Glenn Bakker 6/01/2025 5 min read

Topicus KeyHub 38

We are proud to announce Topicus KeyHub 38. With this release, we continue moving closer to a full IGA suite. While this release primarily focuses on expanding IGA functionality, we have also made optimisations and enhancements in other areas. As always, we also included many smaller improvements and fixes.

 

Profile attributes

In the previous release, we worked on expanding access profiles with the ability to generate certain attributes for users. Example attributes would be an email address, username and display name. While these are common account attributes, we are working on making it possible to create custom attributes and define sources from which their values can be retrieved.

TKH-3120 TKH-3135 We are now expanding the generation of access profiles attribute values with attribute rules. With these rules, it's possible to prioritize which source leads in calculating the current attribute value for an account. KeyHub now keeps track of previous attribute values and from which source it originated.

TKH-3145  Besides the continued work on access profiles in the backend, we also started working on a user interface for managing and displaying attribute values.
Below is a preview of how the details page of a selected attribute will look.

attributedetails_en-GB-png-2

 

Improvements to source provisioning

TKH-3147 We resolved an issue where KeyHub would incorrectly mark accounts with rotating passwords as unsynced in the hourly sync to a source directory, which led to the user being unable to activate groups on that system.
TKH-3153 When initializing accounts on an Azure OIDC source directory, KeyHub would incorrectly try to initialize accounts without passwords.

 

Empty vaults

TKH-2940 We've made some adjustments to the vaults page to improve the experience for all users. It's now possible to select any group that you are a member of in the filter bar at the top, whereas previously only groups with vault records were listed.

If the selected vault contains no records, an empty vault panel will be shown to help users quickly add a new record to that vault.

 

Assorted improvements

The following larger and smaller improvements and bug fixes were made:

  • TKH-3107 Added missing translations for the rotating password required error.

  • TKH-3111 KeyHub administrators which are marked for removal during an audit, no longer receive mails that suggest they can process the removal request.

  • TKH-3122 We've implemented a 2-second time-out on the retrieval of SAML metadata from a URL, if the supplier doesn't respond.

  • TKH-3125 The notifications endpoint no longer gives an error if the user doesn't have the correct permissions.

  • TKH-3128 When adding a new KeyHub administrator, the panel no longer incorrectly implies that the vault recovery key is required.

  • TKH-3129 The application server was upgraded to WildFly 34.0.0.

  • TKH-3131 When updating KeyHub, steps that have been skipped now include a grey checkmark for a more clear visual indication.

  • TKH-3132 Opening the manual from the license update confirmation page now leads to the corresponding chapter, instead of the start of the manual.

  • TKH-3134 Fixed an error that could occur during the encryption scheme upgrade for users logging in after a long period of inactivity.

  • TKH-3137 We've added more automated tests for our terraform provider.

  • TKH-3138 We've resolved a specific scenario where returning to the vaults page, after unsharing a vault record, would result in an error page.

  • TKH-3139 Increased the refresh delay on retrieval of SAML metadata, to reduce excessive logging if it fails to do so.

  • TKH-3143 Reordered the audit records created when moving, sharing or copying a vault record. First the type of movement is logged and then the effects of said movement.

  • TKH-3150 The KeyHub administrator should no longer be asked for the vault recovery key, when adding a manager through override to a group with vault recovery disabled.

  • TKH-3152 Improved error reporting on script failures executed by the script engine.

  • TKH-3160 LDAP serviceaccounts with password rotation no longer causes an exception during full sync to the system.

  • TKH-3161 Improved the check that determines if the EmptyVaultPanel should be visible, so it's not shown .

  • TKH-3162 Implemented query caches, optimized many queries and changed some configuration, to workaround a bug in Hibernate.

 

Visit the Topicus KeyHub Manual

Here you can find the complete manual to the latest version of Topicus KeyHub.

Visit manual

avatar

Glenn Bakker

Software Engineer