We are excited to share that we have completed our 2.0 idemeum release that packs a ton of new features and enhancements. 

Billing and tenant management

We have updated our pricing that you can check on our website. Right now you can navigate to idemeum pricing page, choose the license that you would like to try and immediately start playing with idemeum. We have enabled 2-week trial for all licenses, no credit card required. Once you make a decision you can easily sign up for license right from idemeum admin portal Billing section. 

What is more, we introduced Admin notifications, that admins will be able to receive when billing / subscription events happen, such as trial expiring, account suspended, subscription cancelled and more. Notifications can be accessed from the admin portal page by clicking on the bell icon in the menu.

SOC2 Type 1 compliance

We have achieved a milestone of becoming SOC2 Type 1 compliant. We are committed to our highest level security practices, and we continually improve our security posture, including penetration testing, compliance, and mode. You can always refer to our security page and security white-paper. 

TOTP support for password applications

Our Passwordless Password Manager now support Time-based one-time password (TOTP) algorithm. If an application you are using supports TOTP, you can now add it as a second factor. For instance, you can login to GitHub by auto-filling credentials and also autofilling TOTP code as a second factor. 

Admin controlled user recovery

We have now added support for another recovery method with admin approval. Today we support two options: 

1. User self-service recovery - this option does not require any admin actions. User can self-recover using recovery QR-code that they store offline or in Cloud storage.

2. Admin controlled user recovery - this option is useful when users no longer have access to recovery QR-code. Users can request recovery from new device, and admins can approve the recovery request from admin portal.

Learn more in our documentation portal.

Passwordless Password Manager for any application

Previously we were supporting only certified applications with idemeum password manager. Right now we opened it up, so that users can add any password application they like. Simply create an app, provide URL, enter credentials and you are good to go. You can learn more here. 

Local biometrics

Oftentimes employees do not have a phone nearby or do not want to use mobile device every single time they access applications. What is more most laptops today offer what is called platform biometric authenticators. For example an Apple MacBook will have a local fingerprint reader that can be used to authenticate employees. 

That is why idemeum offers an option for employees to use these platform authenticators, which we call local biometric sensors to access applications and company resources without passwords from laptops, tablets, and desktop devices.

Application auto update

Auto detect mobile app upgrade and notify the user. Feature allows forced upgrade of the mobile application as well if the new version is available. 

Fixes and improvements

• Admin UI security settings to configure onboarding, local biometrics, and session duration
• Automatically refresh the user portal on installation of browser extension
• Reduce page zoom to 80%, increase viewport size, fix column padding and minor UI fixes
• Fix critical and high CVEs found in the 3rd party libraries
• Show alert to save QR code to the photo gallery when permission is denied for apple iCloud
• Allow password applications to be added without user explicitly adding https scheme
• Disable native HTML autocomplete in search fields
• Improved product documentation and integration portals

Let us know if you have any questions. 

New features

• Certify 85+ new password applications to a total of 175+ business password applications
• Support for SAML single sign-on from Android native apps that use webview 
• User management feature extended to passwordless SSO and MFA solutions
• Added support for admin approval in the recovery flow when user changes or loses a device

Fixes and improvements

• Add show button to view sensitive data like passwords on the user interface. Default is masked data until show button is clicked
• Added support for URL redirect after logout for MFA solution
• Do not autofill on non-TLS password applications

We are excited to share that we released first version of our Passwordless Password Manager. You can now have your employees easily store, autofill, and share passwords across organization using browser, extension, or mobile app.

We have iOS and Android mobile apps that support password applications, as we all Chrome and Safari browser extensions to auto fill passwords on desktop

New features

• User management support added in admin portal for password manager 
• Admin can manually promote / demote user role and trigger user off-boarding
• Add support for requesting new password application in web portal and mobile app
• Add biometrics check for credential provider extension in android and iOS
• Certify 80+ applications for password manager
• LIVE chat integration in the user portal and idemeum website

New integrations

• Integrate with Okta as a source for verifying user identity and retrieving user attributes for single sign-on and automatic provisioning
• Integrate with Google workspace as a source for verifying user identity and retrieving user attributes for single sign-on and automatic provisioning

Fixes and improvements

• Implement CSRF defense in depth techniques like SameSite cookie, double submit cookies, custom request headers
• Added support for Shamir’s Secret Sharing (SSS) cryptographic algorithm for securely storing data in client local storage
• Android bundleId support in password manager credential provider extension
• Password autofill fix for Samsung S21+ device
• iOS app crash fix when searching for application to add
• Speed up safari extension for large number of password applications
• UI fixes in safari and chrome extensions 
• Improve autofill algorithm to address single and multiple page flows
• Portal and mobile app enhanced to add Help Link in the password application catalog 
• Welcome email sent to the tenant admin after onboarding
• Strong password criteria for adding new password application
• Improved domain matching algorithm to protect user accounts on service provider login

New features

• Self-service licensing on the website. Trying the product now offers an option to choose what license of the product to try for 14 days.

Fixes and improvements

• Implemented cross origin resource sharing restrictions
• Addressed security CVEs and updated to latest stack (Java, AL2, libraries etc.)
• Sandbox login flow to prevent session highjacking
• Implemented static code analysis for additional security
• Fixed logout error when session is timeout
• Various admin portal UI fixes

New features

• Certificate fingerprints in metadata - introduced the option for admin to download SHA1 or SHA256 certificate fingerprint from idemeum metadata section. Some apps require fingerprint values instead of actual certificate.
• Support for jailbroken Android devices - idemeum offers the flexibility to allow employee onboarding with jailbroken Android devices. idemeum MFA is build with security first principles, and we employ various checks before even allowing idemeum mobile app to install on an Android device. Now we offer a flexibility for admins to choose whether to allow jailbroken devices or not.

New integrations

• Microsoft 365 (Office 365) - idemeum now supports passwordless SSO for Office 365. idemeum can automatically provision users, assign licenses, and delete user accounts when employees are off-boarded. We also give admin flexibility to choose how to remove user accounts (disable, revoke license, or delete user account completely).
• YouTrack Jetbrains - idemeum now supports passwordless SSO integration with YouTrack.
• Metabase - idemeum now supports passwordless SSO with Metabase.
• Google Directory - idemeum now supports ability to onboard users using Google Workspace directory as a user store.
• Okta passwordless SSO - idemeum now integrates with Okta to enable passwordless onboarding and login experience. Customers who have Okta deployed can simply enable idemeum passwordless MFA on top of existing infrastructure.

Fixes and improvements

• Fixed the issue with dropdown misaligned in entitlement section
• Introduced ability to remove entitlement rules when all groups are removed from that rule
• We added support for custom variables in provisioning section to simplify provisioning configuration for admins
• Added documentation link for every app pointing to the detailed step by step integration guide
• Introduced automated domain discovery for Zendesk integration
• Fixed custom SAML app icon and simplified configuration section
• Fixed first user provisioning error for all custom provisioning connectors
• Enhance SAML metadata parsing to enable EntitiesDescriptor parsing
• Enhanced oAuth module to support client credentials in authorization header
• Fixed refresh token issue with Box provisioning connector
• Fixed issue of entitlement UI not showing display values

New features

• Group provisioning - idemeum can now provision groups into target applications and assign users into appropriate groups. Admins can define groups in admin portal and use those groups in entitlements to define what groups need to be pushed into target application. We support group provisioning for applications that support SCIM 2.0 protocol.
• Dynamic configuration attributes - introduced a new concept of automatically pulling configuration information from application when admin authorizes API access. For instance, once API access is authorized, idemeum can pull information about what account to use for provisioning to offer that configuration option to admin on the fly. This simplifies the admin application configuration experience.
• HRMS connection test - introduced ability to test HRMS connection when it is first enabled. If connection can not be established, admin will be informed with appropriate error message.
• Direct user entitlement - we now support entitlement of applications directly to users. Admins can now have a flexibility of assigning an application to a group or a user directly.

New integrations

• Docusign - idemeum now offers passwordless SSO and automated provisioning for Docusign.
• Gitlab - we now support passwordless SSO and automated provisioning with Gitlab.
• Workplace from Meta - idemeum now supports passwordless SSO and automated provisioning with Workplace from Meta.
• AWS SSO - idemeum now supports group provisioning into AWS.
• Atlassian - idemeum now supports group provisioning into Atlassian.

Fixes and improvements

• Fixed the issue of entitlements being restored for deleted users
• Fixed the issue of deleted app not being handled correctly
• Updated recovery error messages to be more descriptive and user friendly
• Updated error messages related to app deletion to make them more descriptive
• Added search capability to user entitlement table (for admin portal as well as idemeum browser extension)
• Fixed the circular issue of login approval on mobile device when QR code is expired
• Introduced SCIM 2.0 configuration options to support lookup by external ID or username, update user via PATCH or PUT call, and delete user via DELETE or PATCH call
• Fixed the issue of failed user update with Slack SCIM 1.1
• Fixed the issue of not automatically creating corporate email address when it is missing in PeopleForce HRMS
• Introduced entitlement rules validation in admin portal: non-empty name, at least one resource id, etc.
• Introduced the capability to deprovision the user from application when entitlement is removed
• Fixed the issue of local storage clean up after user logout
• Added search capability to My applications section in the admin portal

New features

• Recovery for mobile identity- if mobile device is lost or stolen, we allow employees to preform self-service recovery process that does not involve any admin support. When idemeum mobile app is installed, users are asked to store secure recovery code. There are two options:
  • Store recovery code to cloud storage (iCloud or Google Drive). When device needs to be recovered, all users needs to do is to allow idemeum mobile app to access recovery code.
  • Store secure recovery QR code in photos so that it can be printed. When device needs to be recovered users scan the recovery QR code with idemeum mobile app.

New integrations

• PeopleForce - idemeum now integrates with People Force HRMS for user onboarding and entitlements.
• Humaans - idemeum now integrates with Humaans HRMS for user onboarding and entitlements.
• Zendesk - idemeum now offers Passwordless SSO and automated provisioning for Zendesk.
• Datadog - idemeum now offers Passwordless SSO and automated provisioning for Datadog.
• PagerDuty - idemeum now offers Passwordless SSO and automated provisioning for PagerDuty.

Fixes and improvements

• For additional security we allow users to onboard into a tenant with the same claims only once
• When HRMS is configured we automatically onboard and verify admin information against HRMS data
• Enhanced SAML configuration to support expression syntax across all field, including custom mappings
• Centralized error messages configuration to make error messages more friendly and easier to update
• Fixed issues with provisioning after the entitlement rule is deleted
• Introduced warning prompt for sensitive actions such as deleting an app or entitlement rule

New features

• Simplified SAML and provisioning configuration - we significantly simplified how admins configure SAML and provisioning integrations. We hid all advanced fields and made sure admins only need to input the minimal set of parameters. For some apps we truly preconfigured them where nothing needs to be manually entered. 
• Simplified HRMS integration - we simplified and enhanced the UI for how to connect idemeum to your HRMS systems. All systems come preconfigured, and all that is needed is to enter an API key or Authorize idemeum to access HRMS APIs. 
• SCIM 1.1 support - we added support for SCIM 1.1 protocol as some apps are still not supporting version 2.0. 
• Cloud staging environment - we creating staging environment so that we can seamlessly test new features, launch beta programs, and ensure stability and reliability of our production environment.

Fixes and improvements

• Fixed HRMS connectors returning group attributes with external names
• Enforced only fully onboarded users to have entitlements evaluated
• Ensured entitlement rules get disabled when HRMS in not configured
• Fixed the issue when switching to admin portal was visible to non admin users
• Fixed issue of oAuth provisioning pop up not working on Safari and Firefox
• Fixed Google Workspace provisioning for initial admin user
• Fixed logos missing for staging environment
• Fixed the issue of misaligned idemeum icon in the admin portal
• Added additional log messages for HRMS troubleshooting
• Made entitlement errors for users more friendly
• Added the ability to onboard admin in the background when HRMS is first configured
• Implemented Amazon SQS for asynchronous entitlement evaluation
• Implemented Amazon SQS for asynchronous provisioning

We are excited to share that we updated our integrations catalog.

Now it can be accessed via separate URL - https://integrations.idemeum.com 

We have improved styling, navigation, search, and discoverability of idemeum integrations. With top bar counters you can easily see how many and what types of integrations we are supporting today. 

We are constantly adding new integration across various categories.

You can learn more about integrations portal here. 

Rule based entitlements

With Rule Based Entitlements you can assign application to certain groups of users and have granular control for who has access to what. 

idemeum integrates closely with HR system of your choice and will pull information such as role, department, or country. You can use this information to assign applications to employees. 

The rules are organized based on if/then statements for ease of creation and maintenance. For instance, you can create a rule that entitles every Operations Manager to certain set of applications. 

idemeum stays in sync with HRMS system, and if the information in your HR system changes (new departments, updated employee records, etc.) idemeum will automatically readjust and recalculate entitlement rules, and conduct all necessary provisioning / deprovisioning.