2.17
Workflow
Improved Used By Table in the Activity Editor
The Used By table now displays additional information, including whether parent workflows are enabled, synchronized, or public.
HTTP Nodes: Retry Failed External Requests in Synchronous Mode
A new checkbox Force sync has been added. When enabled, the node is executed in synchronous mode even if the configured Delay time is not immediate.
Global Workflow Transition Limit
A new Max transitions configuration setting is available under Settings → Configuration → Execution. This limit helps prevent infinite workflow loops that could otherwise block APIO.
Macro Node Terminations
When creating a macro node, terminations are now automatically populated based on the selected sub-workflow.
XML Jinja Filter
A new Jinja filter converts XML data into a dictionary. It can be used as follows:
| xml_to_dict
Enhanced JSON Schema Configuration and Validation for Startup Events
When configuring a startup event with JSON Schema (input or output), the schema is now validated before saving—preventing invalid schemas from breaking the route.
Integration
New JWT-Based SSO Mechanism
New configuration options include:
- IdP sign-in URL: If provided, the login button redirects users to this URL.
- IdP sign-out URL: If provided, logout redirects users to this URL.
- Token header name: Header from which the JWT is retrieved. If absent, the token is read from the JSON payload using the same key.
- Email claim: Claim containing the user's email. If omitted, no email is extracted.
- JWK set URL: Location of the JWK set used for token signature validation.
- Public key: Public key for signature validation (alternative to JWK set URL).
- Secret key: Base64-encoded shared secret for token validation (alternative to JWK set URL).
- Issuer: List of valid issuer domains for JWT verification.
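How the options above fit together for the Secret key variant, as an added example that is not APIO code. The function names, the HS256 pinning, and the enforcement of the exp claim are assumptions; the release note does not describe the server-side checks.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def extract_token(headers, json_body, name):
    # "Token header name": header first, then the same key in the JSON payload.
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(name.lower()) or (json_body or {}).get(name)

def sign_sample(claims, secret_b64):
    # Constructed helper that plays the IdP so the example runs offline.
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    key = base64.b64decode(secret_b64)
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"

def validate_sso_token(token, secret_b64, issuers, email_claim=None, now=None):
    """Return (claims, email) for a valid token, else raise ValueError."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError
    except Exception as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm to the configured key type: the header's "alg" comes
    # from the sender, so "none" or an asymmetric alg must be refused.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    key = base64.b64decode(secret_b64)  # "Secret key" is stored Base64-encoded
    want = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, want):
        raise ValueError("bad signature")
    if claims.get("iss") not in issuers:  # "Issuer" allowlist
        raise ValueError("untrusted issuer")
    exp = claims.get("exp")  # assumption: expiry is enforced
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired or missing exp")
    return claims, (claims.get(email_claim) if email_claim else None)
```
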
Option to Disable SMTP STARTTLS
A new configuration setting allows disabling SMTP STARTTLS: Settings → Configuration → SMTP → Force STARTTLS disable
Extended Authentication Extra Rules
Additional attributes are now available for authentication rule conditions:
- origin
- host
- proxy
- ui_id
Operations
Configurable Process Log Levels (GUI)
New log-level configuration options are available under Settings → Configuration → Logs:
- Process core log level
- Process scheduler log level
- Process webhooks log level
- Process msteams_gw log level
User Management
GUI Inactivity Timeout
A new option GUI inactivity timeout (minutes) is available under Settings → Configuration → GUI. When enabled, inactive GUI sessions are automatically logged out after the specified period.
User Account Expiration
New user-profile-level expiration settings:
- Expire (days): Automatically blocks the account after the specified number of days since creation.
- User can extend expiration: Allows the user to extend the expiration by changing their password.
- Expire Notification (days): Sends an email reminder after the specified number of days.
- Expire Notification Email Template: Template used for expiration notifications.
  - Use {language} in the template name to localize it dynamically.
  - Use {expire_date} inside the template to show the expiration date.
- Use
User Account Lockout
New settings allow automatic lockout after repeated failed login attempts:
- Invalid password lockout duration: Duration (minutes) of the lockout; -1 locks the account permanently.
- Invalid password lockout threshold: Maximum failed attempts before lockout; 0 disables the mechanism.
- Lockout mail template: Email template for lockout notifications; supports {language} for localization.
User-specific settings override global GUI-level lockout settings.
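The sentinel values and the override rule above, modelled as an added example that is not APIO code. The class and function names are hypothetical, and two behaviours are assumptions: the user-level override applies per field, and the account locks when the failure count reaches the threshold. The global policy is expected to have both fields set.

```python
import math
from dataclasses import dataclass
from typing import Optional

PERMANENT = -1  # lockout duration sentinel from the release note
DISABLED = 0    # lockout threshold sentinel from the release note

@dataclass
class Policy:
    threshold: Optional[int] = None     # None = not set at this level
    duration_min: Optional[int] = None

@dataclass
class Account:
    failed: int = 0
    locked_until: Optional[float] = None  # epoch seconds, math.inf = permanent

def effective(global_gui: Policy, user: Policy) -> Policy:
    # Assumption: a user-level value, when set, overrides the global one per field.
    return Policy(
        global_gui.threshold if user.threshold is None else user.threshold,
        global_gui.duration_min if user.duration_min is None else user.duration_min)

def attempt(acct: Account, password_ok: bool, policy: Policy, now: float) -> bool:
    """Return True when the login is accepted."""
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return False  # a correct password is refused while locked
        acct.locked_until, acct.failed = None, 0  # timed lockout has elapsed
    if password_ok:
        acct.failed = 0
        return True
    if policy.threshold and policy.threshold > DISABLED:
        acct.failed += 1
        if acct.failed >= policy.threshold:  # assumption: lock on reaching it
            acct.locked_until = (math.inf if policy.duration_min == PERMANENT
                                 else now + policy.duration_min * 60)
    return False
```
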
Force Password Change for New Users
A new option Force password change for new users is available under Settings → Configuration → GUI.
Trigger Workflow on User Creation
A new Post-auto-creation workflow option in Settings → Configuration → SSO allows automatically triggering a workflow after SSO-based user auto-creation. The workflow receives the same user attribute data provided by the IdP.
Security
CORS Verification
Under Settings → Configuration → GUI → Allowed origins, you can now define trusted domains permitted to access the system via CORS. These origins are validated during preflight (OPTIONS) requests.
Patch Versions Release Notes
Release 2.17.0
| Pull id | Fix |
|---|---|
| 534 | added configurable automatic expiration for user profiles |
| 533 | added variable ui_id to custom reset password workflow execution context |
| 532 | modified the reset password API to consistently return a successful response, regardless of whether the user exists |
| 528 | improved CORS verification |
| 527 | extended authentication extra rules context with origin, host, proxy, and ui_id attributes |
| 523 | improved error handling for invalid SAML redirect URLs |
| 522 | migrated javascript framework from react-scripts to vite |
| 521 | enhanced JSON schema configuration and validation for startup events |
| 519 | improved replication location information in DB replication status page |
| 514 | added an option to automatically trigger a workflow after SSO-based user auto-creation |
| 512 | added a Jinja filter to convert XML data into a dictionary format |
| 511 | load target user details when running simulation as a different user |
| 509 | fixed request search filtering by HTTP response code |
| 508 | fixed the proxying of health check requests to gateway endpoints |
| 506 | fixed the SSO configuration form to properly update when switching protocol types |
| 504 | fixed JSON encoding in the template renderer for the type generator |
| 499 | added automatic completion of sub-workflow terminations in the macro node |
| 498 | fixed email sending of templates when they do not contain any placeholders |
| 497 | added configuration option to disable SMTP STARTTLS |
| 495 | fixed condition text selection for node "Switch" |
| 494 | implemented automatic account lockout after repeated failed password attempts |
| 493 | fixed missing user IdP information for DRaaS build |
| 490 | added support for configurable automatic user expiration at the user profile level |
| 489 | added option to disable SMTP starttls by setting environment variable NO_STARTTLS |
| 486 | improved SAML SSO integration with Auth0 |
| 485 | added option to force password change for new users |
| 482 | added GUI inactivity timeout option |
| 477 | added SSO support for external IdP JWT validation |
| 473 | added configurable workflow transition limit to prevent infinite loops |
| 472 | added option to retry failed external requests in synchronous mode |
| 469 | fixed Provisioning UI error message when an invalid email address is submitted for a group administrator |
| 467 | improved "Used by" table in the activity editor to display key endpoint configuration flags |
| 439 | added configurable process log level from GUI |
Upgrade from 2.16
No special steps are required. Please follow the standard procedure described in the Deployment Guide.
Downgrade to 2.16
Stop all APIO Core 2.17 instances. Execute the following SQL statements on the APIO master database instance:
alter table user_profiles drop column lockout_duration;
alter table user_profiles drop column lockout_threshold;
alter table user_profiles drop column lockout_mail_template;
alter table user_profiles drop column expire;
alter table user_profiles drop column notify_expire;
alter table user_profiles drop column expire_mail_template;
alter table user_profiles drop column user_extend_expire;
alter table users drop column expire_date;
update schema_migrations set version=30;
Start the previous version of APIO Core (e.g., 2.16).
