We are pleased to announce Topicus KeyHub 14.1. This release greatly enhances the auditor dashboard and brings several long-standing features. As usual, a number of smaller improvements have been made and several issues have been fixed. Before upgrading to 14.1 be sure to read the following important notices.
Important notice: SSO with Google G-Suite
TKH-1191 We strongly recommend that all installations using SSO with a Google G-Suite directory be upgraded to 14.1. An error in the validation of the hosted domain could allow a user from a different hosted domain to register an account when this was not allowed. In 14.1 the hosted domain attribute is again checked correctly, and multiple hosted domains are now also supported.
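For administrators who want to see what a correct hosted domain check against several allowed domains looks like, the following is an added example and not Topicus KeyHub code. It assumes the hosted domain arrives as the `hd` claim of an already verified Google ID token; the function names, the allowlist and the sample claims are constructed for illustration.

```python
# Added example, not Topicus KeyHub code. All sample values are constructed.
from typing import Iterable, Mapping


class HostedDomainError(Exception):
    """Raised when an ID token's hosted domain is not acceptable."""


def check_hosted_domain(claims: Mapping[str, object], allowed: Iterable[str]) -> str:
    """Return the normalized hosted domain if it is on the allowlist.

    `claims` must come from an ID token whose signature, issuer, audience
    and expiry were already verified; this function checks only `hd`.
    """
    allowlist = {d.strip().lower() for d in allowed if d and d.strip()}
    if not allowlist:
        # Fail closed: an empty allowlist must not mean "any domain".
        raise HostedDomainError("no hosted domains configured")

    hd = claims.get("hd")
    if not isinstance(hd, str) or not hd:
        # Accounts outside a Google organization carry no hd claim; the
        # domain of the email address is not a substitute for it.
        raise HostedDomainError("token has no hosted domain claim")

    hd = hd.lower()
    # Exact match only: no suffix, prefix or substring comparison.
    if hd not in allowlist:
        raise HostedDomainError(f"hosted domain {hd!r} is not allowed")
    return hd


def is_allowed(claims: Mapping[str, object], allowed: Iterable[str]) -> bool:
    """Boolean wrapper around check_hosted_domain."""
    try:
        check_hosted_domain(claims, allowed)
        return True
    except HostedDomainError:
        return False


ALLOWED = ["example.com", "example.org"]  # constructed allowlist

if __name__ == "__main__":
    samples = [  # constructed claim sets
        {"email": "a@example.com", "hd": "example.com"},
        {"email": "b@example.com"},                      # no hd claim
        {"email": "c@other.test", "hd": "other.test"},   # different domain
    ]
    for claims in samples:
        print(claims.get("email"), is_allowed(claims, ALLOWED))
```
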
TKH-1160 One small checkbox for KeyHub, one giant leap for our customers. Topicus KeyHub now supports static provisioning. This feature allows groups to stay active as long as a user is member of a group. The group is automatically activated when the user joins the group and deactivated when the user either leaves the group or the account is disabled.
The following smaller improvements were made w.r.t. account provisioning:
TKH-1172 It is no longer possible to force a rotating password when using source directory provisioning.
TKH-1186 Accounts created by Topicus KeyHub now have a description containing a notice and the directory they were created from.
TKH-1170 Working with the feedback we received on our first iteration of the auditor dashboard we have packed an improved version in 14.1. It is now possible to search for groups by name or by member. Per group the date of the last audit is shown next to the date of the next audit and important configuration issues are shown (for example, when none of the members of a group can access the vault). On the detail screen, an overview of the members and vault records was added.
OAuth 2.0 Device flow
TKH-1195 Topicus KeyHub now implements the OAuth 2.0 Device Flow for Browserless and Input Constrained Devices. This allows us to perform a user login from the command line. Any user of Topicus KeyHub can now download and run the CLI and access records in his or her vault. As described in the specification, this new endpoint is exposed in the (also newly added) OAuth 2.0 Authorization Server Metadata.
The following smaller improvements and bug fixes were made:
TKH-995 The styling when opening a vault record with a closed vault has been improved greatly.
TKH-996 It is now possible to access the 2FA code when editing a vault record.
TKH-1163 A toggle all link was added to the check boxes for selecting audit months.
TKH-1166 When enabling auditing for the first time, Topicus KeyHub no longer complains about expired audits for previous months.
TKH-1168 When a vault record with an expiry date and no reminder in advance expires, this is now also shown on the dashboard.
TKH-1171 An error was fixed when navigating back and forth between the vaults and records.
TKH-1176 It is now possible to search for groups with a certain account.
TKH-1177 An error was fixed when searching with some very specific queries.
TKH-1181 An error was fixed when switching tabs while selecting a certificate for a server.
TKH-1182 Several rendering issues for audit records on the dashboard were fixed.
TKH-1187 An error was fixed when enabling 2FA and entering an incorrect code many times.
TKH-1188 The user interface for access management has been improved w.r.t. removing access.
TKH-1190 Handling of some corner cases during the login flow was improved.
TKH-1193 My groups now uses the entire width of the screen to improve readability with long group names.
TKH-1196 The number of different screen widths has been reduced, creating a more uniform user experience.
To the appliance, the following smaller improvements and bug fixes were made:
TKH-1150 The IP-table rules were redesigned to put the LDAP port in the management zone.
TKH-1173 The button to generate a certificate during install is now hidden when Let's Encrypt is enabled.
TKH-1174 The browser session is now kept alive during the install.
TKH-1178 The Topicus KeyHub appliance now supports multiple network interfaces. The primary interface will be renamed from
TKH-1180 Problems with the DNS will no longer cause SaltStack to time out.
TKH-1185 Automatic recovery of a stale database lock was added.
TKH-1189 The number of available system updates is now correctly updated immediately after installing them.
TKH-1192 Upgrading docker could lead to a snapshot recovery due to a version mismatch.
TKH-1200 It is now possible to set up a public key for SSH for the backup user.