We are pleased to announce the 12.0 release of Topicus KeyHub. This release largely focuses on vaults. Functionality, appearance and user interaction of this area have improved substantially. Furthermore, a large number of smaller improvements have been made and several issues have been fixed.

Vaults redesign

TKH-808 TKH-809 In Topicus KeyHub 12, the vaults have been redesigned from the ground up in response to a set of user interviews we've conducted over the past 6 months. The new design is cleaner, more compact and scales better on smaller devices.



TKH-768 TKH-801 TKH-812 As can be seen in the screenshot above, the clickable bar to lock and unlock your vault is gone. Vaults are automatically unlocked at logon if possible and stay unlocked for the duration of your password session (which has been increased to 4 hours). Moreover, the browser extension shares this session, greatly reducing the number of times you will be asked to enter your password.

Vault records

TKH-628 TKH-737 TKH-740 Vault records can now contain a password, a 2FA secret and a file at the same time. The button to add new records has been moved to the top of the page, and adding and editing records is now also possible from the browser extension.

Vault management

TKH-766 TKH-833 TKH-846 Management of vaults has been greatly simplified. Vaults are created on-demand when a group member adds a record to the vault. Because members gain access to vaults automatically, the user interface to manage vault access has been removed. If a member loses access to a vault after a password reset, he or she can request access by simply trying to view a record.
Removed vaults now remain accessible for 100 days. In this period the records from the vault can be restored to the vault of another group. For personal vaults, the records can only be restored to the account they belonged to.


Custom attributes for SAML and OIDC

TKH-855 You can now define custom attributes for SAML v2.0 and OAuth2/OIDC applications. These attributes can be used to improve integration between Topicus KeyHub and other systems, for example by passing the groups of the user to the external application. These attributes are programmed in JavaScript.


Small improvements

The following smaller improvements and bugfixes were made:

  • TKH-702 TKH-829 TKH-836 TKH-799 Many test cases were added for the browser extension, maintenance mode, modification requests and (de)provisioning, greatly improving test coverage.
  • TKH-789 The CLI now has support for queries across vaults.
  • TKH-792 TKH-857 The browser extension now refreshes the profile page after installing and connecting.
  • TKH-795 Licenses now support multiple domains for failover/backup purposes.
  • TKH-802 TKH-841 Handling of closed popups has been improved, resulting in better performance and fewer errors.
  • TKH-803 We now have a Docker container that can be used as an HTTPS proxy for KeyHub.
  • TKH-804 Dependencies on external resources were removed from the build process.
  • TKH-805 Audit log records for assignment of uids on provisioned LDAP systems are no longer visible on the dashboard.
  • TKH-811 The container has been upgraded to WildFly 11.0.0.
  • TKH-815 The browser extension now uses version negotiation to be compatible with older versions of Topicus KeyHub.
  • TKH-816 All JavaScript dependencies used by the browser extension have been updated to their latest version.
  • TKH-817 KeyHub administrators no longer see audit messages for all groups on their dashboard.
  • TKH-823 Errors during provisioning are now always logged at WARN level.
  • TKH-824 TKH-828 Fixed some issues with running Topicus KeyHub in maintenance mode.
  • TKH-825 When running in maintenance mode a prominent message is shown on the login page.
  • TKH-827 Fixed an error with the handling of unusually long user agent strings.
  • TKH-830 Topicus KeyHub now comes with a free license for 5 users for installation and testing purposes.
  • TKH-834 A race condition was fixed which could cause a successful login to trigger an error.
  • TKH-837 Consistency of internal naming conventions has been improved.
  • TKH-838 Accounts can now be provisioned with a prefix added to their usernames.
  • TKH-844 A "Getting Started" section was added to the user manual (Dutch only).
  • TKH-845 The docker-compose file in the manual has been upgraded to version 3+.
  • TKH-848 An OAuth2/OIDC application can now use only one grant type (code or client credentials).
  • TKH-850 The quick search for vault records on the dashboard now also works after expiry of your session.
  • TKH-854 The account validity check now uses the original username in the directory.
  • TKH-856 Re-authentication is now required when changing your SSH public key.
  • TKH-859 Accidentally opening the internal error page now redirects to the dashboard.
  • TKH-863 A mismatching Topicus KeyHub password (caused by a bug in an older version) can now be fixed via the change password wizard.