Release 3.9

Grid Card enhancements (AAAS-9804)

IntelliTrust has been enhanced to support more grid card features, including:

  • Keep track of the assigned and unassigned grid cards on your account from the Grid Cards page.
  • Generate unassigned grid cards that can be assigned to new users.
  • Recycle grid cards on your account by unassigning grid cards from one user and assigning them to another.

Reset password during authentication (AAAS-10960)

Users can reset their IntelliTrust password when prompted to complete a password authentication challenge. This allows those who have forgotten their password to reset it and complete the password challenge. Password reset can also be used to create a new password for those without one. IntelliTrust account settings must be modified to enable password reset. See the IntelliTrust Administrator Help for more information.

Run IntelliTrust Gateway on Microsoft Hyper-V Servers (AAAS-11470)

IntelliTrust Enterprise Service Gateways can now be run on Microsoft Hyper-V using a virtual hard disk (VHD). IntelliTrust provides the VHD, which is available for download from Home > Gateways List.

Integrate applications using IntelliTrust Administrator APIs (AAAS-10859)

Administrators can integrate IntelliTrust user administration into their application by using the IntelliTrust Administrator REST APIs. Using this IntelliTrust API allows administrators to seamlessly perform administrative actions on IntelliTrust users, such as creating users and assigning authenticators, without navigating to IntelliTrust. For details on integrating using the API, see the IntelliTrust Administrator API Guide available from the help menu in IntelliTrust.

Release 3.8

New Authenticator: Grid Cards (AAAS-9804)

Entrust Datacard's patented grid card is a new addition to the rainbow of authenticators supported by IntelliTrust. A grid card is a low-cost and easy-to-use authenticator that doesn't require a mobile device or specialized hardware. Grid cards can be printed and distributed to users for authentication.

Administrators can customize the SAML assertions and OIDC claims sent to third party applications with two additional user-related attributes. These new attributes allow you to share user group membership information and the list of authenticators used to authenticate the session with third party applications.

Release 3.7

Migrate user authenticators from Entrust IdentityGuard to IntelliTrust (AAAS-8847)

Authenticators configured in an Entrust IdentityGuard account can be moved to, and reused on, an IntelliTrust account. This allows those migrating from Entrust IdentityGuard to IntelliTrust to avoid paying for new authenticators. Entrust Datacard supports migrating knowledge-based authenticators (including question and answer (Q&A) pairs), assigned hardware and software tokens, and unassigned hardware tokens. Entrust IdentityGuard passwords, Token Push authenticators, Smart Credentials, Grid Cards, location history, and registered machine fingerprints cannot be migrated.

Integrate applications using IntelliTrust Authentication APIs (AAAS-10461)

Administrators can integrate IntelliTrust authentication into their application by using the IntelliTrust Authentication REST APIs. Using the IntelliTrust API allows end users a seamless authentication experience without being redirected from the application they are trying to access. For details on integrating using the API, refer to the Developer Guide available from the help menu in IntelliTrust.

Log in using Temporary Access Codes (AAAS-10884)

Temporary Access Codes allow users to log in when they cannot access their primary authenticators. For example, users who forget their mobile device at home can log in with a Temporary Access Code instead of using SMS OTP or Mobile Soft Token. Temporary Access Codes can be used to log in to the IntelliTrust portal, SAML applications, OpenID Connect applications, and RADIUS integrations.

Support for encrypted SAML assertions (AAAS-10414)

IntelliTrust now supports encrypting SAML assertions. Encrypting assertions adds an extra layer of security by making the information unreadable to anyone other than the intended SAML Service Provider. While this feature is provided generically for any SAML application, the only built-in service provider that currently supports it is Salesforce.

Signed SAML metadata (AAAS-10413)

SAML metadata downloaded from IntelliTrust is now signed using the SAML signing certificate. SAML service providers that validate metadata signatures will have a high level of assurance that the metadata has not been tampered with.

Release 3.6

Web proxy support added to Enterprise Service Gateway (AAAS-8783)

The IntelliTrust Gateway has been enhanced to support outbound connections (including 443) using a web/authentication proxy. The gateway's configuration tool now includes options to set your proxy settings. See the IntelliTrust Administrator Help for instructions on configuring an Enterprise Gateway to use a proxy.

Access ADFS application using second factor authentication (AAAS-10347)

Users can now use IntelliTrust two-factor authentication to access Active Directory Federation Services (ADFS). ADFS provides single sign-on access to organizational systems and applications. Additional configuration is required within the IntelliTrust and ADFS accounts to enable IntelliTrust authentication to the ADFS plugin.

Single Logout (SLO) for CitrixOnline application (AAAS-345)

Logging out of a CitrixOnline account automatically logs the user out of their integrated IntelliTrust account. This allows users to save time by not having to log out of their CitrixOnline and IntelliTrust accounts consecutively. Logging out from an IntelliTrust account does not automatically log the user out of their CitrixOnline account.

Release 3.5

Single Logout (SLO) for Salesforce and Office 365 applications (AAAS-345)

Logging out of a Salesforce or Office 365 account automatically logs the user out of their integrated IntelliTrust account. This allows users to save time by not having to log out of their SAML and IntelliTrust accounts consecutively. Logging out from an IntelliTrust account does not automatically log the user out of their SAML account.

Log in to RADIUS applications using Knowledge-based authentication (KBA) (AAAS-8714)

Applications integrated using the RADIUS Agent in the Enterprise Service Gateway can now use knowledge-based authentication (KBA). The application must be connected to an IntelliTrust gateway instance version 3.5 or later and have its resource rule configured appropriately to support knowledge-based authenticators.

Customize resource rules for the IntelliTrust user and administration portals (AAAS-9413)

Administrators can now modify the system-defined resource rules controlling access to the IntelliTrust user and administration portals. This provides greater control over an IntelliTrust account's authentication requirements. System-defined resource rules can be modified to support two-factor authentication or first-factor password authentication. They can also be modified to allow or deny access to users logging in from a specific geographic location. Additional resource rules can be created that control access to IntelliTrust based on group membership.

Release 3.4

Support for Active Directory Lightweight Directory Services (AAAS-9082) (AAAS-9311)

IntelliTrust now supports Active Directory Lightweight Directory Services (AD LDS) as an IntelliTrust synchronization directory. This allows users to be synchronized from AD LDS into IntelliTrust and authenticate user passwords stored in AD LDS.

Support for Desktop IdentityGuard 11.0 (AAAS-8249)

The IdentityGuard Agent in Enterprise Service Gateway version 3.4 has been updated to include support for the V11 APIs required by Entrust Desktop IdentityGuard 11.0. With Desktop IdentityGuard 11 and IntelliTrust, you can now use Email/SMS OTP authentication while online and knowledge-based authentication while offline. IntelliTrust requires Entrust IdentityGuard Desktop 11.0 Patch 299835 or later be installed.

Knowledge-based authentication (KBA) now supported for IdentityGuard applications (AAAS-8652)

Applications integrated using the IdentityGuard Agent in the Enterprise Service Gateway can now use Knowledge-based authentication. The application must be connected to an IntelliTrust gateway instance version 3.4 or later and have its resource rule configured appropriately to support knowledge-based authenticators.

Increased administrative role security (AAAS-9357) (AAAS-9452)

IntelliTrust now has increased role security by allowing administrative roles to be restricted from managing accounts with administrative roles. Each role can be given the ability to manage administrators with any role or administrators with specific roles.

Support for Microsoft Office 365 desktop and mobile applications (AAAS-8939)

IntelliTrust now supports the desktop and mobile Microsoft Office applications. The authentication requirements for logging in to the application account are controlled by the resource rule of the O365 application on IntelliTrust. This support leverages the Active Directory Authentication Libraries (ADAL) and integration through SAML to support authentication.

Provision IntelliTrust users on Box and G Suite accounts (AAAS-8659)

IntelliTrust now supports managing users within your Box and G Suite accounts. Actions performed on IntelliTrust users are automatically performed on the users within the Box or G Suite account. Users created, deleted, or modified on IntelliTrust are automatically created, deleted, or modified on Box or G Suite. This allows for the state of IntelliTrust and Box or G Suite users to remain consistent without any administrative overhead.

Unlock mobile smart credential authenticators through facial recognition (AAAS-8946)

IntelliTrust now supports using facial recognition to unlock mobile Smart Credential authenticators instead of using a PIN. Facial recognition is supported in the Entrust IdentityGuard Mobile Smart Credential 3.2 application installed on iOS and Android devices. IntelliTrust includes new Smart Credential authenticator settings that allow administrators to control whether facial recognition is allowed.

Release 3.3

CA-signed certificates now supported for gateway instances (AAAS-7811)

By default, each gateway instance on IntelliTrust contains a self-signed SSL certificate. Administrators can now replace the self-signed SSL certificate with a certificate issued by a certificate authority (CA). The CA could be a public CA, such as Entrust Certificate Services, or a private CA used by the customer. This certificate will be used for the IdentityGuard Agent and RADIUS EAP capabilities of the Enterprise Service Gateway.

Support for Legacy Entrust hardware token (AAAS-7820)

The Legacy Entrust AT and OT Mini Tokens can now be used with IntelliTrust for authentication. OT tokens are time-based tokens, and AT tokens are hybrid time- and event-based tokens with a single button to display an OTP. These tokens must be bulk loaded into IntelliTrust by an administrator using your existing token seed file. Once loaded, these tokens can be assigned to a user by an administrator, or the user may self-register the token by proving possession using an OTP.

Note: The Entrust Pocket Token and Entrust Flexi Token are not currently supported.

ActiveSync now supported for Microsoft Office 365 (AAAS-7827)

IntelliTrust now supports ActiveSync authentication using an Active Directory or IntelliTrust password. This support leverages SAML (ECP profile) to perform a single factor password authentication. This feature must be explicitly enabled in IntelliTrust under the Office 365 SAML application.

Note: ActiveSync is limited to password authentication and does not support multi-factor authentication.

Protect soft token with facial recognition (AAAS-8946)

IntelliTrust now supports using facial recognition to unlock the Entrust Soft Token application as an alternative to a PIN. Facial recognition is supported on both iOS and Android devices. A new Entrust Soft Token authenticator setting controls whether facial recognition is available for use by the user.

Note: This feature is dependent on the user having the Entrust Mobile Soft Token 3.4 application installed.

Release 3.2

Maximum authenticator setting for resource rules (AAAS-8576)

Each resource rule now includes a setting that defines the maximum level of authentication possible to access an application. The maximum authenticator selected must be greater than or equal to the highest level authenticator type selected for low, medium, and high risk users.

Word mapping for knowledge-based authentication (KBA) (AAAS-7066)

Word mapping allows administrators to configure synonyms, substitutions, and abbreviations for words used in user knowledge-based authentication. Once configured, users can enter a recognized synonym for a word as part of their knowledge-based authentication answer and still successfully pass the challenge. For example, "Dr." can be configured as a valid word in place of "Drive" or "Doctor".

Release 3.1

Users can choose between SMS and email OTP delivery during authentication (AAAS-7568)

A user can now choose between receiving their OTP by email or SMS when completing an OTP authentication challenge. OTP by SMS can only be selected if a mobile device number has been registered to that user's profile. Either of these delivery methods can be used to authenticate to an IntelliTrust or application account.

Download gateway instance TLS certificate from IntelliTrust account (AAAS-7810)

Previously, users could only export a gateway instance TLS certificate by browsing to the IdentityGuard agent of that instance and downloading the certificate. With this release, the self-signed TLS certificate is created on IntelliTrust and downloaded to the gateway during registration. If the gateway is re-registered onto a new gateway appliance, the existing SSL certificate is not replaced. Users with access can download the certificate from the Gateway Instance page on their IntelliTrust account. They can then import the certificate into their RADIUS or IdentityGuard application and successfully configure the application with IntelliTrust.

Company name of account can be modified post-creation (AAAS-8440)

The company name of an IntelliTrust account can be changed after the account has been created. The name can be changed from the account's Theme page on the Administrator portal. Only users with a role granting Edit-level access to the Theme page can modify the company name. Changing the company name of a Service Provider's account does not change the company name of any held tenant accounts.

Release 3.0

Service Provider portal (AAAS-2692) (AAAS-4633)

Those with access can now use the Service Provider portal to perform managerial functions on other IntelliTrust accounts. Key use cases include being able to unlock accounts, delete accounts that are no longer in use, and track account activity metrics for financial purposes. Those logged in to IntelliTrust as a Service Provider can also access the Administrator and User portal features made available by their assigned role.

Risk-based authentication (RBA) (AAAS-3041)

Risk-based authentication (RBA) identifies the level of risk a user represents at each authentication attempt. A user's level of risk is used to define the authentication level required to access IntelliTrust or an application. The feature is useful for those situations where account owners want those seeking access to be immediately accepted, given an extra authentication challenge, or rejected based on their apparent level of risk. The resource rules within each account dictate which risk tests are performed on each user when they attempt to authenticate. The resource rules also dictate what authentication challenges must be performed based on the RBA test results.

Mobile smart credentials available for authentication (AAAS-3831)

Administrators can now use Entrust Datacard's Mobile Smart Credential (MSC) application to authenticate to their IntelliTrust account. Users can use the application to authenticate to IntelliTrust through push authentication or Windows Smart Card Logon (SCLO). An MSC requires access to a configured CA and smart credential definition to be activated.

Internationalization (AAAS-2229)

Users accessing their IntelliTrust account can now change the language of the descriptive text in their IntelliTrust account from their user portal. Account level language changes can be made from the Customization section on the administrator portal.

On-Demand directory synchronization prompt (AAAS-1689)

Administrators can now request the immediate resynchronization of a directory from their account's Directories page. Selecting the On-Demand Sync button forces a directory re-crawl operation, updating your IntelliTrust account with the latest information located on your corporate directory.

Specify SAML assertion/response signing algorithm (AAAS-6784)

Administrators must now select the type of signing algorithm IntelliTrust uses to sign SAML response/assertions to an application when configuring a SAML application for IntelliTrust authentication.

Download account or authentication activity reports (AAAS-7157)

Activity reports can be downloaded from the My Activity or Reports pages. A user can download a copy of their Detailed User Authentication Activity from the My Activity page on the User portal. Users with access can download any Account Audit Event report generated for a selected date range from the Reports page on the Administrator portal. Both reports are downloaded in .CSV file format.