Philadelphia
The Philadelphia release introduces major platform capabilities for inbound connections and account lifecycle management, along with improved token exchange visibility and customer self-service.
This release includes changes that may impact your Strivacity deployment.
See Important notes for details.
New features and enhancements
Inbound connection
You can now synchronize accounts from external data sources into Strivacity using configurable inbound connections.
The synchronization process supports scheduled and on-demand synchronization, configurable attribute mappings, change detection, and account lifecycle updates while maintaining account links through configurable correlation identifiers.
Key capabilities include:
- Synchronize accounts from external relational databases
- Configure attribute mappings between external data and Strivacity accounts
- Schedule full and incremental synchronization jobs
- Trigger manual synchronization for individual accounts or full data sets
- Detect account updates and deletions
- View synchronization activity through account events
Token exchange event visibility
Account events have been enhanced to provide better visibility into Token exchange impersonation and delegation scenarios.
The updated event view displays the subject and actor involved in the exchange, helping administrators understand how tokens were exchanged and identify the identities participating in each request.
- View subject and actor information for Token exchange events
- Distinguish between impersonation and delegation requests using event labels
- Navigate directly to related accounts and applications when identities can be resolved
- View third-party token identities when external tokens are used
Customer notification preferences
Customers can now manage which account notifications they receive through My Account.
Brand administrators can enable or disable this capability through the self-service policy. When enabled, customers can choose whether to receive supported account notifications, while notifications disabled by the brand remain unavailable, and mandatory security notifications continue to be delivered.
- Allow customers to manage supported email notification preferences in My Account
- Enable or disable customer notification management through the self-service policy
- View and manage customer notification preferences in the Admin Console and Organization Portal
- Continue delivering mandatory security notifications that cannot be disabled
Password change reminders
Administrators can now configure password change reminders separately from password age enforcement.
Password change reminders encourage customers to update their passwords during login without requiring them to complete the change immediately. Customers can choose to change their password or be reminded again later, based on the configured reminder frequency.
- Configure when password change reminders begin based on password age
- Define how often reminders are shown after a customer selects Remind me later
- Keep password change reminders separate from required password age enforcement
- Continue requiring password changes only when password age enforcement is enabled
Other enhancements
- Dashboard widgets for response times and registration duration now support percentile views (P50, P95, P99, and P100) to provide greater insight into application performance and identify performance outliers.
- Token exchange now supports additional subject token types, including JWTs and ID tokens, enabling broader third-party token exchange scenarios.
- Improved handling of default translations to preserve localized text for existing configurations after upgrading.
- Username reminder flows now follow the same Adaptive Access account recovery policies as password recovery, providing consistent validation across supported email and phone recovery methods.
- Added support for custom API-based email providers, allowing organizations to integrate outbound email delivery with external email services alongside the built-in Strivacity and SMTP providers.
Bug fixes
- We fixed issues where:
- Event streaming retry attempts could affect instance stability.
- MFA enrollment SMS messages were not properly translated in some cases.
- Device biometrics and passkey enrollment could fail.
- Disabled languages could still appear in customer-facing applications.
- Account activation emails were not sent automatically for newly synchronized LDAP accounts.
- Consent versions were reported incorrectly in account details and statistics.
- Organization policy overrides displayed incorrect login providers.
- Changing an account password could make the Organization Portal unresponsive.
- JWT token requests could fail with legacy Before ID token generation hooks.
- Mobile login could fail when using hostless redirect URIs.
- Manual identity verification could fail in the Organization Portal.
- Phone identifiers could not be configured as mandatory in some cases.
- Account management performance degraded for accounts with many active sessions.
- Password lockout was not applied to accounts without passwords.
Important notes
This release contains potential breaking changes for some customers.
These include:
- The Forgotten username feature now respects Adaptive access/Attribute-based account recovery settings.
- If a customer is configuring custom email providers via API, they must change their implementation and use the new Email configuration API.
Deprecations
- All CSS classes that were deprecated in the Geneva release have now been removed.

