New features
- 2026-05-20 New feature: clear and set passwords
- 2026-05-20 New feature: filter holder groups at the IdP login
2026-05-20 New feature: clear and set passwords
The new feature
From now on, passwords for disabled accounts will be cleared and we will set them up again when the account is reactivated.
This new feature consists of two steps:
- Clearing the password in Soffid when an account is no longer active.
- Resetting the password in Soffid when an account is reactivated.
Bear in mind
To understand this behaviour, it is necessary to bear in mind several concepts within Soffid:
- The password is updated in Soffid within the user’s password domain, and the password domain is responsible for replicating the new password across all of the user’s accounts belonging to the same password domain.
- The password is cleared only for the account, not for the user's password domain.
- Whether the cleared or reset password is synchronised to the end system depends on Soffid’s synchronisation engine and the agent’s configuration: the engine should be set to automatic, the agent should be enabled and set to write mode, and there should be no preUpdatePassword trigger blocking the change.
- When the account is reactivated, the password can be set up again because it exists in the password domain.
How to configure it?
The following components must be installed:
- Console 4.0.57 (or higher)
- Syncserver 4.0.35 (or higher)
From these versions onwards, this new feature will run automatically.
Let's look at an example
Let’s look at an example with the agent app-demo connected to a small database.
We have the user david_wilson with accounts on several systems, one of them app-demo.
First, we set the password to Dummy01.
We confirm that the password has been updated directly on the end system (the database).
Now we disable the account and confirm that the password has been cleared.
TODO
Finally, we reactivate it and confirm that it has been reset correctly.
TODO
2026-05-20 New feature: filter holder groups at the IdP login
The new feature
From now on, service providers that have the “Ask for group membership after authentication” option selected will be able to filter which holder groups are selectable, using the attribute "Script to filter out group memberships".
Bear in mind
Please note the following points:
- The holder groups must be correctly configured in Soffid.
- If there is only one possible holder group, it is selected automatically and is not displayed to the user.
How to configure it?
The following components must be installed:
- Addon federation 4.0.25 (or higher)
Let's look at an example
Let’s look at an example. Here we have the user "user4", who already has holder groups set up.
We have a service provider that already has the option "Ask for group membership after authentication" selected.
The holder groups have several custom attributes (startDate, endDate and status).
We now want to filter the holder groups by the status attribute, keeping those with the value Active.
So we're going to create a script in the "Script to filter out group memberships" of the service provider.
This is the script.
    // Return the groups whose "status" attribute has the value "Active"
    //
    l = new java.util.ArrayList();
    lug = serviceLocator.getGroupService().findUsersGroupByUserName(user.userName);
    for (i=0; i<lug.size(); i++) {
        ug = lug.get(i);
        if (ug.attributes!=null &&
            ug.attributes.get("status")!=null &&
            "Active"===ug.attributes.get("status"))
        {
            l.add(ug.group);
        }
    }
    return l;
Please note that if the script fails or is not configured correctly, the holder groups page will not be displayed.
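Because a failing script hides the holder groups page, the filter logic is worth exercising offline first. The following is an added example, not Soffid code: a stand-alone JavaScript model that extends the status filter with the startDate/endDate attributes mentioned above and skips a malformed membership instead of throwing. It assumes dates are ISO "YYYY-MM-DD" strings and that a missing date means no bound; the function names and sample memberships are constructed for illustration.

```javascript
// Added example: stand-alone model of a holder-group filter (not Soffid code).
// Each membership mirrors the shape used by the script above:
//   { group: <name>, attributes: { status, startDate, endDate } }
// Assumption: dates are ISO "YYYY-MM-DD" strings; a missing date means "no bound".
const DAY_MS = 24 * 60 * 60 * 1000;

function parseDay(value) {
  if (value === null || value === undefined || value === "") return null;
  const t = Date.parse(String(value) + "T00:00:00Z");
  if (Number.isNaN(t)) throw new Error("unparseable date: " + value);
  return t;
}

function isSelectable(membership, now) {
  const attrs = membership.attributes;
  if (!attrs) return false;                              // no attributes: not selectable
  // Coerce so the comparison does not depend on the value's runtime type
  if (String(attrs.status) !== "Active") return false;
  try {
    const start = parseDay(attrs.startDate);
    const end = parseDay(attrs.endDate);
    if (start !== null && now < start) return false;     // not valid yet
    if (end !== null && now >= end + DAY_MS) return false; // expired (end day inclusive)
    return true;
  } catch (e) {
    return false;                // malformed date: drop this group, keep the rest
  }
}

function filterHolderGroups(memberships, now) {
  const selected = [];
  for (const m of memberships || []) {
    if (isSelectable(m, now)) selected.push(m.group);
  }
  return selected;
}

// Constructed sample memberships
const SAMPLE = [
  { group: "hr", attributes: { status: "Active", startDate: "2026-01-01", endDate: "2026-12-31" } },
  { group: "finance", attributes: { status: "Inactive" } },
  { group: "it", attributes: { status: "Active", endDate: "2026-03-31" } },
  { group: "legal", attributes: { status: "Active", startDate: "not-a-date" } },
  { group: "ops", attributes: null },
  { group: "sales", attributes: { status: "Active" } },
];
const NOW = Date.parse("2026-05-20T12:00:00Z");
console.log(filterHolderGroups(SAMPLE, NOW));
```
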
Now, to test it, we’ll log in to the application (the service provider), and these are the IdP’s login pages