Released: January, 2022

The Prague release of Strivacity Fusion is packed with features that make you and your customers more secure, without sacrificing a great customer experience. We’ve also thrown in great experience improvements in our administration console for brand administrators and customer support personnel.

Here is what you can expect from our Prague release:

Security updates

In Prague, we implemented the following features to continue our mission to keep your applications and your customers secure.

Breached password analysis

We implemented Breached Password Analysis to help mitigate the risk of customers using passwords that have been leaked in a security breach.

When turned on, this feature analyzes the password customers enter during registration, password changes, or password resets, and compares it to a database of known breached passwords. If the password is on this list, the user is prevented from using that password. This keeps both you and your brand safe from this particular attack vector.
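The check described above, sketched as an added example (not Strivacity's code). It assumes a SHA-1 indexed corpus queried by 5-character hash prefix, a common k-anonymity design that goes beyond what the page states; the corpus, function names and flow names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample corpus standing in for a real breached-password database.
SAMPLE_BREACHED = ["password", "123456", "qwerty", "letmein"]
# The three flows the release notes say are checked (names are assumptions).
FLOWS = {"registration", "password_change", "password_reset"}


def sha1_hex(password: str) -> str:
    # SHA-1 is only a lookup key into the corpus here, never a way to store passwords.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(passwords):
    """Index the corpus as 5-character hash prefix -> set of 35-character suffixes."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


def range_lookup(index, prefix: str):
    """What the lookup side sees: a hash prefix only, never the full hash."""
    return index.get(prefix, set())


def is_breached(password: str, index) -> bool:
    digest = sha1_hex(password)
    suffix = digest[5:]
    # The caller compares its own suffix against every suffix returned for the prefix.
    return any(hmac.compare_digest(suffix, s) for s in range_lookup(index, digest[:5]))


def check_new_password(flow: str, password: str, index):
    """Return (accepted, reason) for a password submitted in one of the three flows."""
    if flow not in FLOWS:
        raise ValueError(f"unknown flow: {flow}")
    if is_breached(password, index):
        return False, "password appears in a known breach; choose a different one"
    return True, ""


INDEX = build_index(SAMPLE_BREACHED)

if __name__ == "__main__":
    samples = [("registration", "qwerty"), ("password_reset", "V3ry-unusual-passphrase!")]
    for flow, pw in samples:
        print(flow, check_new_password(flow, pw, INDEX))
```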

Multi-factor enrollment at registration and login

Next to bad password practices, the single best way to protect customer accounts against malicious activity is to require multi-factor authentication for logins. Brand administrators can now require customers to enroll in multi-factor authentication during login or the account registration process. And, we’ve done the work to make it as easy as possible for your customers to successfully add their phone number, email address, or a soft-token as authenticators.

Enhanced Adaptive Authentication Policy rules

We added additional adaptive authentication policy rules to help you further secure your applications and customers. These rules provide you with tools to determine the risk level of a login or registration attempt and define an appropriate action depending on that risk.

In Prague, we have added the ability to block, require a second factor (step up), or allow access with no second factor (step down) based on an IP address range and a geo-location.
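How rules of this kind can be evaluated, as an added example that is not Strivacity's implementation or configuration format. The rule shape, the "strictest matching action wins" precedence, the default action and the fail-closed handling of unparseable addresses are all assumptions; addresses come from documentation ranges and the country code is a placeholder.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Higher number = more restrictive; when several rules match, the strictest wins.
SEVERITY = {"step_down": 0, "step_up": 1, "block": 2}


@dataclass(frozen=True)
class Rule:
    action: str                     # "block", "step_up" or "step_down"
    cidr: Optional[str] = None      # IP range condition; None matches any address
    country: Optional[str] = None   # geo-location condition; None matches any country

    def __post_init__(self):
        if self.action not in SEVERITY:
            raise ValueError(f"unknown action: {self.action}")

    def matches(self, ip, country: Optional[str]) -> bool:
        # An address of the other IP version is never "in" the network.
        if self.cidr is not None and ip not in ipaddress.ip_network(self.cidr):
            return False
        if self.country is not None and self.country != (country or "").upper():
            return False
        return True


# Constructed policy: RFC 5737 documentation ranges and a placeholder country code.
POLICY = [
    Rule("block", cidr="203.0.113.0/24"),
    Rule("step_down", cidr="198.51.100.0/24"),
    Rule("step_up", country="ZZ"),
]


def evaluate(policy, source_ip: str, country: Optional[str], default: str = "step_up") -> str:
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return "block"  # fail closed when the source address cannot be parsed
    matched = [rule.action for rule in policy if rule.matches(ip, country)]
    if not matched:
        return default
    return max(matched, key=SEVERITY.__getitem__)


if __name__ == "__main__":
    for ip, cc in [("203.0.113.7", "CZ"), ("198.51.100.20", "CZ"), ("198.51.100.20", "ZZ")]:
        print(ip, cc, evaluate(POLICY, ip, cc))
```

The third sample matches both the step-down range and the step-up country, and resolves to the stricter action.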

Customer journey improvements

Security and usability are not mutually exclusive. You can have your cake AND eat it too. Here is how we’ve made your customer’s experience better:

Domain-bound passcode tokens in text messages

We’ve updated our standard text message templates to include domain-bound passcode tokens. This helps ensure that passcodes from text messages are available for autofill on all devices that support this.
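What a domain-bound passcode message looks like and why the binding matters, as an added example that is not Strivacity's template. It assumes the basic `@host #code` last-line form from the WICG "origin-bound one-time codes delivered via SMS" proposal; the host, code and wording are constructed, and the host comparison is a simplification of the same-site check browsers perform.

```python
import re
from typing import Optional, Tuple

# Last line of a bound message in its basic two-field form: "@host #code".
_BOUND_LINE = re.compile(r"^@(?P<host>[^\s#]+) #(?P<code>\S+)$")


def format_bound_sms(text: str, host: str, code: str) -> str:
    """Append the machine-readable binding line after the human-readable text."""
    if not re.fullmatch(r"[A-Za-z0-9.-]+", host):
        raise ValueError("host must be a plain DNS name")
    if not re.fullmatch(r"[A-Za-z0-9]+", code):
        raise ValueError("code must be alphanumeric")
    return f"{text}\n\n@{host.lower()} #{code}"


def parse_bound_sms(message: str) -> Optional[Tuple[str, str]]:
    """Return (host, code) if the last line carries a binding, else None."""
    last_line = message.rstrip("\n").rsplit("\n", 1)[-1]
    match = _BOUND_LINE.match(last_line)
    if match is None:
        return None
    return match["host"].lower(), match["code"]


def bound_code_for(message: str, page_host: str) -> Optional[str]:
    """Return the code only when the message is bound to the page asking for it.

    Simplification: the page must be the bound host or one of its subdomains.
    Messages without a binding line are outside this sketch and yield None.
    """
    parsed = parse_bound_sms(message)
    if parsed is None:
        return None
    host, code = parsed
    page = page_host.lower().rstrip(".")
    if page == host or page.endswith("." + host):
        return code
    return None


# Constructed sample message; login.example.com is a placeholder domain.
SAMPLE = format_bound_sms("Your verification code is 482913.", "login.example.com", "482913")

if __name__ == "__main__":
    print(SAMPLE)
    print(bound_code_for(SAMPLE, "login.example.com"))               # code offered
    print(bound_code_for(SAMPLE, "login.example.com.other.example"))  # None: wrong site
```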

Date picker options

Not all date input methods are alike. Some are better for picking a recent date and others are best for entering a known date that is far in advance. Now you can determine the best date input method for the context when setting up an attribute in an identity store. Entering a known date such as a birthdate is now much easier for your customers.

Improvements for you, the brand administrator

Import/export/copy policies

Need to duplicate a policy configuration? Hate copying and pasting? We have you covered. You can now simply duplicate an existing policy and save the configurations you need and change the ones you don’t. You can also export a policy configuration and import it into the same or different Strivacity cluster.

Account activity logs in the account lookup

Looking up a user? Want to know what they’ve been up to? Tired of navigating back and forth between the account activity logs and the account page? Me too. Now you don’t have to. All of the account activity logs associated with a customer are available in a tab right next to the customer’s account information.

Additional account events

In addition to making account events easier to find for customers, we’ve added additional events to give you more information about what is happening when a customer is registering and logging in.

Resolved Issues

The following is a list of bugs we fixed that you might be interested in.

| Description | Tracking Number |
| --- | --- |
| Fixed an issue in Safari where editing the middle of a string in an input field would cause the cursor to jump to the end of the string | STY-2464 |
| Fixed an issue in Safari where required fields were not marked | STY-2462 |
| Updated some error messages to be more clear | STY-2427 |
| Fixed an issue where some account events were not being logged for admin accounts. | STY-2415 |
| Fixed an issue where searching for an account was case sensitive when it really shouldn't be | STY-2414 |
| Fixed an issue where the enrollment count on the dashboard is not updated when authenticators are removed from an account | STY-2401 |
| Fixed an issue where the default admin password reset email is not sent when creating a new cluster | STY-2400 |
| Fixed an issue where changing group assignments were not logged | STY-2399 |
| Fixed an issue in autofill where password managers would not work correctly if the identifier field was configured as "email" or "email or username" | STY-2393 |
| Fixed an issue in Safari where the calendar picker icon would not appear in the date input field | STY-2392 |
| Fixed an issue where iOS was not autofilling passcodes from text messages | STY-2391 |
| Fixed an issue where the location associated with a device session was incorrect | STY-2386 |
| Fixed an issue where the "back to login" button was not found on the logout page | STY-2385 |
| Fixed an issue where the Roles filter in the admin account search rendered incorrectly for read-only users | STY-2374 |
| Fixed an issue where an admin account change email had incorrect information | STY-2341 |
| Fixed an issue where soft-token apps were ignoring token lengths | STY-2330 |

Released: November, 2021

New Features:

Admin Console Enhancements

We make it easy to define your customers' experiences in a no-code or low-code fashion. Here are some ways we've made that even easier:

  • You can now disable local login and registration to limit your customers to social or external providers when logging into your applications
  • You can easily see if a notification template is enabled, disabled, or has been customized right from the notification list under the notifications template settings
  • We've added a confirmation step to critical configuration changes that could break your customers' experiences
  • You can now map claims coming from external login providers to the Strivacity Fusion username
  • We've added a configuration that will forward a customer to an external login without them having to click on the external provider during login
  • You can now render a native claim into the Name ID field in a SAML configuration
  • You can now hide attributes from the admin UI that are only used in Lifecycle Event Hooks
  • We've added common work-related attributes to the default identity store, including Job Title, Department, and Company

Enhanced Dashboard and Reporting

The Admin Console dashboard now includes the following enhancements, making data visualization and reporting easier for your customer facing applications:

  • Filter dashboard results by any individual customer facing application
  • Filter dashboard results based upon a custom date and time range, with timezone selection
  • Any time you return to your dashboard, you'll find filters just the way you left them; we save your filter settings for the next time you come back to view statistics
  • Export dashboard widget results to a CSV file with the ability to filter by application, date interval, and time resolution
  • We've added tracking for monthly active users (Active Accounts), so you can track how fully you are utilizing your CIAM spend

Progressive Profiling

Take your progressive data collection strategy to the next level using Progressive Profiling. This allows you to choose additional attributes and account information to request during a customer's next login.

Additional account information requested via Progressive Profiling can be:

  • Stored as a custom attribute for a customer account within the Strivacity Identity Store
  • Used with any claim mapping for synchronization with other applications and other Identity Providers (IdPs)
  • Synchronized to third party systems during any event in the customer account lifecycle, using Lifecycle Event Hooks

You can also add custom text to progressive profiling experiences, allowing you to control the message going to your customers.

Request New or Updated Consents at Login

Customers can now be prompted at login to agree to new consents, or re-certify any existing consents. This is useful if:

  • You wish to ask a customer whether they will consider agreeing to a new consent, such as an email opt-in or other mail-based subscription
  • You wish to ask a customer to re-attest to an existing consent

New or updated consents can then be synchronized to any third party data stores or existing Consent Management Platform (CMP).

Login and Registration Workflow

Your customer's experience is our top priority. To ensure they continue to get all of the identity love they deserve, we have:

  • Updated our login, registration, and account management pages to support auto-fill information from browsers and password managers
  • Added the ability to resend a magic link from the waiting-for-magic-link-response page

Account Management Enhancements

This release contains a number of new capabilities to make it easier for customer service personnel to assist your customers. From within the Admin Console, you can now:

  • Have customer service initiate a password reset email with a secure link from the admin console so your customers can self-service reset their password
  • Easily view the last login date/time and the date/time when the account was last modified
  • View IP address and the geo-location information associated with your customer's current session
  • Speed up the search for customer accounts by designating account attributes to index on
  • Provide a friendly URL for self-service that is defined by you and easily shared to a customer over a phone call
  • Have customer service add an email address or phone number as an authenticator to any customer account
  • Hide the Dashboard from your customer service personnel so they can easily get to the functionality they need to support your customers
  • Have customer service pick the appropriate branding to use when sending customers notifications of changes to their account

Branding

We are always looking for ways to make it easier to present your unique brand to your customers. You want flexibility and ease of use. In this release we have added:

  • Ability to add your company's logo and primary brand colors to notification emails
  • Added a set of commonly used CSS variables to the advanced CSS editor

Accessibility

We want all of your customers to have a great experience, regardless of accessibility needs. In this release, we added various accessibility fixes to ensure our customer facing pages follow the latest accessibility guidelines, including:

  • Adding skip navigation to the my account experience
  • Updating HTML markup to better support a browser's accessibility features
  • Making HTML element focus changes behave more intuitively

Internationalization

All of our customer facing experiences now support the following languages:

  • English
  • French
  • German
  • Hungarian
  • Italian
  • Portuguese
  • Spanish

Lifecycle Event Hook Updates

Lifecycle Event Hooks make it easy to add customizations and integrations to Strivacity Fusion without having to host your code somewhere else. In this release we've added additional capabilities, development optimizations, and security improvements.

Additional Capabilities

  • You can now trigger an external event or fetch data from an external system after a customer has provided their identifier (email address or username) and before they are asked for any authenticator
  • We've also made location data accessible to event hook code to allow you to make location based decisions in your login and registration flows

Development Optimizations

  • The power and value of event hooks have exceeded our original expectations, outgrowing their tiny genie lamp. So, we granted an additional wish and made that lamp bigger by increasing the maximum size of an event hook to 256k.
  • We've also made your event hook genie faster, and significantly decreased the amount of time to see if your wishes have come true, by increasing the speed of event hook deployment
  • We've added the ability to access the last 10 minutes of event hook production logs from the admin UI
  • You can now monitor the deployment status of each event hook on the Lifecycle Event Hooks page.

Security Improvements

  • We have increased the security of event hooks by providing a callback URL with an expected state value that all supportable hooks can use in the future
  • We also implemented an additional endpoint for pre-Las Vegas release event hooks that accepts connections without the state parameter, ensuring your existing event hook implementation does not break

We encourage all event hook authors to evaluate their existing hooks to take advantage of this enhanced security.

API Security

Strivacity API Security provides a centralized service for all authentication to your homegrown or customer facing APIs. API Security can:

  • Ensure only approved applications can access your data and service
  • Authenticate calling applications and generate tokens that are passed to your APIs
  • Verify tokens that you receive from calling applications that use your APIs
  • Turn off interactive logins on API-only applications

Attack Protection

We make it harder for malicious actors to compromise your customers' accounts. A few ways we provide this protection:

  • We detect when an attacker tries to log in to an account too many times using a bad password or MFA authenticator and we terminate their session
  • We also detect when an attacker from a single IP address tries to perform account related actions too many times, resulting in a termination of their session.

Resolved Issues

| Description | Tracking Number |
| --- | --- |
| Fixed an issue where a 400 Bad Request error sometimes occurred when trying to view Accounts in the admin console. | STY-2053 |
| Fixed stability issues in rate limiting. | STY-2038, STY 2052 |
| Fixed an issue with the identity stores API that was causing null scopes and invalid tokens. | STY-2106 |
| Fixed an issue where the customer and administrator account search was not working for certain attributes. | STY-2129 |
| Fixed a stability issue in SAML federation. | STY-2227 |
| Fixed a security vulnerability in an OAUTH2 error page. | STY-2253 |
| Fixed an issue where a security session appeared to not be deleted when two separate sessions exist simultaneously. | STY-1653 |
| Fixed an issue where adding a new account to a newly created group sometimes caused a 204 or 400 error. | STY-1930 |
| Fixed a log out failure issue that occurs when two sessions exist, the first session logs out successfully, and the second one does not. | STY-1981 |
| Fixed an issue where adding an account attribute to an identity store incorrectly logged the identity store with a CREATE event rather than an UPDATE event. | STY-1984 |
| Fixed an issue where adding certain text into an email notification variable produced an error. | STY-2034 |
| Fixed various issues where error messages leaked information about internal infrastructure. | STY-2039, STY-2239, STY-104, STY 2239, STY 1047 |
| Fixed an issue in our API where the service returns a 500 error if multiple session cookies are present. | STY-2054 |
| Fixed an issue where MFA rate limiting failed. | STY-2094 |
| Fixed an issue where an account could not be created using Facebook as an identity provider when the image URL exceeded 128 characters. | STY-2111, STY-2136 |
| Fixed two issues that caused downloading of personal data to fail. | STY-2134, STY 2207 |
| Fixed an issue where a brand image would sometimes fail to save. | STY-2137, STY-2098 |
| Fixed an issue where an email notification for an MFA change is sometimes not sent. | STY-2160 |
| Fixed an issue where turning off a single MFA authenticator causes an error, appears to be disabled, but is still functional. | STY-2182 |
| Fixed an issue where error messages and other minor text failed to be localized. | STY-2214, STY 2104 |
| Fixed an issue where longer localized words broke the interface layout alignment. | STY-2074 |
| Fixed an issue where My Account setting changes are lost without warning when switching to another menu item. | STY-1354 |

Released: June, 2021

New Features:

Lifecycle Event Hooks (LEH) provide a complete integration capability so that you can integrate your customer facing applications with any other homegrown systems or 3rd-party products that you may own, such as CRM or Marketing Hubs. With Lifecycle Event Hooks you can:

  • Take Fine Grained Control of the Customer Lifecycle
  • Migrate or Synchronize Customer Profile Data
  • Automate and Trigger Events Externally
  • Consume Threat Information From Any Source

Claim Dialects provide the ability to map native customer attributes in an Identity Store to OIDC claims. Claims can be assigned on an application by application basis.

In addition to OIDC Claim Dialects, admins can now manage claim mappings for any social login providers, providing full control over the scope of what customer account information is synchronized and stored from social platforms with Fusion and any other Fusion integration applications, like CRM.

Strivacity Fusion is now deployed and able to provide data sovereignty in Seoul, South Korea.

The Strivacity Identity Store now has a fully extensible schema, providing administrators the ability to easily add or modify an attribute for a customer account or group.

Fusion now supports the ability to add any enterprise OIDC or OAuth2 provider, supporting SP-initiated Inbound Federation using an external identity provider.

Fusion now supports the ability to add any enterprise SAML provider, supporting SP-initiated Inbound Federation using an external SAML identity provider.

The Fusion Admin Console now includes Role-based Access Control so that brands can set up their own roles and rights to achieve a least-privilege approach to managing their CIAM configuration and appropriate separation of duties.

Google Authenticator and other Soft-token applications are now supported as Multi-factor Authentication Methods.

Passcodes via voice call are now a supported Multi-factor Authentication method, so customers can receive passcodes via voice to either a mobile or landline number.

Administrators can now easily manage static Group membership using Identities and Groups within the Admin Console.

Additional flexibility for custom domains (vanity URLs) is now provided. Brands can not only choose what DNS domain is used for their Fusion instance (e.g. login.yourdomain.com), but DNS domains can now be configured and chosen on an application-by-application basis. This provides full flexibility for customers that may support multiple brands and have multiple DNS domains.

The following general improvements/additions have been made to Customer Email Notifications:

  • Customer Notification Emails can now be individually enabled or disabled within a Notification policy, providing greater flexibility on how brands would like to communicate with customers
  • An additional notification Email has been added to notify customers as they opt in or opt out of any Consents. This gives brands the ability to better notify customers based on their consent wishes
  • An additional notification Email has been added to notify customers of any account updates, such as changing their name or updating their address details.
  • The sender address can now be defined on a per-Notification policy basis.

Resolved Issues:

| Description | Tracking Number |
| --- | --- |
| Notification email line spacing is incorrect due to extra <P> and <BR> HTML tags. | STY-1246 |
| Dashboard Widgets may not align correctly due to Adaptive MFA widget showing multiple methods. | STY-1375 |
| The Password Policy does not always prevent the use of the Username being used in the password field. | STY-1501 |
| The MFA Changed notification emails may not be sent correctly after the customer has made changes to their MFA settings. | STY-1461 |
| After editing Notification templates within a policy, the template listing order seems to randomly rearrange. | STY-1612 |
| When tabbing between attribute fields in any hosted interface, the tab order will be out of order when the next field is the Phone Number attribute. | STY-1742 |
| Fastpath login (which bypasses the identifier request screen if 'Remember Me' is selected) will still prompt for the customer to choose a remembered account even if only one account is present. | STY-1722 |
| Strivacity Fusion's SAML2 Identity Provider will fail to parse a multi-line base64 SAML request, and therefore restrict integration with some SAML applications. | STY-1719 |
| The Magic Link parameter is not mandatory within Magic Link based email notifications. | STY-1622 |

Released: October, 2020

New Features:

Extended Regional Availability

Strivacity Fusion is now deployed and providing data sovereignty in the following additional countries: Australia, Canada, Germany, Ireland and the United Kingdom.

ServiceNow - Customer Service Management Integration

Strivacity Fusion now supports integration with ServiceNow's Paris Release, so you can extend your ServiceNow Customer Service Management (CSM) using all of the functionality of Fusion.

Social Login Support (with Customer Data Handling)

Strivacity Fusion now provides self-service registration and login for customers using Facebook, Google, Twitter, GitHub, and Microsoft Logins. Fusion can now use the authentication and authorization services from these social providers and can also synchronize and store customer social attributes within the Strivacity Identity Store.

Consent Management

Strivacity Fusion now includes Consent Management, which makes it easy to add optional or mandatory opt-in or opt-out consents to the customer registration process. Fusion then stores receipts for those consents so that admins can see when they were granted and when they were revoked.

Customers can then use Self-Service Account Management to manage those consents as they wish to opt in or opt out.

Anonymous Visitor and Consent API

Strivacity Fusion now has an Anonymous Visitor API that can create, update, get and delete anonymous visitor information and create, update, get and delete consents associated with anonymous visitors.

Dashboard Updates

The dashboard now has new widgets that show the number of social logins (by provider), the number of social registrations (by provider), consents granted/revoked, and total number of anonymous visitors (to a web application).

Add and Manage Additional Identity Stores

You can now add and manage additional instances of the Strivacity Identity Store (Fusion's own built-in identity store). For example, this is useful if you want to use Fusion to manage multiple applications and each application uses its own separate and isolated identity store.

Customize SMS Wording and Alpha Tags

You can now add custom wording to the SMS notifications for Multi-Factor Authentication (and enrollment) and request Alpha Tags for SMS messages (supported by most carriers in most countries).

Session Management

Both administrators and customers can now view and terminate sessions within the admin console or Self-Service account management. Both roles can now view the browser type, the geographic location and the IP address from where the session originated and end the session if required.