What's new

Look here for the new features and other information that is specific to the current release of IBM® Security Verify.

Note: The new features might not be available in your location yet.

July 2024

IBM Security Verify now supports adding access policies to profile management. See Create a user profile.
The attributes for password dictionary were added to the payloads for management and authentication events. See Management event payload and Authentication event payload.
IBM Security Verify now supports generating a users list report. See Generating a users list report.
IBM Security Verify Gateway for Windows Login has updates to the config.json file. See The config.json file.
IBM Security Verify Gateway for Linux PAM and AIX® PAM has updates to system configuration modules. For information see, "pam":{}, "ibm-auth-api":{}, and The PAM system configuration file.
IBM Security Verify Gateway for Linux PAM and AIX® PAM supports additional operating systems. See Overview.
IBM Security Verify now supports Verifiable credentials. See Managing verifiable credentials.
The Configure your application in Google topic was updated. See Configuring your application in Google.
Notification webhooks now support JWT and mTLS authentication types. See Creating a notification webhook.
The user invitation option for identity providers is now available in the Add identity provider flow. For examples, see Adding a SAML Enterprise identity provider, Configuring an OIDC Enterprise identity provider, Adding a MaaS360 Cloud Extender identity provider, and Configuring an on-prem LDAP provider.
Updated list of supported application templates. Added support for the following applications:
- None
See Supported connectors for applications.

Notifications

Generic User Count and CSV Download features are not yet deployed in the following environments.
- Australia
- Canada
- Japan
If these features are included in the plan for your tenant, but your environment is not yet updated, the features do not work correctly.
When a POST request is sent to the /oidc/endpoint/default/* and /v1.0/endpoint/default/* endpoints, the parameters must be sent in a POST body and not in the query parameters. Enforcement of this restriction begins 20 July 2024 to ensure that security standards are followed.
To improve security, the state and nonce query parameters in the OpenID Connect authorization request must be at least 8 characters long. This change becomes effective 30 June 2024. Ensure that your applications are updated.
Application grants v1.0 APIs /v1.0/appgrants are deprecated. The end of life is 30 June 2024. See Deprecated APIs. The new APIs require the application ID to be specified and either "Manage OIDC and OAuth application grants" or "Read OIDC and OAuth application grants" API entitlements.
The Subscription Usage Dashboard is currently still in preview mode. Some inaccuracies were discovered in the usage statistics. The levels of consumption for your subscriptions might be incorrectly displayed in the dashboard. The issue is being worked on.
Note: The inaccuracies in the data that is displayed do not affect your billing in any way.

June 2024

No new features were added in June.
Updated list of supported application templates. Added support for the following applications:
- No new applications were added.
See Supported connectors for applications.

Notifications

When a POST request is sent to the /oidc/endpoint/default/* and /v1.0/endpoint/default/* endpoints, the parameters must be sent in a POST body and not in the query parameters. Enforcement of this restriction begins 20 July 2024 to ensure that security standards are followed.
To improve security, the state and nonce query parameters in the OpenID Connect authorization request must be at least 8 characters long. This change becomes effective 30 June 2024. Ensure that your applications are updated.
Application grants v1.0 APIs /v1.0/appgrants are deprecated. The end of life is 30 June 2024. See Deprecated APIs. The new APIs require the application ID to be specified and either "Manage OIDC and OAuth application grants" or "Read OIDC and OAuth application grants" API entitlements.
The Subscription Usage Dashboard is currently still in preview mode. Some inaccuracies were discovered in the usage statistics. The levels of consumption for your subscriptions might be incorrectly displayed in the dashboard. The issue is being worked on.
Note: The inaccuracies in the data that is displayed do not affect your billing in any way.

May 2024

Enhanced the Access certification to allow the user to end and delete campaigns. For more information, see Access certification.
Enhanced the support to mark consents as required, automatically grant them and globally store them across all applications. For more information, see OpenID Connect request mapping for consent requests.
Password policies that are assigned to a user can now be managed from the User & groups > Profile tab. See Managing users.
The following modifications are done in the Admin Activity report to enable the administrator to trace the actions taken in accordance with the flow designed in the Flow designer:
- A record gets displayed whenever a flow is created, modified, exported, imported, published, deleted, or Trace URL is generated by a user logged in the admin console.
- The Event details under Management Event is enhanced to display the Flow name, Flow reference and Trace URL validity.
For more information, see Generating an administrator activity report.
A new attribute data.authenticatorattachment was added to management event and authentication event payloads. See Management event payload and Authentication event payload.
You can now enforce client authentication on a device authentication /oauth2/device_authorization endpoint for device flow. See Configuring OIDC application general settings.
With context to Flow designer, now when the Function task execution fails, its details get saved in error object inside context and the flow continues instead of displaying the error page.
A new attribute Refresh token fault tolerance lifetime option was added to OIDC general settings. See Configuring OIDC application general settings.
Two filter , API client ID and API client name were added to MFA reports. See Generating a multi-factor authentication activity report.
Updated list of supported application templates. Added support for the following applications:
- None
See Supported connectors for applications.

Notifications

To improve security, the state and nonce query parameters in the OpenID Connect authorization request must be at least 8 characters long. This change becomes effective 30 June 2024. Ensure that your applications are updated.
Application grants v1.0 APIs /v1.0/appgrants are deprecated. The end of life is 30 June 2024. See Deprecated APIs. The new APIs require the application ID to be specified and either "Manage OIDC and OAuth application grants" or "Read OIDC and OAuth application grants" API entitlements.
The Subscription Usage Dashboard is currently still in preview mode. Some inaccuracies were discovered in the usage statistics. The levels of consumption for your subscriptions might be incorrectly displayed in the dashboard. The issue is being worked on.
Note: The inaccuracies in the data that is displayed do not affect your billing in any way.

April 2024

Enhanced the procedure to configure Microsoft 365 for user provisioning. For more information, see Configuring provisioning for Microsoft 365.
An update procedure was added for IBM Security Verify Bridge for Directory Sync. See Upgrading the IBM Security Verify Bridge for Directory Sync.
A public preview CI-131380 is available for digital badge provisioning for Apple and Google wallet. See Managing physical access badge.
You can now modify invite new user pages for federated users in IBM Security Verify. For more information, see Modify invite new user pages.
A public preview CI-108233 for user invitations is now available. With this feature, you can send others an invitation to register as new users. Upon accepting the invitation, the users are created and added to the specified groups. Through the users' group memberships, they are automatically given the roles and permissions that are assigned to those groups. See Inviting users.
The V1.0 management APIs for identity sources are being deprecated. See Deprecated APIs. To view the new APIs, see https://docs.verify.ibm.com/verify/reference/updateidentitysource.
Note: If an identity provider has V2 properties, either created with or updated by the V2 API, use of the V1 API to set or modify it results in an error.
Reports are now tagged according to category, either Audit or Status. See Managing reports.
A public preview, CI-117151, is available for assigning password policies to individual users and groups. See Assigning password policies to users and groups.
The following modifications and additions are introduced in the Flow designer:
- The Flow designer look and feel is enhanced for better user experience, thus, providing more canvas area for flow construction. The General section is now displayed as a panel that opens on the click of icon provided in the screen. For more information, refer Managing flow designer.
- Requires callback input parameter is introduced in the User form, Redirect and Page task to auto generate a Message node post these tasks. For more information, see Managing tasks.
IBM Security Verify now supports configuring threat detection and remediation policies. The policy enables the Admins to set their Verify SaaS environment to alert and/or proactively block login traffic that results from identified attacks. For more information, refer Managing threat detection.
IBM Security Verify now supports modifying threat detection email notification pages. For more information, see Modify threat detection email notification pages.
IBM Security Verify Adapter now supports PostgreSQL Server - v12.0. For more information, see Managing endpoints by identity adapters. The target applications can now be configured for provisioning endpoints managed by Identity Adapters from IBM Security Verify to the PostgreSQL Server application. For more information, see Configuring provisioning for Postgres.
IBM Security Verify Adapter now supports MySQL Server - v8.0.19. For more information, see Managing endpoints by identity adapters. The target applications can now be configured for provisioning endpoints managed by Identity Adapters from IBM Security Verify to the MySQL Server application. For more information, see Configuring provisioning for MySQL.
IBM Security Verify now supports allowing access tokens to be exchanged for SSO session. For more information see, Configuring OIDC application general settings, Managing STS clients, Configuring single sign-on in the OpenID Connect application, and Configuring single sign-on in the OpenID Connect for Open Banking applications.
Threat detection is now supported by the IBM Security Verify user interface. See Managing threat detection.
A new grant type is provided for OIDC applications. Context-based authorization is a multi-stage grant type. The API client is prompted to perform an authentication factor. The JWT bearer grant must be enabled to perform the authentication factors that are determined by the access policy attached to the application. See Configuring single sign-on in the OpenID Connect application and Configuring single sign-on in the OpenID Connect for Open Banking applications.
Attribute-based access control through dynamic roles now is supported by IBM Security Verify. This feature is available as part of a requestable public preview, 46644. To request this feature, contact your IBM Sales representative or IBM contact and indicate your interest in enabling this capability. If you have permission to create a support ticket, create a support ticket with the public preview number. Note: IBM Security Verify trial subscriptions cannot create support tickets. See Creating a dynamic administrator role and Creating a dynamic application role.
The following modifications have been done in the Admin Activity report to provide the administrator with traceability to all changes done to an Access Policy:
- A record gets displayed whenever Access policy is created, modified or deleted either by a user logged in the admin console or through APIs.
- The Event details under Management Event is enhanced to display the Policy name, Policy ID and Modifications made to an Access Policy. This provides the administrator with traceability to all changes done to an Access Policy.
For more information, see Generating an administrator activity report.
IBM Security Verify now supports modifying user profile pages. For more information, see Modify user profile pages.
Updated list of supported application templates. Added support for the following applications:
- None
See Supported connectors for applications.

Notifications

To improve security, the state and nonce query parameters in the OpenID Connect authorization request must be at least 8 characters long. This change becomes effective 30 June 2024. Ensure that your applications are updated.
Application grants v1.0 APIs /v1.0/appgrants are deprecated. The end of life is 30 June 2024. See Deprecated APIs. The new APIs require the application ID to be specified and either "Manage OIDC and OAuth application grants" or "Read OIDC and OAuth application grants" API entitlements.
The Subscription Usage Dashboard is currently still in preview mode. Some inaccuracies were discovered in the usage statistics. The levels of consumption for your subscriptions might be incorrectly displayed in the dashboard. The issue is being worked on.
Note: The inaccuracies in the data that is displayed do not affect your billing in any way.

March 2024

New Certificates are available for *.ice.ibmcloud.com tenants. See Product requirements.
IBM does not support the customization of alphanumeric senderIds SMS in Australia and Singapore. For these restrictions, see Supported countries for SMS and Voice.
Updated list of supported application templates. Added support for the following applications:
- None
See Supported connectors for applications.

Notifications

To improve security, the state and nonce query parameters in the OpenID Connect authorization request must be at least 8 characters long. This change becomes effective 30 June 2024. Ensure that your applications are updated.
Application grants v1.0 APIs /v1.0/appgrants are deprecated. The end of life is 30 June 2024. See Deprecated APIs. The new APIs require the application ID to be specified and either "Manage OIDC and OAuth application grants" or "Read OIDC and OAuth application grants" API entitlements.
The Subscription Usage Dashboard is currently still in preview mode. Some inaccuracies were discovered in the usage statistics. The levels of consumption for your subscriptions might be incorrectly displayed in the dashboard. The issue is being worked on.
Note: The inaccuracies in the data that is displayed do not affect your billing in any way.
The mtlsidaas global tenants for device managers are now deprecated and will be removed after March 2024. Go to Obtaining a vanity hostname to request a vanity domain. For more information, see Adding a device manager.
The RSA-v1.5 Encryption key transport algorithm will not be supported after March 2024. See the Encryption options table in Configuring SAML single sign-on in the identity provider.

February 2024

IBM Security Verify supports SMS and Voice one-time passwords for many countries depending on the type of plan that you have for your tenant. This feature is supported for paid tenants only. It is not available for trial tenants. For a list of countries and any restrictions, see Supported countries for SMS and Voice.
OIDC and OAuth token lengths are not fixed. See Tokens in Table 1 Single Sign-on.
Updates to the logo.png and the page_style.css pages can take up to 5 min. For more information, see Create common branding.
Information was added about SAML2 application metadata export URLs. See Configuring SAML single sign-on in the identity provider What to do next.
The process for obtaining a vanity hostname was updated. See Obtaining a vanity hostname.
Updated list of supported application templates. Added support for the following applications:
- None
See Supported connectors for applications.

Notifications

To improve security, the state and nonce query parameters in the OpenID Connect authorization request must be at least 8 characters long. This change becomes effective 30 June 2024. Ensure that your applications are updated.
Application grants v1.0 APIs /v1.0/appgrants are deprecated. The end of life is 30 June 2024. See Deprecated APIs. The new APIs require the application ID to be specified and either "Manage OIDC and OAuth application grants" or "Read OIDC and OAuth application grants" API entitlements.
The Subscription Usage Dashboard is currently still in preview mode. Some inaccuracies were discovered in the usage statistics. The levels of consumption for your subscriptions might be incorrectly displayed in the dashboard. The issue is being worked on.
Note: The inaccuracies in the data that is displayed do not affect your billing in any way.
New certificates for *.verify.IBM.com were deployed on 11 December 2023. The previous certificates expired on 09 January 2024. See Product requirements.
The mtlsidaas global tenants for device managers are now deprecated and will be removed after March 2024. Go to Obtaining a vanity hostname to request a vanity domain. For more information, see Adding a device manager.
The RSA-v1.5 Encryption key transport algorithm will not be supported after March 2024. See the Encryption options table in Configuring SAML single sign-on in the identity provider.
Access policy management v3.0 APIs /v3.0/policyvault/accesspolicy are deprecated. The end of life was 23 December 2023. See Deprecated APIs. The new APIs are at https://docs.verify.ibm.com/verify/reference/listaccesspolicyrevisions.