25.2 enhancements and patches
Version | SaaS | On premises | Fixed issues | Updates and enhancements |
---|---|---|---|---|
25.2.02 | ✅️ | | None | 25.2.02 |
25.2.01 | ✅️ | | Known and corrected issues | 25.2.01 |
25.2.00 | ✅️ | | | |
For a list of recent updates and enhancements across multiple versions, see Release notes and notices.
BMC Helix, Inc. applies upgrades as described in the BMC Helix Upgrade policy. BMC Helix, Inc. applies upgrades and patches during Maintenance windows.
25.2.02
Version 25.2.02 includes internal performance and accessibility enhancements with no changes to the user interface.
25.2.01
Use JWKS URI to validate JWTs for preauthentication
Use an alternative method for verifying JSON Web Tokens (JWTs) in BMC Helix applications protected by preauthentication. Instead of using a static certificate, you can configure a JSON Web Key Set URI (JWKS URI). This option eliminates the need for manual certificate updates because the URI is constant and is managed by a trusted third party. Also, key updates and rotations are handled automatically by the third-party provider, reducing maintenance overhead and improving security. For more details, see Configuring preauthentication.
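An added illustration (not BMC Helix SSO code and not from the original page) of how a JWT verifier can follow provider key rotation through a JWKS document: it selects the key by the token's `kid` and refetches the set when an unknown `kid` appears. `JwksKeyResolver`, `fetch_jwks` and the sample JWKS are hypothetical names and constructed data; checking the signature with the returned key is left to a JWT library.

```python
import base64, json, time

# Asymmetric algorithms only: "none" and HMAC (HS*) tokens are rejected outright.
ALLOWED_ALGS = {"RS256": "RSA", "ES256": "EC"}

def _b64url_json(segment):
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

class JwksKeyResolver:
    """Picks the verification key for a JWT from a cached JWKS document."""
    def __init__(self, fetch_jwks, min_refresh_seconds=300, clock=time.monotonic):
        self._fetch = fetch_jwks  # callable returning the parsed JWKS dict
        self._min_refresh, self._clock = min_refresh_seconds, clock
        self._keys, self._fetched_at = {}, None

    def _refresh(self):
        keys = self._fetch().get("keys", [])
        self._keys = {k["kid"]: k for k in keys
                      if "kid" in k and k.get("use", "sig") == "sig"}
        self._fetched_at = self._clock()

    def resolve(self, token):
        header = _b64url_json(token.split(".")[0])
        if not isinstance(header, dict):
            raise ValueError("JWT header is not a JSON object")
        alg, kid = header.get("alg"), header.get("kid")
        if not isinstance(alg, str) or alg not in ALLOWED_ALGS:
            raise ValueError(f"algorithm not allowed: {alg!r}")
        if not kid:
            raise ValueError("token has no kid")
        if kid not in self._keys:
            # Unknown kid: the provider may have rotated keys. Refetch, but no
            # more often than min_refresh, so forged kids cannot flood the URI.
            if (self._fetched_at is None
                    or self._clock() - self._fetched_at >= self._min_refresh):
                self._refresh()
        jwk = self._keys.get(kid)
        if jwk is None:
            raise LookupError(f"no key with kid {kid!r} in JWKS")
        if jwk.get("kty") != ALLOWED_ALGS[alg] or jwk.get("alg", alg) != alg:
            raise ValueError("key type does not match token algorithm")
        return jwk

if __name__ == "__main__":
    # Constructed JWKS and header-only token (no real key material).
    jwks = {"keys": [{"kid": "k2", "kty": "RSA", "use": "sig", "alg": "RS256"}]}
    hdr = base64.urlsafe_b64encode(json.dumps({"alg": "RS256", "kid": "k2"}).encode())
    print(JwksKeyResolver(lambda: jwks).resolve(hdr.decode().rstrip("=") + ".e30.sig"))
```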
The following image shows the JWKS URI field in the realm settings:
Customize token payload for external authentication
As an administrator, customize the token exchange payload by using data extracted from OpenID Connect or SAML authentication responses. This enhancement enables you to fetch more information about the user from the token, such as email address, telephone number, company, and other details from the external identity provider. For more information about attributes for external authentication, see Registering OAuth clients.
The following image shows the mapping grid. The Attribute field specifies the session attribute to include. The Claim field defines the custom name for that attribute in the external token payload.
Improved email security configuration
This enhancement introduces more flexibility for configuring email communication in BMC Helix applications that use Local authentication. Select the appropriate SMTP Security Connection type based on the security protocols supported by the organization's email server. The supported options are TLS, STARTTLS (Required or Optional), or None (for standard SMTP connections). For more details, see Configuring Local authentication.
The following image shows the SMTP Security Connection type setting:
25.2.00
Achieve an uninterrupted SSO experience by enabling JWT access tokens
Enhance the fault tolerance of BMC Helix SSO during periods of instability, such as database outages, network latency, or intermittent system disruptions, by enabling the JWT Access Token capability for OAuth clients. After you enable this capability and generate new JWKs (RSA and EC) for the OAuth flow, the BMC Helix SSO server generates JWTs that maintain session validity independently of backend connectivity. This enhancement improves the overall resilience of the authentication process.
To navigate to the JWT Access Token setting, see Registering OAuth clients. To generate a new set of JWKs after JWTs are enabled, see Generating JSON Web Keys for the OAuth flow.
The following image shows the JWT Token feature in the OAuth client configuration:
Single logout for BMC Helix applications
Enable users to seamlessly work in a connected ITOM and ITSM environment. With this feature, users have a shared session for all BMC Helix applications, which means that all active sessions can be terminated through a centralized global logout endpoint. By implementing this feature, organizations benefit from enhanced data privacy, reduced session fragmentation, and a streamlined user experience across the BMC Helix ecosystem. To configure the global logout endpoint, specify the BackChannel Logout URI during OAuth client registration. The URI is always <rsso_server_url>/rsso/oauth2/backchannel-logout, where rsso_server_url is the BMC Helix SSO server on the ITOM side.
For detailed steps, see Registering OAuth clients. Additional information about logout workflows is available in Login and logout experience for end users.
The following image shows the BackChannel Logout URI field when registering a new OAuth client:
Validation of third-party JWT tokens in the preauthentication flow
Enforce an additional layer of protection for BMC Helix applications accessed through the SSO preauthentication flow by applying custom validation logic to JWT tokens from third-party providers. You can define a SpEL validation expression that checks whether a token is trustworthy and customize the validation expression to your business needs.
To learn more about how JWT validation can be strengthened and ways to implement it, see Configuring preauthentication.
The following image shows the Validation expression field on the realm configuration page: