
Release Notes 4.10.0

Overview

This document outlines the updates, improvements, and fixes introduced between versions 4.9.0 (released on May 7, 2025) and 4.10.0 (released on Jun 23, 2025) of the Excalibur v4 software.

New Features

Robust Security Policies

Figure 1. Security Policy Overview

Figure 2. Rule Sets Overview

Definitions

  • Security Policy: an entity that includes a required name, description (optional), target type, action type, list of user groups, list of rule sets.

  • Depending on the action and target type, a security policy may relate to Dashboard, SAML service provider groups or PAM target groups.

    • Additionally, users can add an optional description and validity period (nonstop, date-time range, or recurring intervals), assign one or more rule sets, and enable or disable the policy (disabled policies are excluded from validation).

  • Evaluation Logic: an action is considered valid if the user fulfills all conditions of at least one complete rule set. Partial fulfillment across multiple rule sets is not sufficient.

  • Rule Sets: define a collection of authentication rules and conditions, assignable to Security Policies.

    • Each rule set includes a required name, an optional description, the configuration of authentication factors such as PIN & biometry, an option to allow passkey usage, and additional conditions, including time range, IP range, geolocations and geolocation groups, phone status, and device integrity check.

  • Policy Management: can be created, modified, copied, or deleted by users with appropriate permissions. System-scope administrators can manage all policies. Tenant-scope administrators can manage only policies created within their tenant. Default policies can be modified or copied, but not deleted.

  • Rule Set Management: can be created, modified, copied, or deleted by users with the appropriate permissions. System-scope administrators can manage all rule sets. Tenant-scope administrators can manage only rule sets created in their tenant. System-scope Rule Sets are visible in tenant scope in read-only mode and can be reused in tenant policies. Default Rule Sets can be modified or copied, but not deleted.

Figure 3. Security Policy Creation

Figure 4. Rule Set Creation

  • When a user attempts to edit a default security policy or a default rule set, a warning dialog will appear to confirm the action, ensuring that users are aware they are modifying a system setting.

Figure 5. Warning Dialog

Geofences

  • Default geofences / geofence groups are pre-configured for the global regions of Europe and the Middle East, North America, South America, Africa, Asia, and Australia. Each region's time zones are mapped to a corresponding default geofence object. When a user selects a time zone during the setup process, the appropriate default geofence or geofence group is automatically mapped to the default rule set.

Registration

  • A registration security policy defines the rules a user must meet during the registration process. This policy is always tied to the dashboard as its target and includes mappings to user groups and rule sets. Every registration policy must have at least one user group assigned to it.
  • In the system scope, a default registration policy is automatically created during database initialization. It includes all three default user roles and has no time or date restrictions. It uses the default rule set and can be edited by authorized users, but not deleted.
  • Administrators can also create or copy custom registration policies in the system scope. In addition, from the system-level tenant detail view, they can manage tenant-specific registration policies—similar to how tenant Active Directories are managed.
  • In the tenant scope, a default registration policy is created when the tenant is created and removed if the tenant is deleted. It mirrors the system default but links to the tenant’s default user groups and can be deleted if needed.

Validation

  • During the registration process, the system uses the tenant ID and user ID from the QR code to select the relevant registration security policies and their associated rule sets. If at least one complete set of rules within a policy is successfully validated, the user is authorized to register. If no rule sets pass validation, registration is denied, and the system records which rules prevented registration.
  • Additionally, the system keeps track of the rules that were successfully completed. The registration action details will show the policies used to validate the user and the results of those validations.
  • Note: Since rule sets with the same name may exist in both the system scope and tenant scope, the system clearly indicates which scope each rule set belongs to, ensuring transparency.

Authentication

  • An authentication security policy defines the rules users must follow during login. There are two types: one for dashboard access and another for SAML service provider authentication via the Excalibur SAML IdP. Both support login using tokens (QR codes) or passkeys. Dashboard policies require at least one user group, while SAML policies require at least one user group and one SAML service provider group.
  • In the system scope, default dashboard and SAML authentication policies are created automatically during setup. These include all default user groups and have no time restrictions, using the default rule sets. Authorized users can edit these policies but cannot delete them.
  • Tenant-level authentication policies are managed similarly. When a tenant is created, default dashboard and SAML policies are set up with tenant-specific groups and can be edited or deleted. Tenant administrators can also create their own policies and use system-defined rule sets within tenant scope.
  • For emergency access, a rescue authentication policy can be created only by system administrators via command line. This policy has no restrictions, is used solely for emergency logins, and deletes itself after a successful login. Tenant scopes do not have a rescue policy, but tenant policies can be managed directly by system administrators.

Validation

  • The validation process varies depending on the target type. For SAML authentication, security policies are selected based on the tenant ID, user ID, user groups, and SAML service provider groups. For the Dashboard target, policies are selected based solely on user groups.
  • The system validates the selected security policies and their related rule sets. If at least one complete rule set passes validation, the user is authorized to authenticate. If no rule sets pass, access is denied and the system records which rules prevented authentication.
  • The action details display the policies used to validate the user during registration and the outcomes of each validation.

Authorization

  • An authorization security policy defines the rules a user must follow during the PAM authorization process. It targets PAM and requires at least one PAM target group, one user group, and one rule set to be assigned. Users can authorize by scanning a QR code or using their passkey.
  • In the system scope, a default authorization policy is created during system setup. This policy has no time limits and links to the three default user groups, a default PAM target group, and a default rule set. While it can be edited, it cannot be deleted.
  • System administrators manage tenant authorization policies through the tenant’s Security Policies tab. When a tenant is created, a default authorization policy is also created for that tenant and deleted when the tenant is removed. This tenant-specific default policy connects to the tenant’s default user groups, PAM target group, and rule set, and can be edited but not deleted.
  • Tenant administrators can create, edit, delete, or copy their own authorization policies, which must include at least one PAM target group, one user group, and one rule set. Rule sets defined at the system level are also available within tenant scope, allowing tenant admins to use or copy them for their policies.

Validation

  • When a user initiates access using a QR code or passkey, the system checks their identity and group membership to determine which authorization policies apply. Based on these policies, it evaluates the necessary security rules. If at least one complete set of rules is successfully validated, the user is authorized and a PAM session is created. If no rules are fully met, access is denied, and the system logs which rules were attempted and which ones failed.
  • The system also records any rules that were successfully completed. For added efficiency, if the user already passed certain rules during the login process, those validations are reused and not repeated during authorization.
  • The user’s access details clearly show which policies were applied and the results of each validation, ensuring transparency and easier troubleshooting.

Validation Result in Action detail

The Validation Result tab in the Action Detail shows all the security policies involved in the action. Each policy is displayed as an accordion with its name visible. When you expand an accordion, you’ll see all the rules within that policy. Rules that were successfully met are marked with a green checkmark, while rules that were not met show a red cross. Each policy also displays additional details like the date and time, the phone’s IP address, and its connection status. By default, all the accordions are expanded for easy viewing.

Figure 6. Validation Results


Reorganized User Interface

  • The application’s navigation has been streamlined for a more intuitive and organized experience. The Profile submenu has been removed from the side menu. Now, the Preferences and Passkeys pages are accessible exclusively from the user icon dropdown. Preferences appears between the profile name and logout, and Passkeys follows Preferences.
  • The Users submenu has been replaced with a single menu item leading to a unified page that includes tabs for both Users and Groups. The Invitations page now stands alone as its own menu item.
  • PAM-related pages such as Targets, Groups, Sessions, and Full-Text Search have been merged into tabbed pages for easier access. Identity Stores and OAuth Clients are now located under the Setup section.
  • Geofences, Service Providers, and Groups are combined under the Security section using tabs, and Security Policies and Rule Sets are similarly unified into a single tabbed interface.
  • The Statistics section has been consolidated into one menu item with tabs for General, Devices, and Actions. The Others section has been renamed to Settings, and all settings-related pages are now top-level menu items instead of being under a submenu.
  • The System section now includes Expiration Times and Map as tabs within a single menu item.

Figure 7. Reorganized Left Menu

Tunnel improvements

  • added tunnel client installer for Windows
    • The tunnel detail page now features a new Windows tab with a clear guide for installing and setting up the tunnel on Windows devices. Users can switch between two installation options using a Button Group: Download Installer or Download via Command.
    • With the Download Installer method, users can download the installer via a button, select their preferred shell type through radio buttons to activate the tunnel, and then check the tunnel’s status to ensure it’s working correctly.
    • The Download via Command option provides commands for downloading and installing the MSI file via the command line. Users choose their preferred shell type to activate the tunnel and verify its status afterward.
    • This addition simplifies the Windows tunnel setup process, catering to both graphical interface users and those comfortable with command-line installation.

Figure 8. Tunnel Windows Installer

  • added tunnel client support for connection over a forwarder proxy

    • Added functionality that allows the Tunnel client to configure proxy settings and establish both control and data channel connections through the specified proxy. This enhancement is especially useful in environments where internet access requires routing through a proxy server.
  • added tunnel support for VNC sessions

    • You can now connect to VNC targets using a tunnel for added flexibility and security. To test this feature, select a tunnel for a VNC target, then try adding or removing tunnels, switching between them, and establishing a session. Once a tunnel is selected, connect to the VNC target to verify the connection works as expected.
  • added improved logging

    • Added a logging mechanism whose logging level can be changed seamlessly by running the command "sudo excalibur-tunnel setup" and choosing the desired logging level. The Windows installer now includes log rotation: every 50 MB the log is compressed, and logs older than 7 days are deleted.

Multiple Server Configurations For One Identity Store

  • added ability to set up multiple configurations for a single identity store either during the initial setup or directly from the dashboard. All these configurations stay active and are regularly checked, so if any become unavailable, the UI will clearly indicate this.
  • Managing configurations is simple and user-friendly. They can be added or edited through convenient pop-up modals, where a connection test runs before saving to ensure everything works smoothly.
  • In the list of identity stores, the overall status is displayed: whether all configurations are connected, at least one is working, or none are available. Expanding any entry reveals detailed info about each configuration.
  • Configurations can be duplicated or deleted, several at once, for efficient management. A Disable button is being added soon for even better control.
  • The system is designed to automatically switch to another configuration if the current one becomes unreachable, such as when a firewall blocks its port, ensuring uninterrupted service.

Figure 9. Identity Stores Configurations

Added Passkeys page

  • A new "Passkeys" page has been introduced, allowing administrators to view and manage (auditors only view) passkeys for all users within their tenant. Administrators can delete any of these passkeys.
  • Another new section, the "Profile > Passkeys" page, lets users manage their own passkeys.
  • Administrators can only view passkeys for users within their own tenant. For example, an administrator from Tenant A cannot see passkeys belonging to users from another tenant.

Figure 10. Passkeys Dedicated Section

Mobile Application

Token

A new version of the mobile application (minimum version 4.5.7) is now required. Please ensure that users update to at least this version to maintain compatibility and access all features.

Figure 11. Version Upgrade

Display Expiration Times On QR Codes

The expiration date and time are now displayed on QR codes.

Figure 12. Expiration Date & Time

PIN Keyboard Size Optimization

The PIN keyboard layout has been optimized to prevent overflow issues on certain devices. This ensures the keyboard now fits properly on all screen sizes, improving usability and providing a consistent experience across different devices.

Figure 13. PIN Keyboard Size Optimized

Usability Improvements

Indication for already registered users when sending invitations

On the "Invite User" page, there’s an update to how user avatars are displayed. If the invited user is already registered, their avatar now appears with a green background and a "registered" icon, making it easy to visually identify existing users at a glance.

Figure 14. 'Already Invited User' Indicator

New Scaling Options in Web Client Settings

The Web Client now offers improved display controls through a new scale mode setting in the menu. Users can choose how their remote session is displayed by selecting from options like fit to window, fit to width, fit to height, or custom scaling. When the custom option is selected, a zoom slider appears, allowing users to manually adjust the session scale anywhere between 25% and 175%, ensuring an optimal viewing experience on any screen size.

Figure 15. VNC Scaling Options

…and more minor fixes and improvements