Upcoming Releases

PM-16894 – Dynamic Role Management with Fine-Grained Access Control

The Axiad Conductor Role Management framework now supports fine-grained access control with dynamic, rule-based role assignment and context-aware scoping using attribute-driven logic. Administrators can define Role Mapping Rules (which users receive a given role, based on SCIM attributes, directory attributes, or group membership), Scope Rules (which users an operator role grants access to manage), and Priority values that control evaluation order when multiple rules apply. Key capabilities include logical AND/OR operators for complex rule criteria, automatic rule evaluation at login for real-time role and scope assignment, manual assignments that override rule-based assignments, and an updated permission model that prevents self-privileged actions.

PM-18624 – FIPS 140-3 Level 3 HSM Support for Thales IDPrime MD 830/MD831 and Virtual Smart Card Operations

Axiad Conductor now supports FIPS 140-3 Level 3 Hardware Security Modules for Thales IDPrime MD 830/MD831 and Virtual Smart Card credential flows. Legacy 3DES/TDES cryptographic operations have been eliminated and replaced with AES-based key derivation, bringing these card types into compliance with current FIPS standards. Existing Thales IDPrime MD 830/MD831 and Virtual Smart Card devices remain fully operational through a backward-compatible fallback mechanism. New Virtual Smart Cards use AES-based key derivation and are fully FIPS 140-3 compliant. Thales IDPrime MD 830/MD831 hardware does not support AES, so issuance of new cards of this type will no longer be supported after the migration is complete.

PM-18314 – Globally Unique Card Identification (CUUID) for IDEMIA OCSv8

IDEMIA OCSv8 cards can now be identified using CUUID (a globally unique identifier per physical card) instead of the legacy CUID derived from CPLC. Because CUID is not guaranteed to be unique across cards, customers issuing IDEMIA OCSv8 at scale could occasionally encounter collisions during enrollment; CUUID eliminates this class of issue. A new Legacy Unique Identifier (CUID) checkbox has been added to the OCSv8 Credential Profile configuration: existing Credential Profiles have it checked by default (legacy CUID behavior preserved); new OCSv8 Credential Profiles have it unchecked by default (new enrollments use CUUID). The toggle is one-way — once a Credential Profile is saved in CUUID mode it cannot be reverted to legacy CUID mode. When CUUID mode is enabled, card-present interactions perform CUUID-first resolution with CUID fallback to preserve compatibility with existing inventory.

PM-16556 – Virtual Smart Card 6-Character Minimum PIN

The Virtual Smart Card (VSC) Credential Profile now supports a minimum PIN length of 6 characters (previously restricted to 8), aligning VSC PIN policy with other device types and supporting Windows compatibility scenarios.

Prerequisites: Conductor OS Bridge v1.9.0 or later and Conductor Browser Extension v1.9.0 or later. Both components must be upgraded for 6-digit PIN issuance to work end-to-end. Existing Credential Profiles configured with PIN length 8 or above are unaffected.

PM-16451 – Secure, Privacy-Preserving Self-Service Account Recovery

A public, unauthenticated recovery entry point allows users to securely initiate account recovery without revealing whether an account exists. Users submit a configured identifier and, if valid, receive an email that triggers a standard Axiad Confirm identity verification flow. The experience is intentionally privacy-preserving: the same response is shown regardless of identifier validity, preventing account enumeration. Upon successful verification, users can recover access through administrator-defined mechanisms (such as temporary access credentials or password resets), with all expiration, retry limits, and verification rules enforced by existing Confirm configurations.

PM-16470 – Active Directory Parity for Axiad Confirm

Axiad Confirm now supports Active Directory as a first-class identity source, achieving functional parity with Entra ID where technically feasible. Administrators can configure AD as a direct datasource integration, map attributes, and use AD-sourced users across Confirm onboarding, verification, and recovery workflows. Where permitted, workflows can generate Temporary Access Passes for Entra-synced users and reset Active Directory passwords, including enforcing password policy and "change at next logon" behavior.

PM-16463 – Help Desk Visibility and Control Over Identity Verification State

Help Desk operators now have actionable visibility into a user's identity verification (IDV) status directly from the Unified Portal's User Details page. Operators can view current IDV state, initiation and completion timestamps, and — based on permissions — take controlled actions such as initiating verification, reconfirming identity, or deleting confirmation data. All actions are fully audited.

PM-16459 – Workflow-Driven Identity Verification Outcomes in Conductor

Conductor workflows can now natively incorporate Axiad Confirm with configurable post-verification outcomes, turning identity verification into an enforceable, reusable workflow primitive rather than a one-off step. Administrators can enable Confirm per workflow, define success/failure messaging, and configure post-verification actions such as generating Temporary Access Credentials or issuing initial Active Directory passwords. These actions can be combined and tailored per workflow type, allowing identity verification to directly drive secure onboarding, recovery, and access enablement.

PM-17945 – Always Redirect to IdP on Expired SSO Session

When a user's SSO session expires inside the Unified Portal, UP now consistently redirects them to the configured Identity Provider for re-authentication and returns them to the screen they were on. This applies to GET, POST, PATCH, and GraphQL calls (including credential search), removing prior cases where an expired session surfaced as an error or stale state instead of a clean re-auth.

PM-19136 – Configurable Master Key for Virtual Smart Card Offline PUK Generation

The Virtual Smart Card (VSC) Credential Profile now exposes a new Offline unlock key option that controls which master customer-admin key is used to generate the PUK for the offline unlock challenge/response flow. The option is only presented and applied when both a TDES master customer-admin key and an AES master customer-admin key are configured on the Credential Profile, and accepts two values: AES (default, preserves existing behavior) and TDES (uses the TDES-derived customer-admin key to generate the PUK). Credential Profiles configured with only one master key are unaffected, and existing Credential Profiles continue to behave as before until the new option is set.

PM-17425 – Default Country Fallback for Identity Verification

A new Default Country field has been added to the Verification Server configuration (Configuration > Verification Server). Administrators can define an organization-wide fallback country using a 3-letter ISO 3166-1 alpha-3 country code (e.g., USA, GBR, DEU), eliminating identity verification failures for users who are missing a country attribute in their profile.

PM-17220 – Branding-Based Table Column Visibility

The Unified Portal now supports configuring default table column visibility through branding.json. Administrators can define which columns are shown or hidden by default for each table across the portal, enabling a tailored interface experience aligned with organizational preferences.

PM-16181 – Selective SID/Custom SID per Certificate Type

It is now possible to configure, for each certificate type, whether to include the SID X.509 extension, which directory/SCIM attribute to use for its value, and whether that attribute is mandatory or optional.

PM-16832 – Intermittent Null-Pointer Error During Certificate Issuance.

Resolved an intermittent problem which previously led to null-pointer errors during certificate issuance.

PM-19109 – EJBCA Credential Server Authority ID Not Preserved.

Resolved an issue where the Authority ID value was not preserved when editing an EJBCA Credential Server configuration, and could appear pre-populated when creating a new EJBCA Credential Server. The Authority ID now persists exactly as entered and is empty by default for new configurations.

PM-16667 – PIN Length Exceeded Policy Maximum.

Resolved an issue where users could enter PINs exceeding the maximum length defined in the PIN Policy, causing verification failures.

PM-18041 – Axiad ID iOS Credential Profile Save Error.

Resolved an issue where the Axiad ID iOS Credential Profile could not be saved because a permission validation failure and a duplicate name conflict occurred simultaneously.

PM-17674 – FIDO2 Credential Issuance Reported a Spurious Error.

Resolved an issue where FIDO2 credential issuance failed with the error "The Identity Provider was unable to process the request," preventing the credential from appearing under the user's identities even when the underlying registration in Entra ID had completed.

PM-17596 – FIDO2 / Passkey Registration Reported a Spurious Error.

Resolved an issue where FIDO2 / Passkey registration failed with the error "The Identity Provider was unable to process the request," even when the passkey was successfully registered in Entra ID. The credential was not being reflected in the My Identities view.

PM-15972 – IDEMIA Legible ID Mismatch on Enrollment.

Resolved an IDEMIA Legible ID mismatch that caused enrollment failures.

PM-17150 – Refreshing the Unified Portal Returned a Forbidden Error.

Resolved an issue where refreshing the Help Desk page incorrectly showed a "Forbidden" error. The page now reloads smoothly and works as expected.

PM-17153 – Help Desk Portal Missing or Unexpected UI Elements.

Resolved an issue in the Help Desk Portal where some expected UI elements were missing and others appeared unexpectedly. The page now displays clearly and works as intended.

PM-17866 – Internal Logging Component Upgrade.

Upgraded the internal logging component to a newer, more secure version. This update strengthens overall system security and helps protect customers.