New features
- 2026-05-20 New feature: filter holder groups at the IdP login
- 2026-05-20 New feature: set password when enabling an account
2026-05-20 New feature: filter holder groups at the IdP login
The new feature
From now on, service providers that have selected the “Ask for group membership after authentication” option can filter which holder groups are selectable, using the attribute "Script to filter out group memberships".
Bear in mind
Please note the following points:
- The holder groups must be correctly configured in Soffid.
- If there is only one possible holder group, it is selected automatically and is not displayed to the user.
How to configure it?
The following components must be installed:
- Addon federation 4.0.25 (or higher)
Let's look at an example
Let’s look at an example. Here we have the user "user4", who has already set up the holder groups.
We have a service provider for which the option "Ask for group membership after authentication" was already selected.
The holder groups have several custom attributes (startDate, endDate and status).
We now want to filter the holder groups by the attribute status, keeping those with the value Active.
So we're going to create a script in the "Script to filter out group memberships" attribute of the service provider.
This is the script.
// Return the groups whose "status" attribute has the value "Active"
//
l = new java.util.ArrayList();
lug = serviceLocator.getGroupService().findUsersGroupByUserName(user.userName);
for (i=0; i<lug.size(); i++) {
    ug = lug.get(i);
    if (ug.attributes!=null &&
        ug.attributes.get("status")!=null &&
        "Active"===ug.attributes.get("status"))
    {
        l.add(ug.group);
    }
}
return l;
Please note that if the script fails or is not configured correctly, the holder groups page will not be displayed.
Now, to test it, we’ll log in to the application (the service provider); these are the IdP’s login pages.
2026-05-20 New feature: set password when enabling an account
The new feature
Now, when an account is disabled, its password is deleted. If the user changes their password afterwards, the disabled account will still have no password. When the disabled account is enabled again, the account's agent sets the account's password to the password of the password domain and sends it to the target system.
Bear in mind
Please note the following points:
- The user's password domain will have a value once at least one password has been assigned.
- The account must be a single-user account; these are the ones that can be viewed in a user’s accounts tab.
How to configure it?
The following components must be installed:
- Console 4.0.57 (or higher)
- Syncserver 4.0.35 (or higher)
- SAP plugin 4.0.2 (or higher)
Let's look at an example
Let’s look at an example. Here we have the user "ethan_miller", to whom we are going to assign the password "Dummy01.".
You can check your password on the "My accounts" page by clicking "View password" for the "app-demo" account.
Now let's disable the "app-demo" account.
Check the password again; it must be empty.
We are going to assign a new password, "Dummy02.".
The other account has the new password.
Enable the "app-demo" account.
Check the account with the new password.
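The walkthrough above, replayed against a small state model of the rules this section describes. This is an added example, not Soffid code: the class and method names and the account name "other-account" are constructed, and the model assumes that an enable leaves the password empty when the account is not single-user or the password domain has no value yet.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:
    name: str
    single_user: bool = True        # only single-user accounts get a password on enable
    enabled: bool = True
    password: Optional[str] = None  # None models "no password"

@dataclass
class UserModel:
    """Toy model of one user in one password domain (assumption, not Soffid's API)."""
    domain_password: Optional[str] = None  # empty until a first password is assigned
    accounts: dict = field(default_factory=dict)

    def add(self, account: Account) -> None:
        self.accounts[account.name] = account

    def set_password(self, value: str) -> None:
        # A password change reaches enabled accounts only.
        self.domain_password = value
        for acc in self.accounts.values():
            if acc.enabled:
                acc.password = value

    def disable(self, name: str) -> None:
        acc = self.accounts[name]
        acc.enabled = False
        acc.password = None  # disabling deletes the account's password

    def enable(self, name: str) -> None:
        acc = self.accounts[name]
        acc.enabled = True
        # The domain's current password is applied, never the one held before disabling.
        if acc.single_user and self.domain_password is not None:
            acc.password = self.domain_password

def walkthrough() -> list:
    """Replays the page's example; returns app-demo's password after each step."""
    user = UserModel()
    user.add(Account("app-demo"))
    user.add(Account("other-account"))  # constructed name for "the other account"
    seen = []
    user.set_password("Dummy01."); seen.append(user.accounts["app-demo"].password)
    user.disable("app-demo");      seen.append(user.accounts["app-demo"].password)
    user.set_password("Dummy02."); seen.append(user.accounts["app-demo"].password)
    user.enable("app-demo");       seen.append(user.accounts["app-demo"].password)
    return seen
```

The returned list can serve as the expected sequence when checking a test environment by hand: the old password never reappears on the re-enabled account.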