Identity Provider

New features

Support for Microsoft External Authentication Methods (EAM)

Adds support for Microsoft External Authentication Methods (EAM) when the IdP is used together with Access Gateway. With EAM, Entra ID hands the multi-factor step of a sign-in to an external provider, so Entra ID Conditional Access policies that require MFA can be satisfied with Pointsharp Access Management authentication methods rather than Microsoft's own.

Identity Broker — Login from client certificate

Introduces a new Identity Broker that reads user data from the client certificate presented at login and either creates a Keycloak identity from it or links it to an existing one, enabling certificate-based SSO flows.

SAML — Set authentication context reference

Allows administrators to set the authentication context class that the IdP places in SAML assertions (the AuthnContextClassRef element inside AuthnContext), so that a service provider can check that the user authenticated with the class it requires instead of trusting any successful sign-in.
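The service-provider side of that check, as an added example that is not Pointsharp code: the assertion is constructed for the example and unsigned, the class URIs are the standard SAML 2.0 ones, and the SP's accepted set is an assumption of the example. A real SP verifies the XML signature, audience and validity window before it reads the authentication context.

```python
# Added example (not Pointsharp code): the service-provider side of an
# AuthnContextClassRef check. The assertion below is constructed for the
# example and is unsigned; a real SP must verify the XML signature and
# the Conditions/Audience before it looks at anything else.
import xml.etree.ElementTree as ET
from typing import Iterable, Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Standard SAML 2.0 authentication context class URIs.
PASSWORD_PROTECTED_TRANSPORT = (
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
)
MOBILE_TWO_FACTOR_CONTRACT = (
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract"
)


def build_assertion(authn_class: Optional[str]) -> str:
    """Constructed sample assertion. With authn_class=None the IdP omitted the
    AuthnContext element entirely, which an SP should treat as a failure."""
    context = ""
    if authn_class is not None:
        context = (
            "<saml:AuthnContext><saml:AuthnContextClassRef>"
            f"{authn_class}"
            "</saml:AuthnContextClassRef></saml:AuthnContext>"
        )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_example-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        "<saml:Issuer>https://idp.example.com</saml:Issuer>"
        "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>"
        '<saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">'
        f"{context}"
        "</saml:AuthnStatement>"
        "</saml:Assertion>"
    )


def authn_context_class(assertion_xml: str) -> Optional[str]:
    """Return the AuthnContextClassRef URI, or None if it is missing or empty."""
    root = ET.fromstring(assertion_xml)
    ref = root.find(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", SAML_NS
    )
    if ref is None or not (ref.text or "").strip():
        return None
    return ref.text.strip()


def meets_required_context(assertion_xml: str, accepted: Iterable[str]) -> bool:
    """Accept the assertion only if its class is one the SP explicitly allows.
    A missing class is rejected. SAML defines no ordering of class strength,
    so an explicit allow-set is safer than any greater-than comparison."""
    acr = authn_context_class(assertion_xml)
    return acr is not None and acr in set(accepted)


if __name__ == "__main__":
    mfa_only = {MOBILE_TWO_FACTOR_CONTRACT}
    for label, assertion in [
        ("two-factor", build_assertion(MOBILE_TWO_FACTOR_CONTRACT)),
        ("password", build_assertion(PASSWORD_PROTECTED_TRANSPORT)),
        ("no context", build_assertion(None)),
    ]:
        print(f"{label:12s} accepted={meets_required_context(assertion, mfa_only)}")
```

The check is written as an allow-set on purpose: an assertion with no AuthnContext, or with a class the SP has not listed, is rejected rather than treated as "good enough".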

SAML — Group-based authorization

Enables access control for SAML service providers directly in the IdP based on group membership:

  • Define groups that are explicitly allowed.

  • Define groups that are denied (deny rules take precedence over allow).

  • Display a customizable error page when access is denied, with optional link and automatic redirect to a configured URL.

Support for roles and functional accounts

Adds support for users who have access to multiple accounts (for example, employee, consultant, or functional accounts). When the incoming username maps to multiple accounts through a configurable directory attribute, the user is prompted to select which account to proceed with, so functional identities no longer need a shared password.

Multi-method choice and FIDO support

Improves the login experience with better support for selecting between multiple authentication methods, including FIDO, within the IdP.

BankID — Updated QR flow

Updates the BankID QR code flow and animations to the latest specification, improving the user experience and compatibility.

Improvements

Improved support for Entra ID tenant federation

Improves Entra ID tenant federation support by allowing Pointsharp IdP modules (primarily SSO) to transform an IdP user attribute into Entra ID’s immutable ID and store it in an attribute that can be exposed as a claim.
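One way such a transform can look, as an added example that is not Pointsharp code and does not describe how the SSO module itself is implemented: it assumes the source attribute is the AD objectGUID and that the transform is the one Entra Connect uses, base64 of the 16 raw objectGUID bytes. The claim names follow Microsoft's documentation for SAML 2.0 federation with Entra ID (NameID and the ImmutableID claim carry the same value, IDPEmail carries the UPN); the user record is constructed for the example.

```python
# Added example (not Pointsharp code) of one way the transform could work.
# Assumption: the IdP attribute is the AD objectGUID and the transform is the
# Entra Connect convention, base64 of the 16 raw objectGUID bytes. The user
# record and attribute names below are constructed for the example.
import base64
import uuid
from typing import Dict, Union

# Claim URI Entra ID expects the ImmutableID under in a federated SAML token.
IMMUTABLE_ID_CLAIM = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"


def immutable_id_from_object_guid(object_guid: Union[bytes, str]) -> str:
    """Base64 of the raw objectGUID bytes as stored in AD.

    AD tools display objectGUID as a text GUID whose first three fields are
    little-endian on the wire; uuid.bytes_le reproduces that byte order, so
    the text form and the raw LDAP value encode to the same ImmutableID."""
    if isinstance(object_guid, str):
        raw = uuid.UUID(object_guid).bytes_le
    else:
        raw = bytes(object_guid)
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return base64.b64encode(raw).decode("ascii")


def entra_federation_claims(user: Dict[str, Union[bytes, str]]) -> Dict[str, str]:
    """Claims an SSO module would expose for Entra ID tenant federation.

    Entra ID matches the SAML NameID (persistent format) and the ImmutableID
    claim against the user's onPremisesImmutableId, so both carry the same
    value; a mismatch means the federated user is simply not found."""
    immutable_id = immutable_id_from_object_guid(user["objectGUID"])
    return {
        "NameID": immutable_id,
        IMMUTABLE_ID_CLAIM: immutable_id,
        "IDPEmail": str(user["userPrincipalName"]),
    }


if __name__ == "__main__":
    # Constructed sample user; the GUID is made up.
    sample = {
        "objectGUID": "12345678-1234-5678-1234-567812345678",
        "userPrincipalName": "alice@example.com",
    }
    for name, value in entra_federation_claims(sample).items():
        print(f"{name}: {value}")
```

The byte-order point is the one that bites in practice: encoding the text GUID as big-endian bytes produces a valid-looking but different ImmutableID, and Entra ID then rejects the user as unknown.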

Login theme — Client compatibility

Updates the login theme to better support built-in browser engines used by operating systems, VPN clients, and desktop clients that may have older script engines.

BankID — Improved user mapping

Enhances BankID authentication so that a user must already exist in the user database. The IdP searches a configured attribute for the identity returned by BankID, sets the matching user as the current user in context, and no longer creates new user objects from BankID sign-ins; a BankID sign-in with no matching user is therefore not completed.