PAS 6.1.0

: 10 November 2025

Greater clarity, control and confidence for modern IAM

We’re thrilled to announce the release of PAS 6.1.0, building on the major technical foundation from version 6.0 with smarter tools that make identity management more transparent, flexible and intuitive than ever.

This release transforms core areas of the platform: SAML metadata handling, ADCS workflows, authentication logic and overall configuration visibility. The result is a simpler, clearer and more powerful administrator experience.

A new era of SAML Metadata management

In PAS 6.1.0, we introduce a completely rebuilt engine for SAML metadata handling. The goal is simple: more transparency, more control and fewer limitations.

Highlights:

Full metadata status page in the admin GUI
See overall SAML module status, detailed metadata source status, load times, validity windows and more.
Per-entity insights
Understand which repositories have loaded a specific entity, certificate expiration details and additional metadata signals.
Advanced configuration options
Custom refresh intervals, cache durations, validity enforcement and signature rules.
Metadata Repositories
Configure subsets of trusted metadata tailored for specific integrations.
Direct trusted entity configuration
Add individual SAML entities even without a file or URL source.
New metrics for even deeper operational insight.

New valves for seamless ADCS integration

A frequently requested capability is now here: smoother integration with ADCS directly inside your pipes. PAS 6.1.0 adds several new valves that enable certificate generation workflows, including PDF signing scenarios.

New valves:

AdcsRequestCertificateValve
CSRGeneratorValve
DNCombinerValve
KeyPairGeneratorValve
PKCS12GeneratorValve
PKCS12ToTemporaryKeystoreValve

An example configuration demonstrating PDF signing with ADCS-generated certificates is now available.

Smarter Selectors, Dispatch and SSO

This release brings powerful new conditional logic to authentication selectors, making it easier to build dynamic user journeys and fine-tune SSO behavior.

New capabilities:

Expression-based conditions controlling which authentication options appear
Shorthand rules for allowed issuers (SPs, RPs, etc)
forceAuth and useAssertionProfile support in both Selectors and Dispatch
Improved SSO logic ensuring SSO only triggers when the original authentication method is available

Example configurations, including LoA-based SSO flows, are now included in the documentation.

Interactive authentication flowcharts

Complex authentication sequences can be difficult to visualize. PAS 6.1.0 solves this with interactive flowcharts directly in the configuration GUI.

You can now:

See full authentication flows at a glance
Drill into sequences, branches and sub-flows
Print complete flowcharts (including sub-charts) as PDFs
Access this visualization at each SAML IdP, OIDC Provider and internal auth endpoint

This gives administrators a clearer understanding of how everything fits together.

Additional improvements

PAS 6.1.0 includes a long list of enhancements across the admin GUI, authentication frontend, SAML, OIDC, certificate handling and more. A few highlights:

Upload new certificates directly to existing keystores in the WebUI
New PropertyExtractValve for RegEx-based property extraction
New internal signature flows for internal auth endpoints
Updated guides, including a new PRISM FedSigning configuration scenario
Configurable client authentication methods in RPBroker
Improved frontend accessibility, icons and focus states
Updated default BankID API version to 6.0
Extended handling of OneID, Nias, Freja and mobile authenticator flows

A full list of improvements is available in the release notes below.

Bug fixes

This release also resolves issues across mobile authenticators, admin GUI, OIDC discovery, SAML flows, legacy browser handling, keystore inspection and more. The fixes ensure greater stability and a smoother user experience.

Included improvements and fixes from PAS 5.1.9

PAS 6.1.0 also includes all improvements and bug fixes from PAS 5.1.9, such as:

Better UX for relay session login
EC key support in OIDC integrations
Updated OneID logo
Stability improvements in DynamicAuthenticator, legacy relay, and OIDC discovery
Fixes for SMS/Mail OTP masking, Freja OrgID, WindowsSSO fallback and more

See the full list in the detailed notes below.

Summary

PAS 6.1.0 expands the capabilities introduced in PAS 6.0 and brings major upgrades to metadata handling, authentication visualization, selector logic and ADCS workflows. With clearer insight, stronger control and improved user experience, this release helps organizations manage secure access even more effectively.

Read the full release notes ›

Maint

PAS 6.0.1

: 08 September 2025

Accessibility at the Forefront

We’re excited to announce PAS 6.0.1, a maintenance release that puts accessibility and user experience first while also rolling up security and stability fixes from PAS 6.0.0 and PAS 5.1.8.

Key Improvements

WCAG-compliant QR codes in mobile authenticators
All QR codes used by BankID, Freja, OneID and SITHS eID now follow BankID’s accessibility guidelines. Administrators can also configure maximum QR-code duration and appearance, making it easier for everyone to scan and authenticate while giving organisations more control over the process.
Flexible mobile authentication flows
New configuration options allow you to skip the QR step entirely or choose between QR-code mode and “same device” mode for an even smoother user experience.
Configurable HTTP header and field sizes
Previously hard-coded maximums are now configurable, giving greater flexibility when deploying PAS in diverse environments.
Rebranding “OneTouch v2” to “OneID”
The working title “OneTouch 2” has been replaced with “OneID” throughout the product, with localisation keys and enrolment components automatically updated.

Stability and Security Enhancements

PAS 6.0.1 also incorporates numerous fixes from 6.0.0 and 5.1.8, including:

Improved audit logging and metrics for mobile authenticators.
Updated documentation for SAML SP parameters, including ForceAuthn.
Resolved issues in NiasAuth, SPBroker discovery service, duplicate trace_id handling and more.
Multiple dependency updates to mitigate known vulnerabilities (CVE-2025-52999, CVE-2025-53864, CVE-2024-7254, CVE-2025-7962, etc.).

For the complete list of included bug fixes from PAS 5.1.8, please see the detailed release notes.

Why Upgrade

Upgrading to PAS 6.0.1 gives you the most accessible, secure and stable version of PAS to date. You’ll benefit from WCAG-compliant QR codes, more flexible mobile authentication flows, and the latest security patches — all in one release.

Read the full release notes ›

Maint

PAS 6.0

: 27 May 2025

Fast, transparent and ready for the future

We’re proud to announce the release of PAS 6.0, a major step forward for performance, monitoring, user experience, and security. This release is packed with valuable upgrades designed to help you run smarter, gain deeper insight, and deliver a better experience for both administrators and users.

Key highlights

Upgraded to Java 21 for performance, security and long-term maintainability
Brand new audit log system with detailed traceability and SIEM integration
New metrics and dashboards for real-time operational insight
Modern OneTouch enrollment portal — WCAG-compliant and mobile-first
New internal application guides with simplified setup and better flexibility
Improved logout flows and SP/RP configuration — more secure, less complex

Reminder: As always, please read the upgrade notes before updating your environment.

Java 21 — Power and performance

PAS now runs on Java 21, the latest Long-Term Support (LTS) version. This upgrade brings:

Up to 40% faster server startup and API response times
Better security and dependency management
A future-proof foundation for continued innovation

Full Visibility with New Audit Logs

Our new audit log system provides significantly richer and more consistent data, enabling:

Integration with SIEM platforms for centralized security visibility
Proactive monitoring to detect issues before users are impacted
Detailed traceability to investigate events when something goes wrong

Read the deep-dive: Audit logs / Event logs in PAS 6.0

New Metrics & Dashboards — Ready Out of the Box

PAS 6.0 expands our monitoring capabilities with:

New metrics for authentication flows, pipe execution, license status, and more
Pre-built dashboards to visualize recommended metrics instantly
Faster root cause analysis and operational insights without extra setup

Read more: Recommended metrics and visualization

OneTouch Enrollment — Now Accessible for All

With the upcoming launch of OneTouch 2, we’re also releasing a new WCAG-compliant enrollment portal with:

A cleaner, more accessible user interface
Compatibility with both OneTouch 1 and 2
A more flexible enrollment experience across all devices

Read more: OneTouch Enrollment

Smarter Admin Experience

New Internal Application Guides

When creating new guide scenarios, the UI now leverages the modern authenticator architecture (introduced in PAS 5.1), offering:

More flexibility in selecting authenticators
Streamlined setup for internal apps like SelfService or Enrollment

Improved Logout & Federation Configuration

We’ve made logout handling more robust and SP/RP setup more straightforward:

Automatic logout from external IdPs (via SPBroker / RPBroker)
Auto-management of SLO/ACS/Redirect URIs
Full Single Logout (SLO) support and bug fixes in federation flows

Read more: SPBroker article

Fixes & Smaller Improvements

From improved container logging to new preset MFA sequences, PAS 6.0 includes many under-the-hood improvements. A few highlights:

JSON-based logs with MDC fields for containers
New method for end user IP resolution
New metrics for license expiration and pipe congestion
OTTokenVerifierValve now compatible with OneTouch 2

See the full changelog in our Release Notes

Ready to Upgrade?

PAS 6.0 is built to help you grow with confidence — more insight, better performance, and a smoother user experience. Make sure to review the upgrade instructions, and don’t hesitate to reach out if you need guidance.

Major

PAS 5.1.7

: 07 May 2025

PAS 5.1.7 – Maintenance release is now available

This is a maintenance release that includes a selection of stability improvements and bug fixes, as we continue preparations for our upcoming major version, PAS 6.0, which is just around the corner.

What’s New in 5.1.7

While this release doesn’t introduce any major new features, several enhancements and fixes have been made to ensure a more stable and secure experience:

Improved support for Freja eID: New attributes such as uniquePersonalIdentifier and loaLevel are now supported, offering greater flexibility for organisations using Freja eID for authentication.
Better security insights: The included Software Bill of Materials (SBOM) now lists the Java Runtime Environment, making it easier to track vulnerabilities at a deeper level.
Improved user experience options: A new setting allows administrators to disable automatic sorting of authenticators based on last use, giving more control over the user flow.

Stability and Bug Fixes

This release addresses a number of issues related to performance, error handling, and edge cases in authentication flows. Highlights include:

Fixes for occasional token generation errors in OIDC authentication.
Improvements to large file uploads and stability in PRISM applications under load.
Adjustments to authenticator sequences, including a fix that may impact nested flows. If you are using nested SequenceAuthenticators, we recommend reviewing your configuration after upgrading.

For full details, please refer to the PAS 5.1.7 release notes.

If you have any questions or need support, don’t hesitate to reach out to your PhenixID representative or our support team.

Maint , Patch

Latest posts