Passbolt 5.11.0 "Got To be Real" marks SCIM provisioning as production-ready following an external security audit by Cure53. This release also adds PingOne as a new SSO provider and introduces OAuth support for SMTP authentication with Microsoft Exchange Online, ahead of Microsoft's planned deprecation of basic authentication at the end of 2026.
SCIM: audit fixes and general availability (Passbolt Pro)
SCIM provisioning, introduced as beta in Passbolt 5.5.0, is now marked as stable. With SCIM, administrators can create, update, suspend, and delete users directly from their identity provider, without ever touching the Passbolt UI. Microsoft Entra ID and Okta have been tested and validated as supported providers.
This milestone follows an external security audit conducted by Cure53, whose findings have been addressed across this and previous releases. The full report will be published shortly and made available to the community.
PingOne SSO support (Passbolt Pro)
This release adds PingOne as a new SSO provider. Organisations using PingOne can now authenticate their users without leaving their existing identity infrastructure.
PingOne joins the list of supported SSO providers alongside Azure AD, AD FS, Google, and the generic OpenID Connect connector that supports providers such as Keycloak or other in-house identity systems.
SMTP OAuth support for Microsoft Exchange Online
This release introduces OAuth 2.0 support for SMTP email delivery with Microsoft Exchange Online. Microsoft has announced that basic authentication for SMTP will be disabled by default at the end of 2026 (see Microsoft's updated deprecation timeline). Organisations using Exchange Online can start transitioning to OAuth now, ahead of the deadline.
Safari update (beta)
The Safari extension moves to its next milestone. While still in beta, organisations can now opt in by enabling a feature flag in the API configuration file or via environment variable. Once enabled, the browser extension becomes available through what will become the stable package on the Apple Store, allowing organisations to deploy it for all their users.
Safari support is not yet fit for production use. For more details about the known limitations and risks, see the open beta announcement. We thank the community members participating in the TestFlight program for their continued feedback and encourage pioneers who are comfortable with the risk to enable it and share their experience.
To enable safari beta from the environment variables, set the PASSBOLT_PLUGINS_SAFARI_ENABLED to true.
To enable safari beta from the passbolt.php configuration file.
'passbolt' => [
'plugins' => [
'safari' => [
'enabled' => true,
],
],
],
Other changes
This release adds autofill support for ProxMox, OVH, Supermicro IPMI, and several other websites. We continuously work to improve autofill coverage and the feedback from the community is invaluable. If you encounter a website where autofill does not work as expected, do not hesitate to file a bug report.
As usual, the release is also packed with additional improvements and fixes. Check out the detailed logs to learn more.
Conclusion
Many thanks to everyone who provided feedback, reported bugs, and contributed to making passbolt better!
Changelog
Added
- PB-49733 SMTP-OAUTH - WP2.1 Update SmtpSettingsService to SmtpSettingsApiService
- PB-49734 SMTP-OAUTH - WP1.1 Create the SmtpSettingsEntity
- PB-49737 SMTP-OAUTH - WP2.2 Update SmtpTestSettingsService to SmtpTestSettingsApiService
- PB-49738 SMTP-OAUTH - WP2.3 Split SmtpSettingsModel to new architecture pattern
- PB-49739 SMTP-OAUTH - WP2.4 Split SmtpTestSettingsModel to new architecture pattern
- PB-49740 SMTP-OAUTH - WP3.1 Adapt context with the new SMTP entities
- PB-49741 SMTP-OAUTH - WP3.2 Adapt ManageSmtpAdministationSettings to handle the new OAUTH fields
- PB-50058 OAuth SMTP: add the new styleguide to backend
- PB-50135 SSO with PingOne
- PB-50157 Enable avatar upload for Safari
- PB-50254 [Pro] SCIM-WP1.2 Adapt form to handle the new date field and display warning message when expired
- PB-50263 Add a username selector compatible with ProxMox
Fixed
- PB-46678 Fix quickaccess closing issue on Safari
- PB-49237 DisplayUserBadgeMenu attention required should be displayed on Administration page served by API
- PB-49287 When deleting a user, the URL must changed not to reference the deleted user id
- PB-49476 Fix autofill for websites using identifier as name for username field
- PB-49619 Fix username input field selector for OVH
- PB-49849 Sync generator password policy with the administration after save
- PB-49866 Fix the expiry column in the resource workspace grid is not present anymore
- PB-49882 Fix username input field selector for Supermicro IPMI WebUI
- PB-50023 Fix multifield OTP selector matching hidden inputs
- PB-50077 Fix React router issue that reloads the page unexpectedly
- PB-50177 Fix autofill issues for two websites
Maintenance
- PB-49129 Delegate tab opening to service worker in order to send all cookie via Safari
- PB-49459 Timeouts not cleared properly when filtering resources/users grids by keywords
- PB-49705 Add missing TOTP unit tests
- PB-49730 Setup an environment for publishing to npmjs registry
- PB-49998 Add required
data_collection_permissionsfor Firefox and set it tonone - PB-50013 Make Safari download custom avatars test of quick fix for CI
- PB-50118 Major upgrade for locutus (Critical) - passbolt-browser-extension
- PB-50158 Add Safari enablement through a feature flag
- PB-50200 Move the logic of passbolt.groups.create to GroupCreateController
- PB-50201 Update group create call in groupApiService to contain "my_group_user" as urlOptions
- PB-50202 Add supported formats documentation link in export dialog
- PB-50225 Create a CreateGroupService.js file and move the create call to api service inside it
- PB-50338 - Fix phantom @babel/preset-react
Security
- PB-49608 Fix ReDoS vulnerability in PGP armor regex validation
- PB-50271 Fix GHSA-25h7-pfq9-p65f - HIGH CVSS3.1
- PB-50272 Fix brace-expansion vulnerabilities