Skip to content

What's New in Nullafi Shield v3.8.1

v3.8.1Released: May 12, 2026  ·  Container image: public.ecr.aws/nullafi/shield:v3.8.1

Overview

  • 2

    New Features

  • 1

    Improvements

  • 2

    Bug Fixes

  • 0

    Security Fixes

New Features

Theme: ICAP proxy maturity and cloud-native observability.

  • SAML Session Logout Page

    End users traversing the network using Shield's SAML authentication can now explicitly terminate their session via a dedicated logout page, giving organizations greater control over session lifecycle and reducing the risk of residual authenticated sessions. See the SAML Sessions documentation.

    Policy Deployment

  • AWS OpenSearch Support for Activity Database

    Nullafi Shield now supports AWS OpenSearch as the activity database backend, enabling organizations deployed on AWS to leverage the fully managed OpenSearch Service instead of operating their own search cluster. Switching between Elasticsearch and OpenSearch requires only a configuration change. See the Deployment documentation.

    Deployment

Example · AWS OpenSearch in practice

Before Organizations deploying Nullafi Shield on AWS had to provision and maintain a self-managed Elasticsearch cluster to store activity data, adding operational overhead and infrastructure cost outside the AWS managed services model.

After Teams can now point Shield directly at an AWS OpenSearch Service domain with a single configuration change. Authentication is handled automatically via IAM roles, eliminating the need to manage credentials and reducing infrastructure ownership to zero.

Deployment

Infrastructure requirements, environment changes, and steps needed to deploy this release safely.

Deployment & Infrastructure

AWS OpenSearch activity database support Organizations deploying on AWS may now configure the activity database to use AWS OpenSearch Service. This is an additive capability — existing Elasticsearch configurations remain fully supported and require no changes. To adopt OpenSearch, update the activity database connection settings to point to your OpenSearch domain endpoint and ensure the Shield service role has the appropriate IAM permissions for the OpenSearch domain.

Deployment guide

Policy

Compliance requirements, data governance changes, and policy updates that take effect with this release.

Policy & Compliance

SAML Session Logout Page Administrators can configure a Shield SAML Session Logout page which will invalidate a user's SAML session when they visit the page and click on the Log me out button.

Configuration documentation

Developers

API changes, deprecations, SDK updates, and integration notes.

Developers & Integrators

API specification upgraded to OpenAPI 3.0 The Shield API reference has been migrated from Swagger 2.0 to OpenAPI 3.0 (formerly known as Swagger). The OpenAPI 3.0 specification is now the authoritative reference for all API integrations. Clients and tooling generated from the previous Swagger 2.0 specification should be regenerated from the updated spec to ensure compatibility.

API changelog & docs

Improvements & Bug Fixes

Full list of resolved issues and quality improvements in this release.

Type Description ID
Improvement The API specification has been upgraded to OpenAPI 3.0, improving compatibility with modern tooling and client generators. NS-563
Fix Resolved an issue where the ICAP secure server was not being created when the corresponding environment variable was set; only the plain ICAP server was initialized. NS-608
Fix Activity Log now correctly captures and associates the Shield instance identifier for traffic processed through the ICAP server, ensuring complete audit trail coverage. NS-607

Upgrade Instructions

Follow these steps before upgrading in production. Estimated time: 10 minutes.

  1. Back up your database and configuration files Take a full snapshot of your database and export current configuration — including your .env and any custom policy files. Store backups off-instance before proceeding.

  2. Review API specification changes If your team uses generated API clients or tooling based on the Swagger 2.0 specification, regenerate them from the new OpenAPI 3.0 spec after upgrading. Review the Developer notes above for details.

  3. Pull the updated container image

    docker pull public.ecr.aws/nullafi/shield:v3.8.1
    Configure your container runtime scripts or commands to use the new image. (If using Nullafi's sample Docker Compose files, modify the .env file so that SHIELD_IMAGE points to the new image.) Restart the Shield service after pulling the updated image.

  4. (Optional) Configure AWS OpenSearch If you are deploying on AWS and wish to use AWS OpenSearch Service as the activity database, update your activity database configuration to reference your OpenSearch domain endpoint and verify IAM role permissions before restarting Shield.

nullafi.com  ·  docs.nullafi.com  ·  support@nullafi.com  ·  Previous releases