The Seoul release introduces major platform capabilities focused on extensibility, developer flexibility, and improved operational visibility, along with the general availability of AI Assist.

This release includes changes that may impact your Strivacity deployment. See Important notes for details.

New features and enhancements

AI Assist

AI Assist is now available to all customers.

LLM-powered, chat-based assistance directly in the Admin Console
Trained on Strivacity documentation and APIs
Enables faster access to product knowledge and guidance
No customer data is used in training or query processing

Identity and data model

Complex attributes

You can now define structured and multi-valued attributes in identity stores using simple list and complex list attribute types.

Simple list attributes: store multiple values of a single type (for example, a list of email addresses or phone numbers).
Complex list attributes: store structured objects with multiple fields (for example, multiple addresses with street, city, and country fields).
Support for nested and repeatable data (for example, multiple addresses or account numbers)
Enables richer customer profiles and flexible data modeling
Supports advanced use cases such as preferences and metadata
Improves extensibility for evolving requirements

Token and authorization

Token exchange

Token exchange is available to all customers, enabling the secure exchange of tokens across systems and applications.

Modify scopes during exchange
Target different audiences (resource servers)
Enrich or transform claims
Support delegation (act_as) and impersonation (may_act) scenarios
Support for additional token types, including JWT and ID tokens (Build 1)

Access token customization

You can now add custom data to the root level of the access token.

Enables direct inclusion of custom claims without using the ext object
Configured using the “Before ID token generation” hook

Event visibility and debugging

Account event experience overhaul

The account event experience has been redesigned for improved usability. The updated UI structure and navigation patterns are also applied to audit logs and hook logs, providing a more consistent investigation experience across log views.

Clear step-by-step progression of authentication journeys
Improved visibility into API calls and responses
Easier navigation to failed events
Enhanced JSON viewer for debugging

Account event replay

You can now replay customer journeys for troubleshooting and analysis.

Visualize the exact steps experienced by a customer
Step through each screen with PII masking
Preview journeys in the branding editor
Currently available in developer mode

Admin Console usability

Cross-entity navigation and contextual filtering

The Admin Console now provides improved navigation between related configuration entities.

Navigate directly to related entities such as applications, policies, hooks, and groups
Apply filters automatically when navigating between views to preserve context
Access related entity identifiers without leaving the current view

Provisioning and integrations

Outbound provisioning (Build 1)

Initial support for outbound provisioning is now available.

Automatically synchronize users to downstream systems
Define rules that trigger actions based on account changes
Supports integration with systems such as CRMs and ERPs
Create and manage outbound provisioning configurations in the Admin Console

Other enhancements

Support for importing hashed passwords via the Create Account API
Verified email addresses and phone numbers are now indicated in the ID token
Brand policy enhancements for masked input fields
Ability to pass generic parameters to external login providers
Support for configuring a display name for system-generated email notifications in the Notification policy, displayed alongside the sender address
JavaScript-based login widget for embedding the Strivacity login and registration experience into existing web applications
Improved handling of remembered devices and SSO sessions in fast-path login scenarios (Build 1)
Ability for admins and users to unlink external accounts (Build 1)
Increased the maximum allowed password expiration period in password policies (Build 1)
New account lock notification via email and SMS when accounts are locked due to failed sign-in attempts (Build 1)

Bug fixes

We fixed issues where:

Hook management and execution were unstable
MFA enrollment passcode messages were not properly translated
Back-channel logout could be configured with invalid local addresses
Biometric authenticator creation failed in My Account
Admin UI was not scrollable on mobile devices
Password lockout failed for accounts without passwords
Identity verification dashboard widgets could break after policy changes
Security headers interfered with Admin Console validation
Disabling translations was not working
Phone identifier could not be set as mandatory
Bulk invitation exceeding the invitee count gave a wrong result
Organization portal was handling manual verification improperly
Organization portal would crash when attempting to change an accounts password
Organization portal would not allow account creation
Name filter on the Admin Console did not reset the search input after clicking clear

In Build 1, we fixed issues where:

User identifier could be remembered despite the “Never remember user identifier” setting being enabled
The '+' character in login_hint was not handled correctly, causing incorrect pre-filled identifiers
Audit log filtering could result in timeout or gateway errors
Token exchange incorrectly required the requested_subject parameter for impersonation flows
Identity verification dashboard totals could display incorrect values when filters were applied
Updating complex attribute values with invalid formats could result in server errors instead of validation messages
Complex attribute select values could accept invalid whitespace entries, bypassing uniqueness validation
Complex attribute validation errors could incorrectly report multiple field failures instead of only the affected fields
Complex attribute validation errors were not displayed correctly in the UI
Complex attribute checkbox fields could be configured with conflicting validation rules
Disabled complex attribute fields could still appear as enabled in the Admin Console
Identity stores containing complex attributes could not be deleted
AMR value could not be set in ID tokens using the "Before ID token generation" hook
Phone identifiers could fail during login on hosted pages when multiple identifier types were enabled
Directory connector uptime status and failure dashboard widgets could show no data

Important notes

This release includes updates to token handling and hook behavior. While most changes are backward compatible, some configurations may require review.

“Before ID token generation” hook changes

A new AdditionalTokenData structure simplifies claim handling.
Root-level access token claims are now supported.

Impact:

No action is required by default (fully backward compatible).
If adopting the new structure:
- Replace the previous class with AdditionalTokenData
- Use access_token_claims instead of access_token_ext
- Wrap claims in ext if maintaining current behavior

Back-channel logout restriction

Product instance internal addresses can no longer be used as back-channel logout endpoints.

🚧
Please review custom hooks and logout configurations before upgrading.

Deprecations

Attribute hook-based JavaScript execution

Attribute hook-based JavaScript execution is now deprecated. This change is part of ongoing improvements to platform security, maintainability, and future extensibility of attribute-related features.

This capability will remain available in the Seoul release and the following release, and will be fully removed in the Q4 release.

Developers using this feature should begin migrating away from attribute hook-based JavaScript execution.