We are pleased to announce Topicus KeyHub 14.1. This release greatly enhances the auditor dashboard and brings several long-standing features. As usual, a number of smaller improvements have been made and several issues have been fixed. Before upgrading to 14.1 be sure to read the following important notices.

Important notice: SSO with Google G-Suite

TKH-1191 We strongly recommend all installations using SSO with a Google G-Suite directory to be upgraded to 14.1. An error in the validation of the hosted domain could allow a user from a different hosted domain to register an account when this was not allowed. In 14.1 the hosted domain attribute is again checked correctly and now also support multiple hosted domains.

Static provisioning

TKH-1160 One small checkbox for KeyHub, one giant leap for our customers. Topicus KeyHub now supports static provisioning. This feature allows groups to stay active as long as a user is member of a group. The group is automatically activated when the user joins the group and deactivated when the user either leaves the group or the account is disabled.


The following smaller improvements were made w.r.t. account provisioning:

  • TKH-1172 It is no longer possible to force a rotating password when using source directory provisioning.
  • TKH-1186 Accounts created by Topicus KeyHub now have a description containing a notice and the directory they were created from.

Auditor dashboard

TKH-1048 TKH-1165 TKH-1169 TKH-1170 Working with the feedback we received on our first iteration of the auditor dashboard we have packed an improved version in 14.1. It is now possible to search for groups by name or by member. Per group the date of the last audit is shown next to the date of the next audit and important configuration issues are shown (for example, when none of the members of a group can access the vault). On the detail screen, an overview of the members and vault records was added.


OAuth 2.0 Device flow

TKH-1137 TKH-1195 Topicus KeyHub now implements the OAuth 2.0 Device Flow for Browserless and Input Constrained Devices. This allows us to perform a user login from the command line. Any user of Topicus KeyHub can now download and run the CLI and access records in his or her vault. As described in the specification, this new endpoint is exposed in the (also newly added) OAuth 2.0 Authorization Server Metadata.


Small improvements

The following smaller improvements and bug fixes were made:

  • TKH-995 The styling when opening a vault record with a closed vault has been improved greatly.
  • TKH-996 It is now possible to access the 2FA code when editing a vault record.
  • TKH-1163 A toggle all link was added to the check boxes for selecting audit months.
  • TKH-1166 When enabling auditing for the first time, Topicus KeyHub no longer complains about expired audits for previous months.
  • TKH-1168 When a vault record with an expiry date and no reminder in advance expires, this is now also shown on the dashboard.
  • TKH-1171 An error was fixed when navigating back and forth between the vaults and records.
  • TKH-1176 It is now possible to search for groups with a certain account.
  • TKH-1177 An error was fixed when searching with some very specific queries.
  • TKH-1181 An error was fixed when switching tabs while selecting a certificate for a server.
  • TKH-1182 Several rendering issues for audit records on the dashboard were fixed.
  • TKH-1187 An error was fixed when enabling 2FA and entering an incorrect code many times.
  • TKH-1188 The user interface for access management has been improved w.r.t. removing access.
  • TKH-1190 Handling of some corner cases during the login flow was improved.
  • TKH-1193 My groups now uses the entire width of the screen to improve readability with long group names.
  • TKH-1196 The number of different screen widths has been reduced, creating a more uniform user experience.

To the appliance, the following smaller improvements and bug fixes were made:

  • TKH-1150 The IP-table rules were redesigned to put the LDAP port in the management zone.
  • TKH-1173 The button to generate a certificate during install is now hidden when Let's Encrypt is enabled.
  • TKH-1174 The browser session is now kept alive during the install.
  • TKH-1178 The Topicus KeyHub appliance now supports multiple network interfaces. The primary interface will be renamed from eth0 to eth-tkh.
  • TKH-1180 Problems with the DNS will no longer cause SaltStack to timeout.
  • TKH-1185 Automatic recovery of a stale database lock was added.
  • TKH-1189 The number of available system updates is now correctly updated immediately after installing them.
  • TKH-1192 Upgrading docker could lead to a snapshot recovery due to a version mismatch.
  • TKH-1200 It is now possible setup a public key for SSH for the backup user.