Webhooks​

Webhooks in this release are expanded and easier to use. IDaaS now supports a broader event catalog across user lifecycle, authentication outcomes, credentials, passkeys, tokens, grids, and magic links, with additional detailed information for each event. Webhook delivery now follows a standard HTTP message signing model (RFC 9421) to simplify verification in downstream services, and webhook administration has been improved with clearer configuration metadata (including required webhook names) and more flexible testing options, such as overriding the callback URL during test calls.

For more information, see the Webhook customer use cases guide.

Documentation Portal​

This release of IDaaS introduces a new documentation portal that combines admin guidance, developer resources, and release notes in one place.

The new documentation portal includes the following features:

• Improved searching.
• LLM-friendly content export support for AI-assisted knowledge workflows.

For portal access and navigation, see the IDaaS documentation portal home.

Identity Enterprise Agent Migration Enhancements​

The Identity Enterprise (formerly IdentityGuard) Agent in the Enterprise Service Gateway has been enhanced to support progressive migration of customers from Identity Enterprise to IDaaS. When handling authentication requests from an Identity Enterprise client, the agent first tries to forward the request to IDaaS. If the user does not exist in IDaaS, the agent will then forward the request to Identity Enterprise. This allows a customer to migrate their users from Identity Enterprise to IDaaS in stages without forcing immediate client-side changes across all legacy integrations.

For configuration and routing behavior details, see Configuring an Identity Enterprise Agent.

Passkey Attestation​

This release introduces passkey attestation enhancements to improve trust during passkey registration and lifecycle management. IDaaS now captures and evaluates attestation-related registration details so administrators can better validate authenticator provenance and strengthen phishing-resistant authentication policies.

In addition, administrators now have an option to list passkeys, making it easier to review registered passkeys, identify stale or duplicate credentials, and support user troubleshooting and cleanup workflows. Together, these improvements help security teams make stronger authenticator trust decisions while giving operations teams better passkey inventory visibility and lifecycle control.

For solution overview and platform context, see Passkey basics and IDaaS Passkey/FIDO2 authenticator management.

User External ID Enhancements​

User External ID enhancements make it easier for customers to link external account information to the corresponding IDaaS account by mapping and persisting customer-managed user identifiers in IDaaS. External ID values can be assigned through directory sync, inbound IdP claims, the Administration API, bulk operations, or SCIM provisioning. External IDs can be included in SAML attributes or OIDC claims and be used for API-based lookups.

For configuration details and integration examples, see Configure external ID for users.

Magic Link Enhancements​

This release adds a new setting to automatically send a magic link when a new user is created. The link can take the user directly to IDaaS to complete verification and initial registration, reducing onboarding friction and speeding time to first sign-in.

The Magic Link redirect URL validation is now more flexible but still preserves application safety. Previously, the requested redirect URL had to exactly match an allowed URL. Now, IDaaS validates the base redirect URL and ignores differences in query parameters. This lets clients include route or state parameters so users can return to a specific page in the same application after completing the magic link flow.

For customer scenarios and implementation patterns, see Magic links solution guide.

Portal Enhancements​

The following changes have been made to the Administration portal to improve usability, so administrators can complete common setup and governance tasks faster with fewer navigation and context-switching steps:

• The administrator Add Role page has been updated to improve usability. See Create, assign, and manage roles.

  

• The Add Application page has been redesigned. Applications are now categorized by type and it is easier to select which type of application the administrator wants to view. See Manage applications.

  

• The Add Bulk Operations page has been modified so that the administrator selects the type of entity first and then the action. Previously the action was selected first. See Manage bulk operations.

  

• The allowed resolution for custom logos has been increased from 450x150 to 900x300. See Customize account appearance and language.

• Editing Links in the Message of the Day has been fixed. See Customize account appearance and language.

Content Security Policy (CSP) Changes​

The Content Security Policy used by IDaaS has been made stricter in this release. The following changes have been made:

• Remove Google Analytics and font endpoints.
• Use specific S3 bucket endpoints instead of broader AWS endpoints.

Fixed or changed in this release​

1. The Verify User action required the Add permission for the authenticator being used. This is no longer required. (42124)
2. Change to how Google Authenticators in the activating state are treated during registration. (42067)
3. Named password UI fixes: reset-password named password not saved until refresh; named password cleanup; and small-window layout fix for named password group policy. (42025, 41810, 41714)
4. Risk Factor source IP address in resource rules causing Create OTP Auth API failure. (42030)
5. For OIDC applications, initiate Login URL should not be mandatory. (41991)
6. SIEM customization tab logo not saving. (41983)
7. Directory configuration Group Filter not honored in AD LDS. (41974)
8. Changing tabs in the application UI can overwrite changes. (41936)
9. Audit searches with empty subjectName should ignore the search attribute. (41917)
10. Admin portal error after user password authentication. (41888)
11. Generic 500 error on password reset URL. (41873)
12. Bulk import sample CSV had duplicate security ID in audit. (41856)
13. Validate search parameters for assigning preferred OTP provider to tenants/accounts. (41798)
14. Named password flow and audit validation updates: disable named passwords for system-defined auth flows; enforce namedPasswordId check in Admin API password reset; and use named password UUID in group policy audit updates. (41797, 41640, 41163)
15. Password reset email from admin portal showed “default” in email body. (41763)
16. Alternative OTP delivery methods not working at portal login when non-default method selected in user profile. (41769)
17. Magic link login invalid_token error. (41755)
18. SCIM: add user as provisioned user if user already exists. (41734)
19. Named password audit/log consistency updates for bulk password reset and SAML forgot password, plus password-only group policy reset audit behavior. (41730, 41729, 41722, 41719)
20. Trimmed challenge response through ESG IdentityGuard Agent. (41689)
21. Default group policy category on password when present. (41620)
22. Service Provider tenant management role not working if no site role assigned. (41514)
23. Null Pointer Exception (NPE) during TransactionDetails check. (41452)
24. Email notification did not specify which password was changed. (41333)
25. SCIM provisioning failure when token expired. (41305)
26. Application description could not be set to blank. (41218)
27. SAML application max age disable behavior for -1 updated with day-based time handling. (41072)
28. SP auditor role should be able to view tenant usage details dialog. (41065)
29. Allow upload of WeChat service account QR code. (41049)
30. Token push verify user cancel audit permission update. (40818)
31. Verify user grid for specified-one missing userId in audit. (40562)
32. Previous passwords cannot be reused: inconsistent behavior when resetting password with current password. (30638)

Changes to Identity as a Service (IDaaS) APIs​

Authentication API​

New operations​

• None.

Removed operations​

• None.

Changed operations​

• None.

Changed models​

• FIDORegisterChallenge
  • Added: attestation (string) - Attestation preference for passkey/FIDO2 registration. Determines how much information about the authenticator (security key/passkey) is shared during registration. NONE: No authenticator details shared (recommended for privacy). INDIRECT: Basic information shared in a privacy-preserving way (balanced approach). DIRECT: Full authenticator details shared (use when you need to verify specific device models).
• FIDORegisterResponse
  • Added: transports (array<string>) - The transport methods used during registration (for example, 'usb', 'nfc', 'ble', 'internal'). Used to determine authenticator capabilities.
• FIDOToken
  • Added: aaguid (string) - The AAGUID of the authenticator that created this FIDO token.
  • Added: aaguidVerified (boolean) - Indicates whether the AAGUID reported by the authenticator was cryptographically verified via a full certificate chain against the FIDO MDS trust anchors. True only for DIRECT attestation; false for INDIRECT (cert chain not verified); null for NONE (no attestation collected).
  • Added: algorithm (string) - The signature algorithm of the authenticator that created this FIDO token.
  • Added: attestationFormat (string) - Attestation format of the authenticator that created this FIDO token.
  • Added: attestedData (boolean) - Indicates if this FIDO token contains attested data.
  • Added: authenticatorModel (string) - The authenticator model of the authenticator that created this FIDO token.
  • Added: backupEligible (boolean) - Indicates if this FIDO token is eligible for backup.
  • Added: backupStatus (boolean) - Indicates if this FIDO token is currently backed up.
  • Added: icon (string) - The icon of the authenticator that created this FIDO token.
  • Added: userPresent (boolean) - Indicates if the user was present during the registration or authentication ceremony that created or last used this FIDO token.
  • Added: userVerified (boolean) - Indicates if the user was verified during the registration or authentication ceremony that created or last used this FIDO token.
• GridChallenge
  • Added: cellAlphabets (string) - The cellAlphabets value specifies the characters that are valid for the cells in the grid challenge.
  • Required added: cellAlphabets.
• UserAuthenticatorLockoutStatus
  • Added: locked (boolean) - Determines if this authenticator is currently locked out.

Administration API​

New operations​

• GET /api/web/v1/async/tokenspaged/{id}/assigned/result (assignedTokenPageAsyncResultUsingGET) - Get the result of an asynchronous list assigned tokens operation.
• GET /api/web/v1/async/tokenspaged/{id}/assigned/status (assignedTokenPageAsyncStatusUsingGET) - Get the status of an asynchronous list assigned tokens operation.
• GET /api/web/v1/async/tokenspaged/{id}/unassigned/result (unassignedTokenPageAsyncResultUsingGET) - Get the result of an asynchronous list unassigned tokens operation.
• GET /api/web/v1/async/tokenspaged/{id}/unassigned/status (unassignedTokenPageAsyncStatusUsingGET) - Get the status of an asynchronous list unassigned tokens operation.
• GET /api/web/v2/async/gridspaged/{id}/assigned/result (assignedGridsPageAsyncResultUsingGET) - Get the result of an asynchronous list assigned grids operation.
• GET /api/web/v2/async/gridspaged/{id}/assigned/status (assignedGridsPageAsyncStatusUsingGET) - Get the status of an asynchronous list assigned grids operation.
• GET /api/web/v2/async/gridspaged/{id}/unassigned/result (unassignedGridsPageAsyncResultUsingGET) - Get the result of an asynchronous list unassigned grids operation.
• GET /api/web/v2/async/gridspaged/{id}/unassigned/status (unassignedGridsPageAsyncStatusUsingGET) - Get the status of an asynchronous list unassigned grids operation.
• GET /api/web/v4/async/userspaged/{id}/result (usersPagedAsyncResultUsingGET) - Get the result of an asynchronous list users operation.
• GET /api/web/v4/async/userspaged/{id}/status (usersPagedAsyncStatusUsingGET) - Get the status of an asynchronous list users operation.
• POST /api/web/v1/async/tokenspaged/assigned (assignedTokenPageAsyncUsingPOST) - Lists a page of assigned tokens asynchronously.
• POST /api/web/v1/async/tokenspaged/unassigned (unassignedTokenPageAsyncUsingPOST) - Lists a page of unassigned hardware tokens asynchronously.
• POST /api/web/v1/fidotokenspaged (getFIDOTokensPagedUsingPOST) - Get FIDO tokens (paginated).
• POST /api/web/v2/async/gridspaged/assigned (assignedGridsPageAsyncUsingPOST) - Lists a page of assigned grids asynchronously.
• POST /api/web/v2/async/gridspaged/unassigned (unassignedGridsPageAsyncUsingPOST) - Lists a page of unassigned grids asynchronously.
• POST /api/web/v4/async/userspaged (usersPagedAsyncUsingPOST) - Lists a page of users asynchronously.

Removed operations​

• POST /api/web/v4/tenants (createTenantUsingPOST)

Changed operations​

• POST /api/web/v1/webhooks/test/{id} (testWebhookUsingPOST)
  • Request body: A request body was added.

Changed models​

• FIDOAuthenticatorSettings
  • Added: attestation (string) - Attestation preference for passkey/FIDO2 registration. Determines how much information about the authenticator (security key/passkey) is shared during registration. NONE: No authenticator details shared (recommended for privacy). INDIRECT: Basic information shared in a privacy-preserving way (balanced approach). DIRECT: Full authenticator details shared (use when you need to verify specific device models).
• FIDOAuthenticatorSettingsParms
  • Added: attestation (string) - Attestation preference for passkey/FIDO2 registration. Determines how much information about the authenticator (security key/passkey) is shared during registration. NONE: No authenticator details shared (recommended for privacy). INDIRECT: Basic information shared in a privacy-preserving way (balanced approach). DIRECT: Full authenticator details shared (use when you need to verify specific device models).
• FIDORegisterChallenge
  • Added: attestation (string) - Attestation preference for passkey/FIDO2 registration. Determines how much information about the authenticator (security key/passkey) is shared during registration. NONE: No authenticator details shared (recommended for privacy). INDIRECT: Basic information shared in a privacy-preserving way (balanced approach). DIRECT: Full authenticator details shared (use when you need to verify specific device models).
• FIDORegisterResponse
  • Added: transports (array<string>) - The transport methods used during registration (e.g., 'usb', 'nfc', 'ble', 'internal'). Used to determine authenticator capabilities.
• FIDOToken
  • Added: aaguid (string) - The AAGUID of the authenticator that created this FIDO token.
  • Added: aaguidVerified (boolean) - Indicates whether the AAGUID reported by the authenticator was cryptographically verified via a full certificate chain against the FIDO MDS trust anchors. True only for DIRECT attestation; false for INDIRECT (cert chain not verified); null for NONE (no attestation collected).
  • Added: algorithm (string) - The signature algorithm of the authenticator that created this FIDO token.
  • Added: attestationFormat (string) - Attestation format of the authenticator that created this FIDO token.
  • Added: attestedData (boolean) - Indicates if this FIDO token contains attested data.
  • Added: authenticatorModel (string) - The authenticator model of the authenticator that created this FIDO token.
  • Added: backupEligible (boolean) - Indicates if this FIDO token is eligible for backup.
  • Added: backupStatus (boolean) - Indicates if this FIDO token is currently backed up.
  • Added: icon (string) - The icon of the authenticator that created this FIDO token.
  • Added: userPresent (boolean) - Indicates if the user was present during the registration or authentication ceremony that created or last used this FIDO token.
  • Added: userVerified (boolean) - Indicates if the user was verified during the registration or authentication ceremony that created or last used this FIDO token.
• OTPAuthenticatorSettings
  • Added: otpWeChatDefaultDeliveryAttribute (string) - Id of the default WeChat OTP delivery attribute.
  • Removed: otpWechatDefaultDeliveryAttribute (string) - Id of the default Wechat OTP delivery attribute.
• PasswordResetSettings
  • Added: namedPasswordName (string) - The name of the password.
• User
  • Added: userPasswordDetails (array<UserPasswordDetails>) - A list of the user password details.
  • Flag changed: passwordCompromised deprecated: false -> true.
  • Flag changed: passwordExpirationTime deprecated: false -> true.
• UserAuthenticatorLockoutStatus
  • Added: locked (boolean) - Determines if this authenticator is currently locked out.
• Webhook
  • Added: name (string) - Descriptive name for the webhook to help identify its purpose.
• WebhookEvent
  • Enum changed on type: added user.created, user.updated, user.deleted, user.registration.completed, authentication.succeeded, authentication.failed, password.updated, magiclink.email.sent, grid.created, grid.email.sent, grid.password.email.sent, passkey.created, passkey.updated, passkey.deleted, kba.question.created, token.created, token.activated, token.activated.online, token.seed.rotated, hardware.token.assigned, face.biometric.created, credential.create, credential.update, credential.delete, credential.print.
• WebhookParms
  • Added: name (string) - Descriptive name for the webhook to help identify its purpose.
  • Changed: enabled - Improved description. Indicates whether the webhook is active and will receive event notifications. Disabled webhooks will not receive any events.
  • Required added: name.

Supported TLS Ciphers​

IDaaS supports the following TLS Ciphers:

TLSv1.3:

• TLS_AES_128_GCM_SHA256
• TLS_AES_256_GCM_SHA384
• TLS_CHACHA20_POLY1305_SHA256

TLSv1.2:

• ECDHE-RSA-AES128-GCM-SHA256
• ECDHE-RSA-AES256-GCM-SHA384
• ECDHE-RSA-CHACHA20-POLY1305

Enterprise Service Gateway (ESG) Deprecation​

Entrust supports only the last four releases of the Enterprise Service Gateway (the current version 5.46 and the three previous releases 5.43, 5.44, and 5.45). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.

NOTE: In an upcoming release, changes are planned that will break versions of ESG older than 5.33.

In-place upgrade of the ESG is only supported for versions 5.33 or later. Versions of ESG older than 5.33 are no longer supported. To upgrade versions of ESGs older than 5.33 to the new version, use the following procedure:

1. Download the latest Gateway OVA or Hyper-V file from IDaaS and install on a new VM instance.
2. Add a new Gateway instance to the existing Gateway in IDaaS.
3. Register the new Gateway instance with IDaaS.
4. Disable the old Gateway instance.
5. Repeat these steps to replace all the Gateway instances that use older versions of the ESG.

Once the upgrade is complete, the Gateway instances corresponding to the old ESGs can be deleted from IDaaS and the VMs for those ESG instances can also be deleted.

Browser Deprecation​

Microsoft no longer supports the Internet Explorer 11 and Microsoft Edge Legacy browsers. Identity as a Service no longer supports these browsers.

Support Multiple Passwords​

IDaaS users can now have multiple passwords associated with their account. This allows users to have different passwords for different authentication flows or applications. Administrators can configure multiple passwords for users and assign each with a unique password policy.

SCIM Enhancements​

The following enhancements have been made to SCIM support in this release:

• Support for custom schemas.
• Mapping additional IDaaS attributes to SCIM attributes, including RegistrationStatus to indicate whether the user is registered.
• Support for setting values into multivalued complex type SCIM attributes like email.
• Improved logging.

UI Improvements​

In the IDaaS Administration portal, all the "Policy" pages and bulk operation pages have been redesigned to improve usability.

OAuth Improvements​

A new document "OAuth and OIDC Basics" has been added to the IDaaS Developer Hub. This document provides an overview of OAuth 2.0 and OpenID Connect (OIDC) concepts.

A new OIDC application template, “Generic Embedded Application,” is now available in IDaaS. This template enables administrators to implement a custom, self‑hosted login experience that keeps users within your application during authentication, while still relying on an OpenID Connect provider to issue standards‑compliant tokens.

CORS Changes​

For new IDaaS accounts, CORS is now enabled by default. Existing accounts are not affected by this change but Entrust recommends that customers enable CORS for their existing accounts.

Fixed or changed in this release​

1. Generic Native application client ID copy to clipboard fails - The copy to clipboard function for client ID was not working for Generic Native applications, though it worked for other OIDC apps. (41215)
2. Authentication API calls for OIDC IDaaS JWT grant type need to be added to CORS Allow list - Authentication API calls for IDaaS JWT grant types are now automatically allowed for CORS.(41203)
3. Group policy Face Biometric Mutual Challenge alphabet error handling - Setting Face Biometric mutual challenge alphabet to a single character and saving resulted in an error without an error message. (41316)
4. IDaaS Doc ER: SAML SLO configuration and expected behavior - Documentation needs to specify the resulting behaviors expected from IDP or SP initiated logout and whether it results in global logout. (39797)
5. Magic link auth email changing to blank when the defined custom email contact changed to SMS - When adding a custom email contact, changing group policy magic link default email to the custom contact, then changing the custom email contact type to SMS, the default email becomes blank. (40636)
6. SCIM Provisioner User Attribute Mappings filter for the Required field is a text field - The filter field should be restricted to yes/no options rather than free text. (40462)
7. Test Directory Configurations result dialog contains a typo - "All group filter" should be "All group filters". (40827)
8. Unsaved changes warning does not retain user on the same Authenticator edit page when "Cancel" is clicked - When navigating to Policy → Authenticators, editing an Authenticator without saving, then clicking another Authenticator, an unsaved changes pop-up appears. However, clicking "Cancel" navigates to the previously selected Authenticator instead of staying on the current page with unsaved changes. (41281)
9. OIDC Authentication Unexpected server error, authentication request invalid - After redirecting to IDaaS from the customer service provider using an OIDC integration, allowing five minutes to elapse before proceeding results in "server error: Unexpected server error, authentication request invalid" error. (40883)
10. IDaaS SAML user creation not recognizing role - When a user is created after IDP authentication, role assignment during user creation is not working. Role claims that include underscores and role claims returned as lists are not properly processed. (41319)

Changes to Identity as a Service (IDaaS) APIs​

Authentication API​

New models​

PasswordChallenge​

New model introduced to support password challenge scenarios.

• name (string) - The name of the password challenge
• namedPasswordId (string) - The Named Password Id associated with the challenge

Changed models​

AuthenticatedResponse​

• Added: passwordChallenge (PasswordChallenge) - Password challenge information returned when password authentication requires additional challenge

UserAuthenticateQueryResponse​

• Added: passwordChallenge (PasswordChallenge) - Password challenge information for user authentication queries

UserAuthenticatorLockoutStatus​

• Added: name (string) - The users named password authentication that is locked out.

Notes & migration guidance​

• Password Challenge Support: A new PasswordChallenge model has been introduced to support scenarios where password authentication requires additional challenge information. This is part of the named password feature that allows users to have multiple distinct password authenticators.
• Enhanced Authentication Responses: Both AuthenticatedResponse and UserAuthenticateQueryResponse now include an optional passwordChallenge field. Clients should handle this field to support multi-password authentication flows where a specific named password may be required.
• Lockout Status Enhancement: The UserAuthenticatorLockoutStatus model now includes a name field to identify which specific named password authenticator is locked out, providing better visibility for troubleshooting and user support.
• Non-Breaking Changes: All changes are additive (new optional fields and a new model). Existing client implementations will continue to work without modification, though they won't benefit from the enhanced password challenge capabilities until updated.

Administration API​

New operations​

• DELETE /api/web/v1/users/{userid}/passwords/{namedpasswordid} (deleteUserNamedPasswordUsingDELETE) — Delete a user password using the password ID
• GET /api/web/v1/users/{userid}/list/passwords (getUserNamedPasswordsUsingGET) — Gets a list of user passwords
• GET /api/web/v1/users/{userid}/settings/password/{namedpasswordid} (getUserNamedPasswordSettingsUsingGET) — Get user password authenticator settings by named password ID
• PUT /api/web/v1/users/{userid}/password/{namedpasswordid}/notify (sendUserNamedPasswordExpiryNotificationUsingPUT) — Update and send a password expiry notification using password ID

Removed operations​

• DELETE /api/web/v1/users/{userid}/activesyncdevices/{deviceid} (removeActiveSyncDeviceUsingDELETE) — Delete ActiveSync device
• GET /api/web/v1/serviceipaddresses (getServiceIPAddressesUsingGET) — Get service IP addresses
• GET /api/web/v1/users/{userid}/activesyncdevices (getCachedActiveSyncDevicesUsingGET) — Get ActiveSync devices
• POST /api/web/v1/users/{userid}/activesyncdevices (getActiveSyncDevicesUsingPOST) — Manage ActiveSync device
• PUT /api/web/v1/users/{userid}/activesyncdevices (updateActiveSyncDevicesUsingPUT) — Update ActiveSync device

Changed models​

AuthenticationFlow​

• Added: namedPasswordId (string) - The Named Password Id used for password authentication.

AuthenticationFlowParms​

• Added: namedPasswordId (string) - The Named Password Id used for password authentication.

CorsOrigin​

• Required added: id
• Required added: origin

Entitlement​

• Added: gracePeriodEndDate (string, date-time) - The USERS grace period end date of this entitlement in UTC time.

PasswordResetSettings​

• Added: id (string) - ID of the password reset settings.
• Added: namedPasswordId (string) - The ID of the named password.

SmsVoice​

• Added: gracePeriodEndDate (string, date-time) - The date when the grace period for the entitlement will end.

Tenant​

• Added: otpProviderId (string) - The ID of the preferred OTP provider associated with this tenant, if any. Only visible to root tenant.

UserAuthenticatorLockoutStatus​

• Added: name (string) - The users named password authentication that is locked out.

UserEntitlement​

• Added: gracePeriodEndDate (string, date-time) - The date when the grace period for the entitlement will end.

UserPassword​

• Added: id (string) - The ID of the user password.
• Added: namedPasswordId (string) - The named password associated to the user.

UserPasswordParms​

• Added: namedPasswordId (string) - The ID of the named password.

UserPasswordSettings​

• Added: namedPasswordEnabled (boolean) - Indicates whether the named password policy is enabled for the user.
• Added: namedPasswordId (string) - The ID of the named password.

UserPasswordValidationParms​

• Added: namedPasswordId (string) - The ID of the named password.

Notes & migration guidance​

• Named Password Support: The major theme of this release is support for named passwords. Multiple new properties (namedPasswordId) have been added across authentication flows, password settings, and user password models to enable multi-password scenarios per user. This allows users to have multiple distinct password authenticators with different policies.
• New Password Management APIs: Four new endpoints provide granular password management by password ID, including listing all passwords for a user, deleting specific passwords, managing password expiry notifications, and retrieving password settings per named password.
• ActiveSync Deprecation (Breaking): All ActiveSync device management endpoints have been removed. Clients using these endpoints must migrate to alternative device management solutions before upgrading.
• Service IP Addresses Removal (Breaking): The /api/web/v1/serviceipaddresses endpoint has been removed. Clients relying on this endpoint should contact support for alternative approaches to obtaining service IP information.
• Grace Period Tracking: Added gracePeriodEndDate to entitlement-related models (Entitlement, SmsVoice, UserEntitlement) to support grace period functionality for expired entitlements. This allows tenants to continue operating for a limited time after entitlement expiration.
• CORS Origin Validation (Breaking): The CorsOrigin model now requires both id and origin fields. Ensure all CORS origin configurations include these required fields when creating or updating CORS origins.
• OTP Provider Configuration: Tenants can now specify a preferred OTP provider via the otpProviderId property, providing flexibility in OTP delivery mechanisms.

Supported TLS Ciphers​

IDaaS supports the following TLS Ciphers:

TLSv1.3:

• TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)

TLSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)

On March 15, 2026, support for the following ciphers will be removed.

TLSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)

Enterprise Service Gateway (ESG) Deprecation​

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.45 and the three previous releases 5.42, 5.43, and 5.44). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.

NOTE: In an upcoming release, changes are planned that will break versions of ESG older than 5.33.

In-place upgrade of the ESG is only supported for versions 5.33 or later. Versions of ESG older than 5.33 are no longer supported. To upgrade versions of ESGs older than 5.33 to the new version, use the following procedure:

1. Download the latest Gateway OVA or Hyper-V file from IDaaS and install on a new VM instance.
2. Add a new Gateway instance to the existing Gateway in IDaaS.
3. Register the new Gateway instance with IDaaS.
4. Disable the old Gateway instance.
5. Repeat these steps to replace all the Gateway instances that use older versions of the ESG.

Once the upgrade is complete, the Gateway instances corresponding to the old ESGs can be deleted from IDaaS and the VMs for those ESG instances can also be deleted.

Browser Deprecation​

Microsoft no longer supports the Internet Explorer 11 and Microsoft Edge Legacy browsers. Identity as a Service no longer supports these browsers.

Feature Deprecation​

ActiveSync Device Management​

IDaaS provided a feature that allowed IDaaS users to perform secure, multi-factor authentication and manage their Microsoft Office 365 ActiveSync devices. The Office 365 capabilities that IDaaS used to implement these capabilities are no longer supported by Microsoft. This feature was removed from IDaaS in the 5.45 release.

The documentation for configuring a Microsoft Certificate Authority (CA) with IDaaS has been updated to address issues described in Security Bulletin E25-012. Customers who have configured a Microsoft CA should review the security bulletin and apply the recommended actions.

Fixed or changed in this release​

1. User Verify fails when token push is used. (41181)

IDaaS Authentication JavaScript SDK​

A new authentication javascript SDK has been released to facilitate integration of IDaaS authentication into web applications. It wraps hosted OIDC flows, risk-based authentication (RBA) challenges, and “convenience” methods (password, OTP, passkey, soft token, etc.) in a client.

The SDK can be found at https://github.com/EntrustCorporation/idaas-auth-js.

SMS OTP Message Format​

IDaaS now includes a new OTP policy setting OTP SMS Format. Administrators can select between two formats for SMS OTP messages:

• Ends with OTP (existing format): OTP appears at the end of the message (for example, Your Entrust Identity as a Service OTP is 01234567).
• Starts with OTP (new format): OTP appears at the start of the message (for example, 01234567 is your OTP for Entrust Identity as a Service).

Users may find having the OTP at the beginning of the message easier to retrieve.

Dashboard Enhancements​

The Dashboard in the IDaaS Administration Portal has been enhanced. Counts in the Authenticators and Authentication statistics panels are now interactive and allow the administrator to navigate to additional information:

• Authenticators: clicking an entry opens the Members > Users list filtered to users who have that authenticator.
• Authentications per Application: clicking an application opens the Audit Logs filtered to authentication events for that application.
• Authentications per Authenticator: clicking an authenticator opens the Audit Logs filtered to authentication events performed with that authenticator.

A new Authenticator filter has also been added to the Audit Logs list, enabling administrators to view only authentication events for a specific authenticator.

Face Biometric Enhancements​

The following improvements have been made to the IDaaS Face Biometric authenticator:

• The Onfido applicant created during registration is no longer required for authentication. Permanent Onfido profile data is therefore no longer retained.
• Biometric data collected during registration can now optionally be stored in IDaaS instead of only in the Entrust Identity mobile application. This enables use cases such as account recovery when a user has a new device.
• A new Face Biometric authenticator (including associated biometric data) can be provisioned through the Administration API. This allows results from an external Onfido verification workflow to be used directly to create an IDaaS Face Biometric authenticator.

Directory Synchronization Enhancements​

A new option has been added to directory sync configuration allowing a synchronized group to be converted to an "unsynchronized" (local) group instead of being removed from IDaaS. Removing a group also deletes associated policy and resource rules. Converting the group instead preserves those configurations.

When a directory user becomes a local user, all directory groups will be disassociated from the user.

Previously, when the user ID of a user was updated in the directory, the existing IDaaS user ID was stored as an alias of the user. Now, the existing IDaaS user ID is no longer stored as an alias. The following behavior has not changed: if the new user ID was already defined as an alias, it is removed as an alias.

Identity Provider Enhancements​

The following improvements have been made to SAML and OIDC identity providers:

• SAML IDPs now support metadata import and export to support easier configuration with third-party systems.
• A new system authentication flow "Domain-based IDP or User Login" has been added.
• When configuring IDP authentication in authentication flows, a default IDP can be specified. A single IDP can be defined as the default IDP.
• IDPs now allow external group names/IDs returned from the IDP to be mapped to IDaaS group names. Previously, values returned from the IDP had to exactly match IDaaS group names. This was an issue for Microsoft Entra ID SAML where only the group object ID was returned to IDaaS.

Fixed or changed in this release​

1. Resource rule Save button is enabled when group filter validation fails. (40485)
2. Admin Guide compromised password detection/response missing from documentation. (40482)
3. Admin Guide end user timeout should be max 8 hours rather than 6 as documented. (40481)
4. Admin Guide verify user option - Grid Card and Token Authentication should allow selecting multiple options. (40472)
5. IP list should not allow duplicate IP addresses. (40121)
6. Compromised status filter is missing for the User and the Admin portal authenticators page. (40332)
7. Default for authentication provisioning settings has been changed so that by default a password and soft token are not created for a new user. (40427)
8. Duplicate audits for verify user using Email OTP. Audits created in both Authentication and Management categories. (40720)
9. Improved audit message for OIDC error. Replaced message that included JsonSyntaxException. (40552)
10. Face Biometric expiry date update audit missing seconds in timestamp format. (37755)
11. Field validation error for Entrust Soft Token Settings 'Activation Lifetime' has no upper limit. (25884)
12. Remove the application customization tab for OIDC server application types. (40696)
13. Helpdesk role should have magic link content view permission. (40091)
14. MagicLink authenticator does not set ACR or AMR values. (40398)
15. OIDC re-authentication triggers a loop if user becomes disabled. (40329)
16. Pass-through authenticator should be present as an option for user login second-factor but not IDP second-factor. (40459)
17. Push notification not delivered to iOS devices when Production Mode is enabled in IDaaS Soft Token SDK Credentials. (40403)
18. Resource rule risk condition date/time update makes the value and label overlap. (40537)
19. Remove all access restrictions on Syria. (40726)
20. SCIM Server Endpoint field should be editable on the Configuration page. (40504)
21. Communication with a SCIM server now has a timeout of 10 seconds. Previously the timeout was 30 seconds. (40792)
22. SCIM provisioning failed for SCIM servers that returned externalId values larger than a 32 character UUID. (40723)
23. Verify user missing authenticator dialog. (40531)
24. Spelling errors in IDaaS. "On-premise" should be "On-premises", "Dekstop" should be "Desktop", "Strengh" should be "Strength". (40608)
25. Update SAML application audit should not show encryptionCertificate attribute if it did not change. (36694)
26. User Guide Magic link authentication step missing update for confirmation requirement. (40019)
27. Improved error message if Entrust Soft Token activation fails because the user requires a mobile Face Biometric. (40228, 40229)
28. Improved text for Verify user audit message. (40521)
29. Copy button next to Application ID not properly labeled for screen readers in Edit Administration API screen. (39734)
30. Improved descriptions for IDaaS ISAPI, AD FS, and Desktop applications. (40766)
31. Verify user using OTP voice audit message incorrectly says SMS. (40569)
32. User verify result should be "successfully verified" instead of "successfully authenticated". (40492)
33. Several issues with importing SAML metadata have been fixed. (40624)
34. Documentation describing how to configure IDaaS SCIM Provisioning for GitHub has been added. (40486)

Changes to Identity as a Service (IDaaS) APIs​

Authentication API​

The following changes have been made to models in the Authentication API:

• The attribute rpId has been added to UserAuthenticateParameters and UserAuthenticateQueryParameters. This attribute specifies the Relying Party ID of Passkey/FIDO2 tokens to be considered for authentication. If a value is not provided, Passkey/FIDO2 tokens with the Relying Party ID of the IDaaS account hostname are considered. This attribute replaces the existing attribute origin which has been marked as deprecated. A similar change was made to the model UserChallengeParameters in a previous release.

Administration API​

The following methods have been added to the Administration API:

• POST /api/web/v1/identityproviders/saml/configuration (fetchSamlConfigurationUsingPOST). Fetch configuration from a third-party SAML identity provider that can be imported into IDaaS.
• GET /api/web/v1/identityproviders/saml/{id}/configuration (getSamlConfigurationUsingGET). Get SAML configuration from IDaaS that can be exported to a third-party SAML identity provider.

The following changes have been made to existing methods in the Administration API:

• POST /api/web/v2/reports/auditeventspaged (auditEventPageUsingPOST) - A new search attribute authenticator is supported in the searchByAttributes parameter. This search attribute filters authentication audits by authenticator type (for example, PASSWORD, OTP, TOKEN, FIDO, SMARTCREDENTIALPUSH, TOKENPUSH, IDP, PASSKEY, etc.). The only allowed operator is EQUALS.

The following models have been added to the Administration API:

• FaceEncryptedToken - Represents an encrypted biometric token that can be specified when creating a Face Biometric authenticator.
• IdentityProviderExternalGroupMapping - Represents a mapping between an external group name/ID returned from the IDP and an IDaaS group name. This model can be provided as input when creating or modifying an OIDC or SAML identity provider and is returned when fetching identity provider details.
• SamlConfigurationParms - The parameters passed to fetchSamlConfigurationUsingPOST specifying the metadata URL of the third-party IDP from which to fetch configuration.
• SamlConfigurationResponse - The response returned from fetchSamlConfigurationUsingPOST containing the SAML configuration details.
• SamlInfoClaim - Represents a SAML claim included in SamlConfigurationResponse.

The following changes have been made to existing models in the Administration API:

• The attribute otpSMSFormat has been added to OTPAuthenticatorSettings. This setting specifies the format used for OTP SMS messages.
• The attribute idpDefault has been added to AuthenticationFlow and AuthenticationFlowParms. This attribute indicates if the Authentication Flow uses the default IDP for IDP authentication.
• The attribute defaultProvider has been added to IdentityProvider, OidcIdentityProvider, OidcIdentityProviderParms, SamlIdentityProvider and SamlIdentityProviderParms. This attribute indicates if the Identity Provider is the default provider for IDP authentication.
• The attribute externalGroupMappings has been added to OidcIdentityProvider, OidcIdentityProviderParms, SamlIdentityProvider, and SamlIdentityProviderParms. This attribute contains mappings between external group names/IDs returned from the IDP and IDaaS group names.
• The attribute groupDesyncPolicy has been added to DirectorySync. This setting indicates whether groups should be removed or converted to local groups when desynchronized.
• The attribute directoryDesynced has been added to Group. This attribute indicates if this group was converted from a synchronized group to a local group.
• The attribute encryptedBiometricToken has been added to FaceCreateParms. This attribute allows an encrypted biometric token created externally to be associated with a Face Biometric authenticator.
• The default value for the setting authenticatorActivationType in GeneralSettings has been changed from ENTRUST_SOFT_TOKEN to NONE. This means that by default tokens are not created for new users.
• The default value for the setting defaultPassword in GeneralSettings has been changed from true to false. This means that by default a password is not created for new users.
• The deprecated attribute registrationPeriod has been removed from GeneralSettings.

Supported TLS Ciphers​

IDaaS supports the following TLS Ciphers:

TLSv1.3:

• TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)

TLSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)

Clients should stop using the following TLS Ciphers. Support for them will be removed in a future release.

TLSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)

Enterprise Service Gateway Deprecation​

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.44 and the three previous releases 5.41, 5.42, and 5.43). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.

NOTE: In an upcoming release, changes are planned that will break versions of ESG older than 5.33.

In-place upgrade of the ESG is only supported for versions 5.33 or later. Versions of ESG older than 5.33 are no longer supported. To upgrade versions of ESGs older than 5.33 to the new version, use the following procedure:

1. Download the latest Gateway OVA or Hyper-V file from IDaaS and install on a new VM instance.
2. Add a new Gateway instance to the existing Gateway in IDaaS.
3. Register the new Gateway instance with IDaaS.
4. Disable the old Gateway instance.
5. Repeat these steps to replace all the Gateway instances that use older versions of the ESG.

Once the upgrade is complete, the Gateway instances corresponding to the old ESGs can be deleted from IDaaS and the VMs for those ESG instances can also be deleted.

Browser Deprecation​

Microsoft no longer supports the Internet Explorer 11 and Microsoft Edge Legacy browsers. Identity as a Service no longer supports these browsers.

Feature Deprecation​

ActiveSync Device Management​

IDaaS provided a feature that allowed IDaaS users to perform secure, multi-factor authentication and manage their Microsoft Office 365 ActiveSync devices. The Office 365 capabilities that IDaaS used to implement these capabilities are no longer supported by Microsoft. This feature will be removed from IDaaS in the 5.45 release.

Compromised Password Detection Enhancements​

In a previous release, IDaaS added the ability to block new passwords found in a list of known compromised passwords during password change and reset. In this release, IDaaS has been enhanced to support checking existing passwords when they are used to authenticate. If a compromised password is detected during authentication, an audit event is generated, and the password is flagged as compromised. Options exist to force the user to change their password or to deny them access. IDaaS administrators can query users that have a compromised password. Checking existing passwords during authentication reduces the time newly compromised passwords can be attacked.

New User Verify Action in Administration Portal​

A new User Verify action has been added to Users in the User List in the Administration Portal. This action allows a help desk administrator to verify users calling a help desk by challenging them to provide a response to TOKEN PUSH, TOKEN, GRID, or OTP challenges. This feature assists help desk administrators to prevent a common account takeover attack where the attacker tries to get the help desk to give them access to an account.

Push Notification Actionable Notifications​

The upcoming 5.25.0 release of the Entrust Identity Mobile Application will support completing push authentication transactions from the notification without needing to open the application.

This release of IDaaS includes the changes to support this feature, including a new Soft Token policy setting to enable the feature. This feature is only available when Soft Tokens are configured to not require a PIN.

When this feature is enabled, end users using an older version of the Entrust Identity Mobile Application will continue to have to open the application to complete the transaction. There is a known issue with older versions of the iOS application where the application will not launch in this situation. To resolve this issue, either have end users upgrade to the new version of the mobile application or disable the actionable notifications feature.

Resource Server Enhancements​

In IDaaS, a Resource Server defines how access and refresh tokens are issued by IDaaS for authorization purposes after authenticating to specified OIDC applications. The Resource Server also defines the contents and processing of these tokens.

A new Resource Server tab has been added to OIDC Applications in the Administration Portal. This tab allows administrators to manage the Resource Servers associated with the application in the same place the application is defined.

System for Cross-Domain Identity Management (SCIM) Enhancements​

IDaaS supports using SCIM to allow clients to provision groups and users to IDaaS (inbound provisioning) and to provision users from IDaaS to other services (outbound provisioning). The following changes have been made to enhance existing SCIM capabilities provided by IDaaS:

• Improved how the configuration for outbound provisioning is tested to improve interoperability with 3rd-party SCIM services.
• Added support for the SCIM endpoints /Schemas and /ResourceTypes for inbound provisioning requests received from clients.
• Improved logging for SCIM outbound provisioning for better traceability and debugging.
• Added additional SCIM attributes to support a wider range of SCIM services.
• Outbound provisioning from IDaaS has been tested with GitHub and AWS.

Login Session Enhancements​

When a user logs in to authenticate to the portal, SAML or OIDC applications, a login session is maintained to track when the user authenticated and what authenticators they used. The user will not need to re-authenticate when accessing an application if the following conditions are true:

• The login session has not expired.
• The reauthentication time specified for the application has not been exceeded.
• The application has single sign-on (SSO) enabled.
• The user has previously authenticated with the authenticators required by the application's resource rule.

The following enhancements have been made to login sessions:

• The maximum login session lifetime defined by the General Policy "Standard User Authentication Session Idle Timeout" has been increased from 1 hour to 8 hours. This setting was previously named "Authentication Session Lifetime".
• A separate maximum login session lifetime for Administrators defined by the General Policy "Admin User Authentication Session Idle Timeout" has been added. It allows a customer to define a different login session lifetime for IDaaS administrators. It has a maximum lifetime of 1 hour.
• The maximum age setting for SAML and OIDC applications has been relabeled to "Reauthentication Time (Max Authentication Age)".

Resource Rule Enhancements​

The following changes have been made to the Resource Rule UI in the Administration Portal:

• The Cancel and Save buttons for the resource rule have been moved to the top of the page and are always visible.
• The option to revert to the old UI has been removed.
• Leaving the page with unsaved changes requires confirmation.
• The Access and Deny tasks now have descriptions describing their purpose.
• Improvements to connecting nodes by clicking on the connection points.
• When selecting the Add button on a link, multiple access filters are added in parallel instead of sequentially.
• The Date/Time risk context is created with a default value of the next day.

Allow IDaaS Groups to be Assigned to Users Synchronized from a Directory​

Previously, users synchronized from a directory could only be assigned to groups synchronized from a directory. Now, users synchronized from a directory can also be assigned to groups defined in IDaaS. This gives IDaaS administrators the flexibility to assign all users to IDaaS groups without needing to change group membership in the directory. In IDaaS, group membership can be used to allow access to applications and to specify the policy that is used for users.

Passkey Developer Documentation​

The Passkey Developer Documentation available in the IDaaS Developer Portal has been enhanced.

• A new document describing how to add IDaaS Passkey authentication to web applications has been added.
• The existing document describing how to add IDaaS Passkey authentication to mobile applications has been updated.

Enterprise Service Gateway IdentityGuard Agent Enhancements​

The IdentityGuard Agent has been enhanced to support the V12 version of Identity Enterprise Authentication API. This means clients using the latest version of the Identity Enterprise API can now migrate to IDaaS using the IdentityGuard agent.

Fixed or changed in this release​

1. Operations in the IDaaS Administration Portal may fail due to rate limiting for accounts (including trial accounts) that have small rate limits. The portal will now delay and retry the requests when it is rate limited. (40223)
2. Certificate expiry dates for SAML Identity Providers not formatted consistently. (38095)
3. In the Administration Portal, an administrator with only the view group permission should be able to view the details of a group. (38827)
4. Resetting a user's AD password from the Administration Portal was audited as an unlock operation. (39769)
5. A successful password reset performed from the User Portal did not display a success message. Additionally, error messages are now displayed consistently under the New Password entry field. (38778)
6. Improved error message "The mutual challenge size is greater than the number of possible challenge strings" when Entrust Soft Token mutual challenge policy is invalid. (38402)
7. Some documentation links in the Administration Portal were referencing the Entrust Soft Token documentation instead of general token documentation that includes Google Authenticator and other tokens. (38856)
8. The state attribute configuration for LDAP directories was not being processed correctly resulting in all users being synchronized as ACTIVE. (40072)
9. The Magic Link entry in a user's authenticator list shown in the Administration Portal is now not shown if the user does not have the MAGICLINK view permission. (40283)
10. The entry "Entrust Legacy Token" appearing in the policy, token and user profile pages, has been renamed to "Legacy Token". (40119)
11. The resource rule page no longer shows the Device Verification risk context for accounts with the Plus bundle, which does not support Device Verification. (40068)

Changes to Identity as a Service (IDaaS) APIs​

Authentication API​

The following changes have been made to models in the Authentication API:

• The attribute serialNumbers has been removed from GridChallenge. The same information is available in the attribute gridInfo.
• The attribute timeoutMillis has been added to FIDOChallenge and FIDORegisterChallenge. This setting specifies the FIDO timeout in milliseconds. It replaces the attribute timeout which has been deprecated.
• The attribute userIdStored in FIDORegisterResponse has been deprecated.
• The attribute rpId has been added toUserChallengeParameters. This setting specifies the Relying Party ID of FIDO tokens that should be considered when requesting a FIDO challenge. This setting replaces the attribute origin which has been deprecated.

Administration API​

The following changes have been made to models in the Administration API:

• The attribute allowActionableNotifications has been added to EntrustSTAuthenticatorSettings. This setting indicates whether the new push authentication actionable notifications feature is enabled.
• The attribute timeoutMillis has been added to FIDORegisterChallenge. This setting specifies the FIDO registration timeout in milliseconds. It replaces the attribute timeout which has been deprecated.
• The attribute userIdStored in FIDORegisterResponse has been deprecated.
• The attribute adminUserAuthenticationSessionLifetime has been added to GeneralSettings. This setting specifies the login session lifetime when an IDaaS administrator authenticates.
• The attribute compromised has been added to UserPassword. This setting indicates whether the user's password has been detected as compromised.
• The attribute lastCompromisedCheckTime has been added to UserPassword. This setting indicates the last time the user's password was checked against a list of known compromised passwords.

Supported TLS Ciphers​

IDaaS supports the following TLS Ciphers:

TLSv1.3:

• TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)

TLSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)

Clients should stop using the following TLS Ciphers. Support for them will be removed in a future release.

TLSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)

Enterprise Service Gateway Deprecation​

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.43 and the three previous releases 5.40, 5.41, and 5.42). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.

NOTE: In an upcoming release, changes are planned that will break versions of ESG older than 5.33.

In-place upgrade of the ESG is only supported for versions 5.33 or later. Versions of ESG older than 5.33 are no longer supported. To upgrade versions of ESGs older than 5.33 to the new version, use the following procedure:

1. Download the latest Gateway OVA or Hyper-V file from IDaaS and install on a new VM instance.
2. Add a new Gateway instance to the existing Gateway in IDaaS.
3. Register the new Gateway instance with IDaaS.
4. Disable the old Gateway instance.
5. Repeat these steps to replace all the Gateway instances that use older versions of the ESG.

Once the upgrade is complete, the Gateway instances corresponding to the old ESGs can be deleted from IDaaS and the VMs for those ESG instances can also be deleted.

Entrust Identity and Entrust Windows Desktop Soft Token Deprecation​

In the IDaaS 5.43 release, changes have been made that break the following operations:

• Password reset in versions of Entrust Identity prior to 25.1.1. Customers using the SDKs are not impacted.
• Soft Token online activation in versions of Entrust Windows Desktop Soft Token prior to 3.1.

Browser Deprecation​

Microsoft no longer supports Internet Explorer 11. Identity as a Service ceased support for Internet Explorer 11 after May 2023.

Application/Resource Rule Enhancements​

The Application and Resource Rule pages in the Administration Portal have been redesigned to improve usability and enhance functionality. Changes include:

• The Application pages have been redesigned to include both the application configuration and resource rules. This means that the application and associated resource rules can be managed from the same page.
• The Resource Rules page has been redesigned to use a new easy-to-use graphical editor. In this release, an option to switch to the old UI is provided but this will be removed in an upcoming release.
• The graphical resource rule editor includes a test option to simulate the resource rule for different risk results.
• When editing a resource rule, settings like Authentication Flows and Transaction Details can be managed from the resource rule page. For example, Authentication Flows can be created or modified from the Resource Rule UI.
• A resource rule now has Access Filters that determine if a user can authenticate to an application using this resource rule. Supported Access Filters include: - Groups – a user can authenticate using this resource rule if they are a member of specified groups. - Authentication Context Reference – a user can authenticate using this resource rule if the authentication request from the client contains a specified authentication context reference value. This feature allows the client to influence how the user is authenticated. This is a new capability in this release. - Domain-based IDP – a user can authenticate using this resource rule if they belong to a specified Domain-based IDP. This is a new capability in this release.
• The Application List page now includes search and filter capabilities to target which applications are shown.
• The Application Create page has been redesigned to show all application templates. Search and filter capabilities are available to target which application templates are shown.
• The Authorization Server page and corresponding menu have been renamed to Resource Server.
• Many improvements have been made to the Application configuration pages, including: - The settings have been ordered to improve usability. - The settings now include more detailed descriptions. - Settings like the SAML Signing Certificate for SAML applications and the Gateway for RADIUS applications include an option to create a new Signing Certificate or Gateway. - Less frequently used settings have been moved to an advanced section of the page.

Enhanced Registration Configuration​

When configuring registration, an administrator can now specify the "Minimum Number of Second-factor Authenticators". This setting specifies the minimum number of authenticators the user must register. As an example, suppose an administrator wants their end users to register at least two of the authenticators, Entrust Soft Token, Passkey/FIDO2 or Face Biometric but wants the end user to decide which authenticators to register. This can be achieved by configuring these three authenticators as Optional during registration and then setting the Minimum Number of Second-factor Authenticators to 2.

Enhanced OTP Delivery Configuration​

When OTP authentication is enabled in an authentication flow in a resource rule, the allowed delivery types can be configured overriding the delivery types configured in the policy. This allows an administrator to configure different delivery types for different applications. For example, use Email delivery for one application and SMS delivery for another application.

Configuration to specify which delivery types are enabled and the default order of the delivery types is now set together instead of separate settings. This improves usability. The new UI is used in both the OTP policy and per application authentication flows.

Support Administrator Password Management for Directory Managed Passwords​

Administrators can now perform password reset and set passwords to require change on next use for users who have directory-managed passwords.

Allow Users to Specify Authenticator Order​

End users now have the option to specify their default authenticator order. This setting allows the end user to have a default authenticator that is different from the default specified in the resource rule. For example, suppose the resource rule lists authenticators in the order TOKENPUSH, TOKEN, FIDO. If the user has an Entrust Soft Token, they will always default to TOKENPUSH and if they want to use FIDO they will need to select an alternative authenticator. Allowing the end user to select their own authenticator order allows the end user to specify FIDO as their default authenticator. Now when the user authenticates, they will default to FIDO authentication.

Only authenticators allowed in the resource rule are used for authentication. The new setting only allows the end user to select a different order of allowed authenticators.

Magic Link Enhancements​

The following Magic Link enhancements have been made:

• Magic Link is now supported as an authenticator for Portal, OIDC, SAML, and Authentication API applications.
• Magic Link now supports Password Reset in addition to Registration.

The user experience of a Magic Link authentication is the following:

• The user begins authentication from their client. The client waits for authentication to complete.
• An email containing a Magic Link is sent to the end user.
• The end user clicks on the Magic Link in their email.
• The client completes authentication.

As part of these changes, the Magic Link policy page was moved from the Registration menu to the Authenticators menu.

Native Mobile Passkey Support​

IDaaS has been enhanced to support Passkey tokens implemented in mobile applications using Android and iOS Passkey SDKs. The Allowed Relying Party ID Hostnames configured in IDaaS Passkey/FIDO2 settings now supports mobile application values.

Improved Web Content Accessibility Guidelines (WCAG) Compliance​

Changes have been made to the IDaaS User Portal and the login pages to improve compliance with WCAG 2.2 at the AA level.

Support Import of Passwords from Entrust GetAccess​

Enhancements have been made to the IDaaS password APIs to support importing passwords from Entrust GetAccess.

Administration/User Portal Enhancements​

The following enhancements have been made to the Administration and User Portal UI:

• An option to Show/Hide the authentication response has been added to the Login UI response fields for all the authenticators.
• Leading and trailing whitespace is now trimmed from OTP responses in the Login UI. This addresses issues encountered when copying and pasting values from Emails or SMS messages.
• Vertical tabs in pages in the administration portal are now left justified and sorted alphabetically. The following pages were changed: - Security -> Resource Servers - Resources -> Certificate Authorities - Configuration -> Knowledge-based Authentications - Policies -> Registration - Policies -> Authenticators - Policies -> Risk-based Authentications - Policies -> Soft Token SDK - Policies -> User Portal Portal
• The administration portal menu search now supports keywords. For example, both otp and one time password will find the OTP settings page.

Fixed or changed in this release​

1. The maximum length of a SCIM API key has been changed from 500 characters to 2000 characters. (39341)
2. The IDaaS JWT grant type now supports ACR values. (38918)
3. Updating a RADIUS application fails if the shared secret was not updated. (35469)
4. Improve error message displayed for an invalid phone number entered when editing delivery contact. (37328)
5. Include IP location information in push notifications sent for IDaaS authentication API applications including integrations like Entrust Desktop Credential Provider. (37677)
6. Selecting an External Risk Engine in a resource rule is not saved. (37930)
7. Deleting a claim value from an OIDC application returns success even though the claim is not deleted. (38430)
8. Updating Passkey/FIDO2 registration level setting with an invalid value causes HTTP 500 error. (38735)
9. Updating Passkey/FIDO2 settings with an invalid hostname value should not be allowed. (38736)
10. Remove semicolon appearing on Entrust Soft Token SDK settings page. (38807)
11. API to update Organization does not support removing description value. (38857)
12. Administration role value selected by group policy is displayed with non-English locale. (38895)
13. Improved documentation of required Entra ID Read/Write permissions. (38995)
14. The org_id claim is not returned when using the OIDC JWT IDaaS grant type. (39008)
15. OIDC Regenerate Client Secret dialog shows Shared Secret instead of Client Secret. (37274)
16. Failed Passkey authentication is not generating an audit. (39164)
17. OIDC Pre-authorized Code grant type should only be shown for OIDC4VC applications. (39260)
18. When a managed tenant of a service provider is deleted, the associated Identity Provider application should be removed. (39274)
19. Device verification fails in some scenarios when the JWT is expired. (39385)
20. Support deflate encoding for SAML requests. (39501)
21. The subject of a Service Provider IDP login audit should not be clickable. (39563)
22. The resource name of a Service Provider IDP login audit should be Admin Portal not User Portal. (39588)
23. IDaaS now rejects requests with an Origin value of null. (39607, 39614)
24. The ACS and Logout URL hostnames of a SAML IDP are now added to the SAML CORs list. (39678)
25. Refresh of tenant list in Service Provider portal generates browser console error. (38869)
26. Header value returned in API rate limiting error contains value in milliseconds instead of seconds. (39960)

Changes to Identity as a Service (IDaaS) APIs​

Authentication API​

The following changes have been made to support Magic Link as a new authenticator in the Authentication API.

• The value MAGICLINK can be specified where ever an authenticator type is specified.
• The field magicLinkType has been added to the model AuthenticatedResponse returned from the challenge and authenticate APIs. It specifies the type of Magic Link being used for authentication.

The following changes have been made to existing models in the Authentication API:

• The field requestAcrs has been added to UserAuthenticateParameters, UserAuthenticateQueryParameters, and UserChallengeParameters. This field allows an application to pass an ACR value to IDaaS that will be used when evaluating the ACR access filter of a resource rule.
• The field authRequestKey has been added to UserChallengeParameters. This field allows the request key of an authentication request using the IDaaS JWT grant type. This allows authorization request parameters, such as the requested ACR, to be used when processing authentication challenge.
• The field origin has been added to UserAuthenticateParameters. This value allows the client to specify the origin when performing Passkey/FIDO2 authentication which allows IDaaS to select the appropriate Passkey/FIDO2 tokens for authentication.

Administration API​

The following changes were made to the Administration API to manage Magic Links.

• The method GET /api/web/v1/users/{userid}/magiclink (getMagicLinkUsingGET) has been added. This method returns the Magic Link for the specified user if one has been created.
• The model MagicLink has been added. It contains information about an outstanding Magic Link.
• the field type has been added to the model MagicLinkCreateParms. Since different types of Magic Links can be created, this field specifies the type of Magic Link being created.
• The value MAGICLINK has been added to the list of second-factor authenticators and is included where ever it is specified such as the list of second-factor authenticators specified in an Authentication Flow.

The following changes were made to the Administration API to manage ACR values. An ACR object defines an Authentication Context Resource value that can be defined as an access filter in a resource rule.

• The method GET /api/web/v1/acrs (getAcrsUsingGET) was added. This method returns all defined ACRs.
• The method POST /api/web/v1/acrs (createAcrUsingPOST) was added. This method creates an ACR.
• The method GET /api/web/v1/acrs/{id} (getAcrUsingGET) was added. This method returns a specific ACR.
• The method DELETE /api/web/v1/acrs/{id} (removeAcrUsingDELETE) was added. This method removes a specific ACR.
• The model Acr was added. This model includes information about an ACR returned from IDaaS.
• The model AcrParms was added. This model includes information about an ACR passed to IDaaS when creating one.
• The field acrFilter was added to the models ResourceRule and ResourceRuleParms. It specifies if the ACR filter is enabled and if so which ACRs it matches.
• The field acrs was added to the models ResourceRule and ResourceRuleParms. If applicable it specifies the list of ACRs the ACR filter matches.
• The field domainIdpFilter was added to the models ResourceRule and ResourceRuleParms. It specifies the Domain-based IDP filter is enabled and if so which IDPs it matches.
• the field domainIdps was added to the models ResourceRule and ResourceRuleParms. If applicable, it specifies the list of IDPs the Domain-based IDP filter matches.

The following changes have been made to support changes to how OTP Delivery preferences are defined:

• The model OTPPreferenceDetails has been added. The model defines information about an OTP Delivery type.
• The field otpDeliveryPreference has been added to the models AuthenticationFlow, AuthenticationFlowParms, and OTPAuthenticatorSettings. This attribute defines an array of OTPPreferenceDetails that lists the type of OTP delivery types that can be used. The order of these values defines the preferred order of the delivery types.
• The field overrideOtpContacts has been added to the models AuthenticationFlow and AuthenticationFlowParms. This attribute defines whether the OTP delivery configuration is defined in policy is used for this authentication flow or whether it is defined for this authentication flow.
• The fields deliveryMethods, otpEmailDefaultDeliveryAttribute, otpSmsDefaultDeliveryAttribute, otpVoiceDefaultDeliveryAttribute, otpWechatDefaultDeliveryAttribute, and otpWhatsappDefaultDeliveryAttribute in the model OTPAuthenticatorSettings have been deprecated. They have been replaced by the field otpDeliveryPreference.

The following changes have been made to support configuration of allowed relying party IDs for the Native Mobile Passkey feature:

• The method POST /api/web/v1/settings/fido/configuration/android (fetchAndroidAssociationFileUsingPOST) has been added. This method fetches the Android association file from a location specified by the relying party ID.
• The method POST /api/web/v1/settings/fido/configuration/ios (fetchAppleAssociationFileUsingPOST) has been added. This method fetches the Apple association file from a location specified by the relying party ID.
• The field androidOrigins has been added to FIDOAllowedRpId. This field specifies a list of FIDOAndroidOriginSettings defining a list of Android Relying Party IDs.
• The field iosOrigins has been added to FIDOAllowedRpId. This field specifies a list of FIDOIosOriginSettings defining a list of iOS Relying Party IDs.
• The models FIDOAndroidAssetLinks, FIDOAndroidAssetLinksTargets, FIDOAppleAppSiteAssociation, FIDOAppleAppSiteAssociationWebcredentials, and FIDOAssociationFileRequest have been added. These models defined arguments and return values for the methods described above.
• The models FIDOAndroidOriginSettings and FIDOIosOriginSettings have been added. These models define fields in FIDOAllowedRpId described above.

The field userAuthenticatorPreference has been added to the model User. This value specifies the authenticator preferences for the user.

The value GETACCESS has been added to the field passwordFormat has been added to the model UserPasswordParms. This allows an application to import GETACCESS passwords using the IDaaS APIs.

Supported TLS Ciphers​

IDaaS supports the following TLS Ciphers:

TLSv1.3:

• TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)

TLSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)

Clients should stop using the following TLS Ciphers. Support for them will be removed in a future release.

TLSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)

Enterprise Service Gateway Deprecation​

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.42 and the three previous releases 5.39, 5.40, and 5.41). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.

NOTE: In the 5.43 release, changes are planned that will break versions of ESG older than 5.33.

In-place upgrade of the ESG is only supported for versions 5.33 or later. Versions of ESG older than 5.33 are no longer supported. To upgrade versions of ESGs older than 5.33 to the new version, use the following procedure:

1. Download the latest Gateway OVA or Hyper-V file from IDaaS and install on a new VM instance.
2. Add a new Gateway instance to the existing Gateway in IDaaS.
3. Register the new Gateway instance with IDaaS.
4. Disable the old Gateway instance.
5. Repeat these steps to replace all the Gateway instances that use older versions of the ESG.

Once the upgrade is complete, the Gateway instances corresponding to the old ESGs can be deleted from IDaaS and the VMs for those ESG instances can also be deleted.

Entrust Identity and Entrust Windows Desktop Soft Token Deprecation​

In the IDaaS 5.43 release, changes are planned that will break the following operations:

• Password reset in versions of Entrust Identity prior to 25.1.1. Customers using the SDKs are not impacted.
• Soft Token online activation in versions of Entrust Windows Desktop Soft Token prior to 3.1

Browser Deprecation​

Microsoft no longer supports Internet Explorer 11. Identity as a Service ceased support for Internet Explorer 11 after May 2023.

Verifiable Credentials​

This release of IDaaS includes preliminary support for the issuance and presentation (or verification) of verifiable credentials. IDaaS supports verifiable credentials using the W3C VC format. IDaaS also supports OpenID for Verifiable Credential Issuance (OID4VCI) and OpenID for Verifiable Presentations (OID4VP) for integrating VC issuance and presentation with wallets. IDaaS supports the following standards:

• W3C Verifiable Credential Data Model v1.1
• OpenID for Verifiable Credential Issuance - draft 15
• OpenID for Verifiable Presentations - draft 28

Face Biometric Registration Improvements​

When registering a Face Biometric authenticator, the IDaaS user's first and last name are provided to the Onfido registration workflow to compare the user's name in IDaaS to the user's name as it appears on their government ID. Previously, the user's default firstName and lastName attributes were used. The IDaaS user attributes used to provide first name and last name values can now be configured in the Face Biometric policy. This feature allows IDaaS to store both a user's legal name and their preferred name. When configured, the user's preferred name is used in most cases and the user's legal name is used for Face Biometric registration.

Certificate Expiry Notification Email Improvements​

The certificate expiry notification email now includes the hostname of the IDaaS account. This provides useful information for administrators who are managing multiple IDaaS accounts.

Portal UI Error Reporting​

Errors that cause the IDaaS Portal and Authentication UI to crash are now logged to the IDaaS service to facilitate debugging.

Fixed or changed in this release​

1. Audits for failed device verification are missing. (39166)
2. Allow Enterprise Service Gateway and Microsoft CA proxy to be downloaded from accounts with a vanity URL. (37855)
3. Token activation with Identity Verification option should include the Face Biometric serial number in its audit. (38779)
4. The Identity as a Service Integration ForgeRock application has been removed from the list of applications that can be created. The integration was no longer supported by ForgeRock. The ForgeRock OIDC application template is still available. (38633)
5. For Service Provider accounts, the default Customer Support Agent role now includes the Edit Tenants permission. This allows support agents to unlock tenants. (38472)
6. Editing the Message of the Day in the Administration portal generates a stack trace in the browser console. (38903)
7. Editing the User Verification Message in the Administration portal generates a stack trace in the browser console. (38757)
8. On the Group List page of the Administration portal, selecting the checkbox for all groups no longer selects the "All Users" group. The "All Users" group is a virtual group for which actions like delete groups do not apply. (38804)
9. When activating an Entrust Soft Token, do not display the Identity Verified option if it is not available. (38777)
10. Authenticate API user query can fail if the user password last changed time is not set. (39181)
11. Updating a user from any page other than the first page of the list results in a page not found error. (38454)
12. For OTP voice delivery, English was used for the Thai and Turkish locales. (38874)
13. Push notifications not sent for an Entrust Soft Token activated offline. (39218)
14. Activation of a Face Biometric on the Entrust Identity application is not working if registration started from the mobile web browser. An activation QR code was displayed instead of an activation link. (37756)
15. The error message displayed when a compromised password is used has been changed to "This password has been found in a compromised password list from a 3rd-party website. To ensure security, its use is restricted." (39147)
16. A password cannot be assigned to a user if they do not have an email address. Now the option to send the new password by email is disabled. (38483)
17. Broken hyperlinks in the documentation have been fixed. (38482)
18. Fix errors in the Administration Guide "Integrate Microsoft Entra ID with Identity as a Service" section. (38913)
19. For accounts that do not have WeChat/WhatsApp OTP delivery enabled, some WeChat/WhatsApp options are visible including the admin portal menu search. (38810)
20. Improve audits when WhatsApp credentials are updated. (38837)
21. User certificate authentication was only shown for users that had smart credentials supporting push authentication. This did not include users who have YubiKey smart credentials. (38750)

Changes to Identity as a Service APIs​

Authentication API​

There are no changes in the Authentication API in this release.

Administration API​

There are no changes in the Administration API in this release.

Supported TLS Ciphers​

IDaaS supports the following TLS Ciphers:

TLSv1.3:

• TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)

TSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)

Clients should stop using the following TLS Ciphers. Support for them will be removed in a future release.

TLSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)

Enterprise Service Gateway Deprecation​

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.41 and the three previous releases 5.38, 5.39, and 5.40). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.

In-place upgrade of the ESG is only supported for versions 5.33 or later. Versions of ESG older than 5.33 are no longer supported. To upgrade versions of ESGs older than 5.33 to the new version, use the following procedure:

1. Download the latest Gateway OVA or Hyper-V file from IDaaS and install on a new VM instance.
2. Add a new Gateway instance to the existing Gateway in IDaaS.
3. Register the new Gateway instance with IDaaS.
4. Disable the old Gateway instance.
5. Repeat these steps to replace all the Gateway instances that use older versions of the ESG.

Once the upgrade is complete, the Gateway instances corresponding to the old ESGs can be deleted from IDaaS and the VMs for those ESG instances can also be deleted.

Browser Deprecation​

Microsoft no longer supports Internet Explorer 11. Identity as a Service ceased support for Internet Explorer 11 after May 2023.

Device Verified Entrust Soft Token Activation​

Entrust Soft Token now supports device verification during activation. When enabled, the user's device must have a device certificate issued from a trusted Certificate Authority. This feature ensures token activation occurs only on authorized devices.

Application Verified Entrust Soft Token Activation​

Entrust Soft Token now supports application verification during activation. When enabled, an attestation from Apple or Google is provided that validates the mobile application performing the activation. This feature ensures token activation occurs only from trusted mobile applications.

Disallow Previously Compromised Passwords​

When setting a new password, IDaaS now blocks previously compromised passwords reported by HaveIBeenPwned. This addresses a NIST recommendation for password security documented in SP 800-63B.

IDaaS provides an option in the password settings to "Allow Compromised Passwords" but Entrust recommends that customers do not use this option unless necessary. As an example, customers who have very short passwords or passwords consisting of just digits may find all possible password values are compromised.

Previously compromised passwords are disallowed by default for existing customers. This means existing end users may encounter this new behavior after IDaaS 5.40 is deployed.

OTP Delivery using WhatsApp and WeChat​

IDaaS now supports OTP delivery using WhatsApp and WeChat. Customers that want to use these capabilities must provide their own WhatsApp or WeChat business account.

Token Challenge/Response Authenticator​

A new Token Challenge/Response authenticator has been added to IDaaS. In Token Challenge/Response authentication, IDaaS generates a challenge that is provided to the end user. The user enters the challenge into the token, and then the token uses the challenge to generate the OTP.

Only users who have been assigned hardware tokens that support Token Challenge/Response (like Entrust CR300 tokens) will have access to the Token Challenge/Response authenticator.

Token Challenge/Response authentication is supported by all IDaaS authentication applications, including the User portal, SAML applications, OIDC and OAuth applications, RADIUS applications, and Auth API applications. For RADIUS applications, the customer must update to the 5.40 Enterprise Service Gateway. For Auth API applications, the client application must be updated to support TOKENCR.

Override Certificate Lifetime for PKIaaS​

When configuring smart credential digital IDs when using a PKIaaS CA, the customer can now configure the certificate lifetime in IDaaS if they want to override the lifetime configured by their CA.

Improvements for Desktop Credential Provider Offline Token​

IDaaS provides the ability for the Entrust Desktop Credential Provider to download future token responses that can be used by DCP to allow offline login. This feature has been enhanced to support download of offline token responses when token authentication was not required by the resource rule. For example, if the resource rule requires password-only for low risk and password+token for high risk, offline token responses can now be downloaded in the low risk scenario.

This feature needs the upcoming release of Entrust Desktop Credential Provider before it can be used.

Mobile OIDC Developer Guide​

A new document Integrating IDaaS OIDC with a mobile app using AppAuth has been added to the IDaaS Developer Portal. This document describes how OIDC authentication using IDaaS can be added to a customer's mobile application.

Increase size of IP List​

An IP List can now include up to 2000 IP addresses. Previously the limit was 500.

New Passkey/FIDO2 Algorithms​

IDaaS PassKey/FIDO2 now supports the Ed25519 & RS256 algorithms. These algorithms are used by Windows Hello and some newer hardware.

Certificate Expiry Notification Improvements​

The Certificate Expiry Notification email now includes more instructions including a link to the documentation describing how to update the certificates.

RADIUS Unknown User Cache Audit Changes​

The audits generated by the RADIUS Unknown User Cache (introduced in 5.39) have been changed. Previously, an audit was generated for each unknown user that tried to authenticate in a given period of time. Now a single audit including a count of the number of unknown users who tried to authenticate in that period of time is generated instead.

Entrust Identity Security Whitepaper Updates​

The Entrust Identity Security Whitepaper has been updated. This document can be accessed from the IDaaS Admin Portal Documentation Menu at Whitepapers > Identity as a Service Platform Security.

Fixed or changed in this release​

1. Bulk import of unassigned grids failed. (35516, 37401)
2. Gateway status in Dashboard shows warning instead of error icon when the SSL certificate has expired. (37669)
3. User portal session timeout dialog shows negative timeout after session has expired. (34100, 38392)
4. RADIUS Push authentication fallback to grid not working. (37233)
5. Audit for change to FIDO Settings fidoRelyingPartyAllowlist showing wrong value when subdomainsAllowed is not checked. (37101)
6. User Portal Authenticators List Filter for Types should not include authenticators not allowed in User Portal policy. (37561)
7. User created by Azure synchronization is not getting provisioned by SCIM. (37769)
8. Clicking on the QR Code in the Google Authenticator activation email will now launch the Google Authenticator app on mobile. (37386)
9. Email value format is not validated in the UI if the email attribute is optional. (29804)
10. For SAML IDP authentication, the redirect message is not translated. (39359)
11. The Passkey/FIDO2 category in the Group Policy categories list is not sorted correctly. (34800)
12. Certificate validation added to the Directory SSL Certificate import rejects certificates with RSA-1024 and EC2 keys. These keys are now allowed. (38755)
13. During SAML authentication, if a user gets locked they are redirected to the IDaaS login page instead of back to the SAML service provider. (38285)
14. User certificate authentication failing on Mac Safari. (38761)
15. Test for external risk engine now returns error http_connector_execution_failed if it is unable to connect to the external risk service. Previously a general error was returned. (37965, 38495)
16. Password reset performed from Entrust Identity mobile app fails for passwords synchronized by AD Connector. (38081)

Changes to Identity as a Service APIs​

Authentication API​

The following changes have been made to support TOKENCR authentication.

• The value TOKENCR has been added to the list of available authenticators. This value can be passed as an argument to userChallengeUsingPOST and userAuthenticateUsingPOST indicating which authentication type to use. It can be returned in the attributes authenticationTypes and availableSecondFactor in UserAuthenticateQueryResponse returned from userAuthenticatorQueryUsingPOST indicating which authentication types are available. The resource rules of authentication API applications that don't support TOKENCR authentication should not be configured to include TOKENCR.
• The attribute challenge has been added to the model TokenChallenge. For TOKENCR authentication, this attribute includes the challenge to be entered into the token.

The following changes have been made to support OTP delivery using WeChat or WhatsApp.

• The values WECHAT and WHATSAPP have been added to the attribute otpdeliveryType in the model AuthenticatedResponse.
• The values WECHAT and WHATSAPP have been added to the attribute type in the model OTPContactValue.
• The values WECHAT and WHATSAPP have been added to the attributes otpDefaultDelivery and availableOTPDelivery in the model OTPDetails.
• The values WECHAT and WHATSAPP have been added to the attribute otpDefaultDelivery in the model UserAuthenticateQueryResponse.

These attributes specify when WeChat/WhatsApp are available to be used to deliver OTPs and to request that they be used to delivery OTPs.

The following changes have been made to support download of offline token responses.

• New method POST /api/web/v1/self/tokens/offline (getOfflineTokenResponsesUsingPOST) - Given the auth token returned from a previous authentication request for an application that allows offline token download, download offline token responses for the specified token.
• New model GetOfflineTokenAuthenticateParms - contains the parameters passed to the method getOfflineTokenResponsesUsingPOST.

Administration API​

The following changes have been made to support managing FIDO Settings.

• The method GET /api/web/v1/settings/fido (getFIDOSettingsUsingGET) has been added. This method gets the requested FIDO Settings.
• The method PUT /api/web/v1/settings/fido (updateFIDOSettingsUsingPUT) has been added. This method updates the specified FIDO Settings.
• New model FIDOAuthenticatorSettings. This model contains the values returned from the method getFIDOSettingsUsingGET.
• New model FIDOAuthenticatorSettingsParms. This model contains the parameters passed to the method updateFIDOSettingsUsingPUT.
• New model FIDOAllowedRpid. This model defines one of the attributes included in FIDOAuthenticatorSettings and FIDOAuthenticatorSettingsParms.

The following changes have been made related to Device Verification.

• The attribute requireDeviceVerificationOnActivation has been added to EntrustSTAuthenticatorSettings. This setting indicates whether device verification must be performed when an Entrust Soft Token is activated.
• The attribute deviceVerified has been added to Token. This setting indicates if the token was device verified during activation.

The following changes have been made related to Application Verification.

• The attribute appVerificationRequired has been added to EntrustSTAuthenticatorSettings. This setting indicates whether application verification must be performed when an Entrust Soft Token is activated.
• The attribute appVerificationIOSBundleId and appVerificationIOSTeamId have been added to EntrustSTAuthenticatorSettings. These settings identify the trusted Apple mobile application.
• The attribute appVerificationAndroidPackageName has been added to EntrustSTAuthenticatorSettings. This setting identifies the trusted Android mobile application.
• The attribute appVerified has been added to Token. This setting indicates if the token was application verified during activation.

The following changes have been made related to the Smart credential certificate lifetime feature.

• The attribute lifetime has been added to DigitalIdConfigCertTemplate. This setting indicates the lifetime (in months) to use when requesting certificates from the CA if the default lifetime is not used.
• The attribute useCaDefaultCertLifetime has been added to DigitalIdConfigCertTemplate. This setting indicates if the CA default certificate lifetime should be used.

The following changes have been made related to Face Biometric authenticators.

• The method POST /api/web/v1/users/{userid}/face (createFaceUsingPOST) has been deprecated.
• The method POST /api/web/v2/users/{userid}/face (createFaceAuthenticatorUsingPOST) has been added. This method is used to create a new Face Biometric authenticator and replaces createFaceUsingPOST.
• New model FaceCreateResponse. This model contains the response from createFaceAuthenticatorUsingPOST.
• The attribute returnQRCode has been added to FaceCreateParms. This setting indicates if a QR code used to launch Face Biometric authenticator registration should be returned.

The following changes have been made related to TOKENCR authentications.

• The value TOKENCR has been added to the attributes idpLoginSecondStep and userLoginSecondStep in the models AuthenticationFlow and AuthenticationFlowParms. These attributes specify when the authenticator TOKENCR is allowed in an authentication flow.
• The value TOKENCR has been added to the attributes highRiskSecondStep, mediumRiskSecondStep, and lowRiskSecondStep in the models ResourceRule and ResourceRuleParms.
• The value TOKENCR has been added to the attribute authenticators in the model PasswordResetSettings. This model lists authenticators that can be used for password reset.
• The value TOKENCR has been added to the attribute lockedAuthenticatorTypes in the model User. This attribute lists locked out authenticators for a User.
• The value TOKENCR has been added to the attribute type in the model UserAuthenticatorLockoutStatus. This model provides details about authenticator lockout status for a User.

The following changes have been made related to supporting WeChat/WhatsApp for OTP delivery.

• The values WECHAT and WHATSAPP have been added to the attribute otpDefaultDelivery in the model OTPAuthenticatorSettings. This attribute specifies the default OTP delivery type.
• The attributes otpWechatDefaultDeliveryAttribute and otpWhatsappDefaultDeliveryAttribute have been added to the model OTPAuthenticatorSettings. These attributes specify the user attribute to use by default for OTP delivery using WeChat or WhatsApp.
• The values WECHAT and WHATSAPP have been added to the attribute otpDeliveryType in the model OTPCreateParms. This attribute specifies how an OTP is delivered when an OTP is created if delivery is enabled.
• The values WECHAT and WHATSAPP have been added to the attribute name in the model OTPDeliveryMethod. This model is used to define the allowed delivery methods in OTPAuthenticatorSettings.
• The values OTP_WECHAT and OTP_WHATSAPP have been added to the attribute type in the model OTPVerificationChallengeValue. This model is passed as an argument to the method contactVerificationChallengeUsingPOST to validate the value for a user contact attribute.
• The values OTP_WECHAT and OTP_WHATSAPP have been added to the attribute type in the models UserAttribute, UserAttributeParms, and UserExtraAttribute. These values specify the type of user attribute used to store a WeChat or WhatsApp contact value.

Supported TLS Ciphers​

IDaaS supports the following TLS Ciphers.

TLSv1.3:

• TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)

TSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)

Clients should stop using the following TLS Ciphers. Support for them will be removed in a future release.

TLSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)

Enterprise Service Gateway Deprecation​

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.40 and the three previous releases 5.37, 5.38, and 5.39). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.

In-place upgrade of the ESG is only supported for versions 5.33 or later. Versions of ESG older than 5.33 are no longer supported. To upgrade versions of ESGs older than 5.33 to the new version, use the following procedure:

1. Download the latest Gateway OVA or Hyper-V file from IDaaS and install on a new VM instance.
2. Add a new Gateway instance to the existing Gateway in IDaaS.
3. Register the new Gateway instance with IDaaS.
4. Disable the old Gateway instance.
5. Repeat these steps to replace all the Gateway instances that use older versions of the ESG.

Once the upgrade is complete, the Gateway instances corresponding to the old ESGs can be deleted from IDaaS and the VMs for those ESG instances can also be deleted.

Browser Deprecation​

Microsoft no longer supports Internet Explorer 11. Identity as a Service ceased support for Internet Explorer 11 after May 2023.

Locking and Removal of Production Accounts with Expired Entitlements​

Starting in this release, production accounts will be locked when their entitlements expire and removed after 6 months if the entitlement has not been renewed. IDaaS will send notification emails to account owners when entitlements approach the expiry date and then when they expire.

Customers can view the status of their account entitlements by clicking on the Entitlements icon on the Administration Portal Dashboard.

The default Customer Support Agent service provider administrator role has been modified to include permission to modify entitlements. This allows a support agent to address customer entitlement issues if their entitlement has expired.

SMS/Voice Entitlements Are Required​

Starting in this release, entitlements are required to use SMS/Voice delivery for OTPs. Previously, accounts without an entitlement were allowed to use SMS/Voice delivery. Email delivery of OTPs does not require an entitlement.

Customers can view the status of their account entitlements by clicking on the Entitlements icon on the Administration Portal Dashboard.

SAML Identity Providers​

IDaaS can be configured to support SAML Identity Providers in addition to the currently supported OIDC Identity Providers. The following are included as part of this new feature:

• An Authentication Flow that enables identity providers to select either OIDC or SAML identity providers, or both.
• Global and Group-Based User Verification Policies that configure identity providers can select either OIDC or SAML identity providers, or both.

Flexible External Risk Engines​

A new external risk engine type has been added to IDaaS. The new risk engine type allows the customer to integrate 3rd-party external risk engines into IDaaS with a no-code solution. IDaaS supports third-party risk engines that accept HTTPS requests and returns the risk results as a JSON formatted response.

Pass-through Authenticator​

A new pass-through authenticator type has been added to IDaaS allowing the customer to integrate third-party authenticators into IDaaS with a no-code solution. The pass-through authenticator forwards the authentication requests from IDaaS to a customer-operated authentication service. This feature allows a customer to integrate an application using the IDaaS authentication API with existing authentication services.

Group Attribute Support​

An attribute can be defined for IDaaS groups. This attribute can be mapped into SAML assertion attributes and OIDC claims depending on the group membership of the authenticating user.

These new capabilities include support for the Danish OIOSAML Web SSO Profile 3.0 for interoperation with Kombit Context Handler 2. Information defining privilege and constraint information can be defined in the IDaaS group attribute. This information can be encoded and returned in a SAML assertion as defined in OIOSAML and returned to Kombit Context Handler 2.

When defining a SAML attribute, the NameFormat can now be specified. Previously it was left undefined. This is required for OIOSAML but is applicable to any SAML attribute.

Maximum Password Length Policy​

A new maximum password length policy has been added to Password settings. When set, this policy enforces the maximum length of the user's password when a new password is set. By default, IDaaS does not enforce a maximum password length.

A customer may want to enforce a maximum password length if they have clients that cannot accept longer passwords.

Outbound SCIM Provisioning Enhancements​

Previously, IDaaS outbound SCIM provisioning only supported OAuth to authenticate to the service to which users were provisioned. Now, IDaaS also supports authentication using API keys.

Improved User/Audit Searching for Large Customers​

For large customers, the list/search operations in the Administration portal have been redesigned to avoid timeouts that may be encountered. These issues are more likely when complicated search criteria are specified. The user experience of the administrator using the Administrator portal is unchanged.

Webhooks for User Creation​

IDaaS now supports webhooks where IDaaS will send a signal to an external service when an event happens. In this release, webhooks are supported for user create events.

IDaaS JWT OIDC Grant Type​

A new IDaaS JWT grant type has been added to OIDC and OAuth applications. This grant type allows a customer application to use the IDaaS authentication API to authenticate a user. When using this grant type, the client application does the following:

• Calls the OIDC/OAuth authorize endpoint to begin authentication specifying the new grant type. This will return an authRequestKey value.
• Calls the IDaaS authentication APIs to authenticate the user. The authRequestKey is passed as an argument. The authentication API will return an IDaaS JWT when the user is authenticated.
• Calls the OIDC/OAuth token endpoint to get an OAuth access token. The IDaaS JWT and authRequestKey are passed as arguments. This call returns an OAuth access token that can be used to interact with the customer's backend service.

This new grant type provides the following capabilities not available with standard OIDC:

• The customer can implement their own authentication UI allowing them to customize the UI to meet their requirements.
• The customer can access IDaaS risk authentication capabilities, such as transaction verification that require customer transaction values to be provided. When transaction values are provided, the returned OAuth access token can be configured to include these transaction values as a claim.

RADIUS Agent Caching​

Recently some IDaaS customers have experienced attacks on their VPN servers where bad actors perform large numbers of authentication attempts using the same userid and different passwords in an attempt to find a valid userid and password. The error returned from IDaaS does not indicate if the error is because the user does not exist or if the password was invalid. This means that these attacks generate large numbers of IDaaS requests resulting in unknown user errors.

For customers whose VPN server or network infrastructure does not provide capabilities to filter out these kinds of requests before they reach the IDaaS RADIUS agent and then IDaaS, the IDaaS RADIUS agent now provides the following caches to block this traffic before it reaches IDaaS:

• An unknown user cache that blocks RADIUS authentication requests with a userid that previously generated a user not found error.
• A client IP rate limiter that restricts the number of RADIUS authentication requests that will be accepted from a client IP address.

For customers that allow this traffic to reach IDaaS, Entrust may be forced to rate limit the authentication traffic for that account. This rate limiting would block both valid and invalid authentication requests.

Customers will need to upgrade to the 5.39 version of the Enterprise Service Gateway to have these features available.

Token Delete Bulk Operation​

A new bulk operation to delete tokens has been added.

Administrator Portal Menu Search Improvements​

The menu search capability now supports all levels of the Administrator portal menu instead of just the top level menus. The menu search field has been moved to the menu.

IDaaS Logo Change​

The IDaaS logo displayed by default on the login page has changed.

Service Provider Tenant Management Improvements​

When a service provider configures a tenant for tenant management, there is now an option to select the OIDC key/certificate to be used.

Improved OIDC Error Information​

OIDC requests that fail due to configuration issues or due to unsupported requests now return additional information to the client in the error description indicating the cause of the error.

New Integrations​

The following integrations have been added.

• A new SAML application template for Bonusly.
• A new SAML application template for ProdPad.

Fixed or changed in this release​

1. The Save button should be disabled in the password change UI if the New Password matches the Current Password. Submitting the request results in a server error as expected. (10826, 36622)
2. User search criteria in the Administrator portal should not display the Organization filter for administrators who do not have permission to view Organizations. (37314)
3. Changes to the Geolocation allow list in resource rules were not saved. (37856)
4. User Certificate was missing from the User Authenticator Notifications settings. (37159)
5. Allow the default OIDC certificate to be deleted if it is not used, and it is not the only OIDC key. (37728)
6. Edit the Tenant Management configuration for a tenant from a service provider fails. (37982)
7. The User Attributes VIEW permission has been added to the default SCIM Provisioning role. (37596)
8. Remove sample values of API keys from IDaaS OpenAPI files. These sample values trigger customer vulnerability scanners. (38107)
9. If Face Biometric registration is cancelled during User Registration it is marked complete. (37747)
10. OIDC Server Application should not have the Show Login Redirect URL in My Profile option. (37646)
11. Administrator in Helpdesk role was not allowed to remove groups from a user. (37459)
12. Japanese version of Reset Password email is missing text. (10566)
13. Localized versions of User State Change email contains English text. (33749)
14. User created in IDaaS after authentication from an Identity Provider is ignored by SCIM outbound provisioning. (37635, 38082)
15. If creation of a user in IDaaS after authentication from an Identity Provider fails, authenticators created for that user are left behind. (37636)
16. Delete users bulk operation fails with "Bulk operation already started" error. (37353)
17. When entering the name of an Organization, the UI does not validate if the name is a duplicate. This results in an error being returned from the server. (36439)
18. Encoding smart credentials on YubiKey tokens with firmware version 5.7.1 or greater fails. (37412)
19. In the Administrator Portal, the list of groups to add to a user were not sorted. (37408)
20. When the Directory configuration has a list of SSL certificates, it now indicates which SSL certificate is being used. (37619)
21. Unlocking a user fails if the user was locked out due to User Certificate authentication failure. (37153)
22. Audits without an Error Description display a value of undefined. (37315)
23. Smart credential encoding fails for PKIaaS CAs when the smart credential definition only specifies one digitalId Config. (38121)
24. Magiclink fails when case of provided email address differs from user's email address. (38391)

Changes to Identity as a Service APIs​

The CSharp SDK dropped support for .NET 6.0 in this release.

Authentication API​

The following changes have been made to support the Pass-through Authenticator.

The following models have been added:

• PassthroughAuthenticationResponse. This model defines information returned to the client application from a pass-through authenticator. It consists of a list of PassthroughAuthenticationResultItems. The list of items returned is defined in the Pass-through Authenticator configuration in IDaaS.
• PassthroughAuthenticatorParms. This model defines information passed from the client application to the pass-through authenticator. The model consists of a list of PassthroughAuthenticatorPlaceholder. The Pass-through Authenticator configuration in IDaaS specifies how these values are mapped into the requests sent to the Pass-through Authenticator.

The following models have been updated:

• The attribute passthroughAuthenticationResponse has been added to AuthenticatedResponse. This attribute contains the information returned to the client application from a pass-through authenticator.
• The attribute passthroughAuthenticatorParms has been added to UserChallengeParameters and UserAuthenticateParameters. This attribute contains the information passed from the client application for a pass-through authenticator.

The following changes have been made to support the IDaaS JWT OIDC Grant Type.

The following models have been updated:

• The attribute authRequestKey has been added to UserAuthenticateQueryParameters. This attribute is provided by the OIDC/OAuth authorize endpoint when using the IDaaS JWT grant type and is required to use the IDaaS authentication APIs for that grant type.
• The attribute maxAge has been added to UserAuthenticateQueryParameters. If an existing authToken is provided, the maxAge parameter can be used to indicate if re-authentication is required for an authentication. If the specified requestTime (or current system time if requestTime is not specified) is more than maxAge seconds after the time which the authToken was issued then re-authentication will be required.
• The attribute requestTime has been added to UserAuthenticateQueryParameters. Used when comparing maxAge to the authToken issue time to determine if re-authentication is required. If not specified, the system current time is used.
• The attribute authRequestKey has been added to UserAuthenticateParameters. This attribute is provided by the OIDC/OAuth authorize endpoint when using the IDaaS JWT grant type and is required to use the IDaaS authentication APIs for that grant type.

Administration API​

The following models related to authentication flows have been updated:

• An attribute identityProviderIds has been added to AuthenticationFlowParms. This value specifies the identity providers associated with the authentication flow. The attribute oidcIdentityProviderIds has been deprecated.
• An attribute identityProviders has been added to AuthenticationFlow. This value specifies the identity providers associated with the authentication flow. The attribute oidcIdentityProviders has been deprecated.

The following APIs have been added to manage identity providers:

• GET /api/web/v1/identityproviders (listIdentityProvidersUsingGET) - List identity providers.

The following models related to identity providers have been added:

• IdentityProvider - The results returned from the list API.

The following APIs have been added to manage SAML identity providers:

• GET /api/web/v1/identityproviders/saml (listSamlIdentityProvidersUsingGET) - List identity providers.
• POST /api/web/v1/identityproviders/saml (createSamlIdentityProviderUsingPOST) - Create an identity provider.
• DELETE /api/web/v1/identityproviders/saml/{id} (deleteSamlIdentityProviderUsingDELETE) - Delete an identity provider.
• GET /api/web/v1/identityproviders/saml/{id} (getSamlIdentityProviderUsingGET) - Get an identity provider.
• PUT /api/web/v1/identityproviders/saml/{id} (updateSamlIdentityProviderUsingPUT) - Modify an identity provider.

The following models related to SAML identity providers have been added:

• SamlIdentityProviderParms - The parameters passed to the create and update APIs.
• SamlIdentityProvider - The results returned from the create, get, list, and update APIs.

The following models related to webhooks have been added:

• WebhookParms - The parameters passed when creating or updating a webhook.
• Webhook - The parameters returned when listing or getting a webhook.
• WebhookEvent - Specifies the event types supported by the webhook. Currently for IDaaS, this will always be user.create.

The following APIs have been added to manage Webhooks:

• GET /api/web/v1/webhooks (getWebhooksUsingGET) - List all webhooks.
• POST /api/web/v1/webhooks (createWebhookUsingPOST) - Create a webhook.
• POST /api/web/v1/webhooks/test/{id} (testWebhookUsingPOST) - Test a webhook by trying to deliver a dummy payload.
• GET /api/web/v1/webhooks/{id} (readWebhookUsingGET) - Get the specified webhook.
• PUT /api/web/v1/webhooks/{id} (updateWebhookUsingPUT) - Update the specified webhook.
• DELETE /api/web/v1/webhooks/{id} (deleteWebhookUsingDELETE) - Delete the specified webhook.

The following change has been made to other models:

• The attribute 'maximumLength' has been added to UserPasswordSettings which defines the maximum length of the password.
• The attribute attribute has been added to Group and GroupParms which provides access to the attribute value associated with a group.

Supported TLS Ciphers​

IDaaS supports the following TLS Ciphers.

TLSv1.3:

• TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)

TSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)

Clients should stop using the following TLS Ciphers. Support for them will be removed in a future release.

TLSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)

Enterprise Service Gateway Deprecation​

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.39 and the three previous releases 5.36, 5.37, and 5.38). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.

In-place upgrade of the ESG is only supported for versions 5.33 or later. Versions of ESG older than 5.33 are no longer supported. To upgrade versions of ESGs older than 5.33 to the new version, use the following procedure:

1. Download the latest Gateway OVA or Hyper-V file from IDaaS and install on a new VM instance.
2. Add a new Gateway instance to the existing Gateway in IDaaS.
3. Register the new Gateway instance with IDaaS.
4. Disable the old Gateway instance.
5. Repeat these steps to replace all the Gateway instances that use older versions of the ESG.

Once the upgrade is complete, the Gateway instances corresponding to the old ESGs can be deleted from IDaaS and the VMs for those ESG instances can also be deleted.

Browser Deprecation​

Microsoft no longer supports Internet Explorer 11. Identity as a Service ceased support for Internet Explorer 11 after May 2023.

Identity Verified Activation of Entrust Soft Tokens​

IDaaS can be configured to require users to perform Face Biometric authentication when activating an Entrust Soft Token. Identity verification ensures that the expected user is activating the soft token.

Passkey/FIDO2 Enhancement to Block Synced Passkeys​

Passkey/FIDO2 policy can now be configured to block synced passkeys from being registered. Customers may want to only allow their users to use passkeys, such as physical FIDO2 tokens, whose keys are not backed up to the cloud.

Locking and Removal of Production Accounts With Expired Entitlements​

Starting in 5.39 release, production accounts will be locked when their entitlements expire and removed after 6 months. Accounts with entitlements that have already expired will be immediately locked and then removed after 6 months. IDaaS will send notification emails to account owners when entitlements approach the expiry date and then when they expire.

In 5.38, the expiry notifications will be sent to account owners, but the accounts will not be locked.

Identity Proofing Management Removed​

The identity proofing management capabilities have been removed.

Directory and Gateway SSL Certificate Enhancements​

The following enhancements related to SSL Certificate configuration have been made for Directories and Gateways that have SSL configured:

• The Directories and Gateways tiles on the dashboard indicate if any SSL certificates are expired.
• The status of the SSL certificate is shown in the Directory list.
• A new View SSL Certificates action is available that shows a list of all SSL certificates configured for the directory.
• A new View SSL Certificate action is available for each Gateway instance.
• Certificate expiry notification emails sent by IDaaS now include notifications for Directory and Gateway SSL Certificates.

New Integrations​

The following integrations have been added.

• A new SAML application template for Keeper Security.
• A new SAML application template for LeaveWizard.
• A new SAML application template for ShareFile.

Fixed or changed in this release​

1. ESG log not rolling over causing disk to fill. (37181, 37320)
2. ESG disks partition for /opt too small. Customers will need to reinstall ESG for this fix to apply. (37239)
3. When OTP Voice delivery is used, the wrong type displays on the user's login page. (37330, 37406)
4. The X-Xss-Protection header is no longer included in IDaaS API responses. (37455)
5. The sample value for the machine fingerprint value in the API was incorrect. (37329)
6. Validation of device certificate fails if it contains a ExtendedKeyUsage value marked critical. (36968)
7. Address issues with SCIM user provisioning. Some errors were not properly handled resulting in the operation not completing and preventing future operations from starting. (37187, 37228, 37240, 37262, 37305)
8. Enhance the User Authenticator Update email notification so that it can distinguish between an authenticator being locked and a user being locked. (37481)
9. Customized name for Google Authenticator is HTML encoded. (37531)
10. Face Biometric activation audit is missing mobile platform. (37261)
11. Group policy category list in Admin portal not sorted. (37238)
12. Face Biometric push transaction details are not translated. (37236)
13. Microsoft Azure AD has been renamed to Microsoft Entra ID. (37529)
14. Missing error message if Face Biometric authentication times out. (36456)
15. Save user profile with alias generates blank error message. (37302)
16. Password reset dialog has two scrollbars for some locales. (37223)
17. Pressing User Certificate login button twice generates an error. (37100)
18. Group names not sorted in Group Policies list. (36963)
19. Add extra contact info entry in Admin portal is too short. (36679)
20. When editing an application, the Next button should not be enabled if all authentication flows are disabled. (35322)

Changes to Identity as a Service APIs​

Administration API​

ID Proofing capabilities have been removed from IDaaS. The following methods have been removed from the Administration API.

• idProofingInitUsingPOST (POST /api/web/v1/idproofing/init).
• idProofingImageUsingPUT (PUT /api/web/v1/idproofing/{requestId}/image/{side}).
• idProofingCompleteSelfieUsingPUT (PUT /api/web/v1/idproofing/{requestId}/completeselfie).
• idProofingCompleteUsingPUT (PUT /api/web/v1/idproofing/{requestId}/complete).
• idProofingRequestUsingGET (GET /api/web/v1/idproofing/{requestId}).
• idProofingRequestsPagedUsingPOST (POST /api/web/v1/idproofing).

Token activation for Google Authenticator has been enhanced to support activation of a token with a specified token secret. This allows a customer to import existing Google Authenticator tokens into IDaaS. The following model has been changed.

• The attribute secret has been added to ActivateParms. If specified when activating a token, this attribute specifies the seed of a token.

Methods used to configure the Onfido account used for Face Biometric authenticator have been added to the Administration API. The following changes have been made.

• The method getFaceAccountSettingsUsingGET (GET /api/web/v1/settings/face/account) has been added. This method fetches the current Onfido account settings.
• The method setFaceAccountSettingsUsingPUT (PUT /api/web/v1/settings/face/account) has been added. This method updates the Onfido account settings.
• The model FaceAccountSettings has been added. This model contains the Onfido account settings.

Supported TLS Ciphers​

IDaaS supports the following TLS Ciphers.

TLSv1.3:

• TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)

TSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)

Clients should stop using the following TLS Ciphers. Support for them will be removed in a future release.

TLSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)

Enterprise Service Gateway Deprecation​

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.38 and the three previous releases 5.35, 5.36, and 5.37). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.

In-place upgrade of the ESG is only supported for versions 5.33 or later. Versions of ESG older than 5.33 are no longer supported. To upgrade versions of ESGs older than 5.33 to the new version, use the following procedure:

1. Download the latest Gateway OVA or Hyper-V file from IDaaS and install on a new VM instance.
2. Add a new Gateway instance to the existing Gateway in IDaaS.
3. Register the new Gateway instance with IDaaS.
4. Disable the old Gateway instance.
5. Repeat these steps to replace all the Gateway instances that use older versions of the ESG.

Once the upgrade is complete, the Gateway instances corresponding to the old ESGs can be deleted from IDaaS and the VMs for those ESG instances can also be deleted.

Browser Deprecation​

Microsoft no longer supports Internet Explorer 11. Identity as a Service ceased support for Internet Explorer 11 after May 2023.

Face Biometric Authentication with Entrust Identity Mobile​

The IDaaS Face Biometric Authenticator has been enhanced to support Face Biometrics registered and authenticated from the Entrust Identity Mobile application. Face Biometric authenticators managed on the Entrust Identity Mobile application can be configured so that the user's biometric information is stored on the mobile device rather than in the Onfido cloud.

Face Biometric authentication using the Entrust Identity Mobile app has a user experience similar to token push authentication.

• The user gets a notification on the mobile device.
• The mobile app is launched.
• From the mobile app, the user performs a workflow that does a motion capture of the user's face.
• The user is authenticated if the motion capture matches their previously registered biometric.

Face Biometric authentication has the option to include a mutual authentication challenge to prevent the user from accidentally responding to an attacker's authentication request.

User Certificate Authentication Matching Policy Update​

IDaaS has enhanced its User Certificate Authentication matching policy, enabling fine-grained control for user matching. The new settings allow the configuration of one-to-one mappings between certificate components and user attributes.

The list of supported certificate components has been expanded to include both strong and weak components:

• Strong components: securityId, sha256PublicKey, subjectKeyIdentifier, serialNumber
• Weak components: commonName, rfc822Name, userPrincipalName, directoryName, subjectDN

Entrust highly recommends using strong components for user matching. When only weak components are configured, all matching rules must be satisfied to successfully authenticate a user.

In addition, the settings support specifying mandatory and prohibited certificate policy OIDs, ensuring that only certificates with the appropriate policies can be used. This applies to both certificates issued by trusted Certificate Authorities and IDaaS-issued smart credentials.

Support for Entrust Identity Mobile Features​

The following changes have been made to IDaaS to support new functionality in Entrust Identity.

• The latitude and longitude of push notification transactions are included in the information sent to the mobile app so that it can display the location from which the transaction was launched.
• A new policy "Allow Device Biometric Authentication" has been added for Entrust Soft Tokens. This allows an administrator to disable the use of the device biometric for unlocking the mobile app.

User Portal / Admin Portal Enhancements​

An end user can select favorite applications in the user portal. Favorite applications are displayed first on the Applications page.

The admin portal has been enhanced to support searching the menu.

Microsoft Entra ID Read-Only Authorization​

When adding a Microsoft Entra ID directory to IDaaS for user synchronization, the option to select Read-Only Authorization is provided.

Authentication Notification Enhancements​

When enabling User Authenticator Notifications, the administrator can now select which authenticators cause notifications.

FIDO/Passkey Enhancements​

FIDO/Passkey authenticators now support subdomains for Relying Party IDs. For example, IDaaS can be configured so that an authenticator registered from register.mydomain.com can be used to authenticate from authenticate.mydomain.com. The Allowed Relying Party ID hostnames policy allows subdomains to be specified.

SAML/OIDC Enhancements​

The following enhancements have been made for SAML and OIDC applications

• When configuring a SAML application, a new setting, SAML Max Authentication Age, can be specified. If configured, this setting specifies the maximum time before a user needs to reauthenticate.
• The ForceAuthn parameter in SAML authentication requests is now supported. If set to true, reauthentication by the user will be required.
• SAML ForceAuthn or OIDC max_age in a request that force a re-authentication will now preserve an existing IDaaS session.
• Resource rules that disable SSO no longer apply to reauthenticating the same SAML or OIDC application. Setting the application max authentication age to 0 will disable SSO for the application.
• If the IDP max authentication age is configured, then a SAML ForceAuthn or OIDC max _age request is propagated to third-party IDPs. The smaller value is used.
• A new option "Include Authentication Claims" has been added to the OAuth Resource Server configuration. If enabled The acr, amr, and auth_time claims are included in the OAuth access token.
• A new option "Show Login Redirect URL in My Profile" has been added to OIDC applications. This setting controls whether the OIDC application with the redirect URL displays in the User portal.
• OIDC applications with an expired or expiring certificate are now flagged with an icon in the Application List page.
• When SAML attribute encryption is enabled for a SAML application, the default algorithm is now RSA-OAEP instead of RSA version 1.5.

Token Report Enhancements​

The token report now includes additional fields, including the platform for Entrust Soft Tokens and an indication of whether the token supports push notification.

Service Provider Role Updates​

Permission to delete tenants has been added to the Service Provider On-boarding Administrator role.

New Integrations​

The following integrations have been added.

• A new SAML application template for Air.
• A new SAML application template for Druva.
• A new SAML application template for Freshworks.
• A new OIDC application template for Freshworks.

Fixed or changed in this release​

1. The FIDO/Passkey authenticator can now be chosen when configuring resource rules for IDaaS ADFS, IDaaS Apache Filter and IDaaS ISAPI application. (35988)
2. Add missing descriptions for various Email Template variables. (34070, 34069)
3. Generate audits for Onfido configuration errors detected when performing Face Biometric operations. (37017)
4. Improve wording of user/authenticator unlock notification email. (36506)
5. Audit for user portal settings change should not include settings that have not changed. (36654)
6. User provisioning using SCIM is now supported for accounts with the PLUS bundle. (36658)
7. Fix broken links and misleading steps in the Microsoft Entrust ID EAM integration guide. (36805)
8. Password expiry notification option to mobile should only be available when the user has a token supporting push notification. (34479)
9. When an option attribute is modified for a user synchronized from AD, the Security ID attribute gets modified to null. (34634)
10. In the User portal, step-up authentication should not be required to view the details of a Face Biometric authenticator. (36292)
11. The Dashboard shows the wrong count for expired applications if both OIDC and SAML applications have an expired certificate. (36445)
12. The SecurityID attribute can be modified using the Admin API when it is mapped from the directory. (34403, 33806)
13. The Option to add an Entrust Soft Token from the User portal was erroneously disabled when user was locked but lockout was expired. (36692)
14. IDaaS ESG package registry now includes net-snmp and net-snmp-utils for customers who want to install and configure these packages. (36882)
15. Offline tokens with Entrust Identity Desktop Credential Provider did not work for the Google Authenticator. (35917)
16. IDaaS Administration Guide now includes a description of the attributes that can be included in an audit. (36808)
17. Entrust Soft Token activation audit now includes the platform of the mobile device. (36302)
18. Add Face Biometric authenticator audit now includes state attribute. (36478)
19. Option to set Face Biometric authenticator expiry date to Never should not display a date. (36716)
20. Creating a domain-based Identity Provider is missing the option to select other Identity Providers. (36739)
21. Identity Provider initiated log in not showing organizations. (36665)
22. When configuring a Microsoft EAM OIDC application, the JSON configuration is missing the default application ID. (37164)

Changes to Identity as a Service APIs​

Authentication API​

The following changes have been made to the authentication API to support the enhancements made to Face Biometric authentication.

The following changes have been made to existing models:

• the attribute pushMutualChallenge has been added to the models AuthenticatedResponse and UserAuthenticateQueryResponse. This value contains the mutual authentication challenge that should be displayed to the user. This attribute applies to both token and face biometric authentication. This attribute replaces the existing attribute tokenPushMutualChallenge which still exists in both models but has been deprecated.
• the attribute pushMutualChallengeEnabled has been added to the models UserAuthenticateQueryParameters and UserChallengeParameters. This value indicates if the client supports mutual authentication challenges. This attribute applies to both token and face biometric authentication. This attribute replaces the existing attribute tokenPushMutualChallengeEnabled which still exists in both models but has been deprecated.
• the following changes have been made to FaceChallenge: - the attribute applicantId has been removed. It was not used in previous releases. - the attribute device has been added. This attribute indicates if the Face Biometric was registered on WEB or MOBILE. - the attributes id and qrCode have been added. These attributes are not used for authentication. - the attributes sdkToken and workflowRunId remain. When authenticating for a mobile Face Biometric authenticator, the sdkToken will be null and the workflowRunId will be the transactionId used to call the authenticate complete method to get the authentication response.

In addition to the changes made to support the enhancements to Face Biometric authentication, the following changes have also been made to the authentication API.

The following method deprecated in an earlier release has been removed:

• requestPasskeyChallengeUsingPOST (POST /api/web/v1/authentication/passkey)

The following model deprecated in an earlier release has been removed:

• PasskeyChallengeParameters

The following changes to existing models have been made:

• the attribute registeredCredentialsNameshas been added to FIDORegisterChallenge. This attribute specifies the names of FIDO tokens already registered to the user.

Administration API​

The following changes have been made to the administration API to support the enhancements made to Face Biometric authentication.

The following method has been added:

• sendFaceActivationEmailUsingPUT (PUT /api/web/v1/face/{faceid}/activation). This method sends an email containing a QR code or link used to launch Face Biometric authenticator activation in the mobile app.

The following changes have been made to existing models:

• the following attributes have been added to FaceAuthenticator - created - the date the authenticator was created. - lastUsed - the date the authenticator was last used for authentication. - mobile - a flag indicating if the authenticator was registered in the mobile app. - serialNumber - an external identifier for the Face Authenticator.
• the attribute deliverActivationEmail has been added to FaceCreateParms. This flag indicates if an activation email will be sent when a Face Authenticator is created.
• the attribute id has been added to FaceUpdateParms. This attribute specifies which Face Biometric authenticator is to be updated. If not specified and the user has a single Face Biometric, that authenticator will be updated. If the user has multiple authenticators, an error will be returned.
• the attribute maxFacesPerUser has been added to GeneralSettings. This policy specifies the maximum number of Face Biometric authenticators a user can have.

In addition to the changes made to support the enhancements to Face Biometric authentication, the following changes have also been made to the administration API.

The following method has been added:

• deleteTenantEntitlementUsingDELETE (DELETE /api/web/v4/tenants/{tenantid}/entitlements/{type}). This method deletes the specified entitlement from the specified tenant of a service provider.

The following changes to existing models have been made:

• The attribute subscriptionLineId has been added to Entitlement. This setting is used internally for configuring entitlements of an account.
• The attribute allowDeviceBiometric has been added to EntrustSTAuthenticatorSettings. This setting specifies if an end user is allowed to use the device biometric to unlock the Entrust Soft Token in the Entrust Identity mobile app.
• The attribute registeredCredentialsNameshas been added to FIDORegisterChallenge. This attribute specifies the names of Passkey/FIDO2 tokens already registered to the user.
• The attribute overageType has been added to SmsVoice. This setting is used internally for configuring SMS/Voice entitlements of an account.
• The attribute deleteEntitlement has been added to SmsVoiceParms. This setting is used internally for configuring SMS/Voice entitlements of an account.

Supported TLS Ciphers​

IDaaS supports the following TLS Ciphers.

TLSv1.3:

• TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)

TSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)

Clients should stop using the following TLS Ciphers. Support for them will be removed in a future release.

TLSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)

Enterprise Service Gateway Deprecation​

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.37 and the three previous releases 5.34, 5.35 and 5.36). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.

ESG was updated to use a new OS in 5.33. In place upgrade of ESG is only supported for versions 5.33 or later. Versions of ESG older than 5.33 are no longer supported. To upgrade versions ESGs older than 5.33 to the new version use the following procedure:

1. Download the latest Gateway OVA or Hyper-V file from IDaaS and install on a new VM instance.
2. Add a new Gateway instance to the existing Gateway in IDaaS.
3. Register the new Gateway instance with IDaaS.
4. Disable the old Gateway instance.
5. Repeat these steps to replace all the Gateway instances using older versions of the ESG.

Once the upgrade is complete, the Gateway instances corresponding to the old ESGs can be deleted from IDaaS and the VMs for those ESG instances can be deleted.

Browser Deprecation​

Microsoft no longer supports Internet Explorer 11. Identity as a Service ceased support for Internet Explorer 11 after May 2023.

Organizations​

IDaaS has been enhanced to support organizations. An IDaaS user can belong to one or more organizations. When the user authenticates using a SAML or OIDC application, the authentication response indicates the organizations to which the user belongs. When a user belongs to multiple organizations, they are also asked to select the organization they are accessing.

Customer applications that support multiple tenants can map their tenants to IDaaS organizations and use this information to determine which tenant the authenticating user is accessing.

Domain-based Identity Provider Selection​

Third-party Identity Providers can be configured to be associated with domains.

When an IDaaS authentication flow is configured to support external Identity Providers, they can be configured to use the external Identity Providers associated with a user's domain.

This allows a customer to define a single authentication flow that applies to users using different Identity Providers based on the user's domain.

Face Biometric Authenticator using Onfido​

A new authenticator "Face Biometric" has been added to IDaaS. This authenticator uses Onfido technology to perform strong biometric authentication of a user. The Face Biometric authenticator is available when authenticating to SAML and OIDC applications, and to the IDaaS portal.

Step-up authentication for User Portal Update Operations​

When configuring the resource rules for the User portal, a separate resource rule can now be specified for User portal update operations. This allows the customer to require separate authentication before a user is allowed to modify their user profile or manage their own authenticators.

User Portal Configuration Enhancements​

The User portal can now be configured to restrict the actions are available to the end users. Additionally, the User portal configuration has been reorganized so that all the settings are accessed from the new Policies > User Portal menu.

SAML Enhancements​

SAML IDP initiated authentication has been enhanced so that the request can specify the Service Provider the user is authenticated to using the Service Provider Entity ID and the Relay State (if required) by Relay State value. The URL would have the following format.

https://<tenant>/api/saml/SAML2/SSO?spentityid=<spentityid>&RelayState=<RelayState>

This feature allows a customer to generate IDP URLs that can be bookmarked.

Bulk Enhancements​

A new bulk operation to delete grids has been added to IDaaS. This bulk operation can delete either assigned or unassigned grids.

Upcoming Cross-Origin Requests (CORS) Handling Changes​

IDaaS will be making the following changes to how CORS is handled in IDaaS in a future release. In 5.36, IDaaS will track invalid requests and Entrust will notify customers that will be impacted by these changes.

• IDaaS will reject requests that contain an Origin header with a value of null.
• The IDaaS Configuration setting "Enable CORS" will be enabled by default meaning that applications that are making cross-origin requests to IDaaS APIs will need to define the list of allowed origins in IDaaS CORS configuration.

Service Provider Management Removed​

The service provider management capabilities supported for Google and Box have been removed. User provisioning is now supported using SCIM.

New Integrations​

The following integrations have been added.

• A new SAML application template for Alibaba Cloud.

Fixed or changed in this release​

5.36.1 Patch​

1. OTP authentication for step-up authentication fails under some conditions. (36822)
2. Default value of IDaaS Face Biometric Authentication Input Name policy does not match new Onfido value for default workflows. (36770)
3. IDaaS does not accept some valid values for Onfido API key when configuring Onfido. (36883)
4. When changing Onfido API key or Web Hook token configuration in IDaaS the wrong value is saved unless both values are changed. (36721)
5. Access to the User Portal Entrust Soft Token activate/reactivate operation now requires the Entrust Soft Token Edit permission instead of the Add permission. This means the user portal can be configured to allow end users to activate or reactivate existing tokens without allowing them to create new tokens. (36908)

5.36​

1. When configuring the network proxy for ESG the Save button should be disabled when the proxy test fails. (36143)
2. Enterprise Service Gateway heartbeats might not be tracked correctly due to clock skew between ESG and IDaaS. (36066)
3. Mobile SmartCredential activation dialog updated to reference the Entrust Identity mobile app and not the old Entrust SmartCredential app. (35607)
4. User report fails for users that have not completed activation. (36626)
5. User verification fails with error service_authentication.email_template_not_found. (35956)
6. Authentication flow not displayed correctly in user portal when using Safari. (36058)
7. The attributes SecurityID and User Principal Name are no longer shown in the User Portal > User Profile. (35321)
8. Offline token download not working for Desktop Credential Provider. (36049)
9. Improved audits when a SAML or OIDC application is modified. (35662)
10. Rename Microsoft Azure AD to Microsoft Entra ID in the IDaaS documentation. (35518)
11. Administrator should be blocked from upgrading Managed Service Provider from Trial to Production if there are not entitlements available. (34708)
12. Fix log rotation configuration for Enterprise Service Gateway. (35661)
13. Directory Test action is now disabled for Gateways with versions prior to 5.35. (35900)
14. Authentication Flow graphics should not have connection dots for IDPs without second factor. (34972)
15. Fix sorting in User Certificate Settings page. (36630)
16. When password is changed from Entrust Identity mobile app, the IDaaS audit is missing the resource name. (34178)
17. IDaaS Developer Portal includes an extra newline in the section linking to the license. (35960)

Changes to Identity as a Service APIs​

Authentication API​

The following models have been added to support Face Biometric authentication.

• FaceChallenge specifies the attributes needed to launch a Face Biometric authentication.

The following attributes have been added to existing models to support Face Biometric authentication.

• the attribute faceChallenge has been added to AuthenticatedResponse.
• the attribute faceResponse has been added to UserAuthenticateParameters.

Administration API​

The following methods have been added to support management of Face Biometric authenticators.

• DELETE /api/web/v1/face/{faceid} (deleteFaceUsingDELETE) - Delete the specified Face Biometric authenticator.
• POST /api/web/v1/users/{userid}/face (createFaceUsingPOST) - Create a Face Biometric for the given user.
• PUT /api/web/v1/users/{userid}/face (updateFaceUsingPUT) - Update the Face Biometric for the given user.
• GET /api/web/v1/users/{userid}/faces (getFacesUsingGET) - Get the Face Biometrics for the given user.
• GET /api/web/v1/users/{userid}/settings/face (getUserFaceSettingsUsingGET) - Get the Face Biometric settings for the given user.

The following models have been added for Face Biometric Authenticators.

• FaceAuthenticator specifies the attributes for a Face Biometric.
• FaceCreateParms specifies the attributes passed when creating a Face Biometric.
• FaceUpdateParms specifies the attributes passed when modifying an existing Face Biometric.
• UserFaceSettings specifies the settings for the Face Biometric authenticator.

The following methods have been added to support management of Organizations.

• POST /api/web/v1/organizations (createOrganizationUsingPOST) - Create an organization.
• GET /api/web/v1/organizations/{id} (getOrganizationUsingGET) - Get the specified organization.
• PUT /api/web/v1/organizations/{id} (putOrganizationUsingPUT) - Update the specified organization.
• DELETE /api/web/v1/organizations/{id} (deleteOrganizationUsingDELETE) - Delete the specified organization.
• POST /api/web/v1/organizations/{orgid}/users/{userid} (createUserOrganizationAssociationUsingPOST) - Add the specified user to the specified organization.
• DELETE /api/web/v1/organizations/{orgid}/users/{userid} (deleteUserOrganizationAssociationUsingDELETE) - Remove the specified user from the specified organization.
• POST /api/web/v1/organizationspaged (organizationsPagedUsingPOST) - List organizations matching the given search criteria.
• PUT /api/web/v1/users/{userid}/organizations (modifyUserAOrganizationAssociationsUsingPUT) - Modify the organizations for the specified user.

The following models have been added for Organizations.

• Organization specifies the attributes of an organization.
• OrganizationPage specifies a page of organizations returned from the list operation.
• OrganizationParms specifies the parameters passed when creating or modifying an organization.
• UserOrganizationParms specifies the parameters passed when modifying the organizations to which a user belongs.

The following changes to existing models have been made to support Organizations.

• the attribute organizationIdshas been added to OidcIdentityProvider and OidcIdentityProviderParms. This attribute specifies a list of organizations to which a user created after authenticating to an external IDP will be assigned.
• the attribute organizations has been added to User and UserParms. This attribute specifies a list of organizations to which the user belongs.

The following changes to existing models have been made to support Domain-based IDPs.

• the boolean attribute idpDomainBased has been added to AuthenticationFlow and AuthenticationFlowParms. This attribute indicates if the AuthenticationFlow will only use domain-based IDPs.
• the attribute domains has been added to OidcIdentityProvider and OidcIdentityProviderParms. This attribute specifies a space separated list of domains associated with the IDP.

When specifying a password value for a user the provided value can now be passed as cleartext (the existing behavior) or provided as a bcrypt protected value (new behavior). This allows a customer to import existing bcrypt protected passwords into IDaaS using the IDaaS administration API. To support this functionality the following changes have been made existing models.

• the attribute passwordFormat has been added to UserPasswordParms.

Supported TLS Ciphers​

IDaaS supports the following TLS Ciphers.

TLSv1.3:

• TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)

TSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)

Clients should stop using the following TLS Ciphers. Support for them will be removed in a future release.

TLSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)

Enterprise Service Gateway Deprecation​

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.36 and the three previous releases 5.33, 5.34 and 5.35). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.

ESG was updated to use a new OS in 5.33. In place upgrade of ESG is only supported for versions 5.33 or later. Versions of ESG older than 5.33 are no longer supported. To upgrade versions ESGs older than 5.33 to the new version use the following procedure:

1. Download the latest Gateway OVA or Hyper-V file from IDaaS and install on a new VM instance.
2. Add a new Gateway instance to the existing Gateway in IDaaS.
3. Register the new Gateway instance with IDaaS.
4. Disable the old Gateway instance.
5. Repeat these steps to replace all the Gateway instances using older versions of the ESG.

Once the upgrade is complete, the Gateway instances corresponding to the old ESGs can be deleted from IDaaS and the VMs for those ESG instances can be deleted.

Browser Deprecation​

Microsoft no longer supports Internet Explorer 11. Identity as a Service ceased support for Internet Explorer 11 after May 2023.

User Certificate Authentication​

A new user certificate authenticator has been added to IDaaS. This authenticator can be used in a passwordless login flow or as a second-factor in User Login flow or IDP login flow.

User certificates can be either certificates issued by third-party CAs or certificates in IDaaS-issued smart credentials. The third-party CAs need to be added to the IDaaS Trusted CA list and marked as a user certificate CA. Additionally, to align with the new user certificate authenticator, issuing CAs will no longer be automatically used in device verification. A new option was added to allow specifying issuing CAs to be used in device verification.

User certificates issued by 3rd party CAs are matched against the user's attributes to locate the user in IDaaS. Supported certificate components for this matching process include subject DN, subject alternative Name, and serial number. For user attributes, user ID, user principal name, security ID, and custom attributes are supported. User certificates from IDaaS-issued smart credentials do not use the certificate matching process.

Device Verification Enhancements​

IDaaS device verification has been enhanced to support verification performed using the forthcoming release of the Entrust Device Agent (formerly Identity Bluetooth Reader).

Support Microsoft Entra ID External Authentication Method (EAM)​

IDaaS has added support for Microsoft Entra ID EAM where IDaaS can provide second-factor authentication for customers authenticating to Microsoft Entrust ID.

IDaaS Password, KBA and IDP authenticators are classified as knowledge type authenticators by IDaaS and so are not accepted by Microsoft Entra ID EAM as acceptable second-factor authenticators.

Directory Configuration Validation​

A new Test action has been added for Directories. The Test action tests the directory configuration against the directory and reports on any errors found in the configuration.

Certificate Expiry Notification​

When Notifications are enabled in IDaaS (Configuration > Notification) notifications are sent indicating when SAML and OIDC certificates are nearing expiry or have expired.

OIDC/SAML Enhancements​

OIDC and SAML now support external authentication as a first-factor optionally without any second-factor authentication. SAML and OIDC applications can be configured to return to the client without user intervention when an error occurs during authentication. These capabilities allow a customer to configure their Service Provider to only use IDaaS risk capabilities to decide whether a user is allowed or denied access.

Customers should only use external authentication when they know that the client is performing first-factor authentication. Additionally, single sign-on should be disabled for a resource rule using external authentication.

When an OIDC authentication fails due to access denied, more error information can be included in the response returned to the client. This is controlled by the existing General setting "Enabled Enhanced Authentication Details."

IDaaS now supports the OAuth 2.0 Web Message Response Mode.

OIDC Authentication Context Class Reference (ACR) and Authentication Methods References (AMR) claims are now populated based on the authenticators used in IDaaS to authenticate the user.

External Risk Enhancements​

Support for Generic External Risk Engines has been added to IDaaS. This allows customers to integrate their own risk engines with IDaaS.

Developer Portal Enhancements​

The IDaaS Developer Portal has been enhanced with a new Docs section that includes documents describing how to integrate IDaaS with various services. New in this release is Protecting AWS API Gateway.

The IDaaS administration and authentication SDKs are now available by way of a private registry, facilitating easier integration into customer projects. Initially, Java, CSharp, and Python SDKs are available in the registry. Support for the Php SDK has been discontinued. The Python SDK now requires Python 3.7 or higher. The CSharp SDK has been updated to support .NET 8.0. For instructions on adding the private registry into your project, see the IDaaS Developer Portal.

Bulk Enhancements​

The locale of the user can now be specified when creating or updating users.

Configure Allowed Smart Credential Definitions​

When configuring smart credentials, an administrator can specify a list of allowed smart credential definitions. This allows an administrator to restrict which smart credential definitions can be selected when activating a smart credential.

Enhanced Configuration for IDaaS Desktop Application​

When configuring an IDaaS Desktop Application, the administrator can now configure if the client application can determine whether the client IP address is used for Audits but not Resource Rule Conditions.

New Integrations​

The following integrations have been added.

• A new SAML application template for Amazon Business.
• A new SAML application template for Confluent Cloud.
• A new SAML application template for SiteMinder.
• A new RADIUS application template for OpenVPN.

Fixed or changed in this release​

1. Return a specific error grid_max_num_per_user when assigning a grid to a user who already has the maximum number of grids allowed. (33750)
2. Improvements to OIDC and IDP audits. (26886, 34533, 34538, 34907, 35123, 35180, 35353)
3. RADIUS push authentication does not properly handle repeated requests from VPN causing the authentication to be rejected. (35811)
4. Changes to the user authenticator page in 5.34 added a requirement for the SETTINGS:VIEW permission causing the page to fail to load for administrators without that permission. This permission is no longer required. (35424)
5. When a user selects a different locale during login they are given an option to set that locale as their default locale. If the user chose not to save that value in some scenarios, it would be saved regardless. (32335)
6. User list operation filtering for disabled users failed with error that the requested operation could not be performed. (34302)
7. Custom mail server error still present in UI after OAuth re-authentication. (35139)
8. URLs in message of the day may be truncated. (34523)
9. Updates to OTP default delivery settings not displayed in UI after save. (35179)
10. Alternate OTP delivery options ignored when authenticating for password. (35609)

Changes to Identity as a Service APIs​

Authentication API​

The following changes have been made to support user certificate authentication:

• The model UserCertificateChallenge has been added.
• The attribute userCertificateChallenge of type UserCertificateChallenge has been added to AuthenticatedResponse.
• The model UserCertificateResponse has been added.
• The attribute userCertificateResponse of type UserCertificateResponse has been added to UserAuthenticateParameters.
• The type USER_CERTIFICATE has been added as an allowed value where ever authentication types are specified.

Administration API​

The type USER_CERTIFICATE has been added as an allowed value where ever authentication types are specified.

The type USER_CERTIFICATE_LOGIN has been added to the list of allowed Login Flow types.

New v2 versions of the following authentication APIs have been created to support the new USER_CERTIFICATE authentication type and the USER_CERTIFICATE_LOGIN login flow.

• GET /api/web/v2/authenticationflows (getAuthenticationFlowsUsingGET) - List authentication flows.
• POST /api/web/v2/authenticationflows (createAuthenticationFlowUsingPOST) - Create an authentication flow.
• DELETE /api/web/v2/authenticationflows/{id} (removeAuthenticationFlowUsingDELETE) - Delete an authentication flow.
• GET /api/web/v2/authenticationflows/{id} (getAuthenticationFlowUsingGET) - Get an authentication flow.
• PUT /api/web/v2/authenticationflows/{id} (updateAuthenticationFlowUsingPUT) - Modify an authentication flow.

The attribute allowIgnoreIpAddressForRba has been added to AuthApiApplication and AuthApiApplicationParms. This value specifies whether the client can specify that the client IP address is used for audits but not for resource rule conditions. This attribute only applies to IDaaS Desktop applications.

The following APIs have been added:

• GET /api/web/v1/scdefns/users/{userId} (listAllowedSCDefnsUsingGET) - List smart credential definitions that are allowed for the specified user.

Supported TLS Ciphers​

IDaaS supports the following TLS Ciphers.

TLSv1.3:

• TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)

TSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)

Support for the following TLS Ciphers were removed in IDaaS 5.32.

TLSv1.2:

• TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048)
• TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048)
• TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)

Clients should stop using the following TLS Ciphers. Support for them will be removed in a future release.

TLSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)

Enterprise Service Gateway Deprecation​

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.35 and the three previous releases 5.32, 5.33 and 5.34). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.

ESG was updated to use a new OS in 5.33. In place upgrade of ESG is only supported for versions 5.33 or later. To upgrade versions ESGs older than 5.33 to the new version use the following procedure:

1. Download the latest Gateway OVA or Hyper-V file from IDaaS and install on a new VM instance.
2. Add a new Gateway instance to the existing Gateway in IDaaS.
3. Register the new Gateway instance with IDaaS.
4. Disable the old Gateway instance.
5. Repeat these steps to replace all the Gateway instances using older versions of the ESG.

Once the upgrade is complete, the Gateway instances corresponding to the old ESGs can be deleted from IDaaS and the VMs for those ESG instances can be deleted.

Browser Deprecation​

Microsoft no longer supports Internet Explorer 11. Identity as a Service ceased support for Internet Explorer 11 after May 2023.

IDP plus Second-Factor Authentication​

When using a third-party identity provider for authentication, IDaaS second-factor authentication can now be included in the authentication flow.

Step-Up Authentication to Edit User Profile​

The User portal can be configured to require step-up OTP authentication before a user is allowed to edit their user profile. The user attributes that receive the OTP can be configured in the policy.

OIDC Certificate Management​

The certificates used for OIDC applications can now be managed, including having them certified by a Certificate Authority.

Grid Delivery Address Selection​

When the end user or an administrator chooses to deliver a grid, the email address to use can now be selected. The allowed addresses can be configured in the policy.

Restrict OTP Delivery Types​

The OTP delivery types that are available for OTP authentication can now be specified in the policy.

Administrator Support for Entrust Soft Token Manual Activation​

When an administrator activates an Entrust Soft Token from the Administration portal, they now have the option to view the manual activation parameters.

Automatically Send Registration Magic Link​

The Registration Magic Link can now be configured so that it is automatically delivered when a user is created.

User ID Quick Search​

The user list in the admin portal now has a "Search for User ID" quick search option.

New Integrations​

The following integrations have been added.

• A new RADIUS application template for PAM RADIUS Plug-in.
• A new SAML application template for Fastly
• A new SAML application template for Lucidchart
• A new SAML application template for Soloinsight

The following Identity as a Service integrations have been renamed from IntelliTrust to IDaaS:

• IDaaS AD FS Adapter
• IDaaS Apache Filter
• IDaaS Desktop
• IDaaS ISAPI Filter

The Identity as a Service integration IntelliTrust ForgeRock has been removed. The OIDC ForgeRock application is still available.

Fixed or changed in this release​

1. When creating a tenant from a managed service provider, the country of the tenant and the mobile phone number of the first administrator are now optional. (34504)
2. When creating a tenant from a managed service provider, tenant creation fails if the service provider's entitlements are expired. The entitlement is now verified before trying to create the tenant. (34224)
3. Improved the performance of token queries and reports when the tenant has a large number of tokens. (34584, 34916)
4. Improved the performance of user export for tenants with a large number of users. (33632)
5. Device verification is now fully supported for Passkey, IDP, and Smart Login authentication. (34273, 34274, 34275)
6. Device verification caused unexpected errors if the user entered an invalid password during password change. (34528)
7. The tab titles in the User portal and Administration portal have been changed to use black instead of the primary account color. (34284)
8. Fixed the ESG setup_static_ip.sh script. (35025)
9. Previously an imported PKIaaS CA only supported OCSP for certificate revocation. Now CRLs are also supported. (34672)
10. Smart login now supports single sign-on. (33162)
11. The User portal operations to verify ownership of a phone number now consume SMS/Voice entitlements. (26751)
12. SAML metadata download fails when "All Certificates" is selected. (35034)
13. Addressed issues where travel velocity was performed for IP addresses without a location. (34364)
14. Improved the display of the Message of the Day in the login page on mobile devices. (34005)
15. Smart Login is now available for managed service provider tenants. (34581)
16. Fixed an issue with directory sync where errors could result in the user entitlement counts to be incorrect until the daily entitlement verification task was performed. (29178, 31441)
17. Addressed some issues in how authentication flows display in the Administration portal. (34807)
18. The subject name for a SYNCADD user audit should be clickable. (34478)
19. The IDP remove audit should not include all the details of the removed IDP. (34688)
20. Return a better error message when a duplicated trusted CA certificate is added. (33108)
21. Improve the formatting of authentication audits containing device certificate risk factor evaluation results so that the device certificate DN displays properly. (32896)
22. Improve the formatting of the Passkey button text on Safari. (34058)
23. Optional custom user attributes synchronized from the directory could be modified using the Administration API. (34402, 34405)
24. OTP authentication settings modify audit contained attributes whose values did not change. (34685, 34698)
25. The audit generated when a user is created or a soft token is created as part of user creation after an IDP authentication has the wrong subject name. (34524, 34534)
26. The audit generated when an inactive user authenticates with Passkey/FIDO2 was missing the Authenticator value. (31770)
27. PKIaaS CA actions on Issuing CA list page should be disabled for administrators that do not have permission to perform the action. Performing the action caused a permission denied error. (32930)
28. When configuring an Identity Provider, the JWKS Endpoint is now required for all IDPs except for Twitter. (34585)
29. The wrong error was displayed in the Administration portal if the administrator tried to remove a synchronized group from the user. (34379)
30. Passkey authentication did not work for managed service providers authenticating to a child account. (34277)
31. Some strings in the user portal were not translated for all locales. (34362, 34532)
32. Make the mobile application name consistent between the Activate Smart Credential and Activate Soft Token dialogs. (34648)
33. The "Add Client Credential Grant" option should be disabled for administrators that do not have permission to perform the operation. Performing the action results in a no permission error. (34509)
34. Improve the audit generated when a custom mail server is updated with a new password to indicate that the password was changed. (32904)
35. Fix password reset for AD passwords for users whose DN contains values that need to be escaped. (34285)
36. Only audits that have a subject name that are user IDs should be clickable. (34521)
37. The reset password audit shows the forceUpdate attribute even though it has not changed. (33042)
38. Changing the state of the ESG password agent could fail. (34641)
39. Creating a Generic Server OIDC Application is now only available in an account with the premium bundle. (34540)
40. Identity Provider configuration now supports acr values request. Supply a space separated list of acr values. If supplied then at least one of specified ones must be returned from the IDP to be successful. (34620)
41. If an OIDC request specifies a claims request for acr or amr as essential with specified values, then if at least one of the specified values cannot be achieved, the request wil fail. (34673)
42. Fixed an issue where the name and description of a resource rule containing groups synchronized from AD could not be updated. (34594)
43. Fixed an issue where the FIDOTOKEN add permission could not be set when creating or editing a role in the admin portal. (35259)
44. Updated phone number validation that was rejected phone numbers with new area codes for some countries. (35223)

Changes to Identity as a Service APIs​

Authentication API​

The attribute ignoreIPAddressForRBA has been added to UserAuthenticateQueryParameters, UserChallengeParameters, and UserAuthenticateParameters. When this attribute is set to true, the IP address provided to an authentication request is included in authentication audits but is not used for risk-based authentication. By default, the IP address is used for both audits and risk-based authentication.

The attribute expires has been added to UserAuthenticateQueryResponse. It specifies the expiry time of the authentication token.

Administration API​

The following changes have been made to support selecting which email attribute is used when delivering a grid to a user.

• The model EmailParms has been added.
• The API deliverAssignedGridByEmailUsingPOST now takes EmailParms as a parameter.
• The attribute emailParms of type EmailParms has been added to the model GridAssignParms. This attribute is used when calling the API assignGridByIdUsingPUT and assignGridBySerialNumberUsingPUT.
• The attribute emailParms of type EmailParms has been added to the model GridCreateParms. This attribute is used when calling the API createGridUsingPOST.

The following changes have been made to define the OTP Settings policy used to define which delivery types can be used to deliver OTPs.

• The model OTPDeliveryMethod has been added. It defines an OTP delivery method and indicates if that method can be used for delivering OTPs.
• The attribute deliveryMethodshas been added to the model OTPAuthenticatorSettings. It defines an ordered list of OTP delivery methods that can be used for delivery OTPs. The first entry in the list is the default delivery method.
• The attribute otpDefaultDelivery in the model OTPAuthenticatorSettings has been deprecated and is replaced by deliveryMethods.

The following changes have been made to support defining IDP plus second-factor authentication and other improvements to Identity Providers.

• The attribute idpLoginSecondStep has been added to AuthenticationFlow and AuthenticationFlowParms. This attribute defines the list of authenticators that are required for IDP second-factor authentication.
• The attribute acrValues has been added to OidcIdentityProvider and OidcIdentityProviderParms. This attribute defines a list of authentication context request values to include in the authentication request to the 3rd-party IDP.
• The attribute descriptions for OidcIdentityProvider and OidcIdentityProviderParms have been improved.

Other changes made to the Administration API:

• The attribute companyCountry in the model TenantParms is no longer required when creating a new tenant.
• The attribute mobile in the model UserParms used to create the first administrator of the tenant is no longer required when creating a new tenant.
• The version of the method createTenantAsyncUsingPOST has been updated from v4 to v5. The non-compatible changes requiring this change are not related to authentication clients and will not impact IDaaS customers.

Supported TLS Ciphers​

IDaaS supports the following TLS Ciphers.

TLSv1.3:

• TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)

TSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)

Support for the following TLS Ciphers were removed in IDaaS 5.32.

TLSv1.2:

• TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048)
• TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048)
• TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)

Clients should stop using the following TLS Ciphers. Support for them will be removed in a future release.

TLSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)

Enterprise Service Gateway Deprecation​

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.34 and the three previous releases 5.31, 5.32 and 5.33). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.

ESG was updated to use a new OS in 5.33. In place upgrade of ESG is only supported for versions 5.33 or later. To upgrade versions ESGs older than 5.33 to the new version use the following procedure:

1. Download the latest Gateway OVA or Hyper-V file from IDaaS and install on a new VM instance.
2. Add a new Gateway instance to the existing Gateway in IDaaS.
3. Register the new Gateway instance with IDaaS.
4. Disable the old Gateway instance.
5. Repeat these steps to replace all the Gateway instances using older versions of the ESG.

Once the upgrade is complete, the Gateway instances corresponding to the old ESGs can be deleted from IDaaS and the VMs for those ESG instances can be deleted.

Browser Deprecation​

Microsoft no longer supports Internet Explorer 11. Identity as a Service ceased support for Internet Explorer 11 after May 2023.

Authentication Flows​

IDaaS supports several authentication flows:

• The standard userID authentication flow where the user enters their userID and is then prompted for an optional first-factor password followed by a selection of second-factor authenticators.
• The Passkey authentication flow where the user uses their Passkey token to authenticate. Their userID is provided by the Passkey token.
• The Smart Login authentication flow where the user uses their Entrust Identity Smart Credential to authenticate to IDaaS. Their userID is provided by the smart credential.
• The Identity Provider (IDP) authentication flow where the user uses a third-party Identity Provider to authenticate. Their userID is provided by the IDP.

Prior to 5.33, some authentication flows (userID and Smart Login) were configured in the resource rules and some authentication flows (Passkey and IDP) were defined outside the resource rules in the applications. In 5.33, the authentication flows are now defined as a separate entity and linked to the resource rules. These changes provide the following benefits:

• Configuration of all authentication flows is the same.
• All authentication flows now support single-sign on and user registration and verification.
• Resource rule contexts, which can be used to deny access to an application apply to all the authentication flows. Prior to 5.33, Passkey and IDP authentication were not restricted by the context rules in the resource rule.
• Authentication flows can be shared with multiple resource rules.

The IDaaS portal authentication UI has been updated as part of this feature. Only the authentication flows defined for the application are shown. For example, the User portal can be configured so that only IDP authentication is shown.

The IDaaS user portal and administration portal can have different authentication flows. A user browsing to the account URL (ex: https://mycompany.us.trustedauth.com) will see the authentication flow for the user portal which may not be an authentication flow that allows access to the administration portal. In this scenario, a user wishing to access the administration portal can do so by adding ?action=admin to their URL. For example https://mycompany.us.trustedauth.com/#/?action=admin.

As part of these changes, the existing Resources menu has been split into two top-level menus. A new Security menu includes items related to authenticating to applications, including a new Authentication Flows menu item for managing authentication flows. The existing Resources menu includes items related to managing resources such as Grids, Tokens, and Smart Credentials.

When IDaaS 5.33 is deployed, existing resource rules will be converted. Where necessary, new authentication flows will be created and linked to resource rules.

Support Entrust Identity Mobile Hardware Storage for Smart Credentials​

An upcoming version of Entrust Identity Mobile will support storing smart credential private keys in hardware. Hardware storage on iOS only supports Elliptic Curve (EC) keys. When configuring smart credentials in IDaaS, there is now an option to select EC as the key type in addition to RSA. Additionally, there is new policy for smart credentials to indicate to Entrust Identity Mobile that smart credential private keys must be stored in hardware storage or will be stored in hardware storage if available. Existing versions of Entrust Identity Mobile will fail to encode the smart credential if EC keys are specified and will not store private keys in hardware even if required by IDaaS policy.

FIDO2/Passkey Authenticator Improvements​

An "Allowed Relying Party ID Hostnames" list has been added to FIDO2/Passkey policy. This list restricts the hostnames that can register FIDO2/Passkey tokens.

Strict Access Option for Resource Rules​

In IDaaS if a user matches multiple resource rules, if one or more resource rules allows access then the user is allowed access using those resource rules. A new "Enable Strict Access for Application" option has been added to resource rules. If enabled and the resource rule denies access and the user is denied access even if other resource rules allow access.

Magic Link Redirect​

An application creating an IDaaS Registration Magic Link can now include a redirect URL. After registration completes, the user's browser is redirected to that URL. The Magic Link policy now includes a policy to enable Redirect and to list URLs that are allowed for redirect.

Redirect URLs are only supported with Magic Links created using the administration API. They cannot be specified for Magic Links created from the administration portal.

Support Existing Entrust PKIaaS CAs​

IDaaS has been supporting Entrust PKIaaS CAs created by IDaaS. Now customers can use Entrust PKIaaS CAs created from Entrust Certificate Services.

Customize Google Authenticator Name​

Most 3rd-party soft tokens are compatible with Google Authenticator for activation and authentication. This means that customers using 3rd-party soft tokens with IDaaS can use the IDaaS Google Authenticator with those tokens. IDaaS now allows a customer to customize the name of the authenticator to match the token that the customer is using.

User Registration Enhancements​

The following enhancements have been made to user registration:

• User registration can now include an option to create a new grid for the user.
• User registration can now include an option to perform password management for the user. If the user does not have a password, they can create a password. If the user has a password that is expired or set for forced update, the user can change it. Currently, password creation is only supported for IDaaS-managed passwords and not for AD passwords.

Support Multiple Smart Credential Definitions in User Portal​

When activating a smart credential in the IDaaS User portal, if multiple smart credential definitions are configured, the user is now asked to choose which smart credential to use. The user no longer needs to choose between activating for mobile or physical smart credentials. That information is provided by the selected smart credential definition.

Enhance Password Expiry Notification​

An upcoming version of Entrust Identity Mobile will support handling password expiry notifications. In IDaaS, support for delivering password expiry notifications to mobile has been added. This includes a new Mobile option for the Password Expiry Notifications policy.

Azure AD Directory Permission Changes​

When authenticating to Azure AD, IDaaS no longer requests all the permissions required to perform all directory-related operations (synchronizing users and groups, changing or resetting user passwords). Instead, IDaaS requests minimal permissions and is given the permissions allowed for the authenticating directory credentials. If IDaaS does not have permission to perform an operation, the operation fails. This allows, for example, a customer to configure their directory to only provide read permissions supporting user synchronization without having write permission to support password change.

Enterprise Service Gateway (ESG) Platform Update​

ESG has been updated to use a new OS. Versions of ESG prior to 5.33 are still supported for 3 versions after release, but they can not be upgraded in place. To upgrade existing ESGs to the new version use the following procedure:

1. Download the latest Gateway OVA or Hyper-V file from IDaaS and install on a new VM instance.
2. Add a new Gateway instance to the existing Gateway in IDaaS.
3. Register the new Gateway instance with IDaaS.
4. Disable the old Gateway instance.
5. Repeat these steps to replace all the Gateway instances using older versions of the ESG.

Once the upgrade is complete, the Gateway instances corresponding to the old ESGs can be deleted from IDaaS and the VMs for those ESG instances can be deleted.

New Integrations​

The following integrations have been added.

• A new SAML application template for FortiSIEM
• A new SAML application template for Gong
• A new SAML application template for Huddle
• A new SAML application template for Mimecast
• A new SAML application template for Netskope
• A new SAML application template for Ziflow

Fixed or changed in this release​

1. Push authentication in RADIUS did not fall back to token authentication when the push transaction expired. (34332, 34308, 34196)
2. Administrators logging into the IDaaS portal using device certificate authentication were only given access to the User portal. (34190, 33919)
3. User attributes synchronized from AD should be read-only when editing the user profile in the Administrator or User portal. (34300, 34291)
4. Magic Link email not using user locale for email subject and expiry date. (33924, 33556)
5. Audits for IDP initiated SAML/OIDC logins now include the application name in the audit. (34099)
6. The IntelliTrust Desktop application can now be configured to support FIDO2/Passkey authentication. (33783)
7. The activation email for mobile smart credential now includes a link to the Entrust Identity mobile application instead of the old Entrust Smart Credential mobile application. (33676, 33621, 33512)
8. IDaaS did not correctly handle incoming SAML requests if the RelayState parameter was not URL encoded. (33673)
9. Hardware tokens were not unassigned as expected when a synchronized user is deleted because they were removed from the directory. (33627)
10. The Administrator portal removed spaces from user aliases that contained multiple spaces. (33209)
11. Smart login authentication not saved in location history or counted in the authentications per application statistics. (33166, 33169)
12. Passkey login authentication not saved in location history or counted in the authentications per application statistics. (33168, 33167)
13. Check that the same Trusted Certificate Authority is not added twice. (32614)
14. When directory synchronization was configured to synchronize "Group Matching Group Filter" and the group filter was empty, all groups were synchronized. It should not synchronize any groups. (33201)
15. Improvements to policy caching to ensure policy changes are applied immediately. (33773)
16. IDaaS allows groups in a directory group filter that differ only with leading or trailing whitespace. (22843)
17. Improve message in failure audit if authentication fails because there are no active resource rules. (34134)
18. IDaaS accounts with Standard bundle were unable to add SAML applications. (33852)
19. The basic authentication option has been removed from Secure Device Provisioning. (30691)
20. The refresh option on the managed service provider tenant list page now displays all tenants being created rather than just tenants created in the current session. (33652)
21. Improved error message of synchronization from Azure AD fails because authentication token has expired. (32283)
22. Improved error in change password indicating that the password has matched an alias. (31644)
23. OIDC Authorization should only be accessible in accounts with the PREMIUM bundle. (34481)

Changes to Identity as a Service APIs​

Authentication API​

The authentication type PASSKEY has been added to the AuthenticatorType enumerated type. Previously when performing PASSKEY authentication, the API POST /api/web/v1/authentication/passkey (requestPasskeyChallengeUsingPOST) was used. This API has been deprecated. Instead, call POST /api/web/v2/authentication/users/authenticate/{authenticator} (userChallengeUsingPOST) with authenticator set to PASSKEY. The parameter userId in UserChallengeParameters is now optional. It is required when calling non-passwordless authenticators but is not required for PASSKEY.

The attribute relyingParyId has been added to FIDOToken which is returned from the APIs completeFIDORegisterUsingPOST and getSelfFIDOTokenUsingGET.

Administration API​

The following APIs have been added to manage authentication flows:

• GET /api/web/v1/authenticationflows (getAuthenticationFlowsUsingGET) - List authentication flows.
• POST /api/web/v1/authenticationflows (createAuthenticationFlowUsingPOST) - Create an authentication flow.
• DELETE /api/web/v1/authenticationflows/{id} (removeAuthenticationFlowUsingDELETE) - Delete an authentication flow.
• GET /api/web/v1/authenticationflows/{id} (getAuthenticationFlowUsingGET) - Get an authentication flow.
• PUT /api/web/v1/authenticationflows/{id} (updateAuthenticationFlowUsingPUT) - Modify an authentication flow.

The following models related to authentication flows have been added:

• AuthenticationFlowParms - The parameters passed to the create and update APIs.
• AuthenticationFlow- The results returned from the create, get, list, and update APIs.

The following APIs have been added to manage OIDC identity providers:

• GET /api/web/v1/identityproviders/oidc (listOidcIdentityProvidersUsingGET) - List identity providers.
• POST /api/web/v1/identityproviders/oidc (createOidcIdentityProviderUsingPOST) - Create an identity provider.
• POST /api/web/v1/identityproviders/oidc/configuration (fetchOidcConfigurationUsingPOST) - Get configuration information for an identity provider.
• DELETE /api/web/v1/identityproviders/oidc/{id} (deleteOidcIdentityProviderUsingDELETE) - Delete an identity provider.
• GET /api/web/v1/identityproviders/oidc/{id} (getOidcIdentityProviderUsingGET) - Get an identity provider.
• PUT /api/web/v1/identityproviders/oidc/{id} (updateOidcIdentityProviderUsingPUT) - Modify an identity provider.

The following models related to OIDC identity providers have been added:

• OidcIdentityProviderParms - The parameters passed to the create and update APIs.
• OidcIdentityProvider - The results returned from the create, get, list, and update APIs.
• OidcConfigurationParms - The parameters passed to the configuration API.
• OidcConfigurationResponse - The results returned from the configuration API.

A new version of the following APIs to manage resource rules have been created. The new v2 version of the APIs manage resource rules linked to authentication flows. The old v1 version of the APIs have been deprecated and will be removed in a future release.

• GET /api/web/v2/resourcerules (getResourceRulesUsingGET) - List all resource rules.
• POST /api/web/v2/resourcerules (createResourceRuleUsingPOST) - Create a resource rule.
• GET /api/web/v2/resourcerules/resource/{id} (getResourceRulesForResourceUsingGET) - List all resource rules for the specified resource.
• DELETE /api/web/v2/resourcerules/{id} (removeResourceRuleUsingDELETE) - Delete a resource rule.
• GET /api/web/v2/resourcerules/{id} (getResourceRuleUsingGET) - Get a resource rule.
• PUT /api/web/v2/resourcerules/{id} (updateResourceRuleUsingPUT) - Update a resource rule.

The models ResourceRule and ResourceRuleParms related to resource rules have been modified.

• The attributes highRiskAuthenticationFlow, mediumRiskAuthenticationFlow, and lowRiskAuthenticationFlow have been added. These attributes specified the authentication flows associated with this resource rule for the different risk levels. These attributes are managed by the v2 version of the resource rule APIs.
• The attributes highRiskEnableSmartLogin, highRiskFirstStep, highRiskSecondStep, mediumRiskEnableSmartLogin, mediumRiskFirstStep, mediumRiskSecondStep, lowRiskEnableSmartLogin, lowRiskFirstStepand lowRiskSecondStep have been deprecated. These attributes have been replaced by the corresponding authentication flow attributes and will be removed in a future release. These attributes are managed by the v1 version of the resource rule APIs.

Once a resource rule has been updated by the v2 version of the resource rule APIs (including the IDaaS Administrator portal), it can no longer be accessed by the v1 version of the APIs.

The following models have been changed:

• An attribute relyingPartyId has been added to FIDOToken. This value specifies the relying party from which the token was registered.
• The attribute passkeyEnabled in AuthApiApplication and AuthApiApplicationParms has been deprecated. It is no longer used.
• The attribute keyType has been added to DigitalIdConfigCertTemplate. This value specifies whether the key type RSA or ECC should be used.
• The attribute redirectUrl has been added to MagicLinkCreateParms. This value specifies the optional redirect URL that can be included in a Magic Link.
• The attributes lockedAuthenticatorTypes in User and type in UserAuthenticatorLockoutStatus have been updated to include the new authenticator types IDP, PASSKEY, and SMART_LOGIN.

Supported TLS Ciphers​

IDaaS supports the following TLS Ciphers.

TLSv1.3:

• TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)

TSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)

Support for the following TLS Ciphers were removed in IDaaS 5.32.

TLSv1.2:

• TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048)
• TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048)
• TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)

Clients should stop using the following TLS Ciphers. Support for them will be removed in a future release.

TLSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)

Enterprise Service Gateway Deprecation​

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.33 and the three previous releases 5.30, 5.31 and 5.32). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.

Browser Deprecation​

Microsoft no longer supports Internet Explorer 11. Identity as a Service ceased support for Internet Explorer 11 after May 2023.

Administrator Role Defined by Group Membership​

IDaaS has a new group-based policy category that defines an Administrative role. This allows a customer to assign all members of a group an administrative role.

Registration Settings UI Restructured​

The Registration Settings page has been restructured so that each category has its own page.

Magic Link for Registration​

IDaaS now provides Magic Links that allow a user to register authenticators without requiring a password to authenticate. Magic Links can be delivered by email from IDaaS to the user or returned to customer applications using the Administration API.

Account Rename​

The hostname for an account can now be modified by the Service Provider of that account. To support migration between hostnames, there is an option to keep the old hostname available.

Group Provisioning using SCIM​

SCIM can now be used to provision groups and to provision group membership of users in IDaaS.

New Default SCIM Provisioning Role​

There is now a new default role "SCIM Provisioning." This role contains the permissions required to perform provisioning to IDaaS using SCIM.

Asynchronous Account Creation​

New account creation is now performed asynchronously. To support this, the account creation UI in the Service Provider portal has been extensively changed.

New APIs to support asynchronous account creation have been added to the Administration API. The existing APIs have been deprecated and will be removed in a future release.

Directory Synchronization Improvements​

The following improvements have been made to directory synchronization.

• User aliases can now be populated from a list of one or more directory attributes.
• IDaaS attributes can now be defined as a composite of multiple directory attributes (for example, '<givenName> <sn>' to specify the user's full name) or a combination of directory attributes and static values (for example, 'ENTRUST\<samAccountName>' to specify the user's domain qualified userID).

Replace Deleted Applications​

When creating an Authentication API application, the administrator can now specify the unique ID of the application. This allows an administrator to recreate an application that was deleted with the same unique ID so that existing clients do not need to be reconfigured.

New Integrations​

The following integrations have been added.

• A new SAML application template for 15Five
• A new SAML application template for Forest Admin
• A new SAML application template for Freshservice
• A new SAML application template for HubSpot
• A new SAML application template for Jenkins
• A new SAML application template for Miro
• A new SAML application template for Onfido
• A new SAML application template for ReviewInc
• A new SAML application template for Splunk SOAR

Additionally, an integration guide is now available for the Epic Hyperdrive integration that was added in 5.31.

Fixed or changed in this release​

1. Fixed an issue where Java clients using the IDaaS APIs could not deserialize null arrays. (33036)
2. Addressed issues in the Google Workspace integration guide. (32947, 33082)
3. Updated the bulk import user sample to include securityId. (32872)
4. Disabled the refresh operation for PKIaaS CAs for administrators that do not have permission to perform the operation. (32931)
5. Removed the Referrer-Policy header that was added in 5.31. It caused issues with some IDaaS clients. (33110)
6. Renamed the "SCIM Provisioning Management" role permission to "Outbound Provisioning Management". (32862)
7. The audit generated when directory attributes are modified now includes the old and new values. (32859)
8. When updating a SAML application when Override SAML Audience is checked, the Audience value is now required. (33034)
9. Addressed issues in the "Integrate Microsoft Azure AD" Technical Guide. (32738, 33137)
10. Improvements to SCIM User Provisioning documentation. (32933)
11. Fixed broken link in "Integrate Nets E-Ident IDP Broker" section of Technical Guide. (33144)
12. Addressed FIDO token registration issues using Safari on Mac. (32702, 32700)
13. In the Service Provider portal, disable the Tenant report option for administrators that do not have permission. (33233)
14. Users added to IDaaS by directory synchronization did not receive their new grid. (32811)
15. Userid search options were disabled for accounts with more than 1 million users. The limit is now 3 million users. (33484)
16. When creating a new SAML application, the Signature Type now defaults to the expected value. (33187)
17. When creating a new SAML application, if only one SAML signing certificate is defined, it is automatically selected. (33188)
18. IDaaS now allows the Authorization Bearer token passed to authenticated endpoints to contain more than one space. The standard specifies a single space but some clients include multiple spaces. (33107)
19. Fixed language selection issue where a user was asked to confirm a change when the default language selected. (33286)
20. Fixed an issue where changing the default account locale can result in the Admin portal displaying that locale instead of English. (32915)
21. Improved text in Gateway download dialog to make it clear that the OVA can be installed onto more than just VMWare vSphere. (32069)
22. When a FIDO token is registered, its origin is now audited. (31237)
23. Changed the Registration page so that the authenticators are sorted. (30794)
24. Improved validation of input on My Authenticator page. (15217)
25. Fixed the issue on Password Reset policies page that prevented an administrator from unchecking Allow Email OTP Delivery. (33109)
26. Enabling/updating tenant management configuration failed in some cases. (33200)
27. When configuring an IDP, Security ID should not be allowed as an attribute used to identify the user. (33146)
28. Improved the formatting of the Risk Factor Evaluation Results in authentication audits. (32497)
29. The authenticator filter in the user list search criteria should only show authenticators that the administrator has permission to access. (31887)
30. Fixed an issue that prevents the custom email server configuration from being saved when the OAuth is reauthorized. (32536)
31. In the User list, when the Last Authenticated before criteria is used it includes users who have never authenticated. The UI now includes a note to indicate this. (32266)
32. Users are unable to use the OTP authenticator because they do not have contact information were not getting the expected error response when Enable Enhanced Authentication Details was checked. (32628)

Changes to Identity as a Service APIs​

Authentication API​

The following models have been changed in this release.

• serialNumbers in GridChallenge has been deprecated. Use gridInfo instead.

Administration API​

The following APIs to support asynchronous account creation have been added in this release.

• POST /api/web/v4/async/tenants (createTenantAsyncUsingPOST)
• GET /api/web/v4/async/tenants/{id}/createstatus (getCreateTenantAsyncStatusUsingGET)
• GET /api/web/v4/async/tenants/{id}/createresult (getCreateTenantAsyncResultUsingGET)

To create a new tenant from a Service Provider:

• call createTenantAsyncUsingPOST to start the tenant creation.
• call getCreateTenantAsyncStatusUsingGET repeatedly until the returned status indicates that the tenant creation is complete.
• call getCreateTenantAsyncResultUsingGet to get the tenant creation result.

The following APIs to support registration of FIDO tokens using the administration API have been added in this release.

• GET /api/web/v1/fidotokens/challenge/{id} (startCreateFIDOTokenUsingGET)
• POST /api/web/v1/fidotokens/complete/{id} (completeCreateFIDOTokenUsingPOST)

The following APIs to support the management of Magic Links for registration have been added in this release.

• PUT /api/web/v1/users/{userid}/magiclink (createMagicLinkUsingPUT)
• DELETE /api/web/v1/users/{userid}/magiclink (deleteMagicLinkUsingDELETE)

The following APIs have been deprecated in this release.

• POST /api/web/v4/tenants (createTenantUsingPOST). Tenants should be created using the new asynchronous methods described above.
• GET /api/web/v1/serviceipaddresses (getServiceIPAddressesUsingGET). IDaaS accounts now have fixed IP addresses.

The following models have been added in this release.

• CreateTenantSyncStatus contains the information returned from getCreateTenantAsyncStatusUsingGET.
• FIDORegisterChallenge contains the information returned from startCreateFIDOTokenUsingGET.
• FIDORegisterResponse contains the information passed to completeCreateFIDOTokenUsingPOST.
• MagicLinkCreateParms contains the parameters passed to createMagicLinkUsingPUT.
• MagicLinkResponse contains the information returned from createMagicLinkUsingPUT.
• UserAlternateEmails contains information about alternative email addresses available to a user.

The following models have been modified in this release.

• id has been added to AuthApiApplicationParms. When creating an authentication API application, the unique UUID of the application can be specified. If an ID is not specified, a random unique ID is generated for the new application.
• created and lastModified have been added to Group. These values specify the date when the Group was created and last modified.
• lockedAuthenticators in User has been deprecated. Use lockedAuthenticatorTypes instead.
• alternateEmails has been added to User. This value lists all the alternate email addresses defined for the user.
• magicLinkEnabled has been added to User. This flag indicates whether magic links are enabled for the user.
• aliasMappingName has been added to Directory. This value specifies the list of directory attributes whose values will be mapped to user aliases.
• previousHostname has been added to Tenant. If set, this value specifies the previous hostname of an account after it has been renamed.

Changes to Identity as a Service SDKs​

1. The order of parameters in the API functions may change. Refer to the clients' documentation for the correct order.
2. The python SDK no longer supports accessing properties using dictionary keys. Access properties using object attributes.
3. IDaaS no longer accepts paths that end in /. For example, previously both /api/web/v4/async/tenants and /api/web/v4/async/tenants/ would have been accepted. Now only /api/web/v4/async/tenants will work.
4. The 5.30 and 5.31 Java SDKs did not support models from newer versions of IDaaS that contain new attributes. This issue has been fixed in the 5.32 SDKs.

Supported TLS Ciphers​

IDaaS supports the following TLS Ciphers.

TLSv1.3:

• TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)

TSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)

Support for the following TLS Ciphers were removed in IDaaS 5.32.

TLSv1.2:

• TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048)
• TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048)
• TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)

Clients should stop using the following TLS Ciphers. Support for them will be removed in a future release.

TLSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)

Enterprise Service Gateway Deprecation​

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.32 and the three previous releases 5.29, 5.30 and 5.31). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.

Browser Deprecation​

Microsoft no longer supports Internet Explorer 11. Identity as a Service ceased support for Internet Explorer 11 after May 2023.

Device Verification using Certificates​

A new Device Certificates risk factor has been added to Resource Rules. When configured, this risk factor requires that the client be able to perform client-authenticated SSL with a certificate issued from a trusted CA to pass.

When configuring Certificate Authorities, the customer can now configure Issuing CAs which is the existing capability of configuring CAs to issue smart credentials and Trusted CAs which is a new capability for configuring CAs that have issued the certificates on the user's devices.

Device certificates are supported for SAML and OIDC applications as well as the IDaaS portals.

Certificate Details for mPKI CA Smart Credentials​

A new Certificate action is available for Smart Credentials using a mPKI CA. The Certificate action lists the certificates issued to the selected Smart Credential and allows an administrator to manage those certificates. Previously this action was only available for Smart Credentials using a PKIaaS CA.

Resource Rule Risk-factor Enhancements​

The Risk-factors in resource rules have been enhanced to include a Deny Access option. When the Deny Access option is enabled for a risk factor, access to the application is denied if that risk factor fails regardless of the results of the other risk factors.

OIDC Claim Enhancements​

Custom OIDC Claims can be defined and associated to any OIDC application. Claims can be defined to always be returned with User Info or with the ID Token. The way attributes are mapped to OIDC claims has been improved.

Microsoft AD Strong Authentication​

Microsoft Windows is changing to require that certificates used for smart-card login include the user's security identifier as an extension. IDaaS has been enhanced to include a new user attribute to store the user's security identifier and to encode this value into smart credentials. Additionally, AD and Azure directory sync have been enhanced to retrieve this value from the customer's directory and store it for IDaaS users.

If you have a CA that was created before this release you will need to update the CA configuration to support Security Identifiers.

• For an Entrust PKIaaS CA, there is a new Refresh action available from the IDaaS Issuing Certificate Authority list. This will update the necessary CA configuration.
• For Entrust mPKI or Microsoft CA the certificate profiles managed from the CA will need to be updated.

Identity Provider Enhancements​

The following enhancements have been made to identity providers:

• A new identity provider IDVaaS has been added supporting integration with Entrust's Identity Verification as a Service.
• When configuring an identity provider, additional checks can be configured that ensure IDP claim values match existing IDaaS user attributes to successfully complete IDP authentication.

Administration API Long-Lived Token​

An administration API can be configured to support long-lived tokens. When creating an administration API or refreshing its shared secret, a long-lived token is available if enabled for the application. When invoking an administration endpoint, instead of passing the authentication token returned from the administration API authentication endpoint, the long-lived token can be passed instead. The long-lived token does not expire, meaning that client applications do not need to refresh the authentication token periodically.

User Provisioning using System for Cross-Domain Identity Management (SCIM)​

IDaaS users can now be managed by 3rd-party clients using SCIM.

SAML Enhancements​

The following enhancements have been made to SAML applications:

• A SAML application can now define multiple Assertion Consumer Service (ACS) URLs.
• Each SAML application now has a public endpoint that returns the SAML metadata for the application. This endpoint can be used by SAML service providers that automatically fetch the SAML metadata.
• SAML applications can now be configured to specify the audience returned in SAML assertions. The audience can either be specified in IDaaS or requested from the SAML SP as a parameter.

Manage Inactive Users​

IDaaS now allows a customer to have users be blocked from authenticating if the user has not authenticated in a period of time.

User Search/Report Enhancements​

The following enhancements have been made to user search/export capabilities:

• The user search criteria have been enhanced to allow an administrator to search for users who have not authenticated in a period of time. Previously, only searching for users who had authenticated in a period of time was supported.
• The user export operation has been enhanced to allow an administrator to export customer defined attributes.

Phone/Email Verification APIs​

New administration APIs have been added that allow a customer application to verify that a user owns a given phone number or email address.

User Portal Improvements​

The following enhancements have been made to the user portal:

• Users synchronized from AD were unable to modify any contact values. Now they are only blocked from modifying contact values synchronized from AD. Other contact values can be modified.

New Passkey/FIDO2 Registration Policies​

The following new policies have been added to the Passkey/FIDO2 Authenticator policies to control registration.

• User Verification - controls if the user must be verified or not.
• Resident Key (User ID stored) - controls if the user ID is stored on the token during registration. This is required if the token is to be used for passwordless Passkey authentication where the user does not need to enter their user ID.
• Authenticator Attachment (platform or cross-platform) - controls whether a platform type, cross-platform type or either type of token can be registered.

Additionally, the option to select whether the User ID is stored during registration has been removed from the token registration dialog. The behavior is now controlled by policy.

Rate Limiting​

Rate limiting is now enforced for trial accounts. The current limits are:

• Authentication requests: 5 requests per second (50 requests in a 10-second time window)
• Request to retrieve audits: 1 requests per second (10 requests in a 10-second time window)
• Administration requests: 3 requests per second (30 requests in a 10-second time window)

New Integrations​

The following integrations have been added.

• A new OIDC application template for ConnectWise
• A new SAML application template for ConnectWise ScreenConnect
• A new SAML application template for Epic Hyperdrive. This template is designed to be used with the Entrust Epic Hyperdrive plugin.
• A new SAML application template for Fivetran
• A new SAML application template for Pingdom
• A new RADIUS application template for Sophos XG Firewall

Additionally, the existing RADIUS integration Fortinet has been renamed to Fortinet-FortiGate.

Fixed or changed in this release​

1. Some dates in IDaaS API responses included milliseconds and some did not. Now all date values are consistent and do not include milliseconds. (31481)
2. Refreshing the page after changing the user locale in the User portal prompts the user to change the locale back to the original value. (31955)
3. Changing the locale on the login page is not always correctly applied. (31962, 32025, 32107)
4. The TLS configuration of the IdentityGuard Agent on the Enterprise Service Gateway (ESG) has been updated. It now supports TLSv1.2 and TLSv1.3 and the ciphers TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384. (16301, 31970)
5. When importing Mobile SDK push notification credentials into IDaaS, the credentials were rejected if they contained extra fields not used by IDaaS. Now those fields are ignored and the credentials are imported. (32040)
6. When configuring the Knowledge-Based Authenticators Minimum Challenge Size and Default Challenge Size a value of 1 should be allowed. (32523)
7. The error message displayed when trying to delete a group assigned to an unassigned grid card was incorrect. (31475)
8. The messages displayed in the Service Provider portal for the delete tenant dialog and the reset resource rule dialogs were incorrect. (31950)
9. The smart credential activation dialog was not formatted correctly for some locales. (31590)
10. When creating a CA the UI now prevents the administrator from entering a duplicate name. (32507)
11. When creating a custom role the UI crashes when trying to add a group. (32061)
12. When a locale is selected during authentication it is not used if the user needs to register. (32015)
13. When a service provider unlocks administrators of a tenant it should not make service provider administrators in that tenant active. (32382)
14. The audit generated when removing a RADIUS application should not list all the attributes of the application. (31133)
15. Improve the formatting of the Registration Settings page. (31974)
16. When a user has a FIDO/Passkey token registration for another application, the user portal registration should require that the user register a FIDO/Passkey token for the user portal. (31606)
17. The audit displayed when a user used a temporary access code as a replacement for a token erroneously stated Grid authentication instead of Token authentication. (32018)
18. The UI now trims leading and trailing whitespace for the Password Expiry Notification Days setting. (31983)
19. Improved handling if the user currently logged into the user portal does not match the userid specified in the password expiry link. (31927)
20. Improved how the number of days until your password expires shown in the password expiry notification email is calculated. (31976)
21. The smart credential unblock dialog has been refreshed. (31363)
22. If a duplicate expected location is added to the RBA settings an error is now returned. Previously duplicates were removed without error. (29346)
23. Improvements made to the OIDC application audits to remove some UUID values that were audited. (24876)
24. When change the password in the portal for user's in a group with group specific policy for the password expiry the password expiry date from the global policy was used. (32341)
25. Client Credentials Grant for OAuth2 resources are now sorted. (31520)
26. Change Password dialog displayed wrong password rules for Include Lowercase set to Not Allowed. (32383)
27. The User Portal session expiry warning dialog can display negative values until expiry. (32019)
28. Users with alternative email addresses for OTP may not see the Alternative Authentication option during login. (32647)
29. The default Group Name Attribute for AD directory synchronization has been changed from sAMAccountName to cn. This change only applies when creating new directories and not to existing directories. (31090)
30. Access to the user location history page in the Administration portal required the settings View permission which should not be required. (31545)
31. The Export Audits dialog in the Administration portal does not display the Filters value if it is set to 1 Hour. (31944)
32. AD Connector page may crash in the UI the if administrator does not have the necessary permission to view it. (32633, 32656)
33. Dates included in Emails are in English and do not use the user's locale. (15278, 31769)
34. ActiveSync Device authentication issues have been addressed. Only OAuth authentication is supported now. (32199, 32730)
35. Prepare Identity as a Service for Salesforce link in Technical Integration Guide is broken. (32060)
36. Email template preview triggers browser console error. (31899)
37. Unable to set the attribute mapping for an Azure directory configuration. (32512)
38. For APIs that do not return a result, the API guides in the developer portal now show the response as "Successful" instead of "No Response". (31024)

Changes to Identity as a Service APIs​

Authentication API​

The following models have been updated in this release:

• authToken has been added to UserAuthenticateQueryParameters. If passed to the authentication query, the query will determine if authentication is allowed with the given auth token.
• authenticationCompleted has been added to UserAuthenticateQueryResponse. It indicates if further authentication is required when the auth token was passed as a parameter.
• deviceCertAuthDesired has been added to UserAuthenticateQueryResponse. This attribute is currently not used by the public authentication API.
• deviceCertAuthDesired has been added to AuthenticatedResponse. This attribute is currently not used by the public authentication API.
• registrationAuthenticatorAttachment, registrationRequireResidentKey and registrationUserVerification have been added to FIDORegisterChallenge. These attributes are arguments that describe how the FIDO token should be registered.

Administration API​

The following APIs have been added in this release:

• POST /api/web/v1/contact/verification/challenge (contactVerificationChallengeUsingPOST)

  Given a phone or email contact value this method sends an OTP challenge to the contact using email or SMS.

• POST /api/web/v1/contact/verification/authenticate (contactVerificationAuthenticateUsingPOST)

  Validate the challenge generated by a previous call to contactVerificationChallengeUsingPOST.

The following models have been added in this release:

• OTPVerificationChallengeValue contains the parameters passed to contactVerificationChallengeUsingPOST.
• OTPVerificationChallengeResponse contains the response returned from contactVerificationChallengeUsingPOST.
• OTPVerificationAuthenticateValue contains the parameters passed to contactVerificationAuthenticateUsingPOST.
• OTPVerificationAuthenticateResponse contains the response returned from contactVerificationAuthenticateUsingPOST.
• DeviceCertificateContext defines the device certificate context for a resource rule.

The following models have been updated in this release:

• inactivityGracePeriod has been added to GeneralSettings. This attribute specifies the amount of time an administrator can grant to a user who has been deactivated due to inactivity to authenticate.
• manageInactiveUsers has been added to GeneralSettings. This attribute specifies if inactive users are blocked from authenticating.
• userInactivityThreshold has been added to GeneralSettings. This attribute specifies the amount of time a user has to be inactive before they are blocked from authenticating.
• frozen has been added to User. This attribute specifies if a user has been frozen (blocked from authenticating) due to inactivity.
• frozenGracePeriod has been added to User. If a user blocked from authenticating due to inactivity has been granted a grace period for the administrator this attribute specifies when that grace period expires.
• securityId has been added to User and UserParms. This attribute specifies the users security identifier and is used to encode the value into the certificates of their smart credentials which will become a requirement to support Microsoft Windows smart-card login.
• userCreationTime and lastModifiedhave been added to User. These attributes specify the date the user was created and last modified.
• applyGracePeriod has been added to UserParms. This attribute is used to specify a grace period to users who have been blocked from authenticating due to inactivity.
• allowLongLivedToken has been added to AdminApiApplication and AdminApiApplicationParms. This attribute specifies if a long-lived token can be used to authenticate to this admin API application.
• denyAccess has been added to DateTimeContext, DeviceCertificateContext, IpContext, KbaContext, LocationContext, LocationHistoryContext, MachineContext, TransactionContext and TravelVelocityContext. This attribute specifies if access to the application associated with the resource rule is denied if this context does not pass evaluation.
• deviceCertificateContext has been added to ResourceRule. This attribute returns the device certificate context of a resource rule.
• deviceCertificateContext and removeDeviceCertificateContext have been added to ResourceRuleParms. These attributes allow the device certificate context of a resource rule to be set or deleted.

Enterprise Service Gateway Deprecation​

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.31 and the three previous releases 5.28, 5.29 and 5.30). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.

Microsoft Windows 2012 Deprecation​

Microsoft will stop supporting Windows Server 2012 and Windows Server 2012 R2 in October 2023. At that time, Identity as a Service will no longer support clients running on these platforms where they do not support up-to-date TLS ciphers.

Browser Deprecation​

Microsoft no longer supports Internet Explorer 11. Identity as a Service ceased support for Internet Explorer 11 after May 2023.

SAML Signing Certificate Enhancements​

SAML Signing Certificates have been enhanced to support a signing key and certificate issued by a CA (for example, using a P12 file). Additionally, the option to generate a PKCS#10 certificate-signing request (CSR) has been enhanced to offer stronger key size options, signing algorithm options, and an optional challenge password.

SAML Metadata Enhancements​

Exported SAML Metadata now also contains the set of configured SAML Attributes.

Authentication Locale Enhancements​

When a user chooses a different locale when authenticating to the IDaaS User Portal, the user is given the option to store the new locale as their default. The locale is used to localize any messages (such as an OTP Email or SMS) sent during authentication.

Password Expiry Notification​

IDaaS now includes the ability to deliver password expiry notifications to users when their password approaches or reaches expiry. The expiry notification can be sent using EMail or SMS. EMail notifications can include a link to take the user to the password change dialog in the IDaaS user portal.

FIDO2/Passkey Authentication API Support​

The IDaaS authentication API now includes FIDO2 and Passkey authentication options. APIs for a user to register FIDO2 tokens are also available.

IDaaS Portal Improvements​

The password entry field on the login and password change pages now include an option to view the password.

The change user password dialog has been refactored. Additionally the URL https://<hostname>/#/?redirect=password&userid=<userid> (for example, https://myaccount.us.trustedauth.com/#/?redirect=password&userid=myuserid) takes the user directly to the password change dialog in the User Portal after authentication.

Enterprise Service Gateway Updates​

The version of MS CA Proxy used with IDaaS has been updated. Customers that are using IDaaS with Microsoft CAs should update the version of MS CA Proxy they have installed when they upgrade their ESG.

The ESG install documentation now includes a procedure that describes how to configure the ESG UI to use a public CA issued SSL certificate.

New OIDC Integrations​

A new OIDC/OAuth application template has been added for OAuth2 Native Apps (RFC 6749 section 4.3)

New RADIUS Integrations​

A new RADIUS application template has been added for Fortinet.

Fixed or changed in this release​

1. In past releases some customers encountered issues with their ESG when the underlying VM was modified. This required the ESG be re-initialized to recover. This issue has been addressed. (30855)
2. User Provisioning has been optimized to not perform provisioning for some user changes that do not require reprovisioning. (31311, 31323)
3. Address issues in User Provisioning where users were not provisioned or deprovisioned for some group changes. (31317, 31434)
4. User Provisioning related audits have been improved. (31312, 31294)
5. User Provisioning should not be enabled for Service Providers that are not Premium accounts. (31396)
6. Improvements to User Provisioning where attributes, including locale and some custom attributes, were not provisioned as expected. (31278, 31314, 31341)
7. Improvements to User Provisioning configuration to prevent invalid values from being configured and other UI improvements. (31326, 31461, 31492, 31496)
8. The notification sent to users when an authenticator is locked specified the wrong action. (31376)
9. Improved the label for the Smart Credential > Activation Lifetime setting in the UI. (31411)
10. Differentiate audits for FIDO2 authentication to differentiate when the userId is entered and where it comes from the FIDO2 token. (30284)
11. Improvements to Identity Provider configuration for Microsoft Identity Providers. (29118)
12. Improve audit details when the attribute filters for a SAML application are updated. (29222)
13. Fix a problem with Entrust soft token activation when the maximum time steps policy was set to 1. (31397)
14. Improved error message returned when invalid values were provided for Google Max. Time Steps and Max. Reset Time Steps settings. (29721)
15. Some links to documentation in IDaaS admin portal were broken. (30976)
16. RADIUS applications with External first-factor can now be configured to skip second-factor authentication. (31052)
17. Password blocklist did not allow the last value to be deleted. (31402)
18. Admin API authentication now ignores leading or trailing whitespace in the applicationId. (29297)
19. Improve errors logged when attempting to delete external users using the bulk delete user operation. (29530)
20. Fixed issues with date filters for authentication counts in the Admin Portal dashboard. (31519, 31522)
21. The UI in the Admin Portal for adding custom OIDC attributes has been updated. (31674)
22. Improve the audit for modifying OIDC applications to not include attributes that have not been changed. (31399)
23. The audit for delete grid card showed the action in lowercase. (31423)
24. The Admin Portal did not allow email addresses with leading or trailing whitespace. The whitespace is now automatically trimmed. (28895)
25. When creating a new site role, the option to delete groups was missing. (31189)
26. Log file for IdentityGuard bulk import operation now includes more information about errors. (30645)
27. The Azure AD reauthenticate audit used a non-standard date format for the authorizationDate value. (31443)
28. Generic Device OIDC applications should not be clickable in the User Portal. (30456)
29. When configuring a Microsoft CA in the Admin Portal, fix some formatting issues when the configuration is displayed. (31254)
30. When configuring Authorization, OIDC applications created to support Service Provider administration should not be allowed for Client Credentials Grants. (31419)
31. The list of OIDC applications listed for Add Client Credentials Grant for Authorization should be sorted. (31418)
32. OIDC applications without an Initial Login URI configured should not be clickable in the User Portal. (30458)
33. The IDaaS portal has been improved to support authentication in browsers that do not support local storage which is common for browsers running in protected mode or on mobile devices. (31641, 29604, 27564, 30924, 30224)

Changes to Identity as a Service APIs​

Authentication API​

The following APIs have been added in this release:

• POST /api/web/v1/authentication/passkey (requestPasskeyChallengeUsingPOST)

  Create a Passkey authentication challenge to begin Passkey authentication.

• GET /api/web/v1/self/fidotokens (startFIDORegisterUsingGET)

  Get a FIDO token registration challenge for the authenticated user.

• POST /api/web/v1/self/fidotokens (completeFIDORegisterUsingPOST)

  Complete registration of a FIDO token for the authenticated user.

The following models have been updated in this release:

• FIDORegisterChallenge. This model contains the attributes returned from startFIDORegisterUsingGet.
• FIDORegisterResponse. This model contains the attributes passed to completeFIDORegisterUsingPOST.
• PasskeyChallengeParameters. This model contains the attributes passed to requestPasskeyChallengeUsingPOST.
• PasskeyChallengeResponse. This model contains the attributes returned from requestPasskeyChallengeUsingPOST.

The following models have been updated in this release:

• locale has been added to UserChallengeParameters and UserAuthenticateParameters. If specified, this value specifies the locale to be used when generating messages sent for the authentication challenge or the authentication complete operation. If not specified, the user's default locale is used.
• origin has been added to UserChallengeParameters and UserAuthenticateParameters. If specified, this value specifies the origin of FIDO tokens. Only FIDO tokens registered with this origin are used for authentication.
• In previous releases, the response and newPassword attributes of UserAuthenticateParameters were erroneously labelled as required attributes. These attributes are optional.

Administration API​

The following APIs have been added in this release:

• PUT /api/web/v1/users/{userid}/password/notify (sendPasswordExpiryNotificationUsingPUT)

  This API sends a password expiry notification to the specified user.

The following models have been updated in this release:

• expiryNotificationDate has been added to UserPassword. This attribute specifies the next time that a password expiry notification will be delivered.
• passkeyEnabled has been added to AuthApiApplication. This attribute indicates if the application supports Passkey authentication.
• origin has been added to FIDOToken. This attribute indicates the origin from which this token was registered.
• showNotification has been added to User. This attribute is currently not used.

Enterprise Service Gateway Deprecation​

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.30 and the three previous releases 5.27, 5.28 and 5.29). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.

Microsoft Windows 2012 Deprecation​

Microsoft will stop supporting Windows Server 2012 and Windows Server 2012 R2 in October 2023. At that time, Identity as a Service will no longer support clients running on these platforms where they do not support up-to-date TLS ciphers.

Browser Deprecation​

Microsoft no longer supports Internet Explorer 11. Identity as a Service will cease support for Internet Explorer 11 after May 2023.

User Provisioning​

IDaaS now supports provisioning of users to 3rd-party services using the System for Cross-domain Identity Management (SCIM) protocol. The first release of this feature has been tested against Salesforce.

Identity Provider Enhancements​

The following enhancements have been made to Identity Providers:

• A new user verification policy has been added to require a user to approve a user verification message. When configured, users must approve the message in order to complete verification. Administrators configure the user verification messages on the IDaaS Theme page.

• An Administrator can configure IDaaS to find users using the User Principal Name attribute or an IDaaS custom attribute during Identity Provider authentication. This is in addition to finding users using the Userid/Alias attribute.

Token Reset Bulk Operation​

A new bulk operation to perform token reset for a list of tokens has been added.

New Option on SAML/OIDC Applications to Disable Go Back Button​

A new option has been added to SAML and OIDC applications that allows an administrator to disable the Go Back button that is present during authentication.

Options to configure the User Portal​

The following options have been added to allow an administrator to configure the IDaaS User Portal

• Options to select a default tab and additional tabs that appear on the User Portal. The default tab is the landing page tab when a user logs in.
• A setting to specify the URL of the User Guide User Portal help. If set, the User Guide Help option displays this document instead of the default IDaaS documentation. This allows a customer to provide custom documentation.

Create Grid Action in User Portal​

Users can now create their own grids in the User Portal. Previously, only administrators could create grids for users.

Fixed in this release​

1. When deleting, enabling, or disabling a smart credential from the User portal, the audit specified the Admin portal. (28966, 29007)
2. When changing the variable values of a smart credential, the audit does not indicate which values were changed. (29009)
3. Sync add user audit specified edit permission instead of add permission. (29673)
4. User registration dialog and registration emails for Mobile smart credential contained outdated links for both Android and iOS apps. (30906, 30908)
5. User portal smart credential activation dialog is missing option to download Android and iOS apps. (30877)
6. Updated the encryption of PDF eGrids to use AES-256. (30949)
7. Unable to delete KBA word maps. (30960)
8. Errors updating KBA word maps. (30793)
9. KBA word maps defined in a per group policy were not correctly applied. (30947)
10. Improve the logs generated for the IdentityGuard (Identity Enterprise) import. (30941)
11. When importing tokens using the IdentityGuard (Identity Enterprise) import, the token set name from IDE is imported into the IDaaS token label. (31038)
12. When importing tokens using the IdentityGuard (Identity Enterprise) import, if the token has push authentication enabled, the push authentication is now enabled in IDaaS during import rather than after the first time the user uses the Entrust Identity application after migration. (30899)
13. Creating a smart credential in the User portal sends multiple activate requests. (30248)
14. When adding a contact in the User portal, the generated audit specifies user add. It should be user edit. (29556)
15. When a resource rule is cloned, the UI displays Edit Resource Rule. It should be Add Resource Rule. (31130)
16. When checking user aliases for uniqueness, white space was ignored. White space is significant. (31059)
17. When a resource rule Date/Time context was set without a time zone, it displayed as an unknown value the next time the resource rule was viewed. (30898)
18. When a resource rule Date/Time context was set, the start time may not be set correctly resulting in situations where it was rejected. (30669, 30900)
19. When a second-factor authenticator is checked in the resource rule it should automatically sort above all unselected authenticators. (31015)
20. Display a proper error message if a cloned resource rule is created with an existing name. (31012)
21. When viewing a resource rule as an administrator that does not have write access the External Risk Engine settings should be read-only in the UI. Note that IDaaS correctly rejects the edit request if submitted. (30792)
22. The performance of LDAP queries performed by the directory sync agent on the Enterprise Service Gateway have been improved. (27563)
23. The RADIUS agent option to perform first-factor AD password authentication directly to AD was broken. (30041)
24. The SIEM agent on the Enterprise Service Gateway could stop sending logs to syslog for some network connectivity issues. (30701)
25. The layout of PDF eGrids has been improved. (30657)
26. The authentication types and actions included in the authenticator change notification email are not localized. (30436)
27. Unable to remove the email value from a schedule report. (30655)
28. In the Admin UI, fix the tab order between fields for the EMail Server OAuth Settings page. (30472)
29. When configuring an EMail server to use OAuth, the defined scope may be removed if the OAuth server returns a null scope. (30471)
30. When configuring an EMail server to use OAuth, require the OAuth server to be reauthorized if the OAuth data changes. (30795)
31. When testing EMail server configuration for a server configured to use OAuth, only try the test a single time if the OAuth refresh token is expired. (30785)
32. Improve the audit for Email server configuration changes to show which attributes changed. (30814)
33. When accessing the Email server settings, the OAuth Authorize action should be disabled if the administrator does not have edit permission. (30557)
34. Improve the error messages displayed in the User portal when using FIDO/Passkey authentication. (30384)
35. Reports can get stuck in the schedule state preventing new reports from being started. These reports are now automatically cancelled. (29761, 31164)
36. Accounts with the standard bundle should have access to use IP lists. (30568)
37. The audit generating when modifying User RBA Settings is missing the admin permission. (29717)
38. Fix how the User Portal Change Password dialog is loaded on a slow network so that is does not display until fully rendered. (22039)
39. When modifying Active Sync settings, the Save button should not be enabled until the Test operation completes. (27969)
40. OAuth scopes during authentication are not sorted in the display. (30850)
41. Add gateway audit included information about DB proxy that is not applicable and is now removed. (29472)
42. Audit for unassigning a grid from a user should include the userId of the user. (29339)
43. When all user entitlements have been consumed, synchronizing an inactive user fails. Inactive users do not consume an entitlement. (29135)
44. Warning message displayed when editing a resource rule that has Identity Providers associated with it should only be displayed for resource rules associated with OIDC and SAML applications. (30823)
45. The default Date Range for audit and authentication searches performed on the Admin portal dashboard has been changed from 24 hours to 1 hour.
46. All new Facebook Identity Providers must use openid scope. (31350)

Changes to Identity as a Service APIs​

1. IDaaS API documentation has been refactored and moved to the Developer Portal
2. Dropped support for .NET Core 3.1 for CSharp clients and added support for .NET Framework 4.8.

Changes in this release​

The following changes have been made to address issues or enhance existing functionality.

1. All existing Facebook Identity Providers that do not use openid will require an update to use openid.

Authentication API​

The following APIs have been updated in this release:

• POST /api/web/v2/authentication/users (userAuthenticatorQueryUsingPOST)

• POST /api/web/v1/authentication/users (userAuthenticatorQueryUsingPOST)

• POST /api/web/api/v1/authentication/users (userAuthenticatorQueryUsingPOST) - returnDefaultChallenge has been added to UserAuthenticateQueryParameters. This attribute is used to indicate whether a challenge should be returned for the default authenticator. - The following attributes are also added to UserAuthenticateQueryParameters to support returning the default challenge--see UserChallengeParameters for details: summary, priority, requestDetail, pushMessageIdentifier, tokenPushMutualChallengeEnabled, offlineTVS - UserAuthenticateQueryResponse has been updated to include the following attributes with the default challenge information--see AuthenticatedResponse for details: otpDeliveryType, kbaChallenge, gridChallenge, tokenDetails, fidoChallenge, tokenChallenge, tempAccessCodeChallenge, tokenPushMutualChallenge - authenticatorLockoutStatus has been added to UserAuthenticateQueryResponse. This attribute contains detailed user authenticator lockout information. This behavior is controlled by the General policy enableEnhancedAuthenticationDetails.

• POST /api/web/v1/authentication/users/authenticate/{authenticator}/complete (userAuthenticateUsingPOST)

• POST /api/web/api/v1/authentication/users/authenticate/{authenticator}/complete (userAuthenticateUsingPOST) - Providing a JWT in the Authorization header is now optional. This change allows to authenticate a user with a single API call for authenticators that do not require a challenge.

Enterprise Service Gateway Deprecation​

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.29 and the three previous releases 5.26, 5.27 and 5.28). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway O/S.

Microsoft Windows 2012 Deprecation​

Microsoft will stop supporting Windows Server 2012 and Windows Server 2012 R2 in October 2023. At that time, Identity as a Service may no longer support clients running on these platforms where they do not support up-to-date TLS ciphers.

Browser Deprecation​

Microsoft no longer supports Internet Explorer 11. Identity as a Service will cease support for Internet Explorer 11 after May 2023.

External Risk Engine Support​

IDaaS has extended risk-based authentication to include risk factors from external providers. These external providers can track additional information about a user session to determine whether this is likely the user. Only authentications using the Authentication API support External Risk Engines.

PDF eGrid Automatic Delivery​

Grid delivery can be configured so that a PDF eGrid is automatically delivered to the user when a new grid is created. Additionally, a new option has been added to registration so that a grid is automatically created when a user is created.

Resource Rule Improvements​

The following enhancements have been made to resource rules:

• For customers that are not using resource rule contexts to choose between different risk levels, a new simplified resource rule is shown that hides all of the unused configurations.
• When creating an additional resource rule for an application, the existing resource rule can be cloned.
• The information included in an authentication audit has been enhanced to show how the authentication decision was reached.

Fixed in this release​

The following issues have been fixed in this release.

1. A bash script has been added to the Enterprise Gateway to allow administrators to easily configure the static IP address of the Enterprise Gateway. The script can be found at /home/entrust/tools/setup_static_ip.sh and requires sudo privileges to run. The script prompts for the interface name, IP address, netmask, network gateway, and DNS server. After the script runs, users must then use the cockpit to register the Enterprise Gateway with Identity as a Service. (30106)
2. IDaaS features that use OAuth to authenticate to 3rd-party services have been refactored to use common OAuth functionality. These services include External Email, secure device provisioning, and Azure AD directories. Improvements include better handling of expired auth tokens. (30467)
3. A customer can now create multiple bulk operations of the same type. The bulk operations will be queued and run one at a time. Previously a second bulk operation could not be created until the first operation had completed. (29735)
4. FIDO2/Passkey token registration error handling in the User portal has been improved to better handle the error caused when the user has registered the maximum allowed number of FIDO2/Passkey tokens. (30403)
5. The password state icon shown in the User portal authenticator list could be truncated. (30451)
6. The subject of Emails sent to deliver eGrids to users were not translated for non-English locales. (30431)
7. Improved the bulk operation create dialog display when a long description is entered. (30506)
8. Audits generated when a user was updated as part of a directory sync operation indicated the audit was for the Gateway Agent instead of the user. Also, all user attributes were listed instead of just the attributes that changed. (28154)
9. Enhanced the user list password expiry filter to differentiate between a password that has expired and a password that never expires. (28311)
10. The AD Connector Delete Group operation has been renamed from "Delete Group" to "Delete AD Connector Group" so that it does not get confused with deleting IDaaS groups. (29769)
11. Importing a grid export file generated by Identity Enterprise was broken. (30493)
12. Password could not be reused even after password history was cleared. (30083)
13. An OIDC Generic Server Application should not show the "Authentication Flow" option because this type of OIDC application does not support the standard authentication flows. (30376)
14. Disable input fields when displaying a resource rule for administrators that do not have write access. The Save button was correctly disabled. (30569)

Changes to Identity as a Service APIs​

The swagger files provided for the IDaaS APIs have been updated from Swagger (OpenAPI 2.0) to OpenAPI 3.0.

Authentication API​

The concept of self-management APIs has been introduced and are included in the IDaaS authentication APIs. To use a self-management API, the customer application must do the following:

• Use the authentication API to authenticate the end user which generates an authToken.
• Call a self-management API providing the authToken as an authentication token. The self-management API will act on the user associated with the authToken.

The following self-management APIs have been added in this release:

• POST /api/web/v1/self/values (selfSetUserClientValuesUsingPOST) - store the specified list of name/value pairs for the user.
• GET /api/web/v1/self/values (selfGetUserClientValuesUsingGET) - return the stored name/value pairs from the user.
• PUT /opt/web/v1/self/values (selfDeleteUserClientValuesUsingPUT) - delete the named name/value pairs from the user.

The following models have been added in this release:

• UserClientValue defines a name/value pair that is passed to selfSetUserClientValuesUsingPOST and returned from selfGetUserClientValuesUsingGET.

User client values can be used by any application using an IDaaS authentication API application to manage user client values used by client applications.

Administration API​

The following attributes have been added to existing models:

• userValuesEnabled has been added to AuthApiApplication and AuthApiApplicationParms. This boolean value indicates whether user client values can be managed for this application.
• defaultGrid has been added to GeneralSettings. This boolean value indicates if a grid should be automatically created for a new user.
• riskEngineContext has been added to ResourceRule and ResourceRuleParms. This attribute is a list of TransactonContext and specifies external risk engines to apply to the risk authentication.

In previous versions of the Administration API swagger file, the method unblockSmartCredentialUsingPUT was incorrectly defined to return the type SmartCredentialUnblockParms. It should have been SmartCredentialUnblockResponse.

Enterprise Service Gateway Deprecation​

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.28 and the three previous releases 5.25, 5.26 and 5.27). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway O/S.

Microsoft Windows 2012 Deprecation​

Microsoft will stop supporting Windows Server 2012 and Windows Server 2012 R2 in October 2023. At that time, Identity as a Service may no longer support clients running on these platforms where they do not support up-to-date TLS ciphers.

Browser Deprecation​

Microsoft no longer supports Internet Explorer 11. Identity as a Service will cease support for Internet Explorer 11 after May 2023.