Strivacity Fusion: Las Vegas Release
This documentation provides all of the information that you need to start using Las Vegas, the latest release of Strivacity Fusion.

New Features:

Admin Console Enhancements

We make it easy to define your customers' experiences in a no-code or low-code fashion. Here are some ways we've made that even easier:
  • You can now disable local login and registration to limit your customers to social or external providers when logging into your applications
  • You can easily see if a notification template is enabled, disabled, or has been customized right from the notification list under the notifications template settings
  • We've added a confirmation step to critical configuration changes that could break your customers' experiences
  • You can now map claims coming from external login providers to the Strivacity Fusion username
  • We've added a configuration that will forward a customer to an external login without them having to click on the external provider during login
  • You can now render a native claim into the Name ID field in a SAML configuration
  • You can now hide attributes from the admin UI that are only used in Lifecycle Event Hooks
  • We've added common work-related attributes to the default identity store, including Job Title, Department, and Company

Enhanced Dashboard and Reporting

The Admin Console dashboard now includes the following enhancements, making data visualization and reporting easier for your customer facing applications:
  • Filter dashboard results by any individual customer facing application
  • Filter dashboard results based upon a custom date and time range, with timezone selection
  • Any time you return to your dashboard, you'll find filters just the way you left them— we save your filter settings for the next time you come back to view statistics
  • Export dashboard widget results to a CSV file with the ability to filter by application, date interval, and time resolution
  • We've added tracking for monthly active users (Active Accounts), so you can track how fully you are utilizing your CIAM spend

Progressive Profiling

Take your progressive data collection strategy to the next level using Progressive Profiling. This allows you to choose additional attributes and account information to request during a customer's next login.
Additional account information requested via Progression Profiling can and can be:
  • Stored as custom attribute for a customer account within the Strivacity Identity Store
  • Used with any claim mapping for synchronization with other applications and other Identity Providers (IdPs)
  • Synchronized to third party systems during any event in the customer account lifecycle, using Lifecycle Event Hooks
You can also add custom text to progressive profiling experiences, allowing you to control the message going to your customers.

Request New or Updated Consents at Login

Customers can now be prompted at login to agree to new consents, or re-certify any existing consents. This is useful if:
  • You wish to ask a customer whether they will consider agreeing to a new consent, such as an email opt-in or other mail-based subscription
  • You wish to ask a customer to re-attest to an existing consent
New or updated consents can then be synchronized to any third party data stores or existing Consent Management Platform (CMP).

Login and Registration Workflow

Your customer's experience is our top priority. To ensure they continue to get all of the identity love they deserve, we have:
  • Updated our login, registration, and account management pages to support auto-fill information from browsers and password managers
  • Added the ability to resend a magic link from the waiting-for-magic-link-response page

Account Management Enhancements

This release contains a number of new capabilities to make it easier for customer service personnel to assist your customers. From within the Admin Console, you can now:
  • Have customer service initiate a password reset email with a secure link from the admin console so your customers can self-service reset their password
  • Easily view the last login date/time and the date/time on when the account was last modified
  • View IP address and the geo-location information associated with your customer's current session
  • Speed up the search for customer accounts by designating account attributes to index on
  • Provide a friendly URL for self-service that is defined by you and easily shared to a customer over a phone call
  • Have customer service add an email address or phone number as an authenticator to any customer account
  • Hide the Dashboard from your customer service personnel so they can easily get to the functionality they need to support your customers
  • Have customer service pick the appropriate branding to use when sending customers notifications of changes to their account

Branding

We are always looking for ways to make it easier to present your unique brand to your customers. You want flexibility and ease of use. In this release we have added:
  • Ability to add your company's logo and primary brand colors to notification emails
  • Added a set of commonly used CSS variables to the advanced CSS editor

Accessibility

We want all of your customers to have a great experience, regardless of accessibility needs. In this release, we added various accessibility fixes to ensure our customer facing pages follow the latest accessibility guidelines, including:
  • Adding skip navigation to the my account experience
  • Updating HTML markup to better support a browser's accessibility features
  • Making HTML element focus changes behave more intuitively

Internationalization

All of our customer facing experiences now support the following languages:
  • English
  • French
  • German
  • Hungarian
  • Italian
  • Portuguese
  • Spanish

Lifecycle Event Hook Updates

Lifecycle Event Hooks make it easy to add customizations and integrations to Strivacity Fusion without having to host your code somewhere else. In the release we've added additional capabilities, development optimizations, and security improvements.

Additional Capabilities

  • You can now trigger an external event or fetch data from an external system after a customer has provided their identifier (email address or username) and before they are asked for any authenticator
  • We've also made location data accessible to event hook code to allow you to make location based decisions in your login and registration flows

Development Optimizations

  • The power and value of event hooks have exceeded our original expectations, outgrowing their tiny genie lamp. So, we granted an additional wish and made that lamp bigger by increasing the maximum size of an event hook to 256k.
  • We've also made your event hook genie faster, and significantly decreased the amount of time to see if your wishes have come true, by increasing the speed of event hook deployment
  • We've added the ability to access the last 10 minutes of event hook production logs from the admin UI
  • You can now monitor the deployment status of each event hook on the Lifecycle Event Hooks page.

Security Improvements

  • We have increased the security of event hooks by providing a callback URL with an expected state value that all supportable hooks can use in the future
  • We also implemented an additional endpoint for pre-Las Vegas release event hooks that accepts connections without the state parameter, ensuring your existing event hook implementation does not break
We encourage all event hook authors to evaluate their existing hooks to take advantage of this enhanced security.

API Security

Strivacity API Security provides a centralized service for all authentication to your homegrown or customer facing APIs. API Security can:
  • Ensure only approved applications can access your data and service
  • Authenticate calling applications and generate tokens that are passed to your APIs
  • Verify tokens that you receive from calling applications that use your APIs
  • Turn-off interactive logins on API-only applications

Attack Protection

We make it harder for malicious actors to compromise your customer's accounts. A few ways we provide this protection:
  • We detect when an attacker tries to login into an account too many times using a bad password or MFA authenticator and we terminate their session
  • We also detect when an attacker from a single IP address tries to perform account related actions too many times resulting in a termination of their session.

Resolved Issues

Description
Tracking Number
Fixed an issue where a 400 Bad Request error sometimes occurred when trying to view Accounts in the admin console.
STY-2053
Fixed stability issues in rate limiting.
STY-2038, STY 2052
Fixed an issue with the identity stores API that was causing null scopes and invalid tokens.
STY-2106
Fixed an issue where the customer and administrator account search was not working for certain attributes.
STY-2129
Fixed a stability issue in SAML federation.
STY-2227
Fixed a security vulnerability in an OAUTH2 error page.
STY-2253
Fixed an issue where a security session appeared to not be deleted when two separate sessions exist simultaneously.
STY-1653
Fixed an issue where adding a new account to a newly created group sometimes caused a 204 or 400 error.
STY-1930
Fixed an log out failure issue that occurs when two sessions exist, the first session logs out successfully, and the second one does not.
STY-1981
Fixed an issue where adding an account attribute to an identity store incorrectly logged the identity store with a CREATE event rather than an UPDATE event.
STY-1984
Fixed an issue where adding certain text into an email notification variable produced an error.
STY-2034
Fixed various issues where error messages leaked information about internal infrastructure.
STY-2039, STY-2239, STY-104, STY 2239, STY 1047
Fixed an issue in our API where the service returns a 500 error if multiple session cookies are present.
STY-2054
Fixed an issue where MFA rate limiting failed.
STY-2094
Fixed an issue where an account could not be created using Facebook as an identity provider when the image URL exceeded 128 characters.
STY-2111, STY-2136
Fixed two issues that caused downloading of personal data to fail.
STY-2134, STY 2207
Fixed an issue where a brand image would sometimes fail to save.
STY-2137, STY-2098
Fixed an issue where an email notification for an MFA change is sometimes not sent.
STY-2160
Fixed an issue where turning off a single MFA authenticator causes an error, appears to be disabled, but is still functional.
STY-2182
Fixed an issue where error messages and other minor text failed to be localized.
STY-2214, STY 2104
Fixed an issue were longer localized words broke the interface layout alignment.
STY-2074
Fixed an issue where My Account setting changes are lost without warning when switching to another menu item.
​STY-1354
Last modified 1mo ago