vault records in the browser extension now works identically to the main application. Multiple terms are matched independently and don't have to be next to each other.

  • TKH-3376 The browser extension now handles failures to refresh the server version much more resiliently.

 

Redesigned application adminstration pages

TKH-3218 The pages to manage OAuth2, SAMLv2 and LDAP applications were redesigned from the ground up. The pages under the different tabs were all merged into a single page, showing all relevant information at once.
  • TKH-3396 OAuth2 clients without a configured secret no longer display the option to save a secret in the vault.

oauth2client_en-GB-png-1

An OAuth 2.0 Client

 

Assorted improvements

The following larger and smaller improvements and bug fixes were made:

  • TKH-2585 Support dumps now also contain anonymous statistics about usage of the application, such as row counts and data distributions of database tables.

  • TKH-2993 Reasons and comments added to requests no longer have limits on their lengths.

  • TKH-3278 Our tests were switched to an OpenLDAP docker container that is updated regularly.

  • TKH-3280 The RESTfull API now uses LinkableWrapperWithCount where applicable.

  • TKH-3287 It is now possible to attach a custom HTTP header when using OTLP for metrics delivery.

  • TKH-3328 Handling of simultaneous audits for a single group has been improved.

  • TKH-3352 Instructions were added to the manual for setting up source directory provisioning using Entra Connect Sync.

  • TKH-3353 The failsafe when trying to fetch audit records could hide problems in tests. This failsafe is now disabled when running under test.

  • TKH-3354 The section about group details in the manual was improved.

  • TKH-3368 Searching launchpad tiles now works as other search fields throughout the application.

  • TKH-3374 Some minor errors in the manual were fixed.

  • TKH-3377 An error was fixed that could cause a constraint violation when removing groups with many owned groups on systems.

  • TKH-3378 An error was fixed that could cause periodic database cleanup to fail.

  • TKH-3384 Deployment of new VMs on AWS was fixed.

  • TKH-3385 The sandbox that runs attribute scripts was upgraded to isolated-vm 6.

  • TKH-3387 Tests were added for Terraform provisioning for the adjusted create client permissions.

  • TKH-3389 When changing the name of a dashboard folder, the page was not refreshed properly, causing the folder to appear empty.

  • TKH-3391 A section was added to the manual that explains the algorithm for password recovery.

  • TKH-3393 An OAuth2 client registration was added for our new mobile app that's currently under development.

  • TKH-3403 Deleting a group on system would result in an error in some cases.

 

Visit the Topicus KeyHub Manual

Here you can find the complete manual to the latest version of Topicus KeyHub.

Visit manual