
Release 5.17


Feature Bundles

Identity as a Service tenants are now assigned a feature bundle. The bundle determines the Identity as a Service features available to the Tenant account. See About Service Provider bundles in the Service Provider guide for more information.

Mobile Device Fingerprint

Identity as a Service now supports validation of machine authentication with Android and iOS device fingerprints.

Enhanced OTP-based authentication with the ability to choose delivery contact

Administrators can now create custom attributes to allow users to use alternate email, voice, or SMS delivery options for OTP authentication. When configured, an alternative OTP delivery attribute can be set as the default delivery method. If a user has both a default delivery contact and an alternate delivery contact, the user can click Alternative Authentication on the second-factor login screen and choose another OTP delivery contact.

The OTP delivery options appear on the user login screen with masked values. For email addresses, the first three characters and the domain name are not masked. For example, support@entrust.com is shown as sup***@entrust.com. For phone numbers, the last 4 digits are not masked. For example, +12345678910 is shown as ******8910. Note that for short email addresses the actual address may be visible.
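The masking rules above, written out as an added example that is not Entrust's code. The fixed-width masks are inferred from the two samples in the note, and local_part_exposed() makes the short-address caveat testable:

```python
"""Masking of OTP delivery contacts as the release note describes them.

Added example, not Entrust's code. The rules are taken from the note's two
samples (support@entrust.com -> sup***@entrust.com, +12345678910 -> ******8910):
a fixed-width mask replaces the hidden part, so the display does not leak how
long the hidden part is. The "short email" caveat from the note is made
explicit by local_part_exposed().
"""

EMAIL_VISIBLE_PREFIX = 3      # characters of the local part left readable
PHONE_VISIBLE_SUFFIX = 4      # trailing digits left readable
EMAIL_MASK = "***"            # fixed-width masks inferred from the note's samples
PHONE_MASK = "******"


def mask_email(address: str) -> str:
    """support@entrust.com -> sup***@entrust.com"""
    local, at, domain = address.partition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return f"{local[:EMAIL_VISIBLE_PREFIX]}{EMAIL_MASK}@{domain}"


def mask_phone(number: str) -> str:
    """+12345678910 -> ******8910 (only digits count, formatting is dropped)."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) <= PHONE_VISIBLE_SUFFIX:
        raise ValueError(f"phone number too short to mask: {number!r}")
    return f"{PHONE_MASK}{digits[-PHONE_VISIBLE_SUFFIX:]}"


def local_part_exposed(address: str) -> bool:
    """True when masking hides nothing of the local part (the note's caveat).

    A local part of three or fewer characters is shown in full, e.g.
    ab@example.com -> ab***@example.com still reveals the whole address.
    """
    local = address.partition("@")[0]
    return len(local) <= EMAIL_VISIBLE_PREFIX


def mask_contact(value: str, contact_type: str) -> str:
    """Dispatch on the contact type. "email" / "phone" are labels chosen here,
    standing in for the per-attribute type the administration API exposes."""
    if contact_type == "email":
        return mask_email(value)
    if contact_type == "phone":
        return mask_phone(value)
    raise ValueError(f"unknown contact type: {contact_type!r}")


if __name__ == "__main__":
    # Constructed sample contacts, including one short address that stays readable.
    for value, kind in [("support@entrust.com", "email"),
                        ("+12345678910", "phone"),
                        ("ab@example.com", "email")]:
        flag = " (local part fully visible)" if kind == "email" and local_part_exposed(value) else ""
        print(f"{value:>22} -> {mask_contact(value, kind)}{flag}")
```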

SIEM Syslog Application

SIEM integration with Identity as a Service allows audit logs to be sent to syslog through an Enterprise Service Gateway. The Syslog SIEM application downloads audit logs from Identity as a Service into your Enterprise Service Gateway and publishes them to your on-premise SIEM syslog server.

There are two known limitations with this feature:

  • the date for the audit logged with SIEM is the time that the audit was written to SIEM rather than the time the audit was generated in Identity as a Service.
  • communication from the SIEM agent on the Enterprise Service Gateway to the SIEM system does not use the network proxy if it is configured for the gateway.

Unlock Rate Limitation

To keep accounts safe, Identity as a Service now allows only one password unlock within a given period of time. Users must now wait 15 minutes between password unlock requests. A warning appears if a request is issued before the waiting period elapses. When enabled, users receive an email notification for any password lock, unlock, or unlock attempt on their account.

New Service Provider Roles

This release includes two new Service Provider roles:

  • Users with the Customer Support Agent role can reset resource rules, unlock administrators, view usage reports, and view account entitlements.

  • The API Account On-boarding role can add tenants using the administration API calls.

Changes to Administration Portal

The following enhancements have been made to the administration portal:

  • The risk-based authentication (RBA) expected locations table now includes a filter option to search by country and a delete option for each row.

New SAML Integrations

New SAML application templates have been added for Asana Enterprise, Expensify, monday.com, Sumo Logic and Workfront.

Changes to Identity as a Service APIs

The following changes have been made to the authentication API:

The following attributes have been added to models in the authentication API.

  • otpContactValues has been added to OTPDetails. This attribute lists the contact values available for delivering an OTP and is returned from userAuthenticateQuery.
  • otpDeliveryAttribute has been added to OTPDetails. This attribute specifies the default OTP delivery attribute and is returned from userAuthenticateQuery.
  • supportChoosingOtpDelivery has been added to UserAuthenticateQueryParameters. If a client supports selecting which contact value to use for delivering the OTP, this attribute should be set to true.
  • otpDeliveryAttribute has been added to UserChallengeParameters. It specifies the name of the OTP contact value to use to deliver the OTP if selected by the client.

The following changes have been made to the administration API:

The versions of the following administration APIs have been changed to v4. The create tenant and set entitlement APIs now require the bundle type attribute to be set, which was previously ignored. The other APIs have not been changed; their versions have been bumped only for consistency.

  • createTenantsUsingPOST
  • removeTenantUsingDELETE
  • getTenantUsingGET
  • getTenantsPageUsingPOST
  • lockTenantUsingPUT
  • unlockTenantUsingPUT
  • getTenantEntitlementsUsingGET
  • getTenantEntitlementUsingGET
  • setTenantEntitlementUsingPUT
  • getEntitlementUsageInfoUsingPOST

A new value NONE was added to the enumerated type OTPDeliveryType in OTPAuthenticatorSettings. A new version v3 was created for the APIs getOTPAuthenticatorSettingsUsingGET and updateOTPAuthenticatorSettingsUsingPUT to support the enumerated type change.

The following attributes have been added to models in the administration API to support OTP contact value changes.

  • otpDefaultDeliveryAttribute has been added to OTPAuthenticatorSettings. This setting specifies the user attribute to be used to deliver the OTP when no attribute is specified.
  • showOtpDeliveryContact has been added to OTPAuthenticatorSettings. This setting specifies whether the OTP contact value should be shown by the client.
  • userExtraAttributes has been added to User and UserParms. These attributes are used to manage the extra OTP contact values for a user.
  • type has been added to UserAttribute and UserAttributeParms. This attribute specifies the type of a user attribute, indicating whether it is a phone number or an email address when used as an OTP contact value.

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version and the three previous releases). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway O/S.

Browser Deprecation

In August 2021 Microsoft will no longer support Internet Explorer 11 for Office 365 (Microsoft's statement). At that time, Identity as a Service will also cease support for Internet Explorer 11.

Release 5.16


Support PKI as a Service (PKIaaS)

Entrust now provides a new PKI as a Service (PKIaaS) capability, as described in the Entrust PKI as a Service documentation. Identity as a Service customers who have purchased the Smart Login capability now have the option to use PKI as a Service as the CA that issues certificates to their smart credentials. A PKI as a Service CA can be provisioned and managed from Identity as a Service without the additional setup required for the other CAs supported by Identity as a Service.

OAuth Resource Server API Protection

Identity as a Service now supports OAuth (OAuth 2.0 and 2.1) Resource Server API protection. Resource Server APIs and associated scopes can be defined and used with various OAuth use cases, including Authorization Code and Client Credentials grants to issue OAuth access tokens. The existing OpenID Connect (OIDC) applications are now classified as either Web, Single-Page App (SPA), or Server applications. These applications can now also be used with OAuth. Additionally, refresh tokens can now be issued with both OIDC and OAuth access tokens. Refresh tokens can also be revoked.

The following OIDC/OAuth endpoints are deprecated and will be removed in a future Identity as a Service release. Each is replaced by the corresponding endpoint shown after the arrow.

  • /api/oidc/OIDC/authorize -> /api/oidc/authorize
  • /api/oidc/OIDC/token -> /api/oidc/token
  • /api/oidc/OIDC/userinfo -> /api/oidc/userinfo
  • /api/oidc/OIDC/error -> /api/oidc/errors
  • /api/oidc/OIDC/logout -> /api/oidc/endsession

OIDC Grant Type Deprecation

The Implicit grant type has security implications. It will not be supported with OAuth application flows. It is currently supported with OpenID Connect (OIDC) but is deprecated. It will be removed in a future Identity as a Service release. Applications using the Implicit grant type should use the Authorization Code grant type with Proof Key for Code Exchange (PKCE) instead.
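The Authorization Code with PKCE flow recommended above, as an added example that is not Entrust's code: a stand-in authorization server models the checks the authorize and token steps must make, and the client id, redirect URI and endpoint names are constructed.

```python
"""Authorization Code + PKCE (RFC 7636) instead of the deprecated Implicit grant.

Added example, not Entrust's code. The stand-in authorization server below
models what the two endpoints of that flow must check; the client and redirect
values are constructed. It shows the properties behind the recommendation: no
access token ever appears in a browser URL, an authorization code is single-use,
and a code is worthless without the code_verifier only the real client holds.
"""
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier; 32 random bytes give the minimum 43 characters."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Minimal model of an authorize + token endpoint pair enforcing PKCE."""

    def __init__(self) -> None:
        self._pending: dict = {}     # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, code_challenge_method: str = "S256") -> str:
        """Front-channel step: returns only an authorization code, never a token."""
        if code_challenge_method != "S256":
            raise ValueError("plain method refused; only S256 is accepted")
        code = b64url(secrets.token_bytes(24))
        self._pending[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, client_id: str, redirect_uri: str,
              code: str, code_verifier: str):
        """Back-channel exchange; None means the request is rejected."""
        entry = self._pending.pop(code, None)      # single use: a replayed code is gone
        if entry is None:
            return None
        bound_client, bound_redirect, challenge = entry
        if (bound_client, bound_redirect) != (client_id, redirect_uri):
            return None
        if not 43 <= len(code_verifier) <= 128:     # RFC 7636 section 4.1 length bounds
            return None
        if not secrets.compare_digest(make_code_challenge(code_verifier), challenge):
            return None                             # code presented without the matching verifier
        return {"access_token": b64url(secrets.token_bytes(32)),
                "token_type": "Bearer"}


def run_flow(without_verifier: bool = False):
    """Whole exchange; with without_verifier=True the code is redeemed by a party
    that saw the code in the redirect but never had the original verifier."""
    server = AuthorizationServer()
    client, redirect = "spa-client", "https://app.example.com/callback"   # constructed
    verifier = make_code_verifier()
    code = server.authorize(client, redirect, make_code_challenge(verifier))
    if without_verifier:
        return server.token(client, redirect, code, make_code_verifier())  # fresh, wrong verifier
    return server.token(client, redirect, code, verifier)


if __name__ == "__main__":
    print("legitimate client :", run_flow())
    print("code, no verifier :", run_flow(without_verifier=True))
```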

Support for Entrust Mobile Soft Token Transaction Queueing

Entrust Identity as a Service can now be configured to allow Mobile Soft Token transactions to be queued. Previously, if a transaction was not confirmed before another one was received, the first transaction was overwritten. Transactions may now also be prioritized.

New SAML Integrations and Rebranding

New SAML application templates have been added for Awardco, Citrix Workspace, Datadog, KnowBe4, Smartsheet and Zoho One. CitrixOnline has been rebranded as LogMeIn GoTo Apps and G Suite has been rebranded as Google Workspace.

SMS OTP Message Changed

The format of the SMS OTP Message has changed from

12345678 is your Entrust Identity as a Service OTP.

to

Your Entrust Identity as a Service OTP is 12345678.

The service name (Entrust Identity as a Service) can be customized.

Changes to Administration Portal

The following enhancements have been made to the administration portal:

  • for service providers, the last super admin user in the account can no longer be deleted.
  • when an administrator creates a password for a user, "Change is required on first use" is now checked by default.
  • the Unassign action is now available for hardware tokens listed in a user's authenticators list. Previously, Unassign was only available from the Assigned Tokens list.

Changes to IdentityGuard Agent

The IdentityGuard Agent in the 5.16 gateway has been changed as follows:

  • Improved interoperability with IdentityGuard clients performing token push authentication when fallback to token authentication is required.
  • Support for TLS versions 1.0 and 1.1 has been removed.
  • Support for the TLS ciphers TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, and SSL_RSA_WITH_3DES_EDE_CBC_SHA that don't support perfect forward secrecy have been removed.

Service Provider Expired Trial Account Removal

Expired Trial accounts are automatically locked and they can no longer be accessed by tenants. Identity as a Service has a new daily process that scans these accounts and performs the following actions:

  • Removes Trial accounts that are locked and that have been expired for 180 days. No recovery is possible when this happens.
  • Sends an email with the list of accounts that have been removed or that will be removed shortly. Notifications are sent 14 and 7 days before removal. Note that this requires that the service provider account has notifications enabled (see Settings > Notifications).

Changes to Identity as a Service APIs

The following changes have been made to the authentication API:

  • a new attribute priority has been added to the UserChallengeParameters. This attribute can be used to specify the priority of a push transaction.

The following APIs have been added to the administration API. These APIs are currently only supported for certificates associated with smart credentials issued from a PKIaaS CA.

  • exportCertificateUsingGET. This API exports a certificate associated with a smart credential.
  • holdCertificateUsingPUT. Put a certificate associated with a smart credential on hold.
  • revokeCertificateUsingPUT. Revoke a certificate associated with a smart credential.
  • unholdCertificateUsingPUT. Remove a certificate associated with a smart credential from hold.

The following APIs have been modified in the administration API.

  • a new boolean attribute revocationInfo has been added to the API getSmartCredentialUsingGET. If specified as true, the current revocation status of all the certificates associated with the smart credential being fetched is retrieved from the CA. If the attribute is not specified, it defaults to false. This attribute is only supported for smart credentials issued from a PKIaaS CA.

The following attributes have been added to models in the administration API.

  • digitalIdType has been added to DigitalIdCert. This value specifies whether the certificate is associated with the PIV Card Holder or PIV Card Digital ID of the smart credential.
  • pivContainer has been added to DigitalIdCert. This value specifies the name of the PIV Container on the Smart Credential in which this certificate (and its private key) is stored.
  • status has been added to DigitalIdCert. This value specifies the revocation status of the certificate if retrieved from the CA. Currently this value is only supported for certificates issued from a PKIaaS CA.
  • maxNumberOfPushTransactionsQueued has been added to GeneralSettings. This value specifies the maximum number of push transactions that can be queued.
  • pushTransactionLifetime has been added to GeneralSettings. This value specifies the lifetime of a push transaction.

Browser Deprecation

In August 2021 Microsoft will no longer support Internet Explorer 11 for Office 365 (Microsoft's statement). At that time, Identity as a Service will also cease support for Internet Explorer 11.

Release 5.15


New SAML Integrations

New SAML application templates have been added for AppDynamics, Atlassian Access, BambooHR, Envoy, Jamf Pro, MuleSoft, PagerDuty, Snowflake, and Splunk.

Generic LDAP Sync

In addition to the existing Active Directory (AD) and Azure AD sync and password authentication functionality, Identity as a Service now supports user and group synchronization, password authentication, and password management (change, unlock, and reset) from non-AD LDAP directories.

In some LDAP directories, if an account becomes locked due to too many incorrect password attempts, the account unlock feature may return an error preventing the user from unlocking their account. If this occurs, use one of the following workarounds:

  1. Disable the User Unlock Account setting and enable the "Enable Forgot Password" setting in the Identity as a Service Password Authenticator Settings (Settings > Authenticators > Password). Doing this allows users to complete the reset password flow and clears the account lock after the password has been successfully reset. See Modify password authenticator settings.
  2. Modify your LDAP schema to remove the NO-USER-MODIFICATION flag from the pwdAccountLockedTime attribute, so that the attribute can be removed without requiring the user's password to be changed or reset.

AD Connector enhancements

  • AD Connector can now be used for password authentication, password change and password reset scenarios for the users imported by the AD Connector.
  • Redundant instances of AD Connector can now be created to support high availability setups.
  • AD Connector can now be used in Cloud App federation integrations (SAML, OIDC) for the users imported by the AD connector by supporting custom AD attributes.
  • AD Connector can now optionally import short user aliases together with the other login formats.

Browser Deprecations

In August 2021 Microsoft will no longer support Internet Explorer 11 for Office 365 (Microsoft's statement). At that time, Identity as a Service will also cease support for Internet Explorer 11.

Changes to Identity as a Service APIs

The following changes have been made to the Administration APIs:

  • A new attribute groupObjectClass has been added to the DirectorySync. This value specifies the directory object class that contains a user's group membership.
  • A new attribute type has been added to the Directory with values AD and LDAP. This value specifies the type of directory from which users can be synchronized.

Release 5.14


New SAML integrations

New SAML application templates have been added for Docusign, Dropbox Business, RingCentral, ServiceNow, Tableau, and Zoom.

Browser Deprecations

In August 2021 Microsoft will no longer support Internet Explorer 11 for Office 365 (Microsoft's statement). At that time, Identity as a Service will also cease support for Internet Explorer 11.

Support for new languages

Support for the following languages has been added: Dutch, Turkish, and Traditional Chinese.

User Interface improvements

  • You can now enter a list of RADIUS hostnames instead of a single comma-separated list of hostnames.
  • The Entrust Soft Token activation process has been improved to make it easier to activate your token on mobile and desktop devices.
  • The Google Authenticator activation now displays the manual activation parameters, making it easier to activate on a TOTP-compliant application.
  • The Add Application page now includes a search bar to make it easier to find the application template you are looking for.

Bulk Operation enhancements

The import user and import user/group bulk operations now log all results to a file that can be downloaded.

Changes to Identity as a Service APIs

A new API logoutUsingPOST has been added to the authentication API, allowing the application to log out its session.

The following deprecated API endpoints have been removed from the administration API:

  • listUnassignedTokensUsingGET replaced by unassignedTokenPageUsingPOST
  • listAssignedTokensUsingGET replaced by assignedTokenPageUsingPOST

Release 5.13


CORS Policy

In order to improve the security of the platform, the default CORS policy for Identity as a Service has been updated so that it is disabled by default. This may impact some customers who are calling the Identity as a Service APIs from their Web applications. If you are affected, enable CORS in the General Settings page of your Identity as a Service account and add your Web application's origin to the list of allowed Origins.
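What an origin allow-list of this shape has to enforce, as an added example that is not Entrust's code. GeneralSettings is a constructed stand-in carrying the corsEnabled and corsOrigins attributes; the exact-match rules are what a resource server should do, not a description of the product's internals:

```python
"""Origin allow-list check behind a corsEnabled / corsOrigins style setting.

Added example, not Entrust's code. GeneralSettings here is a constructed
stand-in that carries the two attributes named in the release notes; the
matching rules (exact scheme + host + port, no substring matching, off by
default) are what a resource server should do and are not a description of
the product's internals.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class GeneralSettings:
    cors_enabled: bool = False            # disabled by default, as in release 5.13
    cors_origins: list = field(default_factory=list)


def normalise_origin(origin: str) -> Optional[str]:
    """Canonical 'scheme://host:port' for comparison, or None if not an origin.

    Browsers send Origin as scheme://host[:port] with no path; a configured
    value with a stray trailing slash is tolerated, anything else is rejected.
    """
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:                    # non-numeric port
        return None
    return f"{parts.scheme}://{parts.hostname}:{port}"


def cors_response_headers(settings: GeneralSettings,
                          request_origin: Optional[str]) -> Optional[dict]:
    """Headers to add to the response, or None when the request must not be allowed.

    Only an exact match against the configured list succeeds: a different scheme
    or port, or a host that merely starts with an allowed one, is refused, and
    the response echoes the single matching origin rather than '*'.
    """
    if not settings.cors_enabled or request_origin is None:
        return None
    wanted = normalise_origin(request_origin)
    if wanted is None:
        return None
    allowed = {normalise_origin(o) for o in settings.cors_origins}
    allowed.discard(None)
    if wanted not in allowed:
        return None
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Vary": "Origin",                 # caches must not serve one origin's answer to another
    }


if __name__ == "__main__":
    # Constructed settings: a single allowed web-application origin.
    settings = GeneralSettings(cors_enabled=True, cors_origins=["https://app.example.com/"])
    for origin in ["https://app.example.com", "https://APP.example.com:443",
                   "http://app.example.com", "https://app.example.com.evil.test", "null"]:
        verdict = "allowed" if cors_response_headers(settings, origin) else "refused"
        print(f"{origin:>36} -> {verdict}")
```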

Email Template Customization

Identity as a Service has been enhanced to allow full customization of email templates when the account has been configured to use your own mail server. When your account is using the Identity as a Service mail server, only limited email customization is available.

New SAML Integrations

New SAML application templates have been added for Dell Boomi, Oracle EPM Cloud and Zendesk.

Unlock password without having to reset it

A new option has been added to the Password Settings to allow users to unlock their password without having to change it when it has been locked.

Password unlock is supported for local users and users synced from On-Premise Active Directory. Password unlock for users synced from Azure AD is not supported at this time.

Get Started Wizard

A Get Started Wizard has been added to the Dashboard page to help set up Identity as a Service.

Smart Credential Enhancements

The following enhancements have been made to smart credentials.

  • When configuring a smart credential definition, you can now specify the CA of the PIV Content Signer explicitly, or you can have the PIV Content Signer come from the same CA as the digital ID configurations, which is the existing behavior.

  • A smart credential can be created without digital id configurations.

  • When activating a smart credential using the administration API, enrollment values can be specified. If the values are specified during activation rather than stored with the smart credential, the values are cached instead of stored in the database and are automatically removed after the smart credential is encoded. You may want to use this capability if you are encoding sensitive information onto the smart credential that you do not want stored in the Identity as a Service database.

  • A user image can be provided as an additional attribute when activating a smart credential. If present, the user image is encoded onto the mobile smart credential.

External Authentication Bypass Second-Factor Authentication

A new setting has been added to resource rules to allow users that do not exist in Entrust Identity as a Service to bypass second-factor authentication if the performed first-factor is external authentication.

OATH HOTP Token Support

Entrust Identity as a Service has added support for OATH HOTP (event-based) hardware tokens to be used as a second-factor authenticator. The event window and reset event window settings for OATH HOTP tokens can be configured in the Hardware Token settings.
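HOTP validation with a look-ahead window, as an added example that is not Entrust's code. The note only names the event window and reset event window settings; the semantics modelled here (a normal look-ahead for single OTPs, a wider window searched only when two consecutive OTPs are supplied to re-synchronise) are assumptions, and the RFC 4226 test secret is used as sample input:

```python
"""OATH HOTP (RFC 4226) validation with a look-ahead event window.

Added example, not Entrust's code. The release note only names the "event
window" and "reset event window" settings; the semantics modelled here are
assumptions: the event window is how many counter values ahead of the last
accepted one a single OTP may be, and the larger reset window is searched
only when the user supplies two consecutive OTPs to re-synchronise a token
whose button was pressed many times. The server counter only ever moves
forward, so an OTP that was already accepted cannot be replayed.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpValidator:
    """Server-side state for one hardware token."""

    def __init__(self, secret: bytes, event_window: int,
                 reset_event_window: int, digits: int = 6):
        self.secret = secret
        self.digits = digits
        self.event_window = event_window                # normal look-ahead
        self.reset_event_window = reset_event_window    # wider look-ahead, resync only
        self.counter = 0                                # next counter value not yet consumed

    def _matches(self, code: str, counter: int) -> bool:
        return hmac.compare_digest(hotp(self.secret, counter, self.digits), code)

    def verify(self, code: str) -> bool:
        """Accept the OTP if it lies in [counter, counter + event_window)."""
        for c in range(self.counter, self.counter + self.event_window):
            if self._matches(code, c):
                self.counter = c + 1                    # also skips values the user burned
                return True
        return False

    def resync(self, first: str, second: str) -> bool:
        """Two consecutive OTPs anywhere in the reset window re-synchronise the token."""
        for c in range(self.counter, self.counter + self.reset_event_window):
            if self._matches(first, c) and self._matches(second, c + 1):
                self.counter = c + 2
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 Appendix D test secret; its OTP sequence starts 755224, 287082, 359152, ...
    seed = b"12345678901234567890"
    v = HotpValidator(seed, event_window=3, reset_event_window=10)
    print("first use 755224 :", v.verify("755224"))           # True, counter -> 1
    print("replay    755224 :", v.verify("755224"))           # False, already consumed
    print("counter 9 520489 :", v.verify("520489"))           # False, beyond window [1, 4)
    print("resync 8 and 9   :", v.resync("399871", "520489")) # True, counter -> 10
```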

Bulk Assign Hardware Tokens

A new bulk operation to assign hardware tokens to users has been added. The bulk upload is a CSV file containing "userId" and "serialNumber" columns. The following is a sample CSV for bulk assigning hardware tokens:

userId,serialNumber
user1,1234567
user2,2345678
user3,3456789

Service Provider Usage Reports

The Usage Report CSV file includes two new columns for Consumed and Previously Consumed Entitlements. The consumed column value depends on the entitlementType:

| entitlementType | The consumed column value represents |
| --------------- | ------------------------------------------------ |
| USERS | the number of ACTIVE users |
| SMSVOICE | the number of SMS/Voice credits used |
| IDPROOFING | the number of ID Proofing transactions completed |
| ISSUANCE | the number of credentials successfully printed |

The consumedPrevPeriod column value shows the same values as the consumed column but in the previous month.

The serviceBundle column value for the USERS entitlementType has changed from DEFAULT to PLUS.

Changes to Identity as a Service APIs

The following changes have been made to the Administration APIs:

  • A new attribute corsEnabled has been added to the GeneralSettings. When enabled, cross-origin requests that match the values specified in corsOrigins are allowed. When disabled, cross-origin requests are not allowed.
  • A new attribute corsOrigins has been added to the GeneralSettings. When configuring CORS on the Settings page, it passes a list of allowed CORS origins.
  • A new attribute showOnboardingWizard has been added to the GeneralSettings. When enabled, the Onboarding Wizard will be shown on the Admin Portal Dashboard.
  • A new attribute skipSecondFactorIfUserNotExist has been added to ResourceRule. When enabled, a user that does not exist will skip second-factor authentication.
  • A new attribute algorithmType has been added to Token. This value specifies the algorithm used by the token to generate OTPs.
  • A new attribute additionalUserInfo has been added to ActivateSmartCredentialParms. This attribute can be used to specify additional parameters passed to the smart credential when it is encoded.

API Deprecations

The following API endpoints are deprecated and will be removed in Identity as a Service 5.14:

| Name | Operation | Replacement |
| ------------------------------- | ---------------------------- | ---------------------------- |
| List Unassigned Hardware Tokens | listUnassignedTokensUsingGET | unassignedTokenPageUsingPOST |
| List Assigned Hardware Tokens | listAssignedTokensUsingGET | assignedTokenPageUsingPOST |

Release 5.12


New SAML Integrations

A new SAML application template has been added for Workday.

Generate Unassigned Grid Cards

Identity as a Service has been enhanced to allow you to create a large number of grid cards at a time. The maximum number you can generate at one time is dependent on your entitlement quantity.

Microsoft CA Support

Support for renewed root and subordinate (i.e., intermediate) CAs has been added.

SMS/Voice Entitlements

A new credit-based entitlement is introduced for OTP delivery by SMS or Voice. Tenants that want to continue using OTP authentication along with SMS or Voice delivery will require a new contract with their Service Provider. E-mail OTP delivery will still be freely available for users with a valid email address.

Enhancements in LDAP configuration of Entrust managed PKI CA

You can now use a secure LDAP connection between Entrust and your Entrust Managed PKI CA. You can also optionally provide a username and password for an authenticated LDAP connection.

Changes to SAML IDP Initiated Login

Previously when a SAML IDP Initiated Login was performed, the user was prompted to choose whether to open the application in a new window or use the existing window. This option has been removed and now the application is always opened in a new window.

Changes to Identity as a Service APIs

The following changes have been made to the Administration APIs:

  • A new attribute smsVoice has been added to the EntitlementParms object. It defines the SMS/Voice entitlement attributes.

API Deprecations

The following API endpoints are deprecated and will be removed in Identity as a Service 5.14:

| Name | Operation | Replacement |
| ------------------------------- | ---------------------------- | ---------------------------- |
| List Unassigned Hardware Tokens | listUnassignedTokensUsingGET | unassignedTokenPageUsingPOST |
| List Assigned Hardware Tokens | listAssignedTokensUsingGET | assignedTokenPageUsingPOST |

Release 5.11


IntelliTrust Rename

As of release 5.11, the name of IntelliTrust has been changed to Identity as a Service. There is no change in functionality of your existing instance of IntelliTrust apart from the features and functionalities mentioned in these release notes.

Transaction Context Risk Support with Resource-based Authentication

Risk-based authentication has been enhanced to verify whether transaction details included in an authentication request match the transaction rules defined in the resource rules. Transactions that do not match the transaction rules add risk to the authentication. Only authentications using the Authentication API support Transactions.

SAML Signing Certificate Enhancements

SAML Signing Certificates have been enhanced to support certificates issued by a CA and existing self-signed certificates. To replace the default self-signed certificate with a certificate issued by a CA, there is an option to generate a PKCS#10 certificate-signing request (CSR). Your CA uses the CSR to generate a certificate which is returned to Identity as a Service as either a PKCS#7 certificate response or a list of certificates. The existing Download option has been enhanced to support options to export the SAML certificate, the root CA certificate, or the entire PKCS#7 certificate chain.

SAML Integrations

New SAML application templates have been added for Coupa and WhiteSource.

Administration Restrictions based on Group Membership

Administration roles have been enhanced to include restrictions on the groups an administrator can access. A role can be configured to have access to all groups, own groups (the groups the administrator belongs to), or a specific list of groups. An administrator can only access users and user authenticators that belong to a group to which they have access. Additionally, unassigned grids and tokens can be assigned to groups with similar access restrictions. Related to these changes, the ability to filter by group has been added to the assigned and unassigned grid and token list pages.

Disable Single Sign-On for Portal Applications

It is now possible to disable Single Sign-On for portal applications. Previously, this was only available for SAML and OIDC applications. This option is enabled by default for new accounts.

Support user-based lock instead of authentication-based

The General Settings page includes a Lockout Mode setting. This setting controls whether a locked-out authenticator locks the user or only locks the authenticator. Previously, only the authenticator was locked out.

Changes to Identity as a Service APIs

The following changes have been made to the Authentication APIs:

  • A new attribute transactionDetails has been added to the UserAuthenticateQueryParameters object. This attribute passes in transaction details for resource-based authentication based on transaction rules.

The following changes have been made to the Administration APIs:

  • The validateUserPassword API response attribute adComplexity now returns true or false based on the contents of the password. Previously, if the AD Complexity password setting was disabled, the result would always return true.
  • New objects TransactionContext and TransactionRuleRisk have been added as part of resource-based authentication support for transaction rules.
  • A new attribute transactionContexts has been added to the ResourceRuleParms object. It defines the transaction rules with resource-based authentication.
  • A new attribute transactionContexts has been added to the ResourceRule object. It associates transaction rules with resource-based authentication.
  • A new API endpoint GET /api/web/v1/transactionrules (getTransactionRulesUsingGET) has been added that returns a list of configured transaction rules. A transaction rule is defined by a new object TransactionRuleDescription. Transaction rules are used with Resource-based authentication.
  • A new API endpoint POST /api/web/v1/tokenspaged/unassigned (unassignedTokenPageUsingPOST) has been added. This endpoint provides the ability to list unassigned hardware tokens with server side searching and paging.
  • A new API endpoint PUT /api/web/v1/tokens/{tokenid} (modifyTokenUsingPUT) and new object TokenParms has been added. This endpoint provides the ability to modify the group membership of an unassigned hardware token.
  • A new API endpoint PUT /api/web/v2/grids/{gridid} (modifyUnassignedGridUsingPUT) and new object GridParms has been added. This endpoint provides the ability to modify the group membership of an unassigned grid.
  • A new search criterion groupId is now supported in SearchParms when listing assigned or unassigned grids or tokens. This attribute allows you to list grids or tokens in a specified group.
  • A new attribute groups has been added to Token. When fetching unassigned hardware tokens, the groups attribute returns the hardware token group membership.
  • A new attribute groups has been added to Grid. When fetching unassigned grids, the groups attribute returns the grid group memberships.
  • A new attribute groups has been added to GridCreateParms. When creating unassigned grids, the groups attribute can be used to optionally specify the group membership of the new grids.
  • New attributes groupManagement and groupIds have been added to Role. When fetching a role these attributes specify the groups that the role can manage.
  • A new attribute lockoutMode has been added to GeneralSettings. The attribute is returned when fetching general settings and can be set when modifying the general settings.

API Deprecations

The following API endpoints are deprecated and will be removed in Identity as a Service 5.14:

| Name | Operation | Replacement |
| ------------------------------- | ---------------------------- | ---------------------------- |
| List Unassigned Hardware Tokens | listUnassignedTokensUsingGET | unassignedTokenPageUsingPOST |
| List Assigned Hardware Tokens | listAssignedTokensUsingGET | assignedTokenPageUsingPOST |

Release 5.10


SAML Attribute Editor

IntelliTrust has a new SAML Attribute Editor. Using the editor, administrators can customize the SAML assertions sent to Service Provider applications with additional user attributes, groups, or authenticators.

IntelliTrust Oracle Eloqua Integration

A new application template has been added for Oracle Eloqua integration. Use this application template to quickly configure Oracle Eloqua for SAML authentication through IntelliTrust.

Usage Notifications

IntelliTrust now notifies the tenant and its MSP about the usage of user entitlements. An email is sent to the tenant and its MSP when their consumption has reached 50%, 75%, 95%, and 100% of their entitlements.

Users Expiration Notifications

IntelliTrust now notifies the tenant and its MSP about the expiry of Production and Unknown accounts. An email is sent to the tenant and its MSP when their expiry is due in 8, 4, and 2 weeks.

Microsoft Certificate Authority Proxy Upgrade

The Microsoft Certificate Authority (CA) Proxy has been upgraded to version 1.6.0. If you are using a Microsoft CA with Smart Credentials, you should upgrade the Microsoft Proxy to 1.6.0 and the Enterprise Service Gateway to 5.10.

See the Administration Guide for complete details on how to upgrade your Microsoft CA Proxy.

IntelliTrust AD Connector

A link has been added to the Gateways page for downloading the latest version of the IntelliTrust AD Connector.

Warnings for Insecure Authenticator Policies

IntelliTrust now warns you when you attempt to save an insecure policy for your authenticators. This applies to the following authenticators:

  • Password
  • Grid
  • OTP
  • Temporary Access Code (TAC)

Note: IntelliTrust does not block you from saving these policies; the warning is displayed when you click Save. Use policies that meet your security requirements.

Issuance Accounts

The following capability has been added to Issuance accounts:

  • Ability to crop photographs during enrollment automatically using face detection or manually

Changes to IntelliTrust APIs

The following deprecated API operations have been removed per the deprecation schedule:

  • listAssignedGridsUsingGET
  • auditEventReportUsingPOST
  • listUnassignedGridsUsingGET
  • usersUsingGET
  • getTenantsUsingGET

Release 5.9

· 4 min read

SAML Metadata Import

IntelliTrust now supports importing SAML metadata files when configuring SAML applications. Some SAML Service Providers provide metadata XML files that contain the details on how to configure the application. Supported fields include:

  • Assertion Consumer Service URL
  • Service Provider Entity ID (Issuer)
  • Single Logout Service URL
  • SAML Signing Certificate
  • SAML NameID Encoding Format
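The fields listed above are exactly what an importer has to pull out of an SP's metadata XML. The following is an added example, not Entrust's code, of a parser that extracts them from a constructed sample document (the placeholder certificate value in it is not a real certificate; the SAML metadata and XML-DSig namespaces are the real ones). It also applies two checks a practitioner would want: it refuses DOCTYPE-bearing metadata, since the file is third-party input, and it rejects non-https endpoints, since assertions and logout messages carry bearer data.

```python
"""Parse the SP metadata fields an IdP-side metadata import needs.

Added example (not Entrust code). Standard library only; the sample metadata
below is constructed and its X509Certificate value is a placeholder.
"""
from dataclasses import dataclass
from typing import Optional
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed SP metadata: two ACS endpoints, the second flagged as default.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.com/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAplaceholder
          notarealcertificate0000000000000000000000000000000000
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.com/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs-legacy" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs" index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


@dataclass
class SpConfig:
    entity_id: str
    acs_url: str
    slo_url: Optional[str]
    signing_cert_pem: Optional[str]
    name_id_format: Optional[str]


def _https(url: Optional[str], what: str) -> str:
    # Assertions and logout messages are bearer data; never post them in clear.
    if not url or not url.lower().startswith("https://"):
        raise ValueError(f"{what} must be an https URL, got {url!r}")
    return url


def parse_sp_metadata(xml_text: str) -> SpConfig:
    # Metadata is third-party input. Refuse DOCTYPEs (entity expansion) outright;
    # in production parse with defusedxml instead of the stdlib parser.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE not allowed in SAML metadata")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID missing")

    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: not Service Provider metadata")

    # Default ACS: the one flagged isDefault, else the lowest index.
    acs_nodes = sp.findall("md:AssertionConsumerService", NS)
    if not acs_nodes:
        raise ValueError("no AssertionConsumerService")
    defaults = [a for a in acs_nodes if a.get("isDefault", "").lower() == "true"]
    acs = defaults[0] if defaults else min(acs_nodes, key=lambda a: int(a.get("index", "0")))
    acs_url = _https(acs.get("Location"), "Assertion Consumer Service URL")

    slo = sp.find("md:SingleLogoutService", NS)
    slo_url = _https(slo.get("Location"), "Single Logout Service URL") if slo is not None else None

    # KeyDescriptor with use="signing", or with no use attribute (meaning both uses).
    cert_pem = None
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if node is not None and node.text and node.text.strip():
                b64 = "".join(node.text.split())
                body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
                cert_pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
                break

    nid = sp.find("md:NameIDFormat", NS)
    name_id_format = nid.text.strip() if nid is not None and nid.text else None

    return SpConfig(entity_id, acs_url, slo_url, cert_pem, name_id_format)


if __name__ == "__main__":
    print(parse_sp_metadata(SAMPLE_SP_METADATA))
```

Whatever imports the signing certificate, confirm its fingerprint with the Service Provider out of band: metadata downloaded over the network is only as trustworthy as the channel it arrived on, and the certificate it carries is what the IdP will trust for signed AuthnRequests.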

User Last Authentication Time

An administrator now has the ability to see the last authentication time of a user. When an administrator lists users in the admin portal, the last authentication time displays in a column in the Users list.

Push Authentication Support for RADIUS EAP Applications

IntelliTrust now supports push authentication for EAP-enabled RADIUS applications. This can be used with the Entrust Soft Token and Mobile Smart Credential authenticators.

Preview - IntelliTrust AD Connector

You can now incrementally sync users from an on-premises Active Directory using the lightweight AD Connector native Windows application.

AD Connector will detect any changes for users and groups inside your Active Directory and send only the required updates to your IntelliTrust tenant.

Note: This feature is being released as a preview. See the Known Issues and Limitations page for more details.

Smart Credential Revocation Enhancement

When a smart credential (or the user who owns the smart credential) is deleted or disabled, the associated certificates are revoked in the CA. Previously, if the CA was not available, the smart credential could not be deleted or disabled in IntelliTrust. A new setting, "Skip Revocation", has been added to the CA configuration. When selected, IntelliTrust continues to delete or disable the smart credential even if revocation fails. When not selected, the delete or disable operation fails. If IntelliTrust does not revoke the certificates, they remain valid in the CA until an administrator revokes them directly in the CA.
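The two branches above are easy to get wrong in an integration, so here is an added example, not Entrust's code, that models the delete/disable flow against a constructed in-memory CA client. The CA, credential and outcome types are stand-ins for the behaviour described; the point is the failure mode: with Skip Revocation off, an unreachable CA leaves the credential enabled, and with it on, the credential is disabled but its certificates are still valid and must be reported for manual revocation.

```python
"""Model of the smart credential delete/disable flow with Skip Revocation.

Added example, not Entrust code. ConstructedCa stands in for the real CA
client; only the decision logic is the subject here.
"""
from dataclasses import dataclass, field
from typing import List


class CaUnavailable(Exception):
    """Raised by the CA client when the CA cannot be reached."""


class RevocationFailed(Exception):
    """Delete/disable refused: revocation failed and Skip Revocation is off."""


class ConstructedCa:
    """Constructed in-memory CA client: revokes by serial, or fails when offline."""

    def __init__(self, online: bool = True) -> None:
        self.online = online
        self.revoked: List[str] = []

    def revoke(self, serial: str) -> None:
        if not self.online:
            raise CaUnavailable("CA unreachable")
        self.revoked.append(serial)


@dataclass
class SmartCredential:
    user: str
    cert_serials: List[str]
    enabled: bool = True


@dataclass
class Outcome:
    disabled: bool
    revoked: List[str] = field(default_factory=list)
    # Certificates the CA still considers valid; an administrator must revoke
    # these directly in the CA.
    needs_manual_revocation: List[str] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)


def disable_smart_credential(cred: SmartCredential, ca, skip_revocation: bool) -> Outcome:
    out = Outcome(disabled=False)
    for serial in cred.cert_serials:
        try:
            ca.revoke(serial)
            out.revoked.append(serial)
            out.audit.append(f"revoked {serial} for {cred.user}")
        except CaUnavailable as exc:
            if not skip_revocation:
                # Default: the operation fails and the credential stays enabled.
                # Revocations already done cannot be undone, so they are reported.
                raise RevocationFailed(
                    f"{cred.user}: CA unavailable ({exc}); already revoked {out.revoked}"
                ) from exc
            # Skip Revocation: carry on, but make the gap visible in the audit trail.
            out.needs_manual_revocation.append(serial)
            out.audit.append(f"SKIPPED revocation of {serial} for {cred.user}: {exc}")
    cred.enabled = False
    out.disabled = True
    return out


if __name__ == "__main__":
    cred = SmartCredential(user="alice", cert_serials=["1A", "2B"])
    result = disable_smart_credential(cred, ConstructedCa(online=False), skip_revocation=True)
    print(result)
```

If Skip Revocation is enabled, treat every "SKIPPED revocation" audit entry as a work item: until the serial is revoked at the CA, a disabled user still holds a certificate that any relying party checking CRL/OCSP will accept.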

New Apache Authentication Integration

A new integration has been added that allows you to configure your Apache HTTP server to use IntelliTrust for multi-factor authentication.

See the Apache Filter technical integration guide for details on how to configure your Apache server.

Issuance Accounts

The following capabilities have been added to Issuance accounts:

  • Support for defining credential designs
  • Enrolling applicants for credentials including support for bulk enrollment and enrollment from mobile devices
  • Printing credentials
  • Issuing mobile flashpass credentials to Apple iOS and Google Android devices
  • Improvements for printer management including enhanced printer onboarding and print queue support
  • Support for Sigma and DTC printers

Miscellaneous Improvements

  • When authenticating, clicking on the "Resend OTP" button will now display a visual confirmation that a new OTP was sent. In addition, the "Resend OTP" button will be disabled for 5 seconds in order to prevent multiple OTPs from being delivered in a short period of time.
  • The Password Settings have been updated to use more inclusive language. "Password Blacklist" has been renamed to the "Password Blocklist".
  • The Scheduled Reports page now includes an option to enable and disable reports.
  • It is now possible to schedule a usage report using the filters applied on the Tenants list page.

Changes to IntelliTrust APIs

The following have been added to the Administration APIs:

  • The following changes to roles and permissions have been made in this release:
    - A new Directory Password permission has been added, which grants the right to read the AD Connector directory password.
    - New permissions Credential Designs, Enrollments and Bulk Enrollments have been added. These permissions apply to Issuance accounts and control access to the corresponding capabilities.
    - A new default role AD Connector has been added with the minimum permissions required for the AD Connector application to function.
    - New default roles Issuance Designer and Issuance Supervisor have been added to Issuance accounts.
  • A new user attribute lastAuthTime has been added. It holds the user's last authentication time, which is displayed on the Users list page.
  • New SearchByAttribute operators EXISTS and NOT_EXISTS have been added. For a user's last authentication time, NOT_EXISTS corresponds to the value Never.

The following changes have been made to the Issuance APIs:

  • New methods to access and manage Print Queues have been added.
  • The following APIs have had non-backwards compatible changes:
    - The controller getPrintStatus no longer takes the printer Id as an argument. It is now GET /api/web/v1/printers/print/{printStatusId}
    - The controller updatePrint no longer takes the printer Id as an argument. It is now PATCH /api/web/v1/printers/print/{printStatusId}
  • New options tactileFront and tactileBack have been added to PrinterPreferences related to tactile impression support. These preferences can be set for a printer or specified when submitting a print job.

Release 5.8

· 5 min read

SAML Relay State Support

IntelliTrust now supports the ability to configure a list of relay state values for SAML applications. The configured relay states will appear on a user's My Profile page.

Smart Credential Self-Registration

The registration settings now include support for allowing users to self-register a Smart Credential.

Dashboard System Alerts

The dashboard now displays an alert if IntelliTrust is unable to deliver an email using your custom mail server after five attempts.

Directory Attribute Mappings

In previous versions of IntelliTrust, when configuring the directory attribute mappings you had to provide a mapping for all IntelliTrust System attributes regardless of whether they were mandatory attributes. Custom attributes could be optionally mapped regardless of whether the Custom attribute was mandatory.

This has been changed so that you must only provide directory attribute mappings for attributes (system or custom) that are mandatory. If an attribute is not mandatory, then you do not need to provide a directory attribute mapping for that attribute.

As in previous releases, any users in Active Directory that are missing mandatory attributes will not be synced to IntelliTrust.
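The two rules above (map every mandatory attribute, and skip any directory user that lacks a mandatory attribute) are worth checking before a sync runs. The following is an added example, not Entrust's code: a small validator and sync filter over a constructed attribute list, mapping table and set of Active Directory records. The attribute and directory names are illustrative assumptions.

```python
"""Directory attribute mapping checks. Added example, not Entrust code.

ATTRIBUTES, MAPPINGS and AD_USERS are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Attribute:
    name: str          # IntelliTrust attribute name
    mandatory: bool
    custom: bool = False


# Mix of system and custom attributes, mandatory and optional.
ATTRIBUTES = [
    Attribute("userId", mandatory=True),
    Attribute("email", mandatory=True),
    Attribute("firstName", mandatory=False),
    Attribute("employeeId", mandatory=True, custom=True),
    Attribute("department", mandatory=False, custom=True),
]

# Only the mandatory attributes need a directory mapping.
MAPPINGS = {"userId": "sAMAccountName", "email": "mail", "employeeId": "employeeID"}

# Constructed AD records: bob has no mail, carol has an empty employeeID.
AD_USERS = [
    {"sAMAccountName": "alice", "mail": "alice@example.com", "employeeID": "1001"},
    {"sAMAccountName": "bob", "employeeID": "1002"},
    {"sAMAccountName": "carol", "mail": "carol@example.com", "employeeID": ""},
]


def validate_mappings(attributes: List[Attribute], mappings: Dict[str, str]) -> List[str]:
    """Return the mandatory attributes (system or custom) that have no mapping."""
    return [a.name for a in attributes if a.mandatory and not mappings.get(a.name)]


def syncable_users(
    ad_users: List[dict], attributes: List[Attribute], mappings: Dict[str, str]
) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split directory records into users to sync and users to skip.

    Returns (synced account names, {skipped account name: missing attributes}).
    A record is skipped when any mandatory attribute's directory value is absent
    or empty, as the release note describes.
    """
    unmapped = validate_mappings(attributes, mappings)
    if unmapped:
        raise ValueError(f"mandatory attributes without a mapping: {unmapped}")
    synced: List[str] = []
    skipped: Dict[str, List[str]] = {}
    for rec in ad_users:
        missing = [a.name for a in attributes
                   if a.mandatory and not rec.get(mappings[a.name])]
        if missing:
            skipped[rec["sAMAccountName"]] = missing
        else:
            synced.append(rec["sAMAccountName"])
    return synced, skipped


if __name__ == "__main__":
    print(syncable_users(AD_USERS, ATTRIBUTES, MAPPINGS))
```

Running the filter before a full sync gives you the list of accounts that will silently fail to appear, which is usually the first thing an administrator asks about after a sync.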

Advanced Gateway Agent Settings

It is now possible to control some of the advanced settings of your Gateway Instances. This includes:

  • Password Agent Worker Threads: Set the number of worker threads the Password Agent uses to handle Active Directory password requests.
  • RADIUS Agent Worker Threads: Set the number of worker threads the RADIUS agent uses to handle RADIUS authentication requests. Note: In order to change this setting the Enterprise Service Gateway (ESG) must be at least version 5.8.
  • RADIUS Agent Message Queue Max Time: Set the maximum amount of time a RADIUS message is in the queue waiting to be processed by the RADIUS Agent.

Preview - Azure AD Cloud Sync

You can now sync users directly from Azure Active Directory without the Enterprise Service Gateway.

IntelliTrust will sync users directly from Azure into your IntelliTrust account. Users synced from Azure can also change and reset their Azure AD password through the IntelliTrust portal.

Note: This feature is being released as a preview. See the Known Issues and Limitations page for more details.

RADIUS EAP Improvements

IntelliTrust now supports password for first-factor authentication to EAP-enabled applications. When password is configured, the user is prompted for their IntelliTrust or Active Directory password. Note: EAP password authentication requires Enterprise Service Gateway version 5.8 or later. With earlier versions of the Gateway, RADIUS authentication will fail if PASSWORD is configured as the first-factor.

This release also introduces support to allow users to select the second-factor authenticator they want to use to authenticate to an EAP-enabled application. When enabled, the VPN client prompts the user for the second-factor authenticator from the user's list of available authenticators.

RADIUS Agent Password Authentication Affinity

This release adds the ability to enable Password Agent affinity for RADIUS applications.

If enabled, Active Directory password authentication and change requests that are initiated as part of RADIUS authentication are handled by the same Gateway instance that received the RADIUS request.

If disabled, the request can be handled by any Gateway instance.

Allow Lowering of Entitlements

Service Providers can now lower the entitlement quantity of a tenant to a value lower than the current number of users in that tenant.

Service Provider Contract Mode

This release includes a new Contract Mode feature that allows the creation of Production and Trial tenant accounts. Trial accounts include predefined entitlements that cannot be changed. Trial accounts that are not converted to Production accounts within 30 days are permanently suspended.

Existing accounts are categorized as Unknown. Service Providers should review their accounts and categorize them accordingly as Production or Trial accounts.

Service Provider Usage Reports

This release includes a Usage Report feature. Usage Reports can be scheduled and downloaded in a CSV file.

API Deprecations

The following API endpoints are deprecated and will be removed in IntelliTrust 5.10:

| Name | Operation | Replacement |
| --- | --- | --- |
| List Unassigned Grids | listUnassignedGridsUsingGET | unassignedGridsPageUsingPOST |
| List Assigned Grids | listAssignedGridsUsingGET | assignedGridsPageUsingPOST |
| List Audit Events | auditEventReportUsingPOST | auditEventPageUsingPOST |
| List all users | usersUsingGET | usersPagedUsingPOST |
| List Tenants | getTenantsUsingGET | getTenantsPageUsingPOST |

Changes to IntelliTrust APIs

The following have been added to the Administration APIs:

  • A new endpoint /v1/directorycommons has been added that returns a list of on-premise and Azure AD directories.
  • The following changes to tenant related methods have been made in this release:
    - A new version of the create tenant method "POST /api/web/v2/tenants" has been added.
    - The entitlement argument of this API is now required for both Authentication and Issuance accounts. Previously it was not required for Issuance accounts.
    - The entitlement argument must specify a contractMode value of either PRODUCTION or TRIAL.
    - If the v1 version of this API is called, the new tenant is created with a contractMode of UNKNOWN.
    - A new method that lists a page of tenants "POST /api/web/v1/tenantspaged" has been added. It replaces the existing list tenants method that returned all tenants, which has been deprecated and will be removed in a future release.
    - A new method that lists usage information for the tenant and its child tenants "POST /api/web/v1/tenants/entitlements/usage" has been added.
    - All service provider controllers that return a tenant (including create, get and list) include the new contractMode value. For existing tenants that have no contractMode set, the value returned is UNKNOWN.