We are pleased to announce the 11.0 release of Topicus KeyHub. In this release we started the process of further decentralizing access management. In addition to this and many other new features, this release brings several fixes and addresses some issues found in previous versions. Before upgrading, be sure to read these release notes as some additional actions may be required to ensure smooth operation of Topicus KeyHub.


TKH-654 TKH-686 TKH-727 TKH-743 TKH-757 TKH-758 TKH-759 TKH-765 Based upon the results of a large UX-test among our users, the main menu and the popovers have had a major redesign. The header of the popover uses a different colour for normal interaction versus re-authentication requests. All fields now have clear labels and the different shades of grey have been removed, giving them a much clearer appearance. As we continue to interview our users, more improvements to the design will follow.



TKH-563 Topicus KeyHub now requires a valid license. 11.0 will come with a transition license, valid until the end of 2017. Make sure you've received your license file before updating to 11.0 and update your installation before the end of the year. Starting at the beginning of 2018, Topicus KeyHub will no longer function without a valid license and will require a restart in maintenance mode to upload the license file.


Administration of applications

TKH-742 Administration of application is now performed in a decentralized way. Groups can create and administer applications without needing to contact KeyHub administrators. The upgrade to Topicus KeyHub 11.0 will automatically assign KeyHub Administrators as the technical administrator of all existing applications. The first group with access to an application will get ownership. It is important to review this conversion after upgrading and transfer ownership and/or administration when needed.


iOS app

TKH-419 TKH-728 The iOS app has been rewritten from scratch to bring it in line with the Android app. You can now use our app for multiple accounts and as a general TOTP app. Your existing data will be converted upon installation of the new version. Expect the new app to appear in the store soon.


Small improvements

The following smaller improvements and bugfixes were made:

  • TKH-627 Names of the KeyHub administrators are now reported to the the requester of a password or 2FA reset.
  • TKH-639 TKH-755 Searching the audit log is now much more reliable, faster and includes all fields of an audit record.
  • TKH-658 The web application now uses a Content-Security-Policy header to prevent possible XSS-attacks.
  • TKH-662 The reason for accepting or rejecting a request is now also mentioned in the e-mail.
  • TKH-712 TKH-719 TKH-750 (Ext) Placement of the icons and popout in the browser extension has been improved considerably.
  • TKH-729 (CLI) Error handling in many situations has been improved.
  • TKH-731 (CLI) Write vault value no longer ignores the name parameter.
  • TKH-732 (CLI) Command line parameter values can now be quoted, allowing values to start with --.
  • TKH-733 (CLI) A new list command was added to query groups in KeyHub.
  • TKH-738 (Ext) Records from the personal vault are now displayed before records from other vaults.
  • TKH-746 Revoking consent now invalidates all tokens for that application.
  • TKH-747 TKH-749 (Ext) The browser extension no longer opens multiple, unfocused tabs in the browser.
  • TKH-753 Accounts are now sorted on name, rather than username, by default.
  • TKH-761 All Selenium tests now use headless chrome, replacing the obsolete PhantomJS browser.
  • TKH-763 The OIDC jwks-endpoint now includes the use-element to improve interoperability with other OIDC RPs.
  • TKH-764 Copying passwords is now also possible on a mobile phone.
  • TKH-767 The starting UID for LDAP systems can now be changed.