10Duke Enterprise release notes

Learn about new features, enhancements, and fixed issues in the most recent 10Duke Enterprise releases.

If you need release notes for other releases, go to the release’s documentation site from the top toolbar. ___

Release 6.0.0

Release date: September 19, 2025

10Duke is pleased to announce the new major release 6 for 10Duke Enterprise, which introduces:

  • New features and improvements, including:

    • Breaking: Support for passwordless sign-in using passkeys, providing a faster and safer way to sign in.

    • Breaking: All email templates have been standardized for improved consistency, modern design, enhanced branding support, and uniformity across outgoing emails. Emails can be customized based on your requirements.

      10Duke will handle the migration of your existing email configurations as part of the upgrade process.

    • Support for enforcing organization-wide multi-factor authentication (MFA).

    • Centralized access to 10Duke applications and services is now available via the 10Duke Portal, which simplifies navigation by providing a single point of entry.

      This portal is intended for software vendors and their authorized users, not end customers. Hence, access to the Portal is controlled by a specific client role (created by 10Duke), assigned to authorized users as needed. Users with this role will be automatically redirected to the Portal after signing in at the base service URL.

    • License consumption responses now include a new grantedItems claim that returns all aggregated licensed items granted by the license token.

    • Updated default password policy for stronger security practices and improved password management.

    • Optimizing license request handling by making it faster and more efficient.

  • Significant changes that break compatibility with the previous major releases, including changes in events.

    Please review the release notes marked with the Breaking label.

  • The 10Duke SysAdmin version now supports enforcing multi-factor authentication (MFA) for all users within an organization. It also enables managing OAuth 2.0 client configurations, downloading licenses for device clients, and referencing organizations using external system identifiers.

  • A 10Duke OrgAdmin version with features to support entitlements and improved visualization of license usage.

  • The release includes minor security improvements. We recommend updating to this release.

  • Bug fixes and performance-related improvements.

Check out the comprehensive list of breaking changes and new features under each solution component below.

For any changes to your deployment configuration due to breaking changes or new features, please contact the 10Duke Integration Support team.

10Duke Identity Management REST API 3.0.0

Enhancements:

  • Breaking: User emails are now validated by default to contain at least three characters when creating a user, importing users to the system, or adding users to an organization.

    If needed, the email validation rules can be changed in your deployment configuration.

  • Breaking: Updates made to permission requirements for certain user management actions. Affected operations may now require additional access rights.

    For details, please contact the 10Duke Integration Support team.

  • A new endpoint /organizations/{organizationId}/settings/requireStrongUserAuthentication allows retrieving and updating the value of the multi-factor authentication setting for an organization’s users.

  • The endpoint retrieving users has been optimized.

  • Multiple logout callback URLs are now supported for OIDC / OAuth clients. The first callback URL is used as the default one when no other callback URL is requested by the client.

  • A new externalId field has been added in the Organization resource. The externalId value can be set by the client when creating and updating organizations. Organizations can also be queried by the externalId value.

  • Documentation improvements in the API reference.

Bug fixes:

  • Breaking: When creating device clients, refresh tokens are not anymore granted by default.

    If needed, the earlier behavior where refresh tokens are granted by default can be restored with a configuration change.

  • Other minor fixes.

10Duke Entitlement Management REST API 4.0.0

Enhancements:

  • Breaking: If a user has a seat reservation for a license, the user’s access is no longer validated if the access to the license is also granted via the organization group membership.

    If needed, the earlier behavior can be restored by a configuration change in your 10Duke Enterprise deployment.

  • Breaking: When blocking a user or device client from consuming a seat-based license that requires a reservation, the user or device client is now explicitly prevented from consuming the license. Previously, only the user’s or device client’s seat reservation was removed if they had one.

  • Breaking: When querying licenses of an organization, available licenses for a user or device client, or the usage of a particular license, the response no longer returns license usage or assignments for expired licenses.

    If needed, the earlier behavior where license usage and assignments are returned for expired licenses can be restored with a configuration change.

  • Breaking: If contract information is specified in a license provisioning request, the system verifies that the owner of the contract (based on the externalContractId) matches the organization or user ID specified in the request path.

    If the externalContractId already exists and is associated with a different organization or user, the request will now fail with an error by default.

    This validation ensures consistency and prevents assigning the same contract to multiple licensees. If needed, the earlier behavior where no error was given can be restored in your deployment.

  • Breaking: When querying the usage of a license, the response no longer returns the seat usage for use count-based or use time-based licenses.

    If needed, the earlier behavior where seat usage is returned for use count-based or use time-based licenses can be restored with a configuration change.

  • Breaking: The value null is now returned for the following fields when they are not applicable to the license credit type: seatsTaken, seatsConsumed, seatsTotal, useCountConsumed, useCountTotal, useTimeConsumed, useTimeTotal, seatReservationsConsumed, and seatReservationsTotal.

  • In the queries for available licenses for a user or device client, the response now also contains the active sessions.

  • The License object, returned by API operations such as listing an organization entitlement’s licenses, contains new credit-related fields: seatReservationsConsumed and seatReservationsTotal that specify the seat reservations consumed from the license and the total number of seat reservations granted in the license.

  • The License object, returned by API operations such as querying usage of a license, contains a new field: seatsConsumed that specifies the number of seats consumed in the license.

  • Performance improvements in license management.

  • The seatsTaken, seatsReserved, seatsConsumed, seatReservationsConsumed, UseTimeConsumed, and useCountConsumed fields have been deprecated. While these fields are currently returned by all relevant endpoints, they will only be returned by the queryLicenseUsage endpoint starting from release 7. Therefore, we recommend that new implementations avoid relying on these fields outside of the queryLicenseUsage endpoint.

  • The license check performance has been improved by running a quota check only when acquiring a new license seat.

  • A license provisioning request with an empty product package is now rejected.

  • The query retrieving information on the license activations associated with a reseller organization has been optimized.

  • Documentation improvements in the API reference.

Bug fixes:

  • Breaking: Resetting a user’s assignments for a license now correctly returns all active assignments.

  • Fixed an issue where provisioning organization licenses created a new default entitlement, even when a non-default entitlement existed and was specified in the transaction.

  • Querying entitlements, license consumer groups, activation code grants and provisioning configurations now returns a complete list of queried items. Previously, the query results were limited to a maximum of 10 items.

  • Fixed an issue in the schema object inheritance hierarchy in the API reference.

  • When the same id is used for multiple license transaction items in the same request, the HTTP status code 400 is now correctly returned.

  • When an id of an existing object is used for another object in a request, the HTTP status code 409 is now returned.

  • Fixed an issue where license provisioning granted zero seat reservations to a license although the product package granted unlimited seat reservations.

  • When retrieving a license transaction, the effective license model and aggregated seat usage are now returned for the licenses.

  • Other minor fixes.

10Duke License Consumption API

Enhancements:

  • Breaking: When requesting to consume a license and multiple licenses are available for a user, the criteria used for selecting the license to be consumed have been adjusted to prioritize seat-based licenses over other license types. See more on license prioritization.

  • Breaking: An error is now shown if impersonation fails.

    If needed, the earlier behavior can be restored by a configuration change in your 10Duke Enterprise deployment.

  • Breaking: The kid field has been added in the header of license tokens. See more on fields in the license token header.

    This change is spec-compliant and should be safely ignored by compliant JWT parsers. Most clients using standard JWT libraries will not be affected. However, because we have known client implementations (especially for License Tokens) that rely on rigid expectations of the JWT structure, we are marking this as Breaking.

  • License consumption responses now include a new grantedItems claim, which returns the aggregated items that the license token grants access to.

    If needed, the aggregated items feature can be enabled in your deployment configuration.

  • Support added for improved license handling for single license requests that include multiple licensed items by using intermediate commits. This reduces license lock duration and improves overall performance.

    If needed, this functionality can be enabled in your 10Duke Enterprise deployment.

Bug fixes:

  • When one license serves more than one requested licensed item, all returned tokens now contain the correct lease id (the jti claim).

  • Other minor fixes.

10Duke Login Application

Enhancements:

  • Breaking: Passwordless sign-in is now supported using passkeys. A passkey is a modern, secure, and user-friendly key designed to replace passwords. It is a secret stored on your device, unlocked with biometrics or other screen lock method.

    Unlike a password, passkeys cannot be shared, remembered, or written down. This makes them a phishing-resistant alternative to traditional passwords.

    The system informs a user by email about the passkey being activated or deactivated for their user account.

    Two new email templates are available for customizing the content of these emails in your deployment. If needed, the emails can be disabled in your deployment.

    See more on passkeys.

  • Breaking: When accessing 10Duke Enterprise using the base URL, the default behavior related to the redirection of users has been changed. By default, users are now directed to 10Duke Portal. Previously, users were always directed to the profile page after login.

  • Breaking: Support added for configuring the redirection of users after login, allowing the default redirection to any desired URL.

    If needed, the page where the users are directed after login can be defined in your deployment configuration.

  • Breaking: The language code used for the Norwegian locale has been changed from “no” to “nb”, in line with current standards.

  • Breaking: The default theme used in the 10Duke Login Application has been aligned with the 10Duke branding.

  • Breaking: The same favicon file is now used by default across the Login Application, My Licenses and OrgAdmin.

    If needed, different favicon files for each UI application can be defined in your deployment configuration.

  • For added security, the default password policy has been updated to control the expiration of passwords and to prevent end users from re-using their previous passwords when changing a password.

    If needed, the password policy can be changed in your deployment configuration.

  • Support added for enforcing the use of multi-factor authentication (MFA) for all users of a specific organization, if enforcing has been enabled for the organization.

  • Users will now be notified by email when two-factor authentication is deactivated for their account.

    A new email template is available for customizing the content of these emails.

    If needed, customizations can be made or the emails can be disabled in your deployment.

  • Improvements to invitation handling to ensure a link to the invitation welcome page, if configured, is presented to invitation recipients.

    If needed, the welcome pages can be enabled in your deployment configuration.

  • The registration form now includes a single sign-in call to action.

  • Multiple logout callback URLs are now supported for OIDC / OAuth clients. The first callback URL is used as the default one when no other callback URL is requested by the client.

  • @internal/providerOrganizationId can now be used for mapping an external organization ID received from an external provider to an organization in 10Duke Enterprise. The mapping can be configured in 10Duke SysAdmin.

  • Support added for defining when user registration is allowed. The options include allowing anyone to register (default), allowing only invited users to register, and disabling the registration.

    If needed, changes to the user registration can be made in your deployment configuration.

  • A new OIDC scope https://apis.10duke.com/auth/openidconnect/organizations is available. It returns all user’s organizations based on the “employees” user group(s) they belong to.

    Due to introducing the new OIDC scope, the https://apis.10duke.com/auth/openidconnect/organization OIDC scope has been deprecated in 10Duke Enterprise 6.0.0. While we recommend using the new OIDC scope, you can continue using the deprecated https://apis.10duke.com/auth/openidconnect/organization OIDC scope in your deployment configuration. This doesn’t require any actions from you.

  • Support added for a /.well-known/change-password endpoint for helping users change their passwords easily.

  • The /user/oauth20/signout endpoint for supporting single logout has been added in the OIDC discovery.

  • A new optional parameter prompt=login for forcing reauthentication can be specified for client applications using OIDC with browser-based login.

Bug fixes:

  • Fixed an issue where email validation accepted a previously validated email address that no longer matched the user’s current email address after changing the email address of a user using the REST API.

  • Other minor fixes.

10Duke My Licenses

Enhancements:

  • Breaking: The language code used for the Norwegian locale has been changed from “no” to “nb”, in line with current standards.

  • Breaking: The same favicon file is now used by default across the Login Application, My Licenses and OrgAdmin.

    If needed, different favicon files for each UI application can be defined in your deployment configuration.

  • Styles in 10Duke My Licenses have been unified by using consistent naming and structure for style definitions.

  • The underlying build setup and libraries for 10Duke My Licenses have been modernized. These internal changes improve performance, maintainability, and compatibility with the latest technologies without affecting the user experience.

10Duke SysAdmin

Enhancements:

  • A new Security tab with an option to enforce the use of multi-factor authentication (MFA) for all users of a specific organization has been added for organizations in 10Duke SysAdmin. When MFA is enforced, both new and existing users must set up MFA when signing in with a password. Otherwise, login will not be completed. This affects both end users and the administrator users of the 10Duke SysAdmin and OrgAdmin tools.

  • You can now manually refresh role and permission changes in the 10Duke SysAdmin Roles and Permissions section. After editing a role, click the new Refresh cache button above the tables to apply changes to users with that role. The changes take effect within a few minutes.

  • Support has been added for configuring the allowed range for the Quantity field in license transaction items. This allows the use of zero or negative values, which are not permitted by default.

    If needed, this feature can be enabled in your deployment configuration.

  • The License > Manage Reservations view now offers a more comprehensive overview of seat usage. It displays the number of seats currently in use (those being consumed or reserved), as well as details on seat reservations.

    The number of reservations made is shown as a number out of the total available reservations in the license. If seat reservations are not limited, this value is shown as Unlimited. This information is displayed alongside the total, reserved, and unreserved seats in the license.

  • The order of the tabs for organizations has been rearranged in 10Duke SysAdmin. The tabs now include, in order, details, security, user invitations, device client invitations, device clients, external IDs, and custom properties.

  • The table listing the license transactions in the Licenses section now shows by default the most recent transactions at the top, ordered by the timestamp in the Created column. In addition, you can now sort the Created and Updated columns in this table by clicking the double arrow icon next to the column titles.

  • You can now define multiple logout callback URLs for OAuth 2.0 clients. This enhancement provides greater flexibility for applications that require different post-logout redirection endpoints.

  • You can now manage configurations, such as token lifetime configurations, for OAuth 2.0 client applications in the new Configuration tab, available in the Client applications section. These client-scoped configurations override the configurations used by 10Duke Enterprise. The configuration keys related to token lifetime configuration are readily available for selection within the application, but you can add any other key-value pairs as needed.

  • A new option has been added for target entitlement selection when provisioning licenses: Not set (uses current default). Selecting this option ensures new licenses are always stored in the current default entitlement, which may change over time. This mirrors the behavior of the 10Duke Entitlement Management REST API when entitlementId is not specified or set to null when provisioning licenses.

  • A new Seat Reservation Quota column has been added to organization licenses views. Seat reservation quotas only apply to seat-based licenses with a license model that enforces reservations and limits the number of times reservations can be made.

    This new column shows the number of reserved seats out of the total allowed, for example, 5 / 20 or 3 / Unlimited.

    If the license model is not compatible or does not limit the number of reservations, the column shows -/–, meaning not applicable.

  • You can now assign external IDs to organizations in the new External IDs tab, available in the Organizations section. By using external IDs, you can reference organizations using identifiers from external systems instead of their native 10Duke Enterprise ID.

  • Support has been added to download organization licenses for device clients.

  • The “orgadmin” designator now consistently defines the default OrgAdmin role for the organization in 10Duke SysAdmin. In addition, the system now automatically ensures that each organization has only one organization role with this “orgadmin” designator, removing the previous manual responsibility from your system administrators.

  • The values for the login and logout callback URLs for OIDC/OAuth 2.0 identity providers are now set by default, and cannot be edited. The following default values are used.

    • For client login callback URL: https://<your 10Duke Enterprise instance>/user/oauth20/cb

    • For client logout callback URL: https://<your 10Duke Enterprise instance>/user/oidc/idp-logout

  • The name of the organization role template as well as the designator of the organization role must now be unique in the system.

  • Replaced action buttons with compact icons and tooltips in tables listing invitations to improve layout and usability on smaller screens.

  • The fields for the federation request parameters related to assigned email domains have been removed for OIDC identity providers. For SAML 2.0 identity providers, these fields are hidden by default. If needed, the fields can be enabled in your deployment configuration.

  • The following fields related to the client details of SAML 2.0 identity providers are now hidden by default.

    • Consume group claims

    • Group names claim URI

    • Consume organization role claims

    • Organization roles claim URI

    • Organization name claim URI

    • Organization Id claim URI

    If needed, the fields can be enabled in your deployment configuration.

  • The following fields related to the client details of SAML 2.0 identity providers are now hidden by default.

    • Name ID Format

    • User id source

    • Email assertion name

    • Require deflated messages

    If needed, the fields can be enabled in your deployment configuration.

  • Response attributes for OIDC identity providers now use the @provider/ prefix for standard IdP claims. For example, /email is now @provider/email.

  • The @updateMode/Create and @updateMode/None claims have been added to the list of IdP claims for OIDC and SAML 2.0 identity providers.

  • Support has been added for defining the lock scope when provisioning licenses based on activation codes.

  • In the licenses views and in the legacy Entitlements section, fields not applicable to a license’s credit type now show a hyphen (-) for usage and credits.

  • The character limit in the invitation messages for users and device clients has been removed.

  • The queries listing users have been optimized.

  • A new configuration option has been added to prevent deletion of a default entitlement. This behavior is enabled by default and brings the legacy Entitlements section—where provisioning and license management are not in sync with the Entitlement Management REST API—in line with the behavior of the Licenses section.

    Vendors still using the legacy Entitlements section can have this behavior disabled via configuration if needed. We recommend testing your workflows with this restriction enabled, as it may become mandatory in a future release.

Bug fixes:

  • Fixed an issue where managing reservations for one license could unintentionally affect reservations in a neighboring license within the same entitlement.

  • Fixed an issue where setting an empty value for the seat reservation count in the advanced attributes of a licensed item within a product package incorrectly resulted in zero credit. Now, an empty string for the seat reservation count correctly grants unlimited seat reservation credit. Also, the seat reservation count field now only accepts an empty string and numerical values for consistent data entry.

  • Fixed an issue where adding license properties to an existing transaction item failed if the value of the license properties was null.

  • Other minor fixes.

10Duke OrgAdmin

Enhancements:

  • Breaking: The language code used for the Norwegian locale has been changed from “no” to “nb”, in line with current standards.

  • Breaking: The same favicon file is now used by default across the Login Application, My Licenses and OrgAdmin.

    If needed, different favicon files for each UI application can be defined in your deployment configuration.

  • 10Duke OrgAdmin now supports entitlement management, allowing users to:

    • Create and manage entitlements.

    • Move licenses from one entitlement to another.

  • The visualization for license usage has been updated. Now, instead of showing separate columns for consumed and total seats, the information is unified into a single column that displays the current usage out of the total granted credits for the license. This change applies to seat-based licenses, use count-based licenses, and use time-based licenses, where the current consumption is shown relative to the total credit granted.

    A new Seat Reservation Quota column has been added, using the same unified single column. For seat-based licenses that limit the number of times seats can be assigned or reserved for users, the visualization now shows the number of reservations made out of the total available reservations in the license.

  • When removing an administrator user from a user group, it is possible to remove the user’s admin access.

  • Downloading license tokens for device clients is supported.

  • If a user or device client no longer belongs to an organization but still has a reservation or active lease for the organization’s license, the status of the user is set to External in the license usage view in 10Duke OrgAdmin. For device clients no status is shown. While you can release their reservation, you will not be able to: view the details of these users or device clients, reserve a seat, block them from using the license, or unblock them.

  • The license usage view now shows the total number of consumed license seats (that is, the seats currently in use).

  • Support added for defining the validity period of a license token when downloading a license. If no value is set, the default maximum duration will be applied.

    By default, this feature is disabled in the 10Duke Enterprise configuration. If needed, the feature can be enabled in your deployment configuration.

  • In the license views, it is no longer possible to block users or device clients for expired licenses. Additionally, the reserved or blocked status is no longer shown for expired licenses.

  • License usage data is no longer shown for expired licenses in the license views.

  • In the license views, a hyphen “-“ is now displayed for license data that is unavailable. This includes data for expired licenses, data that is not applicable for the license’s credit type, or data where the usage is unlimited. Previously, the license usage data in these cases was usually shown as “0”.

  • The search functionality for tables has been enhanced.

  • The license access has been optimized for faster load times, and support for large data sets has been improved.

  • The format of the license assignment error messages has been unified.

  • The lists now show selected items at the top. This makes it easier for users to identify specific items within a long list; for example, quickly viewing the users who are members of a group from a list of hundreds of users.

  • Styles in 10Duke OrgAdmin have been unified by using consistent naming and structure for style definitions.

  • The underlying build setup and libraries for 10Duke OrgAdmin have been modernized to improve performance, maintainability, and compatibility with the latest technologies. These changes are internal and do not affect the user experience.

Bug fixes:

  • The details about seat reservations are now shown correctly in the license usage view.

  • Sorting by the Valid from and Valid until columns in the Manage licenses and Manage invitations tables now works correctly.

  • Sorting by columns where the value consists of multiple parts now works correctly.

  • Other minor fixes.

10Duke events

Enhancements:

  • Breaking: New events related to activating and deactivating user credentials are now available:

    • CredentialActivationStarted is triggered when a user begins the process of activating a new authentication credential, such as when they request a password reset or activate their account.

    • CredentialActivated is triggered when a user successfully completes credential activation, such as resetting their password, activating their account, or enabling two-factor authentication (2FA), or passkey, or a new password has been created for a user through the API.

    • CredentialDeactivated sent for example when a user has deactivated the 2FA or passkey for their user account.

    For further details on the new events, see the full data schema in the 10Duke GitHub repository.

    Changes in existing events related to user’s credentials as follows:

    • The UserPasswordChanged event now also triggers the CredentialActivated event.

    Due to introducing these new events, the following events have been deprecated in 10Duke Enterprise 6.0.0:

    • ForgotPasswordEmailSent

    • ForgotPasswordReset

    • UserPasswordCreated

    • UserMfaActivated

    • UserMfaDeactivated

    If needed, sending the deprecated events can be turned on by a configuration change in your 10Duke Enterprise deployment. This will not turn off the new events.

  • In the audit events sent by 10Duke Login Application, the modified object fields with null values are now omitted.

  • oldFields are now included in the Deleted audit event when UserSession is deleted. Only the id field is included in oldFields.

  • Audit events are now sent without additional configurations in the 10Duke Identity Management REST API, 10Duke Entitlement Management REST API and 10Duke SysAdmin.

  • New events related to activation codes are available:

    • ActivationCodeBlocked sent when an activation code has been blocked to prevent using it for provisioning licenses.

    • ActivationCodeUnblocked sent when a blocked activation code has been unblocked to enable using it for provisioning licenses.

  • New events related to adding and removing users to organization groups are available:

    • UserAddedToOrganizationGroup sent when a user has been added to an organization group.

    • UserRemovedFromOrganizationGroup sent when a user has been removed from an organization group.

  • New events related to assigning and removing organization roles to users are available:

  • UserAddedToOrganizationRole sent when a user has been assigned an organization role.

  • UserRemovedFromOrganizationRole sent when an organization role has been removed from a user.

For further details on the new events, see the full data schema in the 10Duke GitHub repository.

  • Events (including audit events) are now only sent after a request has been successfully committed, improving the reliability and accuracy of event data. Previously, in some cases, events might have been sent even if the request ultimately failed, potentially leading to inconsistencies. If needed, the earlier behavior can be restored by a configuration change in your 10Duke Enterprise deployment.

  • The activationCode field is now included in the LicenseProvisioned event.

  • The event reception has been enhanced.

Security:

  • Breaking: The allowed maximum length of a password has been set to 128 characters by default.

    If needed, the limit can be adjusted in your deployment configuration.

Bug fixes:

  • Other minor fixes.

Other changes

Enhancements:

  • Breaking: Restrictions to permissions organization roles can grant.

  • Support added for an authenticated OAuth client to impersonate a user and consume a license.

  • Performance related improvements.

Bug fixes:

  • Fixed an issue where reference fields were missing from audit trail delete events when cascading deletion was used. For single object deletion, the reference fields were included.

  • Other minor fixes.