Glenn Bakker 6/05/2024 9 min read

Topicus KeyHub 33

We are proud to announce Topicus KeyHub 33. This release brings a great variety of improvements to provisioning and some noteworthy improvements to organisational units. Furthermore, we've also added many smaller and larger improvements throughout the entire suite.


There are a lot of different improvements to provisioning in this release, ranging from smaller quality-of-life additions to bigger new features. Some improvements are specific to a certain type of systems, others are generally available.


These improvements affect all types of linked systems:

  • TKH-2771 Service accounts can now also have an SSH public key bound to them, if the linked system on which the service account resides supports this.

  • TKH-2792 Sometimes a linked system does not support groups, or there is a need to just enable an account without having to add it to a group. With account-only provisioning it is now possible to provision an account on a linked system without the need to add it to a group.

  • TKH-2857 It's now possible to configure how long accounts should be retained on a linked system, for linked systems that disable rather than remove those accounts. This is now configurable in days, weeks, months or years instead of the previous immutable period of 2 weeks. This period starts when an account loses all access to the system, for example when the account in KeyHub is disabled.

These are some improvements that apply specifically to Active Directories:

  • TKH-2734 The type of the security group can now be specified when creating a group on an Active Directory. The security group type can either be set to global security or local security. This security group type corresponds to the types available in an Active Directory.

  • TKH-2740 The SSH public key of accounts can now also be stored in the 'altSecurityIdentities' attribute. This attribute does not require custom object classes, but it is not officially meant to specifically store an SSH public key, thus we can't guarantee other programs might not use the attribute for a different purpose.

Last but not least, these various improvements are also included:

  • TKH-2751 The Microsoft-graph SDK, which is used for communication with Entra ID, was upgraded to 6.5.

  • TKH-2755 The owning group of a linked system is now able to see all groups-on-system within the linked system.

  • TKH-2758 Restructured the 'Linked systems' chapter in the manual to reflect the menu options on the linked system pages.

  • TKH-2794 It's no longer possible to add or remove a group-on-system that does not support provisioning (such as predefined roles on Entra ID).

Organisational units

In the previous version of Topicus KeyHub, we've added the possibility to move groups from one organisational unit to another. Whilst this is very functional, we felt that we could further improve the reporting on these changes by including more details in the report.

Alongside the more detailed report, we've also made minor improvements to the interface of these pages for a smoother experience.

This release also makes it possible for an organisational unit to assign which groups should be responsible for processing the requests for creation or removal of groups and enabling the technical administration role for a group.

  • TKH-2782 Expanded the changes report with the total amount of changes and the effect these changes will have. Changes in report now includes the names of the accounts, groups and service accounts affected by these changes.

  • TKH-2778 Each organisational unit can now assign which groups are responsible for processing certain administrative request.

Additional changes when moving groups to another organisational unit


Assorted improvements

The following larger and smaller improvements and bug fixes were made:

  • TKH-2677 Accounts shown in manual now have more readable display names.

  • TKH-2707 Display names of accounts are used for modification requests instead of usernames, to improve readability for the request processing party.

  • TKH-2725 Hide non-editable fields when creating a new namespace, to avoid confusion.

  • TKH-2730 Dropdown menu options with a very long name are no longer cut-off.

  • TKH-2748 Further expand validation on creation of certain transfer requests.

  • TKH-2759 It's now possible to activate the group directly from the vault record page, if group activation is required to read the vault record.

  • TKH-2765 KeyHub password prompt pages now include prefilled hidden username fields, to provide more context for password managers with multiple KeyHub login credentials stored.

  • TKH-2766 TKH-2843 TKH-2864 Started working on implementing SCIM v2 support.

  • TKH-2776 Upgraded to Shiro 2.0.

  • TKH-2777 The header of the confirmation panel when leaving a group no longer implies you are removing the group.

  • TKH-2784 TKH-2812 Further improved and expanded our automated tests.

  • TKH-2793 A concurrency issue could occur when unlocking your vault, caused by multiple background processes trying to update the same records.

  • TKH-2800 The SAML endpoints now return HTTP 400 response on invalid SAML requests, instead of HTTP 500.

  • TKH-2801 Back-navigation to large pages was fixed. A limit in WildFly would block the deserialization of larger object structures.

  • TKH-2802 Exceptions occurring when recording OAuth2/OIDC client API version usage are now logged and no longer break the process.

  • TKH-2810 Added support for EntitiesDescriptors in SAML metadata.

  • TKH-2811 Started laying groundwork for access profiles.

  • TKH-2813 TKH-2825 TKH-2826 TKH-2827 Improved validation checks on integrity of transfer requests when the request is being processed, to avoid creating invalid scenarios.

  • TKH-2814 The option to clear the recorded list of used API versions of OAuth2/OIDC applications was incorrectly visible for all, now only the technical administrators can clear the list.

  • TKH-2816 Processing of certain requests would always log the KeyHub administrators group in the audit log as the processing party, instead of the group which processed the request.

  • TKH-2818 Minor performance optimisations to our database connectivity were made.

  • TKH-2819 First time provisioning a user to multiple LDAP systems using the same number sequence no longer triggers a unique constraint violation.

  • TKH-2821 Release versions now start at xy-0 for improved version comparison when checking for updates.

  • TKH-2824 Retrying WebAuthn authentication now works again. This was broken in the previous release.

  • TKH-2828 Screenshot of expired vault record notification also incorrectly included different notification.

  • TKH-2830 Included information on daily synchronisation of account status to 'Clean up accounts' chapter in manual.

  • TKH-2831 TKH-2832 Upgrading cluster could sometimes create a scenario where the database on one node would become out of sync and not automatically recover.

  • TKH-2834 An incorrect error message would be shown if there was a mismatch between the organizational unit of a group-on-system and the group requesting access.

  • TKH-2835 Licence-role of an account is now included when an export of accounts is made.>

  • TKH-2837 Further described where and how a classification of a group can be changed in the manual. We've also added a visual indicator that the classification field is mutable on the auditor dashboard.

  • TKH-2842 It was possible to retrieve secrets for multiple vault records at once via the REST API, which should have been blocked.

  • TKH-2844 More logs of our various docker containers are included in our support dumps.