
Release Notes for AdminX Broker

1.09.00

July 31, 2025

Enhancements

1Kosmos now supports generic password reset operations for users in an LDAP directory.

1.08.11

June 30, 2025

Enhancements

When requesting certificates, the user's unique object SID is now included in the certificate subject name for improved identity tracking. Certificates are properly issued and stored, ensuring seamless authentication and credential management.

Fixes

Fixed an issue where the Fetch All Basic Users API did not return the correct user count and user details on the last page index.

1.08.10

April 25, 2025

Fixes

Fixed an issue where the broker’s certificate request created by createreq.exe included the same attribute OID twice with different values.

1.08.09

April 11, 2025

New Features

In organizations with a hybrid environment of Windows and Linux brokers, it becomes challenging to send SCEP requests tailored to each broker type, as Linux brokers require an NDES server, while Windows brokers do not. To address this, 1Kosmos has enhanced the broker’s capabilities to include additional payload fields, alongside the existing ones, when sending the initialization message, enabling OS-specific SCEP requests.

  • Os
  • ScepSupported
  • NdesBypassSupportedtool

1.08.08

January 16, 2025

Enhancements

The user principal search has been modified to explicitly exclude locked or disabled users from search results, ensuring only active users are returned during authentication and lookup processes.

1.08.07

August 30, 2024

Enhancements

  • During authentication, some LDAP applications, including GoBroker, perform user authentication by binding with the user's Distinguished Name (DN) and password. However, the current implementation incorrectly extracts the Common Name (CN) from the DN and uses it as the username when querying users-mgmt, causing authentication to fail when the actual username differs. To fix this, the LDAP applications will use the incoming DN to fetch users by distinguishedName without re-escaping it, then perform all subsequent operations using the retrieved username.

  • LDAP filter escaping has been removed from the broker, and all escaping responsibilities are deferred to user-management. This prevents double-escaping of DNs and ensures correct LDAP queries.
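The double-escaping failure described in the two items above, as an added example that is not the broker's or user-management's code: it applies RFC 4515 filter escaping once and twice to a constructed DN and shows what value the directory server ends up comparing. The function names and the sample DN are assumptions made for illustration.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// filterEscaper applies RFC 4515 escaping to a filter assertion value in one pass.
var filterEscaper = strings.NewReplacer(`\`, `\5c`, `*`, `\2a`, `(`, `\28`, `)`, `\29`, "\x00", `\00`)

func escapeFilterValue(v string) string { return filterEscaper.Replace(v) }

// decodeFilterValue undoes one layer of escaping, as a server does when parsing a filter.
func decodeFilterValue(v string) (string, error) {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		if v[i] != '\\' {
			b.WriteByte(v[i])
			continue
		}
		if i+2 >= len(v) {
			return "", fmt.Errorf("truncated escape at offset %d", i)
		}
		raw, err := hex.DecodeString(v[i+1 : i+3])
		if err != nil {
			return "", err
		}
		b.WriteByte(raw[0])
		i += 2
	}
	return b.String(), nil
}

// matchedValue returns the DN the server compares after `layers` components each escaped it.
func matchedValue(dn string, layers int) (string, error) {
	for n := 0; n < layers; n++ {
		dn = escapeFilterValue(dn)
	}
	return decodeFilterValue(dn)
}

func main() {
	dn := `CN=Doe\, Jane (Contractor),OU=Staff,DC=example,DC=com` // constructed sample DN
	for layers := 1; layers <= 2; layers++ {
		got, err := matchedValue(dn, layers)
		fmt.Printf("layers=%d compared=%q match=%v err=%v\n", layers, got, got == dn, err)
	}
}
```

With one escaping layer the server compares the original DN; with two it compares the once-escaped text, so a DN containing a backslash, parenthesis or asterisk never matches.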

1.08.05

July 5, 2024

Enhancements

The broker has been enhanced to return the ms-DS-ConsistencyGuid attribute as a readable GUID string, consistent with how objectGUID is handled. This ensures uniform formatting of GUID-based attributes and improves compatibility with downstream systems that rely on standard GUID representations.

1.08.04.04

July 1, 2024

Enhancements

On Windows, the broker has been updated to limit its reconnection attempts to 1Kosmos. Instead of retrying indefinitely, the broker will now attempt to reconnect for 1 minute (4 retries). If all retries fail, the broker will exit the process, allowing the Windows Service Manager to automatically restart it. This improves stability and ensures recovery without hanging the process in a retry loop.

1.08.04.03

June 28, 2024

Enhancements

  • The broker now correctly converts and returns the objectGuid attribute in a readable UUID format instead of a raw byte or UTF-8 string.
  • GoBroker has been updated to handle unexpected Go panics in LDAP processing, SCEP enrollment, and script execution using the Go recover mechanism. This prevents the broker process from hanging in a panic state and allows it to log the error and continue running normally. Note: This change is focused solely on improving runtime stability and does not involve any broker restart mechanism.
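The GUID conversion described for objectGuid here and for ms-DS-ConsistencyGuid in 1.08.05, as an added example that is not the broker's own code: it assumes the attribute holds 16 bytes in the Windows GUID layout, where the first three fields are little-endian. The function names and sample bytes are assumptions, and the reverse direction (`parseADGUID`) goes beyond what the notes describe.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
	"unicode/utf8"
)

// formatADGUID renders a 16-byte GUID attribute value as 8-4-4-4-12 text.
// The first three fields are stored little-endian; the last eight bytes are kept in order.
func formatADGUID(raw []byte) (string, error) {
	if len(raw) != 16 {
		return "", fmt.Errorf("GUID attribute must be 16 bytes, got %d", len(raw))
	}
	return fmt.Sprintf("%08x-%04x-%04x-%x-%x",
		binary.LittleEndian.Uint32(raw[0:4]),
		binary.LittleEndian.Uint16(raw[4:6]),
		binary.LittleEndian.Uint16(raw[6:8]),
		raw[8:10], raw[10:16]), nil
}

// parseADGUID converts the text form back to the directory's byte layout.
func parseADGUID(s string) ([]byte, error) {
	b, err := hex.DecodeString(strings.ReplaceAll(s, "-", ""))
	if err != nil || len(b) != 16 {
		return nil, fmt.Errorf("not a GUID string: %q", s)
	}
	b[0], b[1], b[2], b[3] = b[3], b[2], b[1], b[0]
	b[4], b[5] = b[5], b[4]
	b[6], b[7] = b[7], b[6]
	return b, nil
}

func main() {
	// Constructed sample value, not taken from any real directory.
	raw := []byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
		0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff}
	s, _ := formatADGUID(raw)
	back, _ := parseADGUID(s)
	// The raw bytes are not valid UTF-8, which is why passing them as a string is lossy.
	fmt.Println(s, utf8.Valid(raw), string(back) == string(raw))
}
```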

1.08.03

May 9, 2024

Enhancements

Improved the broker's handling of Active Directory (AD) configurations with multiple hosts. Even if one or more AD hosts are unavailable, the broker can now reliably establish a connection with the remaining active hosts, ensuring uninterrupted authentication and directory operations.

1.08.02

April 25, 2024

New Features

When a user's password has expired in Active Directory (AD), the system now detects the status and displays a clear message informing the user that their password has expired.

Fixes

Fixed an issue where AD users with expired passwords were not shown the "Password expired" message during password authentication.

1.08.01

March 28, 2024

Enhancements

  • 1Kosmos has enhanced the security of broker creation to prevent misuse of previously authorized broker configuration identifiers. If a new broker connection is established and any potential security risk is detected—such as reuse of old configuration—the system will automatically fail authorization, deauthorize the broker, and notify administrators via email. An E_BROKER_DEAUTHORIZED event is also triggered to indicate broker disconnection due to suspicious activity.

    Additionally, the AdminX UI now displays the client IP address of all registered brokers for better visibility. A new security recommendation section has been added on the Download Broker page under Directory Integrations > Brokers to warn admins about insecure access management practices on machines running brokers.

  • The broker has been enhanced to use the encryptionKey—instead of clientId—for encrypting and decrypting data in the YAML file starting from version gobroker_1.08.01. After updating the broker, existing encrypted data can still be decrypted and re-encrypted using the encryptionKey, ensuring secure and seamless upgrades.

  • The go-broker functionality now supports custom JavaScript-based user attribute transformation before sending data to users-mgmt. A new permission, directory.edit.user-transformationjs-management, controls access to this feature. Only users with this permission can access the User Attribute Transformation tab to view and edit transformation scripts. In this tab:

    • Admins can write JavaScript to customize user attributes using the built-in editor.
    • Saving a script requires OTP verification for added security.
    • Scripts can be tested by clicking ‘Test User Attributes’, entering a valid username, and viewing the resulting attributes. Additionally, once the phonenumbers attribute is added via transformation, admins must map the appropriate AD attribute under Directory → Attribute Mapping in AdminX.

1.08.00

February 10, 2024

Enhancements

  • The image name of the pl_gb broker has been changed to gobroker.
  • The LDAP filter has been modified to include both userPrincipalName and sAMAccountName to support authentication via username, password, and OTP when userPrincipalName is mapped to both username and uid. This ensures successful login through the AdminX UI using the intended identifier.

1.07.06

November 23, 2023

Enhancements

The license.json file has been updated to use tenantDNS for go-broker configuration.

Fixes

  • Fixed an issue where the log directory contained more log files than specified by the Log Rotation Count in the Authmodule configuration.
  • Fixed an issue where the Linux Broker showed “Broker not configured, waiting for configuration” in the logs and failed to appear in the AdminX UI, despite being properly configured in the Active Directory Authmodule.
  • Fixed an issue in Go Broker (version pl_gb_1.07.05) where passwords containing an asterisk (“*”) were incorrectly rejected with an "Invalid Password" error.

1.07.05

September 7, 2023

Improvements

Improved Logging

  • Improved logging functionality to allow the broker IP address and port to be available.

Improved Traceability

  • Improved traceability to associate every incoming request with its request ID.

Fixes

Error-Handling During Forced Password Resets on Next Logon

  • This fix allows AD users who are flagged to change their password on their next login to be detected using the 773 error code from AD. When detected, the broker can now send signals to prompt a password reset through BlockID.

1.07.04

August 17, 2023

Fixes

Broker DNS Cache

  • Resolved a problem where the Broker DNCache was incorrectly storing queries with filters. This led to a gradual degradation in performance due to the cache being filled with incorrect queries and the broker spending time refreshing this erroneous cache.

1.07.03

June 29, 2023

New Features

Certificate Issuance Without NDES

  • Introduced a new feature that allows the Windows Broker to issue a certificate on behalf of the user without the need for an NDES server. This certificate is presented by the BlockID Credential Provider to authenticate a user at the time of Windows workstation login.

Synthetic Heartbeat

  • Introduced synthetic heartbeat that allows 1Kosmos to run a diagnostic in case of a connection fault between user management, Kafka, and broker. The heartbeat helps in identifying where a connection is dropped. The synthetic heartbeat also allows for measuring performance by providing insights into how much time it takes for a round-trip across user management, Kafka, and broker.

1.07.02

June 8, 2023

Enhancements

Broker Service on Windows

  • Added the ability to run the broker as a service on Windows machines. The Windows broker is now downloadable from AdminX.

1.07.01

May 18, 2023

Fixes

Log Size and Log Rotation Count

  • Minor fix to ensure the log size and log rotation count values are updated without requiring a broker restart.

1.07.00.01

May 1, 2023

Fixes

Custom LDAP Port Number

  • Fixed a bug where the broker was not able to fetch users from an LDAP directory when a custom port number was used.

1.07.00

January 26, 2023

Enhancements

Floating Value Support for Broker Maximum File Size

  • The maximum file size of the broker can be configured to support floating values for increased flexibility. The default maximum file size is 10MB.

Improved Broker Logging

  • Improved broker logging to ensure the request ID is passed down from the upstream service that requested authentication for a user

1.06.04.02

January 10, 2023

New Features

Log Rotation

  • Added log rotation to prevent broker log size from growing indefinitely. Configuration settings are now available to manage:
    • logfilesizemb: The maximum size the log file can grow before rolling over to a new log. The default size is 10MB.
    • logfilecount: The maximum number of log files that should be retained in the logs directory. When the count is reached, and a new log file needs to be created, the oldest log file in the directory will be deleted. The default count is 10.

1.06.03

December 15, 2022

New Features

Password Reset for Active Directory Users

  • Active Directory users can now reset their password

1.06.02.01

August 18, 2022

New Features

Kerberos Support

  • Support for Kerberos authentication using Kerberos tokens and keytab files

Kafka Topics

  • Introduced Kafka topics to ensure continuity if a broker fails, allowing another broker to complete the work

Enhancements

LDAP Query Filter Support

  • We now support LDAP query search filters during user search and authentication

Propagation of Broker Request IDs

  • Propagation of Broker Request IDs across different loggers for ease of traceability

Search Optimization

  • Code optimization to improve performance on search

1.06.01

April 14, 2022

New Features

SCEP Support for Automatic Certificates Issuing

  • Support for issuing SCEP (Simple Certificate Enrollment Protocol) certificates automatically when a user attempts to enroll their authenticator

SCEP Agent Password Support for Broker Config

  • Ability to provide SCEP agent password directly from the broker config

Upgraded Logging Capability

  • Our logging capability has been upgraded to capture certificate generation, certificate expiration, and other information for debugging support