We have improved the uniqueness validation for user attributes, giving administrators the flexibility to define the scope of uniqueness for each attribute separately.
This enhancement offers granular control, enabling a more tailored and flexible approach to uniqueness validation.
Asgardeo now offers built-in default roles for users accessing the Asgardeo console, ensuring they have the appropriate level of access.
This feature provides the best console experience for privileged users. As the organization administrator or owner, you can assign default roles to privileged users based on specific requirements.
We’re excited to introduce easy-to-use SSO templates for Zoom and Slack. You can now set up SSO effortlessly in just a few minutes for Zoom and Slack. The process is supported by a comprehensive in-app guide and detailed documentation, ensuring a smooth and straightforward configuration experience. We already offer SSO templates for Microsoft Office 365, Google Workspace and Salesforce.
Asgardeo now supports multiple email addresses and phone numbers in user profiles. You can easily add multiple contacts to your profile and select one email address and one mobile number as your primary choices for notifications and other services. This update offers greater flexibility, making it simpler to stay organized and connected.
We have introduced an improvement to the handling of JWT Access Token attributes.
With this enhancement, for new applications, the "Access Token" section now provides an option to explicitly select the attributes to be included in the token. As a result, user attributes configured in the "User Attributes" section will no longer be automatically added as access token attributes.
Existing applications will be marked as outdated because the access tokens they issue still include the configured user attributes. To apply the new functionality to these applications, use the outdated application warning banner to update them. After the update, the previously configured user attributes will be automatically added as access token attributes by default, ensuring the application's existing functionality remains intact. You can manage the added access token attributes by adding or removing them from the Access Token Attributes section.
The access token attributes included in the token are no longer bound to scopes. Previously, only the user attributes associated with a scope were added to the token. Now, regardless of the scopes requested, all selected user attributes will be included in the token. By letting you explicitly select access token attributes, this feature minimizes the exposure of sensitive user information (PII) when sharing access tokens with resource servers and reduces token size for improved performance.
Please note that the behavior of the ID token will remain the same.
The Pre-Issue Access Token action has been upgraded to support more flexible validation use cases during the access token flow. Previously, this action could only modify token scopes and attributes before issuing the token. With this update, you can now validate token scopes, user claims, request context, expiry time, and more. If a validation fails, the action can return a client error directly to the application. We’ve introduced a new ‘FAILED’ state in the response format for external services implementing an action to return client errors. Use the ‘FAILED’ state to indicate validation failures in order to trigger an appropriate error response to the application. This improvement gives you more control over token issuance and strengthens validation workflows.
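A sketch of the validation logic an external service could run for this action, returning the 'FAILED' state when a check does not pass. This is an added example, not Asgardeo's own code: the request and response field names (`event`, `accessToken`, `claims`, `scopes`, `actionStatus`, `failureReason`, `failureDescription`, `operations`), the policy table and the sample payloads are assumptions to be checked against the Asgardeo action API reference.

```python
"""Added example: validation for a Pre-Issue Access Token action endpoint.

All payload field names here are assumptions, not taken from the release
note; only the 'FAILED' state itself is stated on the page.
"""

MAX_EXPIRES_IN = 3600  # hypothetical policy: tokens live at most one hour

# Hypothetical per-client scope allowlist (constructed values).
ALLOWED_SCOPES = {
    "constructed-client-id": {"openid", "orders:read"},
}


def failed(reason, description):
    """Build a response that asks the platform to return a client error."""
    return {
        "actionStatus": "FAILED",          # state named in the release note
        "failureReason": reason,           # assumed field name
        "failureDescription": description, # assumed field name
    }


def claims_to_dict(claims):
    """Flatten an assumed [{"name": ..., "value": ...}] claim list."""
    return {c["name"]: c["value"] for c in claims
            if isinstance(c, dict) and "name" in c and "value" in c}


def validate_pre_issue_access_token(payload):
    """Validate scopes and expiry; fail closed on anything unexpected."""
    try:
        event = payload["event"]
        client_id = event["request"]["clientId"]
        token = event["accessToken"]
        scopes = set(token.get("scopes", []))
        claims = claims_to_dict(token.get("claims", []))
    except (KeyError, TypeError, AttributeError):
        return failed("invalid_request", "Malformed action request.")

    allowed = ALLOWED_SCOPES.get(client_id)
    if allowed is None:
        return failed("access_denied", "Client is not permitted to obtain tokens.")

    extra = scopes - allowed
    if extra:
        return failed("invalid_scope",
                      "Scopes not permitted for this client: "
                      + ", ".join(sorted(extra)))

    expires_in = claims.get("expires_in")
    if (isinstance(expires_in, bool) or not isinstance(expires_in, int)
            or not 0 < expires_in <= MAX_EXPIRES_IN):
        return failed("access_denied", "Token lifetime exceeds policy.")

    # No modifications requested; the token is issued as proposed.
    return {"actionStatus": "SUCCESS", "operations": []}


def sample_payload(scopes, expires_in, client_id="constructed-client-id"):
    """Constructed request body used to exercise the validator offline."""
    return {
        "actionType": "PRE_ISSUE_ACCESS_TOKEN",
        "event": {
            "request": {"clientId": client_id, "grantType": "client_credentials"},
            "accessToken": {
                "scopes": list(scopes),
                "claims": [{"name": "expires_in", "value": expires_in}],
            },
        },
    }


if __name__ == "__main__":
    print(validate_pre_issue_access_token(sample_payload(["openid"], 3600)))
    print(validate_pre_issue_access_token(sample_payload(["admin"], 3600)))
```

The function is transport-agnostic: wrap it in whatever HTTP framework hosts the endpoint and serialize the returned dictionary as the JSON response body.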
We are introducing a hard limit on the count parameter for the scim2/Users/.search API. For organizations created after this improvement, the maximum value that can be specified for the count parameter will be capped at 100. Even if a request includes a value greater than 100, the API response will only return up to 100 users. This improvement ensures optimized API performance and maintains system reliability for all users. To retrieve additional users beyond this limit, customers will need to implement pagination in their API requests. We recommend that developers update their integrations accordingly to handle this limit and include support for pagination where necessary.
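The pagination this note calls for, as an added example that is not taken from the Asgardeo documentation. It uses the standard SCIM 2.0 search request and list response fields (`startIndex`, `count`, `totalResults`, `Resources`) and runs against a constructed in-memory stand-in for `scim2/Users/.search` that applies the 100-user cap; the function names and user records are hypothetical.

```python
"""Added example: paging through scim2/Users/.search under a server-side cap."""
import json

SEARCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:SearchRequest"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SERVER_CAP = 100  # cap stated in the release note


def make_fake_search(total_users, cap=SERVER_CAP):
    """Constructed stand-in for POST scim2/Users/.search.

    Mimics the behaviour described above: a count larger than the cap is
    silently reduced to the cap. Takes and returns JSON strings.
    """
    users = [{"id": f"u-{i:04d}", "userName": f"user{i}@example.com"}
             for i in range(1, total_users + 1)]
    calls = []

    def search(body):
        req = json.loads(body)
        start = max(int(req.get("startIndex", 1)), 1)  # SCIM index is 1-based
        count = min(max(int(req.get("count", cap)), 0), cap)
        page = users[start - 1:start - 1 + count]
        calls.append({"startIndex": start, "count": req.get("count")})
        return json.dumps({
            "schemas": [LIST_SCHEMA],
            "totalResults": len(users),
            "startIndex": start,
            "itemsPerPage": len(page),
            "Resources": page,
        })

    search.calls = calls  # exposed so callers can inspect the requests made
    return search


def naive_fetch(search, count):
    """Pre-cap integration pattern: trusts that `count` users came back.

    Advancing startIndex by the requested count skips users once the
    server starts returning fewer than requested.
    """
    out, start = [], 1
    while True:
        resp = json.loads(search(json.dumps(
            {"schemas": [SEARCH_SCHEMA], "startIndex": start, "count": count})))
        out.extend(resp.get("Resources") or [])
        start += count
        if start > resp["totalResults"]:
            return out


def fetch_all_users(search, page_size=SERVER_CAP, max_pages=10_000):
    """Page until totalResults is reached, advancing by what was returned."""
    users, seen, start = [], set(), 1
    for _ in range(max_pages):
        resp = json.loads(search(json.dumps(
            {"schemas": [SEARCH_SCHEMA], "startIndex": start, "count": page_size})))
        page = resp.get("Resources") or []  # key may be absent when empty
        if not page:
            break
        for user in page:
            if user["id"] not in seen:  # tolerate overlap if data shifts
                seen.add(user["id"])
                users.append(user)
        start += len(page)  # not page_size: the server may return fewer
        if start > int(resp.get("totalResults", 0)):
            break
    else:
        raise RuntimeError("pagination did not terminate within max_pages")
    return users


if __name__ == "__main__":
    print(len(naive_fetch(make_fake_search(250), 500)), "users via naive loop")
    print(len(fetch_all_users(make_fake_search(250), 500)), "users via paging")
```

An integration that previously asked for everything in one large `count` behaves like `naive_fetch` after the cap: it returns a truncated user list without any error, which matters for jobs such as access reviews or deprovisioning that assume the list is complete.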
We are enhancing Asgardeo’s account management by introducing a feature that displays the reason for a user account lock directly within the user profile. Administrators can now view detailed explanations for locked accounts.
Additionally, in the users list, locked accounts are indicated with a lock icon. Administrators can hover over this icon to view the lock reason as a tooltip, providing an alternative way to access this information without navigating to the user profile. This feature simplifies account troubleshooting and improves efficiency, especially for administrators managing a large number of users.
Onfido, a leading identity verification service, is now integrated with Asgardeo. This allows you to securely onboard new users with end-to-end identity verification powered by Onfido, ensuring real-time validation using legal documents such as passports, driving licenses, and national IDs.
By leveraging Onfido's advanced verification technology within Asgardeo, you can strengthen fraud prevention measures, enhance compliance, and deliver a seamless user experience—all within a single platform.
We have made the following enhancements to application access tokens.
The sub claim in application tokens now uses the application's client_id rather than the application owner’s user ID. Previously, the sub claim reflected the application owner’s username. This updated behavior will apply automatically to new OIDC applications. For existing applications, you can update them via the console to adopt this latest functionality.
Application access tokens’ introspection response was enhanced by removing the username claim as this field is not relevant for machine-to-machine communication. The value of the field was previously set as the application owner's user ID. With this update, the username field will no longer be included in the token response. This change will automatically apply to new OIDC applications. Existing applications can be updated via the console to adopt this latest functionality.
Asgardeo has simplified the SSO configuration process for popular workforce SaaS applications by providing a dedicated template for each app. Our ready-to-use SSO configuration templates streamline onboarding for enterprise SaaS apps, requiring minimal setup from administrators and offering clear, step-by-step guidance for vendor-side configurations.
Get users up and running faster with secure, hassle-free SSO integration for your organization’s most trusted applications.
Until now, Asgardeo offered only organization-level branding, which restricted businesses to a one-size-fits-all approach across their applications. Recognizing the need for greater flexibility, we’ve introduced application-specific branding, allowing businesses to create unique, tailored brand experiences for each application directly through the Console. This enhancement not only elevates personalization across login portals and user interfaces but also positions Asgardeo as the go-to solution for businesses seeking to deliver impactful, differentiated user experiences.
Ideal for organizations with multiple applications, this feature strengthens user engagement through differentiated branding.
We’re excited to announce the introduction of Actions, a powerful new feature that allows you to customize specific flows in Asgardeo, such as user onboarding, login and account management, by integrating with an externally hosted HTTP endpoint. Actions enable you to modify and extend the behavior of flows to better suit your unique needs.
As the first of many extensions to come, we’ve released the Pre-Issue Access Token Action in Beta. This feature lets you modify access tokens or perform additional checks before they are issued, providing enhanced control over the token issuance process.
Stay tuned for more extensions in the future!
With this improvement, you can use your customer or partner organization user’s email in the “login_hint” query parameter to seamlessly direct users to their organization’s login page. This enhancement simplifies the login process and improves the login user experience, especially when you capture the user’s email through your own user interfaces.
We are announcing several enhancements to the httpGet and httpPost functions in the Asgardeo conditional authentication script!
With this improvement, users can now invoke APIs secured with various authentication methods, including basic authentication, API key, bearer token or client credentials grant, in a few simple steps. You just need to specify the authentication type, endpoints, and secrets to seamlessly and securely integrate external APIs into your conditional authentication workflows.
Additionally, diagnostic logs are now available to help troubleshoot failures when invoking external APIs.
We are excited to announce the introduction of passkey support for app-native authentication! With this feature, users can enjoy a faster and more secure login experience by authenticating to their mobile apps using passkeys. App-native authentication is an API-based authentication mechanism that allows developers to seamlessly integrate authentication directly within a native app's environment.
We have extended the organization filtering capabilities of Asgardeo to include meta attributes. With this enhancement, you can now filter organizations not only by attributes, such as name, ID, and parent organization name, but also by meta attributes enabling more granular and effective organization management.
We're excited to introduce rule-based password expiry! This enhancement allows administrators to set password expiration rules specifically tailored to user groups and roles, offering a more flexible and precise approach to password security. With this feature, expiration policies can be effectively targeted, ensuring the right rules are enforced for each user segment.
We are excited to announce the launch of User Impersonation, a powerful feature designed to streamline customer support, testing, and troubleshooting processes. This feature allows system administrators or support staff to temporarily access a user’s account, with the user's consent and the administrator's approval, without asking for the user's login credentials.
This feature not only enhances the support experience but also offers peace of mind, knowing that user privacy is maintained, and impersonation access is temporary, controlled, and well-audited.
We are excited to announce a significant update aimed at enhancing the security and integrity of our application and improving ongoing maintenance processes. Organizations today face constant risks from potential cyber attacks that can lead to unauthorized access to sensitive information. Such incidents jeopardize the privacy and security of both the organization and its users. To proactively mitigate these risks, we are implementing the following measures:
We are thrilled to introduce the Asgardeo On-Demand Silent Password Migration, enabling a seamless transition of your users' credentials from an existing Identity Provider to Asgardeo. As businesses evolve, organizations may need to migrate from a legacy Identity Provider to a modern solution like Asgardeo. One of the main challenges during this transition is the transfer of user credentials. Because credentials are stored differently across systems, a password stored in one system may not be directly usable in another. Asgardeo On-Demand Silent Password Migration addresses these challenges by ensuring a smooth and secure migration process.
When users log in to the application, they are redirected to the Asgardeo login screen to enter their legacy IdP credentials. If their password has not been migrated yet, Asgardeo authenticates the credentials with the legacy IdP. Upon successful authentication, the password is silently migrated, and the user is redirected back to the application, authenticated through Asgardeo.
Upgrade to Asgardeo today and enjoy a hassle-free transition with our On-Demand Silent Password Migration feature!
We are thrilled to introduce the new getMaskedValue function for Asgardeo conditional authentication scripts! This powerful addition is designed to enhance security by allowing developers to mask sensitive information, such as Personally Identifiable Information (PII), in their adaptive authentication script logs.
We’ve enhanced the configuration capabilities for the self-service portal. Now, administrators can configure the login flow with greater flexibility and share the self-service portal with B2B organizations just as seamlessly as they do with other applications in the organization.
Asgardeo now supports creating roles at the organization level, allowing shared access control across all applications within the organization. This new role management capability centralizes access control, eliminating the need to duplicate roles across multiple applications.
Our latest update introduces the capability to register Machine-to-Machine (M2M) applications, providing robust access control for non-interactive apps using the client credentials grant. This includes IoT devices, CLI tools, and more, allowing for flexible and specific access control. This enhancement enables secure machine-to-machine communication while enforcing granular access, authorization, and security requirements.
We’ve enhanced the access management capabilities of Asgardeo management APIs. With this improvement, organizations can now define fine-grained access controls for management APIs, allowing for more precise and secure management of Asgardeo resources.
Our latest upgrade contains major feature updates for the Asgardeo B2B CIAM offering, enhancing both security and user experience.
We have introduced a new API category named “Organization APIs”. These APIs simplify the management of organizational-level resources in your B2B SaaS applications with API authorization and Role Based Access Control. Now, you no longer need to create repetitive roles in each organization to manage organizational-level resources. Instead, you can simply create roles in your root organization where the B2B SaaS application is registered with organization API scopes and share them with organizations.
We are pleased to introduce the email domain-based organization discovery functionality tailored for B2B SaaS solutions. This feature facilitates seamless user routing to respective organization logins based on their email addresses.
We have now enabled seamless collaboration between parent organizations and their customer/partner organizations through the ability to invite parent organization users. Furthermore, administrators can manage the groups and roles of invited users on an organization-wide basis.
Traditionally, the branding of customer/partner organizations is inherited from the primary B2B business organization. With our latest improvements, organizations now have the freedom and flexibility to tailor their branding to better reflect their own identity and value. Whether it's adjusting logos, color schemes, or messaging, the power is now in their hands!
We have enhanced the Asgardeo Console to support seamless delegated administration for B2B organization administrators. This update enables administrators to efficiently manage and provide delegated administration within their respective organizations. By leveraging the Console, admins can streamline administrative processes, ensuring smoother operations and enhanced control over organizational management.
We have enhanced the Asgardeo MyAccount self-service portal by making it available to B2B organization users as well. If your customer or partner organizations handle user management within Asgardeo, you can utilize the enhanced out-of-the-box self-care application. Further, the MyAccount portal can be customized with the organization's branding and tailored login flows based on each organization's preferences.
Our latest upgrade contains major usability enhancements in Asgardeo Console aimed at improving your experience.
We've reimagined the ‘Organizational Settings’ and grouped them under a separate section called ‘Login and Registration’. This makes it much easier to dive into configurations like Login Identifier, Login Security, User Onboarding, and Account Recovery.
We've updated the side panel navigation, making it easier for you to access different capabilities. The ‘Administrators’ section now has its dedicated space, and ‘User Stores’ are grouped under ‘User Attributes and Stores’.
We've moved the ‘Scopes’ section inside ‘OIDC Attributes’ for your convenience.
You'll now experience Asgardeo in your chosen language effortlessly! Instead of manually selecting a language from the footer's language switcher, Asgardeo will now seamlessly adapt to your browser settings.
Documentation: https://wso2.com/asgardeo/docs/references/localization-in-asgardeo/#language-switcher
We are pleased to introduce the “Branding AI” feature, now available in Beta!
Our new “Branding AI” tool simplifies the process of creating a cohesive branding theme by automatically analyzing your website’s visual elements. This feature extracts colors, images, fonts, and styles directly from your website and uses them to craft a branding preference that aligns with your existing digital identity.
We're thrilled to introduce an exciting addition to Asgardeo in the form of Audit Logs, which are now available in Beta!
Audit logs are designed for organization owners or auditors to access and analyze vital state changes that happen to the resources they own in Asgardeo.
Upgrade your login journey with iProov's cutting-edge biometrics technology. Seamlessly integrate iProov as a multifactor authentication (MFA) option into your application's login flow, offering secure facial biometrics authentication. Elevate user experience by making login convenient and secure.
Documentation: https://wso2.com/asgardeo/docs/guides/authentication/mfa/add-iproov-login/
We are pleased to introduce the “App-Native Authentication” feature for Asgardeo. When developing applications (especially native/mobile apps), developers often want to implement login flows within the app itself, with a stronger focus on UX. To cater to this requirement, App-Native Authentication gives app developers the capability to implement a complete authentication flow within the application.
We are excited to roll out the “LoginFlow AI” feature, now available in Beta!
“LoginFlow AI” streamlines the creation of authentication sequences for your applications. By simply inputting your desired login scenario, our AI analyzes and configures the necessary authentication steps based on your specific requirements and context.
Now you can effortlessly integrate your unique user signup portal in the login screen, replacing the default Asgardeo signup. This enhancement offers you unparalleled control over your user registration journey, enabling direct management of registrations through your customized portal.
Documentation: https://wso2.com/asgardeo/docs/guides/branding/configure-ui-branding/#text-preferences
Asgardeo now directly supports your choice of SMS providers, providing another option in addition to doing so through integration with Choreo. This will allow you to plug in your favorite SMS providers as the SMS gateway with minimal configurations for Asgardeo. Asgardeo will utilize the plugged-in SMS provider for sending SMSs in all the scenarios including SMS OTP for login, recovery and for verification.
With this feature, you can plug in Twilio or Vonage as your SMS provider by just providing the proper service ID and the service secret you obtained from the respective provider. Not using Twilio or Vonage? No need to worry: with the custom SMS provider option, you can plug in any third-party SMS provider by simply providing the endpoint URL and customizing the payload in a few clicks. You can find more information about this in the Asgardeo documentation linked below.
Documentation: https://wso2.com/asgardeo/docs/guides/authentication/mfa/add-smsotp-login/#configuring-sms-providers
Get ready for a significant enhancement in your app's security and login convenience with our latest enhancement to FIDO 2.0 Passkey.
On-the-fly passkey enrollment:
Say goodbye to the hassle of navigating away from your login flow for passkey registration. With our on-the-fly passkey enrollment feature, users can now seamlessly register their FIDO 2.0 passkeys as part of the login process, enhancing convenience without sacrificing security.
Flexible passkey management:
While we're excited about the new on-the-fly enrollment capability, the trusted My Account portal for passkey registration remains available, offering flexibility and choice to users based on their preferences.
Passkey as a multi-factor authentication option:
Elevate your application's security by leveraging FIDO 2.0 Passkey as a robust MFA option. This addition not only fortifies your security posture but also provides a user-friendly authentication method that's both fast and secure.
Documentation:
Now you can conveniently onboard multiple users to the organization by adding a set of users manually or via CSV file upload.
Documentation: https://wso2.com/asgardeo/docs/guides/users/manage-customers/
In today's dynamic landscape, where users access applications from multiple devices and application instances, ensuring the security and integrity of user sessions poses a significant challenge. Traditional back-channel grant types, such as token exchange or password, often struggle to associate user sessions with specific devices or instances. Recognizing this challenge, Asgardeo has developed Client-Request Token Binding, a sophisticated solution that empowers developers to explicitly associate user sessions with specific devices or client instances. This feature offers flexibility and security, addressing a critical need in the realm of identity and access management.
Documentation: https://wso2.com/asgardeo/docs/references/app-settings/oidc-settings-for-app/#access-token
You can now easily customize the text content in login, registration and recovery screens for maximum impact.
Craft a unique brand identity by tailoring messaging to perfection. From setting the tone to offering precise instructions, our intuitive customization tools put you in control. Personalize crucial screens effortlessly with customization options for common, login, OTP, sign up, and recovery screens.
Documentation: https://wso2.com/asgardeo/docs/guides/branding/configure-ui-branding/#text-preferences
Now you can experience Asgardeo's SMS OTP as your first-factor authentication option, simplifying application access without the burden of password memorization.
Documentation: https://wso2.com/asgardeo/docs/guides/authentication/passwordless-login/add-passwordless-login-with-sms-otp
Get ready to elevate your application's login flow to new heights with our latest innovation – the Sign-in Method Visual Editor. This groundbreaking tool empowers users to effortlessly craft visually appealing and efficient login experiences. Here's what you can expect from this exciting update:
Dive in and unlock the full potential of the Sign-in Method Visual Editor. Your application's login flow has never looked better.
Documentation Link: https://wso2.com/asgardeo/docs/guides/authentication/conditional-auth/configure-conditional-auth/#enable-conditional-authentication
With this latest update, we've reimagined the Asgardeo Console's navigation structure. We've transformed it from a flat structure into a highly organized one, eliminating the need for endless scrolling to locate specific features. This enhancement ensures a more intuitive and optimal user experience, making it easier than ever to access the full range of Asgardeo Console capabilities.
Our latest upgrade empowers you to delve deeper into user login insights by introducing two powerful filters:
Connection Type: Tailor your analysis by filtering logins based on the user's chosen authentication method. For instance, you can select 'Google' to uncover insights specific to users who logged in using their Google credentials.
Connection ID: Fine-tune your insights by filtering logins based on the unique UUID of the connection used during the login process. With these enhanced filters, you'll gain a more comprehensive understanding of user logins and their associated authentication methods, allowing you to make data-driven decisions with precision.
Documentation Link: https://wso2.com/asgardeo/docs/guides/organization-insights/#filter-insights
We've taken our Asgardeo Token Exchange grant type to the next level by adding robust support for refresh tokens. Now, in scenarios where the client of the token exchange requires ongoing access to a resource, even after the original credentials have expired, you can seamlessly obtain a refresh token.
Documentation Link: https://wso2.com/asgardeo/docs/guides/authentication/configure-the-token-exchange-flow/#enable-token-exchange-in-your-app
With this exciting update, we're introducing powerful capabilities that redefine the way you handle idle accounts.
Expanded Remote Userstore Integration: Our Idle Account Identification API response now brings you a comprehensive view by including inactive users from remote userstores. Gain deeper insights into account activity across your entire network, all within a single, unified interface.
Unparalleled Sub-Organization Level Insights: We've taken it a step further! Not only can you now identify idle accounts across your primary organization, but our extended capabilities also cover sub-organization-level users. Seamlessly manage and maintain account activity across various hierarchies with utmost ease.
Documentation: https://wso2.com/asgardeo/docs/apis/idle-account-identification/
Sub-org API documentation: https://wso2.com/asgardeo/docs/apis/organization-management/idle-account-identification/#/
We are excited to announce the launch of a new feature for Asgardeo organization admins: login and registration insights. This feature provides admins with valuable insights into the login and registration activities of the users in their organizations.
With login and registration insights, admins can:
To access the login and registration insights feature, organization admins can log in to the Asgardeo console and click on the "Insights" tab. Visit our documentation for a detailed guide.
Note: The organization insights feature is currently in beta, so only a predefined set of filters are available. We plan to add more insights and filters in the near future.
Documentation Link: https://wso2.com/asgardeo/docs/guides/organization-insights/
We're excited to announce that now, customers/partners can seamlessly self-subscribe to B2B applications and effortlessly create their sub-organizations. With this enhancement, we put the power in your hands, making the onboarding process quick and convenient, adhering to your specific needs.
Key Features:
Benefits of the Approaches:
Choose the Approach that Suits You: Both approaches have their merits, and we offer the flexibility to choose the one that aligns best with your organizational structure and processes.
We're thrilled to announce an upgrade to the Asgardeo My Account application - introducing our brand-new, ultra-responsive Oxygen UI! This update is designed to provide you with a smoother experience that is consistent with the new console design.
The Asgardeo console just got a major upgrade with our brand-new, lightning-fast Oxygen UI! Get ready for a seamless and breezy user experience like never before. But that's not all, we have even more exciting tweaks and upgrades planned in the coming months. Stay tuned!
OxygenUI project link: https://wso2.github.io/oxygen-ui/
Introducing Asgardeo's email OTP as your first-factor authentication option! Say goodbye to password headaches and enjoy a hassle-free login experience. Check out our documentation to learn how to enable this feature in your consumer-facing applications and elevate your security game!
Introducing powerful enhancements in Asgardeo for seamless API authorization and robust application role management in B2B organizations! Here's what you can do now:
Experience enhanced control and collaboration with Asgardeo's latest feature update!
Application roles for shared applications -
Role assignments in sub-organization -
We're excited to announce that Asgardeo organization admins now have the power to customize email notification templates directly from the user interface (UI). This update empowers admins to tailor their organization's email communications to meet specific needs and preferences.
Key features of this update include
Customize email templates effortlessly and deliver a tailored communication experience to your users with Asgardeo's enhanced email template customization.
Documentation Link: https://wso2.com/asgardeo/docs/guides/branding/customize-email-templates/#customize-email-content
We're excited to announce that Asgardeo now offers a seamless way to retrieve your user profile data, including linked account details, in compliance with privacy guidelines. By utilizing the MyAccount and self-service API, you can conveniently access your information in a JSON file format.
Key benefits of this update include
Experience the convenience and privacy of accessing your user profile data with Asgardeo.
Export profile information via My Account: https://wso2.com/asgardeo/docs/guides/your-asgardeo/asgardeo-self-service/#export-profile-information
Self-service API Documentation for admin users: https://wso2.com/asgardeo/docs/apis/administrators/export-admin-info/#/paths/me/get
Self-service API Documentation for business users: https://wso2.com/asgardeo/docs/apis/register-mfa/export-user-info/#/paths/me/get
We are thrilled to announce that Asgardeo now offers comprehensive support for the API Authorization and Application Roles Management capabilities in B2E applications.
Key features -
API Authorization - https://wso2.com/asgardeo/docs/guides/api-authorization/
Assigning application roles to groups - https://wso2.com/asgardeo/docs/guides/users/manage-groups/#assign-grops-to-application-roles
We are delighted to introduce the new multi-level organization creation feature, designed specifically for businesses with hierarchical models. With this capability, Enterprise-B2B subscribers can now create nested sub-organizations, enabling a more dynamic and structured organization hierarchy.
Key features of this update include:
Please note that this feature is exclusively available to our Enterprise-B2B tier subscribers, providing them with advanced organization management capabilities. Take advantage of this powerful feature to enhance your organizational structure and optimize your business operations.
With this functionality, administrators can configure their preferred SMTP providers with ease, granting them the ability to send emails related to business user flows directly from their preferred email provider. This will allow your organization to streamline the email management workflow and use your own email domain for better branding presence.
Configuration documentation can be found here.
We have recently made improvements to the Asgardeo application login process by introducing backup code authentication for business users. Previously, only administrator users had access to backup codes via My Account. Now, business users can also generate, regenerate, and remove backup codes from their self-service (My Account) portal.
For steps on how to enable this feature, check the Enable TOTP for app section in the online documentation.
We are excited to announce the availability of Asgardeo organization UI branding configurations to apply on the My Account app.
Previously, organizations could leverage the branding feature to create a consistent look and feel for user login across applications. Now, we have extended the same capability to the organization's My Account, ensuring a unified branding experience throughout your users' journey.
If you are not familiar with how organization branding is configured, you can check the online guide for details.
Asgardeo has made enhancements to its business user registration process, introducing a new feature that allows organizations to register users with non-email alphanumeric usernames. Unlike the previous requirement of an email address, business users can now easily sign up with a simple alphanumeric username. This improves the accessibility of our platform, extending it to business users who may not have an email address.
For additional information on how to configure, see the online documentation.
We have onboarded HYPR as a passwordless authentication option for Asgardeo. This enables organization administrators to add HYPR as an authentication option for their business applications, allowing end users to log in to business apps using HYPR’s passwordless authentication. This authentication approach replaces passwords with biometric-based authentication using personal devices such as smartphones, providing enhanced security and a convenient user experience.
Documentation: https://wso2.com/asgardeo/docs/guides/authentication/passwordless-login/add-passwordless-login-with-hypr/
Along with this feature, four new languages are available as supported translations for user Login and Registration pages:
For additional information on languages and localization, see the online documentation.
And we look forward to continuing to improve Asgardeo for our users around the world!