24.1 enhancements and patches
Version | SaaS | On premises | Fixed issues | Updates and enhancements |
---|---|---|---|---|
24.1.01 | ✅️ | | | |
24.1.00 | ✅️ | ✅️ | | |
For a list of recent updates and enhancements across multiple versions, see Release-notes-and-notices.
BMC applies upgrades as described in the BMC Helix Upgrade policy. BMC applies upgrades and patches during Maintenance windows.
24.1.02
Access to view custom templates for users with read-only permissions
Administrator users with read-only permissions now have access to custom templates defined for SAML-based authentication.
24.1.01
BMC Helix SSO agent sends 401 responses with a special header for unauthenticated JavaScript client requests
The BMC Helix SSO agent distinguishes between JavaScript requests and requests from the user application forms. When a session timeout occurs, the agent responds to the JavaScript client request with the 401 HTTP code and a special header. Application developers can use this header and the response in their applications. This also applies to multi-domain configurations.
For more information about enabling the functionality to respond with the appropriate error code based on the source of the request, see ajax-requests-support.
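One way a browser client can act on the 401 and header described above, as an added example (not BMC code). The header name is a placeholder because this page does not give it, and `classifyResponse`, `createSsoAwareFetch`, `SsoSessionExpiredError` and the `onSessionExpired` callback are hypothetical names.

```javascript
// Added example, not BMC code. PLACEHOLDER header name: this page does not
// name the header, so take the real one from the agent's AJAX documentation.
const SSO_TIMEOUT_HEADER = "x-placeholder-sso-session-timeout";

class SsoSessionExpiredError extends Error {
  constructor(url) {
    super(`SSO session expired while requesting ${url}`);
    this.name = "SsoSessionExpiredError";
  }
}

// Separate an agent-issued 401 (session timeout) from a 401 that the
// application itself returned, using only the status code and the header.
function classifyResponse(res) {
  if (res.status !== 401) return "pass-through";
  return res.headers.get(SSO_TIMEOUT_HEADER) !== null
    ? "sso-session-expired"
    : "app-unauthorized";
}

// fetchImpl: the fetch function to wrap (window.fetch in a browser).
// onSessionExpired: hypothetical callback, e.g. save unsaved form state and
// reload the page so the browser sends a regular (non-AJAX) request.
function createSsoAwareFetch(fetchImpl, onSessionExpired) {
  let reauthStarted = false; // parallel calls usually time out together
  return async function ssoFetch(url, options = {}) {
    const res = await fetchImpl(url, options);
    if (classifyResponse(res) === "sso-session-expired") {
      if (!reauthStarted) {
        reauthStarted = true; // trigger re-authentication only once
        onSessionExpired();
      }
      // Do not hand the body to callers: it is not application data.
      throw new SsoSessionExpiredError(url);
    }
    return res; // includes app-level 401s, which the caller handles itself
  };
}
```

Keeping application-level 401s separate from the agent's session-timeout 401 prevents an ordinary authorization failure from forcing a re-login, and the single-flight flag stops a burst of expired requests from starting several re-authentication attempts.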
Support for launching Auth Proxy authenticated applications in iframes
Applications hosted on different domains and configured to use the same BMC Helix SSO server can be launched in iframes. For iframes, Auth Proxy authenticated application requests use OAuth2 multi-domain clients to access the application.
For more information about launching applications from other domains in iframes, see Allowing-BMC-Helix-SSO-to-open-applications-in-iframes.
24.1
Optimize BMC Helix Single Sign-On server configuration
Use the new api/v2.0-beta/validate/config REST API endpoint to validate BMC Helix SSO server configuration or tenant configurations of BMC Helix SSO servers. The API endpoint validates the following BMC Helix Single Sign-On server configurations and provides recommendations where applicable:
- Secured Cookie is not set
- Same-site None is not set
- SAML federation metadata is specified
- SAML Assertion time skew is not greater than 5 minutes
- HTTPS URLs are specified in the OpenID Connect IdP
- LDAPs URLs are specified in the LDAP IdP
- LDAPs URLs are specified in Admin External Configuration
- Recommends switching to SAML for OpenID Connect when possible
- OpenID Connect Issuer is not set
- OpenID Connect JWK's list is empty
- The keystore with signing alias is configured when SAML enable signing is enabled
- The keystore with encryption alias is configured when SAML encrypt is enabled
Immediate logout from all applications when the session quota is exceeded
A session quota limit is set for a realm and applies to users logged in to different applications via the realm. When the session quota limit for a realm is exceeded, BMC Helix SSO logs out users from the exceeded applications by using immediate logout. Exceeded user sessions and related OAuth access tokens are invalidated. Immediate logout, along with the session quota limitation, ensures that user session caching is avoided.
You must enable immediate logout and configure the server and agent with a Redis server for immediate logout to work for the session quota.
For more information about configuring session quota, see Configuring-general-settings-for-a-realm.
For more information about configuring immediate logout with Redis server configuration, see Configuring-BMC-Helix-SSO-to-support-immediate-logout-from-all-applications.