Release v2.10.0 – August 2025
Overview
This release introduces major features and enhancements focused on strengthening access control and improving usability.
New Feature
Email Domain–Based Access Management
We have introduced Email Domain-Based Access Management to strengthen application security and give admins greater control over user access.
Key Features
- Domain Whitelisting – Only users whose email address belongs to a configured (allowed) domain can log in.
- Error Handling – Login attempts from any other email domain are denied with an error message.
- Granular Control – Admins manage the list of allowed domains directly.
- Enhanced Security – Only trusted domains are permitted.
Enhancement
Revamp UI/UX for Group and Role Permission Mapping
The Group and Role Permission Mapping module has been redesigned with an enhanced UI/UX to improve usability, accessibility, and user experience for admins managing groups, roles, and permissions. This revamp aims to streamline role-permission assignment, group creation, and user role assignment, making the workflow intuitive and faster.
Release v2.9.0 – July 2025
Overview
This release enhances security and system reliability with two key features: the App-Based Token Utilization Report, which gives admins visibility into token activity for monitoring and audit readiness, and Rate Limiting & Throttling, which curbs abuse, ensures fair usage, and adds a layer of protection against denial-of-service traffic.
New Feature
1. App-Based Token Utilization Report:
We have introduced a new App-Based Token Utilization Report to provide administrators with a centralized view of all access tokens issued within the system. This feature improves visibility into token usage, aiding both security monitoring and audit readiness.
Key Highlights:
- Automatic Tracking – Every access token issued is automatically logged in the report.
- Detailed Metadata – The report includes Name, Email, Client Name, Client Type, Last Used Time, and Token Expiry.
- Real-Time Updates – Token usage details are refreshed each time a token is used.
- Enhanced Security – Helps identify unused, stale, or potentially compromised tokens.
- Admin-Only Access – Visibility is restricted through role-based access control.
2. Rate Limiting and Throttling
We have introduced Rate Limiting and Throttling to improve security, stability, and fair usage of our platform.
Key Features
- Request Control – Limits the number of requests a user can send to the server within a defined timeframe.
- Error Handling – If the request limit is exceeded, the user receives a "Too Many Requests" error (the standard HTTP 429 response).
- Cooldown Period – Users must wait for the defined cooldown to elapse before they can access the application again.
- Abuse & Overload Prevention – Stops excessive traffic, ensuring consistent performance for all users.
- DDoS Protection – Adds a layer of defence against distributed denial-of-service (DDoS) attacks at the application layer; it complements, rather than replaces, network-level DDoS protection.
Release v2.8.0 – June 2025
Overview
This release introduces Time-Based Restrictions and Geo-Fencing Restrictions, enabling administrators to control user access by specific time windows and geographic locations for enhanced security and compliance.
New Feature
1. Time-Based Restriction:
The Time-Based Restriction feature enables administrators to enforce login access rules based on specific time windows. It improves security and operational control by limiting user access to the application to permitted hours only.
Key Highlights:
1. New Module in Admin Portal:
- Added under Settings → Time-Based Restriction.
2. Blueprint-Level Configuration:
- Admins can create time-based restrictions for each configured blueprint.
3. Restriction Types Supported:
- Common: Applies to all users in the selected blueprint.
- User-Specific: Restriction applies only to selected users.
- Group-Based: Applies to users mapped to selected groups only.
4. Time Window Configuration:
- Define specific login start and end times (e.g., 09:00 - 18:00).
- Users outside the defined window will be restricted from logging in.
5. Smart Validation:
- Restrictions are enforced only for the selected scope (common, user, group).
- Other users/groups not included are not impacted.
6. Access Control:
- Login attempts outside the allowed time display appropriate restriction messages.
- No restriction is enforced if no rule is configured.
7. Admin Capabilities:
- Create, Edit, Delete restrictions.
- View all restrictions per blueprint in a tabulated format.
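The following is an added example of the evaluation the points above describe, written for these notes and not taken from Skillmine Auth: it resolves the scope (Common, User, Group) of each rule, applies the window, and leaves users with no applicable rule unrestricted. Assumptions not stated above: each rule carries its own time zone, a window whose end precedes its start (22:00-06:00) wraps past midnight, and when several rules apply to one user the login is allowed if the current time falls inside at least one of them.

```python
"""Time-window login check (example written for these notes, not Skillmine
Auth code). Assumptions: each rule carries its own tzinfo, a window whose end
precedes its start (22:00-06:00) wraps past midnight, and when several rules
apply to one user the login is allowed if the current time falls inside at
least one of their windows."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))  # fixed offset; no tz database needed


@dataclass(frozen=True)
class TimeRule:
    blueprint: str
    scope: str                           # "common", "user" or "group"
    start: time
    end: time
    tz: timezone = timezone.utc          # zone the window is expressed in
    users: frozenset = frozenset()       # for scope == "user"
    groups: frozenset = frozenset()      # for scope == "group"

    def applies_to(self, blueprint: str, user: str, user_groups: set) -> bool:
        if blueprint != self.blueprint:
            return False
        if self.scope == "common":
            return True
        if self.scope == "user":
            return user in self.users
        if self.scope == "group":
            return bool(self.groups & user_groups)
        raise ValueError(f"unknown scope {self.scope!r}")

    def contains(self, now: datetime) -> bool:
        """True if `now` (an aware datetime) falls inside the window."""
        local = now.astimezone(self.tz).time()
        if self.start <= self.end:                       # same-day window, e.g. 09:00-18:00
            return self.start <= local <= self.end
        return local >= self.start or local <= self.end  # wraps midnight, e.g. 22:00-06:00


def login_allowed(rules, blueprint, user, user_groups, now):
    """Return (allowed, reason) for one login attempt."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    applicable = [r for r in rules if r.applies_to(blueprint, user, user_groups)]
    if not applicable:                     # no rule configured for this scope: no restriction
        return True, "no time restriction configured"
    if any(r.contains(now) for r in applicable):
        return True, "inside an allowed window"
    return False, "login is not permitted at this time"


# Constructed sample configuration for blueprint "hr": everyone 09:00-18:00 IST,
# plus an overnight window for the night-ops group expressed in UTC
SAMPLE_RULES = [
    TimeRule("hr", "common", time(9, 0), time(18, 0), IST),
    TimeRule("hr", "group", time(22, 0), time(6, 0), timezone.utc, groups=frozenset({"night-ops"})),
]


def demo() -> dict:
    """Evaluate a few attempts against SAMPLE_RULES; returns scenario -> allowed."""
    noon_utc = datetime(2025, 6, 2, 12, 0, tzinfo=timezone.utc)     # 17:30 IST
    evening_utc = datetime(2025, 6, 2, 14, 0, tzinfo=timezone.utc)  # 19:30 IST
    late_utc = datetime(2025, 6, 2, 23, 30, tzinfo=timezone.utc)    # 05:00 IST next day
    return {
        "staff at 17:30 IST": login_allowed(SAMPLE_RULES, "hr", "asha", set(), noon_utc)[0],
        "staff at 19:30 IST": login_allowed(SAMPLE_RULES, "hr", "asha", set(), evening_utc)[0],
        "night-ops at 14:00 UTC": login_allowed(SAMPLE_RULES, "hr", "ravi", {"night-ops"}, evening_utc)[0],
        "night-ops at 23:30 UTC": login_allowed(SAMPLE_RULES, "hr", "ravi", {"night-ops"}, late_utc)[0],
        "other blueprint, no rules": login_allowed(SAMPLE_RULES, "sales", "asha", set(), evening_utc)[0],
    }
```

Two details worth keeping in a real implementation: evaluate against an aware timestamp in the zone the rule was written in (a naive server-local clock silently shifts the window), and make the midnight wrap explicit, since a plain `start <= now <= end` comparison rejects every overnight window.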
2. Geo-Fencing Restrictions
The GeoLocation-Based Login Restriction feature in Skillmine Auth allows administrators to enforce login access policies based on the user's geographical location. This feature enhances security by ensuring that users can only log in from permitted physical locations.
Key Highlights:
Supported Restriction Types:
Administrators can configure geolocation restrictions at three levels:
- Common: Applies to all users within the selected blueprint.
- User: Applies only to specific users added during configuration.
- Group: Applies only to users who are part of the mapped groups.
1. GeoLocation Modes:
Geo-restriction can be applied using two types of geographic configurations:
- Point Type
- Requires Latitude, Longitude, and a Radius (in kilometres).
- Defines a circular area within which logins are allowed.
- Polygon Type
- Requires three or more sets of latitude and longitude coordinates.
- Defines a custom-shaped geographical boundary.
2. Configuration Steps:
- 1. Go to Admin Portal → Settings → GeoLocation Restrictions.
- 2. Click on the “Create New Restriction” button.
- 3. Select a Blueprint.
- 4. Choose the restriction type: Common, User, or Group.
- 5. Based on the selected type:
- Common: Directly provide coordinates and radius or polygon points.
- User: Select users and then define location parameters.
- Group: Select group(s) and define location parameters.
- 6. Click Save to apply the restriction.
3. Login Behavior:
- During login, the user’s current location is compared against the configured geolocation restrictions.
- If the user is within the allowed boundary, login is successful.
- If the user is outside the allowed boundary:
- An "Access Denied due to Location" error is shown.
- If no restriction applies to the user, login proceeds normally.
4. Limitations:
- Device GPS Dependency
- GeoLocation-based restrictions rely on the availability of a GPS chip or location services on the user's device.
- Most mobile devices (smartphones, tablets) have built-in GPS and provide accurate location data.
- Some laptops or desktops may not have GPS hardware and will rely on less accurate methods such as:
- IP-based geolocation
- Wi-Fi triangulation
- In such cases, the detected location may be inaccurate or unavailable, which can lead to:
- False denials (users unable to log in from valid locations)
- Inconsistent login experiences across devices
- Browser/OS Location Permissions
- The user's browser or OS must grant permission to access location.
- If permission is denied, the system falls back to IP-address-based geolocation, which is coarser and may not match the user's actual position.
- Client-Supplied Location
- Coordinates reported by the browser originate on the user's device and can be overridden by someone who controls that device, so geo-fencing should be treated as a usability and compliance control layered on top of authentication rather than as a hard security boundary.
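The following is an added example, written for these notes and not taken from Skillmine Auth, of the two geometric checks the Point and Polygon modes imply: a great-circle distance test for the circular fence and a ray-casting test for the polygon. Scope resolution (Common/User/Group) is assumed to have been done by the caller, an unavailable location is assumed to count as outside every fence, and the office coordinates are constructed.

```python
"""Geo-fence evaluation for the Point and Polygon modes described above
(example written for these notes, not Skillmine Auth code). Coordinates are
decimal degrees (latitude, longitude); radii are kilometres. Assumptions: the
caller has already selected the fences that apply to the user (Common/User/
Group scope), and an unavailable location is treated as outside every fence."""
import math

EARTH_RADIUS_KM = 6371.0088  # mean Earth radius


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def in_circle(point, centre, radius_km):
    """Point mode: inside if the great-circle distance to the centre is within the radius."""
    return haversine_km(*point, *centre) <= radius_km


def in_polygon(point, vertices):
    """Polygon mode: ray-casting test for a simple polygon of three or more vertices.
    A ray is cast eastward (increasing longitude) from the point; an odd number of
    edge crossings means the point is inside. Polygons spanning the antimeridian
    or a pole are outside the scope of this example."""
    if len(vertices) < 3:
        raise ValueError("a polygon needs at least three vertices")
    lat, lon = point
    inside = False
    n = len(vertices)
    for i in range(n):
        lat_i, lon_i = vertices[i]
        lat_j, lon_j = vertices[(i + 1) % n]
        if (lat_i > lat) != (lat_j > lat):           # edge straddles the point's latitude
            lon_at_lat = lon_i + (lat - lat_i) * (lon_j - lon_i) / (lat_j - lat_i)
            if lon < lon_at_lat:                     # crossing lies east of the point
                inside = not inside
    return inside


def evaluate(location, fences):
    """Return (allowed, message) for a login from `location` against `fences`."""
    if not fences:
        return True, "no geolocation restriction applies"
    if location is None:
        return False, "Access Denied due to Location (location unavailable)"
    for fence in fences:
        if fence["type"] == "point":
            if in_circle(location, fence["centre"], fence["radius_km"]):
                return True, f"inside point fence {fence['name']}"
        elif fence["type"] == "polygon":
            if in_polygon(location, fence["vertices"]):
                return True, f"inside polygon fence {fence['name']}"
        else:
            raise ValueError(f"unknown fence type {fence['type']!r}")
    return False, "Access Denied due to Location"


# Constructed sample restrictions: a 5 km circle around one office and a
# rectangular polygon around another
SAMPLE_FENCES = [
    {"name": "bengaluru-office", "type": "point", "centre": (12.9716, 77.5946), "radius_km": 5.0},
    {"name": "mumbai-campus", "type": "polygon",
     "vertices": [(19.0, 72.8), (19.2, 72.8), (19.2, 73.0), (19.0, 73.0)]},
]
```

Given the accuracy caveats above, the radius for a Point fence should be chosen with the expected positioning error of the least accurate client in mind; a 100 m circle is meaningless for a desktop located by IP address.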
Release v2.7.0 - May 2025
Overview
This release introduces Suspicious IP Throttling, a set of security features that safeguard applications against unauthorized access, brute-force attacks, and malicious IP activity. It combines enhanced detection, throttling, and blocking mechanisms to allow trusted access while mitigating suspicious behaviour.
Key Functionality
Trusted IPs
- Allows administrators to configure a whitelist of trusted IP addresses.
- Users connecting from trusted IPs can bypass security challenges.
- Ensures a smooth login experience for corporate networks or approved remote IPs.
Anomaly Detection Check
- Monitors incoming traffic against historical activity patterns.
- If a request comes from an IP previously marked as blocked or suspicious, the system automatically denies access.
- Prevents attackers from reusing IPs that have already been flagged.
Brute Force Attack Check
- Detects multiple failed login attempts from the same IP.
- Automatically marks the IP as suspicious and triggers CAPTCHA or IP blocking.
- Reduces risk of credential stuffing and password spraying attacks.
Activity Event Criteria
- Provides fine-grained control over login failure thresholds.
- Admins can configure:
- Event Type (e.g., user_login_failure)
- Time Range (seconds) - period in which attempts are counted
- Attempts - number of failures allowed
- Cooling Period (seconds) - block duration after threshold is reached
- Example: If 3 failed login attempts occur within 30 seconds (Attempts = 3, Time Range = 30), the IP is blocked for 10 minutes (Cooling Period = 600).
External IP Threat Providers
- Integrates with third-party threat intelligence databases.
- If an IP is flagged as malicious in the external DB, the system will automatically block it.
- Ensures proactive defense against known global attack sources.
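The following is an added example, written for these notes and not taken from Skillmine Auth, that implements the two throttling behaviours described in these notes with one sliding-window counter: the per-user Rate Limiting and Throttling of v2.9.0 (Too Many Requests plus a cooldown) and the per-IP Suspicious IP Throttling above (trusted IPs, external threat list, re-use of a blocked IP, brute-force threshold with cooling period). The in-memory store, the trusted network, the threat-list entry and the CAPTCHA-on-recent-failure rule are assumptions made for the example; the thresholds follow the 3-in-30-seconds example above.

```python
"""One sliding-window counter used two ways (example written for these notes,
not Skillmine Auth code): per-user request rate limiting with a cooldown
(v2.9.0) and per-IP failed-login throttling with trusted IPs and an external
threat list (v2.7.0). Thresholds follow the example above: 3 failures inside
30 seconds block the IP for 10 minutes (600 s). The in-memory store, the
trusted networks and the threat-list entries are constructed for the example."""
from collections import deque
from dataclasses import dataclass
import ipaddress
import math


@dataclass(frozen=True)
class WindowPolicy:
    threshold: int          # events inside the window that trigger a block
    time_range: float       # window length in seconds
    cooling_period: float   # block duration in seconds once the threshold is hit


class WindowCounter:
    """Counts events per key inside a sliding window and enforces the cooling period."""

    def __init__(self, policy: WindowPolicy):
        self.policy = policy
        self.events = {}          # key -> deque of event timestamps (seconds)
        self.blocked_until = {}   # key -> timestamp at which the block expires

    def retry_after(self, key, now) -> float:
        """Seconds the key must still wait; 0 when it is not blocked."""
        return max(0.0, self.blocked_until.get(key, 0.0) - now)

    def recent(self, key, now) -> int:
        """Events for the key inside the current window."""
        return sum(1 for t in self.events.get(key, ()) if now - t <= self.policy.time_range)

    def record(self, key, now) -> bool:
        """Record one event; return True if the key is (or has just become) blocked."""
        if self.retry_after(key, now) > 0:
            return True
        window = self.events.setdefault(key, deque())
        window.append(now)
        while window and now - window[0] > self.policy.time_range:
            window.popleft()              # drop events that fell out of the window
        if len(window) >= self.policy.threshold:
            self.blocked_until[key] = now + self.policy.cooling_period
            window.clear()                # start from a clean slate after the block
            return True
        return False


class RateLimiter:
    """Request Control: up to `max_requests` per `per_seconds`, then 429 + cooldown."""

    def __init__(self, max_requests, per_seconds, cooldown):
        self.counter = WindowCounter(WindowPolicy(max_requests + 1, per_seconds, cooldown))

    def handle(self, user, now):
        """Return (HTTP status, Retry-After seconds) for one request."""
        if self.counter.record(user, now):
            return 429, math.ceil(self.counter.retry_after(user, now))
        return 200, 0


class SuspiciousIpGuard:
    """Trusted IPs, external threat feed, anomaly (re-use of a blocked IP) and brute-force checks."""

    def __init__(self, policy, trusted_cidrs, threat_feed):
        self.counter = WindowCounter(policy)
        self.trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
        self.threat_feed = set(threat_feed)   # stand-in for an external threat provider lookup

    def is_trusted(self, ip) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.trusted)

    def check(self, ip, now) -> str:
        """Decision before the login form is served: 'allow', 'captcha' or 'block'."""
        if self.is_trusted(ip):
            return "allow"                                  # trusted IPs skip every challenge
        if ip in self.threat_feed:
            return "block"                                  # flagged by the threat provider
        if self.counter.retry_after(ip, now) > 0:
            return "block"                                  # previously blocked IP re-used
        if self.counter.recent(ip, now) > 0:
            return "captcha"                                # recent failures: challenge first
        return "allow"

    def login_failed(self, ip, now) -> bool:
        """Brute Force Attack Check; True when this failure pushed the IP over the threshold."""
        if self.is_trusted(ip):
            return False
        return self.counter.record(ip, now)


# Policy from the example above: 3 failures in 30 s -> blocked for 600 s
BRUTE_FORCE_POLICY = WindowPolicy(threshold=3, time_range=30, cooling_period=600)
```

Two operational points the code makes visible: a trusted network bypasses the failure counter entirely, so the trusted list must be kept short and reviewed, and per-IP thresholds do little against attacks spread across many source addresses, which is why the external threat feed and the per-account controls elsewhere in these notes (CAPTCHA, MFA) are needed alongside it.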
Release v2.6.0 - April 2025
Overview
This release introduces several major features and enhancements designed to improve user authentication and security, streamline admin reporting, and enhance system flexibility.
New Feature
Export Option for Reports in the SSO Dashboard:
We have implemented the Export Option (Download Report) functionality in the Audit Trail Page of the SSO Dashboard Portal. This feature allows administrators to easily download and analyze audit logs in Excel format, facilitating efficient tracking and reporting of user activities.
Enhancement
Bot Detection:
We have enhanced the Skillmine Auth System by integrating Bot Detection into the Password Reset process. A new option, "Enable CAPTCHA", has been added to the Customize User Password Reset Behavior settings. When this option is enabled, users requesting a password reset link will undergo a bot detection check, ensuring enhanced security against automated attacks.
Release v2.5.0 - March 2025
Overview
Breach Password Integration
This release introduces Breach Password Integration to enhance the security of user accounts by preventing the use of compromised passwords. The feature ensures that users create and maintain secure credentials, reducing the risk of account takeover.
Key Highlights:
Breach Password Validation:
The system checks passwords against a breached password database to prevent users from using compromised passwords.
Implemented Pages:
- User Side:
- Registration Page
- Forgot Password Page
- Profile Reset Password
- Admin Side:
- Create User Page
- User Profile
- Admin Setting
- Report (Table, Notification, Reset Password & Breach Password)
Error Messaging:
- Clear and user-friendly error messages are displayed when a breached password is detected, guiding users to choose a stronger password.
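The following is an added example, written for these notes and not taken from Skillmine Auth, of one common way to implement such a check without sending the password or its full hash anywhere: the k-anonymity range pattern popularised by the Pwned Passwords range API. The release notes do not say which database or protocol the product uses, so that choice, the constructed breach list with invented counts, and the in-memory stand-in for the range endpoint are all assumptions.

```python
"""Breached-password check using the k-anonymity range pattern (example written
for these notes; the release notes do not say which database or protocol the
product uses, so this is an assumption). Only the first five hex characters of
the password's SHA-1 are sent; the server returns every hash suffix in that
bucket with its breach count and the comparison happens locally, so the full
hash never leaves the client. `range_lookup` is a constructed in-memory stand-in
for the remote range endpoint, seeded from a small constructed breach list."""
import hashlib


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach list (password -> times seen); counts are invented for the example
_SAMPLE_BREACHES = {"password": 3861493, "123456": 37359195, "Summer2024!": 12}

# Build the range buckets the way a range endpoint would serve them: prefix -> {suffix: count}
_RANGES: dict = {}
for _pw, _count in _SAMPLE_BREACHES.items():
    _digest = sha1_hex(_pw)
    _RANGES.setdefault(_digest[:5], {})[_digest[5:]] = _count
# An extra suffix in the "password" bucket shows that a bucket holds unrelated hashes too
_RANGES[sha1_hex("password")[:5]]["0" * 35] = 7


def range_lookup(prefix: str) -> list:
    """Stand-in for GET /range/{prefix}: all (suffix, count) pairs sharing the prefix."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly five hex characters")
    return list(_RANGES.get(prefix.upper(), {}).items())


def breach_count(password: str, lookup=range_lookup) -> int:
    """Times the password appears in the breach corpus (0 if never)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate, count in lookup(prefix):
        if candidate == suffix:
            return count
    return 0


def validate_new_password(password: str, min_length: int = 12) -> list:
    """Return user-facing error messages; an empty list means the password is acceptable."""
    errors = []
    if len(password) < min_length:
        errors.append(f"Password must be at least {min_length} characters long.")
    seen = breach_count(password)
    if seen:
        errors.append(f"This password has appeared in {seen:,} known data breaches; please choose a different one.")
    return errors
```

In production the lookup is a network call, so the validation path needs a timeout and an explicit policy for what happens when the breach service is unreachable (fail open with a warning, or fail closed), and the cleartext password must never be logged on either side of that call.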
Anomaly Detection
We have introduced Fraud Anomaly Detection in Skillmine Auth to enhance security by preventing unauthorized access. This feature works when Adaptive MFA is selected in MFA settings and verifies user identity based on login patterns.
Key Functionalities:
Direct Findings:
- Compares with the last logged-in user agent (device) and location.
- If there is a mismatch, Multi-Factor Authentication (MFA) is triggered for the user.
Prediction Findings:
- Analyzes user login behavior based on three parameters.
- User Agent Check: Compares with historical device usage.
- Location Check: Monitors if the login is from a new or suspicious location.
- Time Range Check: Detects unusual login times.
If any one of these checks flags the login, the system sends a security notification to the user.
Continuous Monitoring:
- Every login attempt is evaluated using Direct Findings and Prediction Findings to detect potential fraud.
User Notifications & Actions:
- If an anomaly is detected, the user will receive an alert message
- "If you logged in, please click here to confirm. If you did not, please click here to deactivate the current session and block future logins from this device."
- If the user confirms the login, future logins from the same device, location, and time range will not trigger MFA.
- If the user blocks the login, the system terminates the session and prevents future logins from the flagged device.
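The following is an added example, written for these notes and not taken from Skillmine Auth, of the decision logic the Direct and Prediction findings describe: the current attempt is compared with the last confirmed login (Direct Findings, which trigger MFA) and with the whole history (Prediction Findings, which trigger a notification), and confirming or blocking a login updates the state used for later attempts. The record fields and the two-hour tolerance used for the time-range check are assumptions.

```python
"""Login-pattern evaluation for the Direct and Prediction findings described
above (example written for these notes, not Skillmine Auth code). History holds
the user's confirmed logins; the current attempt is compared against the last
one (Direct Findings) and against all of them (Prediction Findings). The
two-hour tolerance for the time-range check and the field names are
assumptions."""


def _near_usual_hour(hour: int, usual_hours, tolerance: int = 2) -> bool:
    """True if `hour` is within `tolerance` hours of any hour the user has logged in at
    before; the difference wraps around midnight (23 and 1 are two hours apart)."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= tolerance for h in usual_hours)


def evaluate_login(history: list, attempt: dict) -> dict:
    """Return the findings and the actions to take for one attempt.
    Each record: {"user_agent": ..., "location": ..., "hour": 0-23}."""
    findings = []
    actions = set()
    if not history:                      # first login ever: nothing to compare against
        return {"findings": findings, "actions": []}
    last = history[-1]
    if attempt["user_agent"] != last["user_agent"] or attempt["location"] != last["location"]:
        findings.append("direct: device or location differs from the last login")
        actions.add("require_mfa")
    known_agents = {h["user_agent"] for h in history}
    known_locations = {h["location"] for h in history}
    if attempt["user_agent"] not in known_agents:
        findings.append("prediction: unseen device")
    if attempt["location"] not in known_locations:
        findings.append("prediction: new location")
    if not _near_usual_hour(attempt["hour"], [h["hour"] for h in history]):
        findings.append("prediction: unusual login time")
    if any(f.startswith("prediction") for f in findings):
        actions.add("notify_user")
    return {"findings": findings, "actions": sorted(actions)}


def confirm_login(history: list, attempt: dict) -> None:
    """User clicked 'this was me': remember the pattern so it no longer triggers MFA."""
    history.append(dict(attempt))


def block_device(blocked_devices: set, attempt: dict) -> None:
    """User clicked 'this was not me': the device is refused from now on."""
    blocked_devices.add(attempt["user_agent"])


def device_blocked(blocked_devices: set, attempt: dict) -> bool:
    return attempt["user_agent"] in blocked_devices
```

The confirm and block actions are the sensitive part of this flow: both links in the notification should be single-use, bound to the specific login event, and should not themselves count as a confirmed login, otherwise an attacker who already holds the session can simply "confirm" it.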
Adaptive Authentication
We have introduced Adaptive Authentication to enhance security while providing a seamless user experience. This feature dynamically adjusts authentication requirements based on risk factors such as user behavior, device, location, and login patterns.
Enhancement
Reset Password Link Sent as Per Flow Settings
We have introduced a new enhancement in Blueprint → Customize Users Password Reset Behavior, allowing administrators to configure how users receive the password reset link based on flow settings.
New Option: Notification Preference
- Added a Notification Preference setting under Password Reset Behavior in Blueprint customization.
- Administrators can now select how users should receive the password reset link.
- Two Notification Options Available: Email and SMS.
User Experience Enhancement:
- When an admin enables both Email and SMS options, users will be prompted to choose their preferred method when requesting a password reset.
- Based on the user’s selection, the reset link will be sent via the chosen method (Email or SMS).
Admin Configuration Steps:
- Navigate to Blueprint → Customize Users Password Reset Behavior.
- Enable the Notification Preference setting.
- Select either Email, SMS, or Both as available options.
SAML Logout Request Handling from IdP
Skillmine Auth now supports SAML Logout, ensuring that when an Identity Provider (IdP) initiates a logout request, all active sessions for the user are properly terminated across connected applications. This enhancement improves security and session management by enforcing a consistent logout experience.
Release v2.4.0 - January 2025
Overview
This release introduces several major features and enhancements designed to improve user authentication and security, streamline admin reporting, and enhance system flexibility.
New Feature
1. Authentication Profile:
We have introduced the Authentication Profile feature in the login settings of the Auth application. It streamlines the login experience by dynamically redirecting users to the appropriate login method based on their email domain.
Key Highlights:
- Domain-Based User Identification: The system identifies the user's domain during login.
- Dynamic Redirection: Users are redirected to their respective login pages based on pre-configured settings.
- Social Providers: Login via social authentication (e.g., Google).
- Auth Classical Login: Standard login with username and password.
- Passwordless Login: Secure login without a password, leveraging alternative authentication methods.
Benefits:
- Seamless User Experience: Reduces friction in the login process by automatically determining the appropriate authentication method.
- Improved Flexibility: Administrators can configure multiple authentication options tailored to user domains.
- Enhanced Security: Users are directed to domain-specific, pre-approved authentication flows.
How It Works:
- When a user enters their email address on the login page, the system identifies the domain.
- Based on the configured Authentication Profile, the user is seamlessly redirected to:
- Social Provider Login (e.g., Google, Microsoft, etc.)
- Auth Classical Login
- Passwordless Login
2. WhatsApp Integration
We are introducing WhatsApp Integration as part of our Multi-Factor Authentication (MFA) settings. This enhancement allows users to leverage WhatsApp for 2-Step Verification, adding convenience and an additional layer of security to the authentication process.
Key Highlights:
- WhatsApp as an MFA Option: Users can now receive verification codes via WhatsApp during the 2-Step Verification process.
- Enhanced User Convenience: In addition to existing MFA options (e.g., SMS, Email), WhatsApp provides a seamless and widely used communication channel.
- Improved Security: Strengthens authentication by offering another secure and trusted verification method.
Benefits:
- User-Friendly Experience: Users can receive OTPs directly on their WhatsApp, eliminating reliance on SMS or emails.
- Broader Reach: Allows global users to authenticate securely, especially in regions where SMS delivery may be unreliable.
- Flexible MFA Options: Administrators can now enable WhatsApp as part of their organization's MFA policy.
How It Works:
- Enable WhatsApp MFA: Administrators can configure WhatsApp as an MFA option in the MFA Settings under the Admin Portal.
- User Enrolment: During MFA setup, users can select WhatsApp as their preferred 2-Step Verification method and verify their phone number.
2-Step Verification:
- During login, users receive a verification code on WhatsApp.
- Users enter the received code to complete the authentication process.
3. Export Option for Reports:
We have implemented the Export Option (Download Report) functionality across multiple pages in the Admin Portal. This feature enables administrators to easily download and analyze critical data in Excel format for streamlined reporting.
Pages with the Export Option:
- Search User Page
- Login Failure Report
- Inactive User Report
- Audit Trail Report
Enhancement
Token-Based Webhook Integration:
This approach enhances security by encrypting the webhook payload; no API key is required.
Configuration Steps:
- During webhook configuration, choose JWT as the authentication type.
- Map a server-to-server client to the webhook.
- The client secret key is used to encrypt the request body, and the resulting encrypted payload
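The following is an added example, written for these notes and not taken from Skillmine Auth, of a token-based webhook exchange built on a shared client secret. It assumes that "JWT" here means an HMAC-SHA256-signed token (JWS, alg HS256), which gives the receiver integrity and origin authentication for the payload; confidentiality would additionally need JWE or TLS. The claim names, the five-minute lifetime and the replay cache are choices made for this example.

```python
"""Webhook token minting and verification with a shared client secret (example
written for these notes, not Skillmine Auth code). Assumption: "JWT" with a
client secret means an HMAC-SHA256-signed token (JWS, alg HS256); that gives
the receiver integrity and origin authentication for the payload but not
confidentiality, which would need JWE or TLS. The claim names, the five-minute
lifetime and the replay cache are choices made for this example."""
import base64
import hashlib
import hmac
import json
import secrets


class WebhookError(Exception):
    pass


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_webhook(event: dict, client_id: str, client_secret: str, now: int, ttl: int = 300) -> str:
    """Sender side: wrap the event in signed claims with issuer, timestamps and a unique id."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "iat": now, "exp": now + ttl,
              "jti": secrets.token_hex(16), "event": event}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    tag = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(tag)


def verify_webhook(token: str, expected_issuer: str, client_secret: str, now: int,
                   seen_jti: set, leeway: int = 30) -> dict:
    """Receiver side: returns the event or raises WebhookError. Order matters:
    pin the algorithm and check the signature before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise WebhookError("malformed token")
    head_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(head_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:                                   # bad base64 or bad JSON
        raise WebhookError("malformed token")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise WebhookError("unexpected alg")             # rejects alg=none and key-confusion tricks
    expected = hmac.new(client_secret.encode(), f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise WebhookError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))      # safe to parse: the signature covers it
    if claims.get("iss") != expected_issuer:
        raise WebhookError("unexpected issuer")
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + leeway:
        raise WebhookError("token expired")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + leeway:
        raise WebhookError("token issued in the future")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise WebhookError("replayed token")
    seen_jti.add(jti)                                    # remember until exp (cache pruning omitted)
    return claims["event"]


def is_valid(token, expected_issuer, client_secret, now, seen_jti=None) -> bool:
    """Boolean wrapper around verify_webhook for callers that only need accept/reject."""
    try:
        verify_webhook(token, expected_issuer, client_secret, now,
                       seen_jti if seen_jti is not None else set())
        return True
    except WebhookError:
        return False
```

The receiver must pin the algorithm from its own configuration rather than trust the token header, keep the secret per mapped server-to-server client so that one leaked secret cannot forge events for another, and bound replay with both the expiry and the `jti` cache.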
User-Based Search:
We are introducing User-Based Search in the Audit Trail Reports. This enhancement allows administrators to efficiently search and filter activities for a specific user, enabling faster access to relevant information and improved audit capabilities.
Release v2.3.0 - September 2024
Overview
Skillmine Auth is now equipped with SCIM (System for Cross-domain Identity Management) API support. This update simplifies and automates user and group management for organizations integrating with external identity providers.
Key Highlights of the SCIM:
- SCIM API Integration: Full compliance with SCIM 2.0 specification (RFC 7644) for seamless user and group provisioning.
- User Lifecycle Management: Ability to create, modify, retrieve, and delete users via SCIM API.
- Group Management: Full support for group creation, modification, and group and member management.
- Bulk Upload Operation: Added support for bulk user and group operations, allowing administrators to provision or update large sets of users and groups in a single API call.
- PATCH Operation Support: Implemented PATCH operations for partial updates to both users and groups. Efficiently update specific attributes without needing to send the entire resource payload, improving performance and flexibility in user management.
- SCIM Discovery: Skillmine Auth implements SCIM discovery endpoints, allowing client applications to retrieve metadata about supported resources.
- Enhanced Security: SCIM endpoints are secured with OAuth 2.0 tokens, ensuring safe and secure communication between Skillmine Auth and identity providers.
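The following is an added example, written for these notes and not taken from Skillmine Auth, of what the PATCH support above involves on the server side: applying a SCIM 2.0 PatchOp message (RFC 7644, section 3.5.2) to a stored resource, including the add/replace/remove operations, appending to a multi-valued attribute such as group members, the `attr[sub eq "value"]` filter path for removing one member, and refusing changes to read-only attributes. The sample resources and the set of read-only attributes are constructed; in a real deployment mutability comes from the resource schema.

```python
"""Applying a SCIM 2.0 PatchOp (RFC 7644 section 3.5.2) to a stored resource
(example written for these notes, not Skillmine Auth code). It handles
add/replace/remove on top-level attributes, appends to multi-valued attributes
such as group members, supports the `attr[sub eq "value"]` filter form for
removing one member, and refuses to change read-only attributes. Schemas,
attribute names and the sample resources are constructed; `mutability` rules
for real deployments come from the resource schema."""
import copy
import re

PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
READ_ONLY = {"id", "meta", "schemas"}
_FILTER_PATH = re.compile(r'^(\w+)\[(\w+) eq "([^"]*)"\]$')   # e.g. members[value eq "2819c223"]


class ScimError(Exception):
    """Carries the HTTP status and scimType a SCIM error response would use."""
    def __init__(self, status: int, scim_type: str):
        super().__init__(f"{status} {scim_type}")
        self.status, self.scim_type = status, scim_type


def apply_patch(resource: dict, patch: dict) -> dict:
    """Return a new resource with every operation applied, or raise ScimError."""
    if patch.get("schemas") != [PATCH_OP_SCHEMA]:
        raise ScimError(400, "invalidSyntax")
    result = copy.deepcopy(resource)
    for op in patch.get("Operations", []):
        kind = str(op.get("op", "")).lower()
        path, value = op.get("path"), op.get("value")
        if kind in ("add", "replace"):
            if path is None:                          # no path: value is a set of attributes
                if not isinstance(value, dict):
                    raise ScimError(400, "invalidValue")
                for attr, attr_value in value.items():
                    _set(result, attr, attr_value, append=(kind == "add"))
            else:
                _set(result, path, value, append=(kind == "add"))
        elif kind == "remove":
            if path is None:
                raise ScimError(400, "noTarget")
            _remove(result, path)
        else:
            raise ScimError(400, "invalidSyntax")
    return result


def _set(result, path, value, append):
    if path in READ_ONLY:
        raise ScimError(400, "mutability")
    if append and isinstance(result.get(path), list):     # add to a multi-valued attribute
        result[path].extend(value if isinstance(value, list) else [value])
    else:
        result[path] = value


def _remove(result, path):
    match = _FILTER_PATH.match(path)
    if match:                                             # remove matching entries only
        attr, sub, wanted = match.groups()
        if attr in READ_ONLY:
            raise ScimError(400, "mutability")
        entries = result.get(attr)
        if not isinstance(entries, list):
            raise ScimError(400, "noTarget")
        kept = [e for e in entries if str(e.get(sub)) != wanted]
        if len(kept) == len(entries):
            raise ScimError(400, "noTarget")
        result[attr] = kept
        return
    if path in READ_ONLY:
        raise ScimError(400, "mutability")
    if path not in result:
        raise ScimError(400, "noTarget")
    del result[path]


def try_patch(resource: dict, patch: dict):
    """(status, body) the way a SCIM endpoint would answer: 200 + resource or 400 + scimType."""
    try:
        return 200, apply_patch(resource, patch)
    except ScimError as err:
        return err.status, err.scim_type


# Constructed sample resources
SAMPLE_USER = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], "id": "u-1",
               "userName": "asha@example.com", "active": True}
SAMPLE_GROUP = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"], "id": "g-1",
                "displayName": "Finance", "members": [{"value": "u-1"}, {"value": "u-2"}]}
```

The `replace active false` operation is the one identity providers send to deprovision a user, so it should revoke the user's active sessions and tokens as well as flip the attribute; and because every PATCH arrives over the OAuth 2.0-protected endpoint, the bearer token's scope, not the PATCH body, decides which resources a caller may modify.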
Release v2.2.0 - 2024
Overview
Introduced RADIUS Settings under Admin Panel → Settings → RADIUS Settings to configure RADIUS server details and integrate them with blueprints for secure authentication.
Key Features
- Blueprint Selection: Mandatory selection of a blueprint before configuring RADIUS.
- RADIUS Server Configuration:
- Configure RADIUS Server URL, Port (default: 1812), and Shared Secret.
- Option to securely regenerate the Shared Secret.
- MFA Integration:
- Supports multi-factor authentication (MFA) during RADIUS login.
- Prompts user to select MFA option (Email/SMS) and validates OTP for secure access.
- Testing Support: Step-by-step testing flow provided using the NTRadPing application for authentication, MFA initiation, and verification.
Purpose: This feature simplifies RADIUS server integration with blueprints, ensures secure authentication, and provides administrators with streamlined configuration and testing capabilities.
Release v2.1.0 - 2024
Overview
Introduced Kerberos integration within Skillmine Auth, enabling user lifecycle management and synchronization between Auth and Kerberos servers.
Key Features
- Kerberos Setup & Configuration:
- Support for KDC URL, Realm (uppercase), and Admin Password configuration.
- Customizable krb5.conf and script support within connector service.
- Dockerized Kerberos setup with preconfigured admin principal and KDC server startup.
- Admin Panel Integration:
- Added Kerberos Providers under Settings → Authentication Methods.
- Webhook configuration for event-driven communication with connectors.
- User Lifecycle Operations:
- Create User: Users created in Auth are automatically provisioned in Kerberos.
- Password Change: Password updates in Auth are propagated to Kerberos.
- Delete User: User deletions in Auth remove the corresponding Kerberos entries.
- Sync Users: On-demand sync from Auth to Kerberos via API trigger.
- Testing & Verification:
- Client and server login validation using kinit and klist.
- Integration testing steps provided for user creation, password change, and deletion.
Purpose: This release provides a complete integration pathway between Skillmine Auth and Kerberos, ensuring secure authentication, centralized user management, and smooth synchronization across systems.
Release v2.0.0 - 2024
Overview
We are excited to announce the release of the new MAC Address Restriction feature. It is designed to enhance security and control by allowing administrators to restrict logins to devices with specified MAC addresses. By ensuring that only authorized devices can log in, this feature significantly improves the security of your environment.
Key Highlights of the MAC Address Restriction Feature:
- Access Control: Collect and specify the MAC addresses of devices you wish to grant or deny access to. Only authorized devices can connect, ensuring heightened security.
- Enhanced Network Security: By implementing MAC address restrictions, unauthorized devices will be prevented from accessing your network resources.
- User-Friendly Interface: Easily add and manage MAC addresses through a straightforward settings page.
- Tracking and Reporting: Track MAC address restriction reports, including the number of authorized and unauthorized requests, detailed information on each request, status, MAC address ID, browser, and IP.
Admin Configuration Instructions:
- 1. Create MAC Address Groups: Set up MAC address groups and add the allowed MAC addresses under these groups.
- 2. Blueprint Mapping: Map the MAC address groups in the blueprint. The login process will occur successfully if the user tries to log in from the Skillmine browser and the MAC address is allowed.