SafeNet IDPrime Virtual 3.1.0
Issue Month: April 2026
Build Details
Server (Full version): 3.1.0
- IDPrimeVirtual_Server_Alpine - supports Luna HSM only
Product Description
SafeNet IDPrime Virtual (IDPV) is a PKI-based software authenticator that uses the latest innovation in software-based smart token technology to provide the strong two-factor security of a smart card. It is cost-effective and convenient for software authentication. IDPV emulates the functionality of physical smart cards used for authentication, email, data encryption, and digital signing, enabling use cases such as VDI, BYOD, backup, and mobility on any device. It secures the user's private key on an HSM, with user authentication from OIDC-compatible identity providers (IDPs).
Release Description
SafeNet IDPrime Virtual v3.1.0 includes new features and bug fixes from the previous version.
New Features and Enhancements
- Tenant Management APIs: Tenant Management APIs have been introduced to enable centralized administration of tenants. To use these APIs, a system tenant must be provisioned within the container, and the API key associated with that system tenant is required for authentication and authorization.
  The following APIs are available:
  - CreateTenant API — Creates a new tenant.
    POST /IDPrimeVirtual/SystemTenant/V1/Tenants/{systemTenantId}
  - UpdateTenant API — Updates the details of an existing tenant.
    PUT /IDPrimeVirtual/SystemTenant/V1/Tenants/{systemTenantId}
  - GetTenant API — Retrieves the details of a tenant.
    GET /IDPrimeVirtual/SystemTenant/V1/Tenants/{tenantId}
- UserStatistic APIs: New UserStatistic APIs have been introduced to provide tenant administrators with visibility into user session activity and audit data.
  The following APIs are available:
  - GetActiveUsers API — Gets a list of all users who have active sessions.
    GET /IDPrimeVirtual/Provisioning/IDPrimeVirtual/UserStatistic/V1/Tenants/{tenantId}/statistics/activeUsers
  - GetNotLoggedInUsers API — Gets a list of all users who have not logged in since a specific time.
    GET /IDPrimeVirtual/Provisioning/IDPrimeVirtual/UserStatistic/V1/Tenants/{tenantId}/statistics/notLoggedInUser
  - GetStatisticsData API — Gets session details of users.
    GET /IDPrimeVirtual/UserStatistic/V1/Tenants/{tenantId}/statistics/data
  - GetAuditLogs API — Gets paginated audit logs.
    GET /IDPrimeVirtual/UserStatistic/V1/Tenants/{tenantId}/AuditLogs
- Health API: A Health API has been introduced to enable monitoring of the IDPV Server's operational status. This API is not exposed in the Swagger documentation. It returns the health status of the core service components, including the service, database, and HSM connectivity.
  GET /IDPrimeVirtual/health
  Response:
  { "service": true, "database": true, "hsm": true }
- Enhanced the migrate_tenants utility to support the MariaDB Galera Cluster environment.
- Provided support for HSM version 7.8.2 for FIPS compliant HSM.
- Backward compatibility is retained for IDPV Client 2.10.0 and Luna HSM firmware versions earlier than 7.8.2, ensuring that existing deployments continue to function without requiring configuration changes.
- The following APIs are added:
  IDPV Server API
  - CreateToken API V3
    The CreateToken API enables the creation of tokens using a strong key-wrapping algorithm to support HSM version 7.8.4 or later.
    POST /IDPrimeVirtual/V3/Tenants/{tenantId}/Users/{userId}/Tokens
    Response:
    { "tokenID": "string", "metadata": "string", "keyIDs": [ "string" ], "isOfflineModeSupported": true }
    Note: From this release, the CreateToken API will return a new response header, CTAG and ATAG. This tag will contain the token version.
  - UpdateMechanism API
    The UpdateMechanism API changes the token mechanism for the user PIN or admin key. Before calling this method, it is mandatory to log in to the token by using challenge-response from the 'Sessions' endpoint.
    POST /IDPrimeVirtual/V1/Tenants/{tenantId}/Users/{userId}/Tokens/{tokenId}/Credentials/{roleName}: UpdateMechanism
    Response:
    "string"
- The following APIs are updated:
  IDPV Server API
  - Get Tokens API V2
    From this release, the GetTokens API V2 will return a new response header, CTAG. This tag will contain the token version.
  - Unlock API V3
    The updated version of the Unlock API unlocks the token user PIN if the session is created using version 5.
    POST /IDPrimeVirtual/V{version}/Tenants/{tenantId}/Users/{userId}/Tokens/{tokenId}/Credentials/{roleName}: Unlock
    Response:
    "string"
  - Put Credentials API
    The Put Credentials API has been updated to use version 3 if the session is created using version 5. Use 1 in the version placeholder if the session was created (logged in) with version 3 or less. Use 2 in the version placeholder if the session was created (logged in) with version 4. Use 3 in the version placeholder if the session was created (logged in) with version 5.
    PUT /IDPrimeVirtual/V{version}/Tenants/{tenantId}/Users/{userId}/Tokens/{tokenId}/Credentials/{roleName}
    Response:
    "string"
  - Get Session API V2
    The updated version of the GetSession API is used when a session is created with login version 5.
    POST /IDPrimeVirtual/V{version}/Tenants/{tenantId}/Users/{userId}/Tokens/{tokenId}/Sessions/{roleName}
    Response:
    "string"
  - Post Session API V5
    Post Session API version 5 has been added. This version is used when clientConfiguration is fetched with version 5.
    POST /IDPrimeVirtual/V5/Tenants/{tenantId}/Users/{userId}/Tokens/{tokenId}/Sessions/{roleName}
    Response:
    "string"
  - Get ClientConfiguration API V5
    Get ClientConfiguration API version 5 has been added. This version is used to get client configuration parameters with a strong algorithm.
    GET /IDPrimeVirtual/V{version}/Tenants/{tenantId}/ClientConfig
    Response:
    { "idpvUrl": "string", "idpvThumbprint": "string", "tenantConfig": { "tenantExchangePublicKeyType": "string", "tenantExchangePublicKeyModulus": "string", "tenantExchangePublicKeyExponent": "string", "isAutoCardCreationEnabled": true, "isOfflineFallbackEnabled": true, "isAutoOfflineBundleDownloadEnabled": true }, "idpConfig": { "idpClientId": "string", "idpA": "string", "idpIssuerUrl": "string", "idpRedirectUrl": "string", "jwtExpiration": "string", "idpThumbprint": "string", "identityProvider": "string", "refreshTokenExpirationDuration": "string", "idpScope": "string", "jwtUserClaim": "string", "idpRedirectUrl_MAC": "string" } }
  Provisioning API
  - CreateToken API V3
    The updated version of the CreateToken API allows the creation of tokens that use a strong algorithm for key wrapping. New tokens are created with Version 3 when the 3.1.0 server is deployed with 7.8.2 HSM.
    POST /IDPrimeVirtual/Provisioning/V3.0/Tenants/{tenantId}/Users/{userId}/Tokens
    Response:
    "string"
  - ResetPin API V2
    Version 2 has been added to reset the token user/admin password with a new mechanism.
    POST /IDPrimeVirtual/Provisioning/V{version}/Tenants/{tenantId}/Users/{userId}/Tokens/{tokenId}/Role/{roleName}: ResetPin
    Response:
    204 Success
  - ChangePin API V2
    Version 2 has been added to change the token user/admin password with a new mechanism.
    POST /IDPrimeVirtual/Provisioning/V{version}/Tenants/{tenantId}/Users/{userId}/Tokens/{tokenId}/Role/{roleName}: ChangePin
    Response:
    204 Success
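
A monitoring check for the Health API response described in the New Features list, as an added example that is not part of the release notes or of Thales code. It assumes the caller supplies the full HTTPS health URL, and the fail-closed policy (only the JSON literal `true` counts as healthy) is this example's choice.

```python
import json
import urllib.request

# Component names from the documented Health API response.
REQUIRED = ("service", "database", "hsm")


def evaluate_health(body):
    """Return (healthy, problems); fail closed on anything but literal true."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return False, ["response is not valid JSON"]
    if not isinstance(doc, dict):
        return False, ["response is not a JSON object"]
    problems = []
    for name in REQUIRED:
        if name not in doc:
            problems.append(f"{name}: missing")
        elif doc[name] is not True:  # "true", 1 or null do not count
            problems.append(f"{name}: reported {doc[name]!r}")
    return not problems, problems


def probe(health_url, timeout=5.0):
    """Fetch a caller-supplied health URL; any transport error is unhealthy."""
    if not health_url.startswith("https://"):
        return False, ["health URL must use https"]
    try:
        with urllib.request.urlopen(health_url, timeout=timeout) as resp:
            return evaluate_health(resp.read().decode("utf-8", "replace"))
    except (OSError, ValueError) as exc:  # URLError/HTTPError are OSErrors
        return False, [f"probe failed: {exc}"]


# Constructed sample bodies; the first matches the documented response.
SAMPLE_OK = '{ "service": true, "database": true, "hsm": true }'
SAMPLE_HSM_DOWN = '{ "service": true, "database": true, "hsm": false }'
SAMPLE_MALFORMED = '{ "service": true, "database": "true" }'

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_HSM_DOWN, SAMPLE_MALFORMED):
        print(evaluate_health(sample))
```

Alerting on the individual entries in `problems` separates an HSM connectivity loss from a database outage, which a single up/down status would hide.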
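
The version rule stated for the Put Credentials API, as an added example that is not part of the release notes or of Thales code. The function names are hypothetical, the identifier values in the usage lines are constructed, and treating session versions below 1 or above 5 as errors is an assumption, since the notes describe nothing outside that range.

```python
from urllib.parse import quote

# Highest session (login) version described in the release notes.
MAX_SESSION_VERSION = 5


def credentials_api_version(session_version):
    """Map the session login version to the Put Credentials API version.

    Release-note rule: session <= 3 -> 1, session 4 -> 2, session 5 -> 3.
    """
    if isinstance(session_version, bool) or not isinstance(session_version, int):
        raise TypeError("session_version must be an int")
    if not 1 <= session_version <= MAX_SESSION_VERSION:  # assumed bounds
        raise ValueError(f"unsupported session version: {session_version}")
    if session_version <= 3:
        return 1
    return 2 if session_version == 4 else 3


def _segment(value):
    """Percent-encode one path parameter so it cannot add or drop segments."""
    if not isinstance(value, str) or value in ("", ".", ".."):
        raise ValueError(f"invalid path parameter: {value!r}")
    return quote(value, safe="")


def put_credentials_path(session_version, tenant_id, user_id, token_id, role_name):
    """Build the Put Credentials path for a session of the given version."""
    version = credentials_api_version(session_version)
    ids = [_segment(v) for v in (tenant_id, user_id, token_id, role_name)]
    return ("/IDPrimeVirtual/V{}/Tenants/{}/Users/{}/Tokens/{}/Credentials/{}"
            .format(version, *ids))


if __name__ == "__main__":
    # Constructed identifiers, for illustration only.
    print(put_credentials_path(5, "tenant-a", "alice", "tok-1", "User"))
    print(put_credentials_path(3, "tenant-a", "a/b", "tok-1", "User"))
```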
Default Password
Virtual IDPrime cards are supplied with the following default token password: "000000" (6 zeros). The Administrator Password must be entered using 48 zeros.
Password Recommendations
We strongly recommend changing all device passwords upon receipt of a token/smart card as follows:
- User PIN should include at least 8 characters of different types.
- PIN character types should include upper case, lower case, numbers, and special characters.
For more information, refer to the 'Security Recommendations' section in SafeNet IDPrime Virtual Server-Client Product Documentation.
Compatibility Information
Operating Systems
The following operating systems are supported:
Server Operating Systems
- Ubuntu 22.04 and 24.04.3
- RHEL 8, 9, and 10
Middleware
- SafeNet Authentication Client R2 10.9.6901.0
- SafeNet Minidriver R2 10.9.6901.0
IDPV Windows Client
- Windows Client: 3.1.0.184
Virtual Smart Card Features
The following table lists the features supported by IDPV:
| Feature | Device: SafeNet IDPrime Virtual |
|---|---|
| Number of Keys | 15 max |
| RSA Key Size | 2048 bit, 3072 bit, and 4096 bit |
| RSA Padding | PKCS#1 v1.5 |
| Hash and Signature Schemes | SHA-2 512-bit, CKM_SHA1_RSA_PKCS_PSS, CKM_SHA256_RSA_PKCS_PSS, CKM_SHA384_RSA_PKCS_PSS, CKM_SHA512_RSA_PKCS_PSS |
| Supported APIs | PKCS#11 V2.20, PKCS#15, MS CryptoAPI and CNG (CSP, KSP), PC/SC |
| Supported cryptographic algorithms | 3DES (deprecated and will be phased out), AES, SHA-256, RSA up to 2048/3072/4096, RSA PSS |
Execution of Third-Party Security Tools
- Aqua Trivy 0.66.0
- Anchore Grype v0.100.0
- Open Collective Dockle v0.4.14
- Anchore Syft v1.33.0
- Cisco ClamAV v1.4.3
Compatibility with Thales Applications
Virtual IDPrime cards can be used with the following products:
- SafeNet Authentication Service Private Cloud Edition (SAS PCE) with Keycloak / SafeNet Trusted Access (STA)
- SafeNet Authentication Client (SAC) R2 10.9.6901.0
- SafeNet Minidriver R2 10.9.6901.0
Resolved and Known Issues
This section lists the resolved and known issues that exist in this release. The following table defines the severity of the issues listed in this section.
| Severity | Classification | Definition |
|---|---|---|
| C | Critical | No reasonable workaround exists. |
| H | High | Reasonable workaround exists. |
| M | Medium | Medium level priority problems. |
| L | Low | Lowest level priority problems. |
Resolved Issues
| Issue | Severity | Synopsis |
|---|---|---|
| IDPV-11972 | H | The SigningKey Service fails to recover after encountering an error, resulting in the IdP key rotation process stopping entirely. |
| IDPV-11916 | H | The tenant migration utility fails on MariaDB 10.11 with Galera Cluster replication because this database setup does not support XA transactions required by the migration process. |
| IDPV-11994 | H | Oracle Database 19.28 Provisioning Error in IDPV Server |
| IDPV-11744 | H | IDPV is not compatible with HSM Firmware version 7.8.4 when FIPS mode is enabled. |
| IDPV-7186 | M | Process or API feature for Admin to unblock a locked token due to the user exceeding the wrong entry limit. |
Related Product Documentation
The following documentation is associated with this release:
ThalesDocs
We have attempted to make the documentation complete, accurate, and useful, but we cannot guarantee them to be perfect. When we discover errors or omissions, or they are brought to our attention, we endeavor to correct them in succeeding releases of the product.