
IDaaS Release Notes


Release 5.37

New in this release

Face Biometric Authentication with Entrust Identity Mobile

The IDaaS Face Biometric Authenticator has been enhanced to support Face Biometrics registered and authenticated from the Entrust Identity Mobile application. Face Biometric authenticators managed on the Entrust Identity Mobile application can be configured so that the user's biometric information is stored on the mobile device rather than in the Onfido cloud.

Face Biometric authentication using the Entrust Identity Mobile app has a user experience similar to token push authentication.

  • The user gets a notification on the mobile device.
  • The mobile app is launched.
  • From the mobile app, the user performs a workflow that does a motion capture of the user's face.
  • The user is authenticated if the motion capture matches their previously registered biometric.

Face Biometric authentication has the option to include a mutual authentication challenge to prevent the user from accidentally responding to an attacker's authentication request.

User Certificate Authentication Matching Policy Update

IDaaS has enhanced its User Certificate Authentication matching policy, enabling fine-grained control for user matching. The new settings allow the configuration of one-to-one mappings between certificate components and user attributes.

The list of supported certificate components has been expanded to include both strong and weak components:

  • Strong components: securityId, sha256PublicKey, subjectKeyIdentifier, serialNumber
  • Weak components: commonName, rfc822Name, userPrincipalName, directoryName, subjectDN

Entrust highly recommends using strong components for user matching. When only weak components are configured, all matching rules must be satisfied to successfully authenticate a user.

In addition, the settings support specifying mandatory and prohibited certificate policy OIDs, ensuring that only certificates with the appropriate policies can be used. This applies to both certificates issued by trusted Certificate Authorities and IDaaS-issued smart credentials.
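The following is an added illustration, not Entrust code, of how the matching policy described above can be evaluated: strong and weak components, the rule that all configured weak rules must hold, and mandatory/prohibited certificate policy OIDs. Certificate components are passed in as a plain dict (extracting them from X.509 is out of scope), the users and certificate are constructed samples, and the behaviour when strong rules are configured (all configured strong rules must match, weak rules are then not consulted) is an assumption the page does not spell out.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Component classes exactly as listed in the release note.
STRONG = {"securityId", "sha256PublicKey", "subjectKeyIdentifier", "serialNumber"}
WEAK = {"commonName", "rfc822Name", "userPrincipalName", "directoryName", "subjectDN"}


@dataclass(frozen=True)
class MatchRule:
    cert_component: str   # one of STRONG | WEAK
    user_attribute: str   # attribute on the user record it is compared with


@dataclass
class MatchingPolicy:
    rules: List[MatchRule]
    mandatory_policy_oids: Set[str] = field(default_factory=set)
    prohibited_policy_oids: Set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        unknown = {r.cert_component for r in self.rules} - (STRONG | WEAK)
        if unknown:
            raise ValueError(f"unsupported certificate component(s): {sorted(unknown)}")


def sha256_public_key(spki_der: bytes) -> str:
    """Hex SHA-256 of the DER SubjectPublicKeyInfo, i.e. the sha256PublicKey component."""
    return hashlib.sha256(spki_der).hexdigest()


def policy_oids_ok(policy: MatchingPolicy, cert_policy_oids: Set[str]) -> bool:
    """Every mandatory OID must be present and no prohibited OID may be present."""
    return (policy.mandatory_policy_oids <= cert_policy_oids
            and not (policy.prohibited_policy_oids & cert_policy_oids))


def match_user(policy: MatchingPolicy, cert: Dict[str, object],
               users: List[Dict[str, object]]) -> Optional[Dict[str, object]]:
    """Return the one user the certificate maps to, or None (no match or ambiguous).

    Release-note rule: with only weak components configured, all rules must hold.
    Assumption (not on the page): when strong rules exist, all of them must match
    and weak rules are ignored for the decision.
    """
    if not policy_oids_ok(policy, set(cert.get("policyOids", ()))):
        return None
    strong_rules = [r for r in policy.rules if r.cert_component in STRONG]
    rules = strong_rules or policy.rules
    if not rules:
        return None
    hits = [u for u in users
            if all(r.cert_component in cert
                   and cert[r.cert_component] == u.get(r.user_attribute)
                   for r in rules)]
    # A certificate that identifies more than one user must not authenticate anyone.
    return hits[0] if len(hits) == 1 else None


# Constructed sample data (not real users, keys or certificates).
SPKI = b"\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01-constructed-spki-bytes"
SAMPLE_USERS = [
    {"userId": "alice", "email": "alice@example.com", "displayName": "Alice Example",
     "certKeyHash": sha256_public_key(SPKI)},
    {"userId": "alice-contractor", "email": "alice@example.com",
     "displayName": "Alice (Contractor)"},
    {"userId": "bob", "email": "bob@example.com", "displayName": "Bob Example"},
]
SAMPLE_CERT = {
    "commonName": "Alice Example",
    "rfc822Name": "alice@example.com",
    "serialNumber": "0A1B2C",
    "sha256PublicKey": sha256_public_key(SPKI),
    "policyOids": {"1.2.3.4.5"},   # constructed placeholder policy OID
}
STRONG_POLICY = MatchingPolicy([MatchRule("sha256PublicKey", "certKeyHash")],
                               mandatory_policy_oids={"1.2.3.4.5"})
WEAK_POLICY = MatchingPolicy([MatchRule("rfc822Name", "email"),
                              MatchRule("commonName", "displayName")])
EMAIL_ONLY_POLICY = MatchingPolicy([MatchRule("rfc822Name", "email")])
PROHIBITED_POLICY = MatchingPolicy([MatchRule("sha256PublicKey", "certKeyHash")],
                                   prohibited_policy_oids={"1.2.3.4.5"})
```

The EMAIL_ONLY_POLICY case shows why a single weak component is a poor matcher: two users share the e-mail address, so the certificate is ambiguous and nobody is authenticated.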

Support for Entrust Identity Mobile Features

The following changes have been made to IDaaS to support new functionality in Entrust Identity.

  • The latitude and longitude of push notification transactions are included in the information sent to the mobile app so that it can display the location from which the transaction was launched.
  • A new policy "Allow Device Biometric Authentication" has been added for Entrust Soft Tokens. This allows an administrator to disable the use of the device biometric for unlocking the mobile app.

User Portal / Admin Portal Enhancements

An end user can select favorite applications in the user portal. Favorite applications are displayed first on the Applications page.

The admin portal has been enhanced to support searching the menu.

Microsoft Entra ID Read-Only Authorization

When adding a Microsoft Entra ID directory to IDaaS for user synchronization, the option to select Read-Only Authorization is provided.

Authentication Notification Enhancements

When enabling User Authenticator Notifications, the administrator can now select which authenticators cause notifications.

FIDO/Passkey Enhancements

FIDO/Passkey authenticators now support subdomains for Relying Party IDs. For example, IDaaS can be configured so that an authenticator registered from register.mydomain.com can be used to authenticate from authenticate.mydomain.com. The Allowed Relying Party ID hostnames policy allows subdomains to be specified.
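As an added example (not Entrust code), the check below applies the WebAuthn Relying Party ID rule to the scenario above: an RP ID of mydomain.com is valid for both register.mydomain.com and authenticate.mydomain.com, while a look-alike host or a bare top-level label is refused. How the Allowed Relying Party ID hostnames policy is matched (an exact entry or a subdomain of one) and the "no single-label RP ID" stand-in for a public-suffix check are assumptions.

```python
from typing import Iterable, Optional
from urllib.parse import urlsplit


def effective_domain(origin: str) -> Optional[str]:
    """Lower-cased host of an https origin; None if the origin is unusable for WebAuthn."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower()


def rp_id_valid_for_host(rp_id: str, host: str) -> bool:
    """WebAuthn rule: the RP ID must equal the host or be a dot-separated suffix of it."""
    return host == rp_id or host.endswith("." + rp_id)


def rp_id_allowed(origin: str, rp_id: str, allowed_hostnames: Iterable[str]) -> bool:
    """Decide whether `rp_id` may be used for a request arriving from `origin`.

    The RP ID must (a) be valid for the origin's host, (b) not be a single label
    such as "com" (simplified stand-in for a public-suffix check; assumption),
    and (c) equal an entry of the allowed hostnames policy or be a subdomain of
    one (assumed policy semantics).
    """
    host = effective_domain(origin)
    if host is None:
        return False
    rp_id = rp_id.lower().rstrip(".")
    if "." not in rp_id:
        return False
    if not rp_id_valid_for_host(rp_id, host):
        return False
    for allowed in allowed_hostnames:
        allowed = allowed.lower().rstrip(".")
        if rp_id == allowed or rp_id.endswith("." + allowed):
            return True
    return False


# Constructed policy value for the scenario in the release note.
ALLOWED_HOSTNAMES = ["mydomain.com"]
```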

SAML/OIDC Enhancements

The following enhancements have been made for SAML and OIDC applications.

  • When configuring a SAML application, a new setting, SAML Max Authentication Age, can be specified. If configured, this setting specifies the maximum time before a user needs to reauthenticate.
  • The ForceAuthn parameter in SAML authentication requests is now supported. If set to true, reauthentication by the user will be required.
  • A SAML ForceAuthn or OIDC max_age request that forces a re-authentication will now preserve the existing IDaaS session.
  • Resource rules that disable SSO no longer apply to reauthenticating the same SAML or OIDC application. Setting the application max authentication age to 0 will disable SSO for the application.
  • If the IDP max authentication age is configured, then a SAML ForceAuthn or OIDC max_age request is propagated to third-party IDPs. The smaller value is used.
  • A new option "Include Authentication Claims" has been added to the OAuth Resource Server configuration. If enabled, the acr, amr, and auth_time claims are included in the OAuth access token.
  • A new option "Show Login Redirect URL in My Profile" has been added to OIDC applications. This setting controls whether the OIDC application with the redirect URL displays in the User portal.
  • OIDC applications with an expired or expiring certificate are now flagged with an icon in the Application List page.
  • When SAML attribute encryption is enabled for a SAML application, the default algorithm is now RSA-OAEP instead of RSA version 1.5.
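The first five items above describe one decision: whether a user with an existing IDaaS session must authenticate again, and what max_age reaches a third-party IDP. The code below is an added illustration of that logic, not Entrust code; the session and times are constructed, and forwarding a SAML ForceAuthn to a third-party IDP as max_age 0 is an assumption the page does not state.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Session:
    session_id: str
    subject: str
    auth_time: int      # epoch seconds of the last user authentication


def reauth_required(now: int, session: Optional[Session], app_max_age: Optional[int],
                    force_authn: bool = False, request_max_age: Optional[int] = None) -> bool:
    """Must the user authenticate again before this SAML/OIDC application gets a response?

    app_max_age: the application's SAML Max Authentication Age (None = not set,
                 0 = SSO disabled for the application).
    force_authn: SAML ForceAuthn=true in the request.
    request_max_age: the OIDC max_age request parameter.
    """
    if session is None or force_authn:
        return True
    if app_max_age == 0:
        return True
    age = now - session.auth_time
    limits = [m for m in (app_max_age, request_max_age) if m is not None]
    return any(age > m for m in limits)


def after_reauth(session: Session, now: int) -> Session:
    """A forced re-authentication keeps the existing IDaaS session (same id) and
    only refreshes its authentication time."""
    return replace(session, auth_time=now)


def propagated_max_age(idp_max_age: Optional[int], force_authn: bool,
                       request_max_age: Optional[int]) -> Optional[int]:
    """max_age to forward to a third-party IDP.

    Forwarded only when the IDP max authentication age is configured; the smaller
    of the configured value and the request's value is used. Assumption: a SAML
    ForceAuthn is forwarded as max_age 0 (immediate re-authentication).
    """
    if idp_max_age is None:
        return None
    candidates = [idp_max_age]
    if force_authn:
        candidates.append(0)
    if request_max_age is not None:
        candidates.append(request_max_age)
    return min(candidates)


# Constructed sample: a session authenticated at t=400, evaluated at t=1000.
SAMPLE_SESSION = Session("sess-1", "alice", auth_time=400)
```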

Token Report Enhancements

The token report now includes additional fields, including the platform for Entrust Soft Tokens and an indication of whether the token supports push notification.

Service Provider Role Updates

Permission to delete tenants has been added to the Service Provider On-boarding Administrator role.

New Integrations

The following integrations have been added.

  • A new SAML application template for Air.
  • A new SAML application template for Druva.
  • A new SAML application template for Freshworks.
  • A new OIDC application template for Freshworks.

Fixed or changed in this release

  1. The FIDO/Passkey authenticator can now be chosen when configuring resource rules for IDaaS ADFS, IDaaS Apache Filter and IDaaS ISAPI application. (35988)
  2. Add missing descriptions for various Email Template variables. (34070, 34069)
  3. Generate audits for Onfido configuration errors detected when performing Face Biometric operations. (37017)
  4. Improve wording of user/authenticator unlock notification email. (36506)
  5. Audit for user portal settings change should not include settings that have not changed. (36654)
  6. User provisioning using SCIM is now supported for accounts with the PLUS bundle. (36658)
  7. Fix broken links and misleading steps in the Microsoft Entra ID EAM integration guide. (36805)
  8. Password expiry notification option to mobile should only be available when the user has a token supporting push notification. (34479)
  9. When an optional attribute is modified for a user synchronized from AD, the Security ID attribute gets modified to null. (34634)
  10. In the User portal, step-up authentication should not be required to view the details of a Face Biometric authenticator. (36292)
  11. The Dashboard shows the wrong count for expired applications if both OIDC and SAML applications have an expired certificate. (36445)
  12. The SecurityID attribute can be modified using the Admin API when it is mapped from the directory. (34403, 33806)
  13. The option to add an Entrust Soft Token from the User portal was erroneously disabled when the user was locked but the lockout had expired. (36692)
  14. IDaaS ESG package registry now includes net-snmp and net-snmp-utils for customers who want to install and configure these packages. (36882)
  15. Offline tokens with Entrust Identity Desktop Credential Provider did not work for the Google Authenticator. (35917)
  16. IDaaS Administration Guide now includes a description of the attributes that can be included in an audit. (36808)
  17. Entrust Soft Token activation audit now includes the platform of the mobile device. (36302)
  18. Add Face Biometric authenticator audit now includes state attribute. (36478)
  19. Option to set Face Biometric authenticator expiry date to Never should not display a date. (36716)
  20. Creating a domain-based Identity Provider is missing the option to select other Identity Providers. (36739)
  21. Identity Provider initiated login not showing organizations. (36665)
  22. When configuring a Microsoft EAM OIDC application, the JSON configuration is missing the default application ID. (37164)

Changes to Identity as a Service APIs

Authentication API

The following changes have been made to the authentication API to support the enhancements made to Face Biometric authentication.

The following changes have been made to existing models:

  • the attribute pushMutualChallenge has been added to the models AuthenticatedResponse and UserAuthenticateQueryResponse. This value contains the mutual authentication challenge that should be displayed to the user. This attribute applies to both token and face biometric authentication. This attribute replaces the existing attribute tokenPushMutualChallenge which still exists in both models but has been deprecated.
  • the attribute pushMutualChallengeEnabled has been added to the models UserAuthenticateQueryParameters and UserChallengeParameters. This value indicates if the client supports mutual authentication challenges. This attribute applies to both token and face biometric authentication. This attribute replaces the existing attribute tokenPushMutualChallengeEnabled which still exists in both models but has been deprecated.
  • the following changes have been made to FaceChallenge:
    - the attribute applicantId has been removed. It was not used in previous releases.
    - the attribute device has been added. This attribute indicates if the Face Biometric was registered on WEB or MOBILE.
    - the attributes id and qrCode have been added. These attributes are not used for authentication.
    - the attributes sdkToken and workflowRunId remain. When authenticating for a mobile Face Biometric authenticator, the sdkToken will be null and the workflowRunId will be the transactionId used to call the authenticate complete method to get the authentication response.

In addition to the changes made to support the enhancements to Face Biometric authentication, the following changes have also been made to the authentication API.

The following method deprecated in an earlier release has been removed:

  • requestPasskeyChallengeUsingPOST (POST /api/web/v1/authentication/passkey)

The following model deprecated in an earlier release has been removed:

  • PasskeyChallengeParameters

The following changes to existing models have been made:

  • the attribute registeredCredentialsNames has been added to FIDORegisterChallenge. This attribute specifies the names of FIDO tokens already registered to the user.

Administration API

The following changes have been made to the administration API to support the enhancements made to Face Biometric authentication.

The following method has been added:

  • sendFaceActivationEmailUsingPUT (PUT /api/web/v1/face/{faceid}/activation). This method sends an email containing a QR code or link used to launch Face Biometric authenticator activation in the mobile app.

The following changes have been made to existing models:

  • the following attributes have been added to FaceAuthenticator:
    - created - the date the authenticator was created.
    - lastUsed - the date the authenticator was last used for authentication.
    - mobile - a flag indicating if the authenticator was registered in the mobile app.
    - serialNumber - an external identifier for the Face Authenticator.
  • the attribute deliverActivationEmail has been added to FaceCreateParms. This flag indicates if an activation email will be sent when a Face Authenticator is created.
  • the attribute id has been added to FaceUpdateParms. This attribute specifies which Face Biometric authenticator is to be updated. If not specified and the user has a single Face Biometric, that authenticator will be updated. If the user has multiple authenticators, an error will be returned.
  • the attribute maxFacesPerUser has been added to GeneralSettings. This policy specifies the maximum number of Face Biometric authenticators a user can have.

In addition to the changes made to support the enhancements to Face Biometric authentication, the following changes have also been made to the administration API.

The following method has been added:

  • deleteTenantEntitlementUsingDELETE (DELETE /api/web/v4/tenants/{tenantid}/entitlements/{type}). This method deletes the specified entitlement from the specified tenant of a service provider.

The following changes to existing models have been made:

  • The attribute subscriptionLineId has been added to Entitlement. This setting is used internally for configuring entitlements of an account.
  • The attribute allowDeviceBiometric has been added to EntrustSTAuthenticatorSettings. This setting specifies if an end user is allowed to use the device biometric to unlock the Entrust Soft Token in the Entrust Identity mobile app.
  • The attribute registeredCredentialsNames has been added to FIDORegisterChallenge. This attribute specifies the names of Passkey/FIDO2 tokens already registered to the user.
  • The attribute overageType has been added to SmsVoice. This setting is used internally for configuring SMS/Voice entitlements of an account.
  • The attribute deleteEntitlement has been added to SmsVoiceParms. This setting is used internally for configuring SMS/Voice entitlements of an account.

Supported TLS Ciphers

IDaaS supports the following TLS Ciphers.

TLSv1.3:

  • TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
  • TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
  • TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)

TLSv1.2:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)

Clients should stop using the following TLS Ciphers. Support for them will be removed in a future release.

TLSv1.2:

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.37 and the three previous releases 5.34, 5.35 and 5.36). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.

ESG was updated to use a new OS in 5.33. In-place upgrade of ESG is only supported for versions 5.33 or later. Versions of ESG older than 5.33 are no longer supported. To upgrade ESGs older than 5.33 to the new version, use the following procedure:

  1. Download the latest Gateway OVA or Hyper-V file from IDaaS and install on a new VM instance.
  2. Add a new Gateway instance to the existing Gateway in IDaaS.
  3. Register the new Gateway instance with IDaaS.
  4. Disable the old Gateway instance.
  5. Repeat these steps to replace all the Gateway instances using older versions of the ESG.

Once the upgrade is complete, the Gateway instances corresponding to the old ESGs can be deleted from IDaaS and the VMs for those ESG instances can be deleted.

Browser Deprecation

Microsoft no longer supports Internet Explorer 11. Identity as a Service ceased support for Internet Explorer 11 after May 2023.

Release 5.36

New in this release

Organizations

IDaaS has been enhanced to support organizations. An IDaaS user can belong to one or more organizations. When the user authenticates using a SAML or OIDC application, the authentication response indicates the organizations to which the user belongs. When a user belongs to multiple organizations, they are also asked to select the organization they are accessing.

Customer applications that support multiple tenants can map their tenants to IDaaS organizations and use this information to determine which tenant the authenticating user is accessing.

Domain-based Identity Provider Selection

Third-party Identity Providers can be configured to be associated with domains.

When an IDaaS authentication flow is configured to support external Identity Providers, it can be configured to use the external Identity Providers associated with a user's domain.

This allows a customer to define a single authentication flow that applies to users using different Identity Providers based on the user's domain.

Face Biometric Authenticator using Onfido

A new authenticator "Face Biometric" has been added to IDaaS. This authenticator uses Onfido technology to perform strong biometric authentication of a user. The Face Biometric authenticator is available when authenticating to SAML and OIDC applications, and to the IDaaS portal.

Step-up authentication for User Portal Update Operations

When configuring the resource rules for the User portal, a separate resource rule can now be specified for User portal update operations. This allows the customer to require separate authentication before a user is allowed to modify their user profile or manage their own authenticators.

User Portal Configuration Enhancements

The User portal can now be configured to restrict the actions that are available to end users. Additionally, the User portal configuration has been reorganized so that all the settings are accessed from the new Policies > User Portal menu.

SAML Enhancements

SAML IDP initiated authentication has been enhanced so that the request can specify the Service Provider the user is authenticated to, using the Service Provider Entity ID, and (if required) the Relay State value. The URL has the following format.

https://<tenant>/api/saml/SAML2/SSO?spentityid=<spentityid>&RelayState=<RelayState>

This feature allows a customer to generate IDP URLs that can be bookmarked.

Bulk Enhancements

A new bulk operation to delete grids has been added to IDaaS. This bulk operation can delete either assigned or unassigned grids.

Upcoming Cross-Origin Requests (CORS) Handling Changes

IDaaS will be making the following changes to how CORS is handled in IDaaS in a future release. In 5.36, IDaaS will track invalid requests and Entrust will notify customers that will be impacted by these changes.

  • IDaaS will reject requests that contain an Origin header with a value of null.
  • The IDaaS Configuration setting "Enable CORS" will be enabled by default meaning that applications that are making cross-origin requests to IDaaS APIs will need to define the list of allowed origins in IDaaS CORS configuration.
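The two upcoming rules above (reject a null Origin, accept only origins on a configured allow-list) are illustrated below in an added example that is not Entrust code. The decision carries a reason code so that rejected requests can be tracked as the note describes; the origin list and the origin normalization rules are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class CorsDecision:
    allow_origin: Optional[str]   # value to echo in Access-Control-Allow-Origin, or None
    reason: str                   # short code suitable for tracking invalid requests


def normalize_origin(value: str) -> Optional[str]:
    """Canonical scheme://host[:port] for an Origin value, or None if it is malformed.

    An Origin header carries no path, query, fragment or credentials; anything
    with those parts is treated as malformed rather than loosely matched.
    """
    try:
        parts = urlsplit(value.strip())
        port = parts.port            # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return None
    default = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def cors_decide(origin_header: Optional[str], allowed_origins: Iterable[str]) -> CorsDecision:
    """Apply the two rules from the release note to one request's Origin header."""
    if origin_header is None:
        return CorsDecision(None, "not-cross-origin")       # same-origin or non-browser client
    if origin_header.strip().lower() == "null":
        return CorsDecision(None, "rejected-null-origin")   # opaque origins are never trusted
    origin = normalize_origin(origin_header)
    if origin is None:
        return CorsDecision(None, "rejected-malformed-origin")
    allowed = {normalize_origin(a) for a in allowed_origins} - {None}
    if origin in allowed:
        return CorsDecision(origin, "allowed")               # echo the exact origin, never "*"
    return CorsDecision(None, "rejected-origin-not-allowed")


# Constructed allow-list standing in for the IDaaS CORS configuration.
ALLOWED_ORIGINS = ["https://app.example.com", "https://portal.example.com:8443"]
```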

Service Provider Management Removed

The service provider management capabilities supported for Google and Box have been removed. User provisioning is now supported using SCIM.

New Integrations

The following integrations have been added.

Fixed or changed in this release

5.36.1 Patch

  1. OTP authentication for step-up authentication fails under some conditions. (36822)
  2. Default value of IDaaS Face Biometric Authentication Input Name policy does not match new Onfido value for default workflows. (36770)
  3. IDaaS does not accept some valid values for Onfido API key when configuring Onfido. (36883)
  4. When changing Onfido API key or Web Hook token configuration in IDaaS the wrong value is saved unless both values are changed. (36721)
  5. Access to the User Portal Entrust Soft Token activate/reactivate operation now requires the Entrust Soft Token Edit permission instead of the Add permission. This means the user portal can be configured to allow end users to activate or reactivate existing tokens without allowing them to create new tokens. (36908)

5.36

  1. When configuring the network proxy for ESG the Save button should be disabled when the proxy test fails. (36143)
  2. Enterprise Service Gateway heartbeats might not be tracked correctly due to clock skew between ESG and IDaaS. (36066)
  3. Mobile SmartCredential activation dialog updated to reference the Entrust Identity mobile app and not the old Entrust SmartCredential app. (35607)
  4. User report fails for users that have not completed activation. (36626)
  5. User verification fails with error service_authentication.email_template_not_found. (35956)
  6. Authentication flow not displayed correctly in user portal when using Safari. (36058)
  7. The attributes SecurityID and User Principal Name are no longer shown in the User Portal > User Profile. (35321)
  8. Offline token download not working for Desktop Credential Provider. (36049)
  9. Improved audits when a SAML or OIDC application is modified. (35662)
  10. Rename Microsoft Azure AD to Microsoft Entra ID in the IDaaS documentation. (35518)
  11. Administrator should be blocked from upgrading Managed Service Provider from Trial to Production if there are no entitlements available. (34708)
  12. Fix log rotation configuration for Enterprise Service Gateway. (35661)
  13. Directory Test action is now disabled for Gateways with versions prior to 5.35. (35900)
  14. Authentication Flow graphics should not have connection dots for IDPs without second factor. (34972)
  15. Fix sorting in User Certificate Settings page. (36630)
  16. When password is changed from Entrust Identity mobile app, the IDaaS audit is missing the resource name. (34178)
  17. IDaaS Developer Portal includes an extra newline in the section linking to the license. (35960)

Changes to Identity as a Service APIs

Authentication API

The following models have been added to support Face Biometric authentication.

  • FaceChallenge specifies the attributes needed to launch a Face Biometric authentication.

The following attributes have been added to existing models to support Face Biometric authentication.

  • the attribute faceChallenge has been added to AuthenticatedResponse.
  • the attribute faceResponse has been added to UserAuthenticateParameters.

Administration API

The following methods have been added to support management of Face Biometric authenticators.

  • DELETE /api/web/v1/face/{faceid} (deleteFaceUsingDELETE) - Delete the specified Face Biometric authenticator.
  • POST /api/web/v1/users/{userid}/face (createFaceUsingPOST) - Create a Face Biometric for the given user.
  • PUT /api/web/v1/users/{userid}/face (updateFaceUsingPUT) - Update the Face Biometric for the given user.
  • GET /api/web/v1/users/{userid}/faces (getFacesUsingGET) - Get the Face Biometrics for the given user.
  • GET /api/web/v1/users/{userid}/settings/face (getUserFaceSettingsUsingGET) - Get the Face Biometric settings for the given user.

The following models have been added for Face Biometric Authenticators.

  • FaceAuthenticator specifies the attributes for a Face Biometric.
  • FaceCreateParms specifies the attributes passed when creating a Face Biometric.
  • FaceUpdateParms specifies the attributes passed when modifying an existing Face Biometric.
  • UserFaceSettings specifies the settings for the Face Biometric authenticator.

The following methods have been added to support management of Organizations.

  • POST /api/web/v1/organizations (createOrganizationUsingPOST) - Create an organization.
  • GET /api/web/v1/organizations/{id} (getOrganizationUsingGET) - Get the specified organization.
  • PUT /api/web/v1/organizations/{id} (putOrganizationUsingPUT) - Update the specified organization.
  • DELETE /api/web/v1/organizations/{id} (deleteOrganizationUsingDELETE) - Delete the specified organization.
  • POST /api/web/v1/organizations/{orgid}/users/{userid} (createUserOrganizationAssociationUsingPOST) - Add the specified user to the specified organization.
  • DELETE /api/web/v1/organizations/{orgid}/users/{userid} (deleteUserOrganizationAssociationUsingDELETE) - Remove the specified user from the specified organization.
  • POST /api/web/v1/organizationspaged (organizationsPagedUsingPOST) - List organizations matching the given search criteria.
  • PUT /api/web/v1/users/{userid}/organizations (modifyUserAOrganizationAssociationsUsingPUT) - Modify the organizations for the specified user.

The following models have been added for Organizations.

  • Organization specifies the attributes of an organization.
  • OrganizationPage specifies a page of organizations returned from the list operation.
  • OrganizationParms specifies the parameters passed when creating or modifying an organization.
  • UserOrganizationParms specifies the parameters passed when modifying the organizations to which a user belongs.

The following changes to existing models have been made to support Organizations.

  • the attribute organizationIds has been added to OidcIdentityProvider and OidcIdentityProviderParms. This attribute specifies a list of organizations to which a user created after authenticating to an external IDP will be assigned.
  • the attribute organizations has been added to User and UserParms. This attribute specifies a list of organizations to which the user belongs.

The following changes to existing models have been made to support Domain-based IDPs.

  • the boolean attribute idpDomainBased has been added to AuthenticationFlow and AuthenticationFlowParms. This attribute indicates if the AuthenticationFlow will only use domain-based IDPs.
  • the attribute domains has been added to OidcIdentityProvider and OidcIdentityProviderParms. This attribute specifies a space separated list of domains associated with the IDP.

When specifying a password value for a user, the provided value can now be passed as cleartext (the existing behavior) or as a bcrypt protected value (new behavior). This allows a customer to import existing bcrypt protected passwords into IDaaS using the IDaaS administration API. To support this functionality, the following changes have been made to existing models.

  • the attribute passwordFormat has been added to UserPasswordParms.

Supported TLS Ciphers

IDaaS supports the following TLS Ciphers.

TLSv1.3:

  • TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
  • TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
  • TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)

TLSv1.2:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)

Clients should stop using the following TLS Ciphers. Support for them will be removed in a future release.

TLSv1.2:

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.36 and the three previous releases 5.33, 5.34 and 5.35). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.

ESG was updated to use a new OS in 5.33. In-place upgrade of ESG is only supported for versions 5.33 or later. Versions of ESG older than 5.33 are no longer supported. To upgrade ESGs older than 5.33 to the new version, use the following procedure:

  1. Download the latest Gateway OVA or Hyper-V file from IDaaS and install on a new VM instance.
  2. Add a new Gateway instance to the existing Gateway in IDaaS.
  3. Register the new Gateway instance with IDaaS.
  4. Disable the old Gateway instance.
  5. Repeat these steps to replace all the Gateway instances using older versions of the ESG.

Once the upgrade is complete, the Gateway instances corresponding to the old ESGs can be deleted from IDaaS and the VMs for those ESG instances can be deleted.

Browser Deprecation

Microsoft no longer supports Internet Explorer 11. Identity as a Service ceased support for Internet Explorer 11 after May 2023.

Release 5.35

New in this release

User Certificate Authentication

A new user certificate authenticator has been added to IDaaS. This authenticator can be used in a passwordless login flow or as a second-factor in User Login flow or IDP login flow.

User certificates can be either certificates issued by third-party CAs or certificates in IDaaS-issued smart credentials. The third-party CAs need to be added to the IDaaS Trusted CA list and marked as a user certificate CA. Additionally, to align with the new user certificate authenticator, issuing CAs will no longer be automatically used in device verification. A new option was added to allow specifying issuing CAs to be used in device verification.

User certificates issued by third-party CAs are matched against the user's attributes to locate the user in IDaaS. Supported certificate components for this matching process include subject DN, subject alternative name, and serial number. For user attributes, user ID, user principal name, security ID, and custom attributes are supported. User certificates from IDaaS-issued smart credentials do not use the certificate matching process.

Device Verification Enhancements

IDaaS device verification has been enhanced to support verification performed using the forthcoming release of the Entrust Device Agent (formerly Identity Bluetooth Reader).

Support Microsoft Entra ID External Authentication Method (EAM)

IDaaS has added support for Microsoft Entra ID EAM, where IDaaS can provide second-factor authentication for customers authenticating to Microsoft Entra ID.

IDaaS Password, KBA and IDP authenticators are classified as knowledge type authenticators by IDaaS and so are not accepted by Microsoft Entra ID EAM as acceptable second-factor authenticators.

Directory Configuration Validation

A new Test action has been added for Directories. The Test action tests the directory configuration against the directory and reports on any errors found in the configuration.

Certificate Expiry Notification

When Notifications are enabled in IDaaS (Configuration > Notification) notifications are sent indicating when SAML and OIDC certificates are nearing expiry or have expired.

OIDC/SAML Enhancements

OIDC and SAML now support external authentication as a first factor, optionally without any second-factor authentication. SAML and OIDC applications can be configured to return to the client without user intervention when an error occurs during authentication. These capabilities allow a customer to configure their Service Provider to use only IDaaS risk capabilities to decide whether a user is allowed or denied access.

Customers should only use external authentication when they know that the client is performing first-factor authentication. Additionally, single sign-on should be disabled for a resource rule using external authentication.

When an OIDC authentication fails due to access denied, more error information can be included in the response returned to the client. This is controlled by the existing General setting "Enabled Enhanced Authentication Details."

IDaaS now supports the OAuth 2.0 Web Message Response Mode.

OIDC Authentication Context Class Reference (ACR) and Authentication Methods References (AMR) claims are now populated based on the authenticators used in IDaaS to authenticate the user.

External Risk Enhancements

Support for Generic External Risk Engines has been added to IDaaS. This allows customers to integrate their own risk engines with IDaaS.

Developer Portal Enhancements

The IDaaS Developer Portal has been enhanced with a new Docs section that includes documents describing how to integrate IDaaS with various services. New in this release is Protecting AWS API Gateway.

The IDaaS administration and authentication SDKs are now available by way of a private registry, facilitating easier integration into customer projects. Initially, Java, CSharp, and Python SDKs are available in the registry. Support for the PHP SDK has been discontinued. The Python SDK now requires Python 3.7 or higher. The CSharp SDK has been updated to support .NET 8.0. For instructions on adding the private registry to your project, see the IDaaS Developer Portal.

Bulk Enhancements

The locale of the user can now be specified when creating or updating users.

Configure Allowed Smart Credential Definitions

When configuring smart credentials, an administrator can specify a list of allowed smart credential definitions. This allows an administrator to restrict which smart credential definitions can be selected when activating a smart credential.

Enhanced Configuration for IDaaS Desktop Application

When configuring an IDaaS Desktop Application, the administrator can now configure whether the client application is allowed to request that the client IP address be used for audits but not for resource rule conditions.

New Integrations

The following integrations have been added.

Fixed or changed in this release

  1. Return a specific error grid_max_num_per_user when assigning a grid to a user who already has the maximum number of grids allowed. (33750)
  2. Improvements to OIDC and IDP audits. (26886, 34533, 34538, 34907, 35123, 35180, 35353)
  3. RADIUS push authentication did not properly handle repeated requests from the VPN, causing the authentication to be rejected. (35811)
  4. Changes to the user authenticator page in 5.34 added a requirement for the SETTINGS:VIEW permission causing the page to fail to load for administrators without that permission. This permission is no longer required. (35424)
  5. When a user selects a different locale during login they are given an option to set that locale as their default locale. If the user chose not to save that value in some scenarios, it would be saved regardless. (32335)
  6. User list operation filtering for disabled users failed with an error stating that the requested operation could not be performed. (34302)
  7. Custom mail server error still present in UI after OAuth re-authentication. (35139)
  8. URLs in message of the day may be truncated. (34523)
  9. Updates to OTP default delivery settings not displayed in UI after save. (35179)
  10. Alternate OTP delivery options ignored when authenticating for password. (35609)

Changes to Identity as a Service APIs

Authentication API

The following changes have been made to support user certificate authentication:

  • The model UserCertificateChallenge has been added.
  • The attribute userCertificateChallenge of type UserCertificateChallenge has been added to AuthenticatedResponse.
  • The model UserCertificateResponse has been added.
  • The attribute userCertificateResponse of type UserCertificateResponse has been added to UserAuthenticateParameters.
  • The type USER_CERTIFICATE has been added as an allowed value wherever authentication types are specified.

Administration API

The type USER_CERTIFICATE has been added as an allowed value wherever authentication types are specified.

The type USER_CERTIFICATE_LOGIN has been added to the list of allowed Login Flow types.

New v2 versions of the following authentication APIs have been created to support the new USER_CERTIFICATE authentication type and the USER_CERTIFICATE_LOGIN login flow.

  • GET /api/web/v2/authenticationflows (getAuthenticationFlowsUsingGET) - List authentication flows.
  • POST /api/web/v2/authenticationflows (createAuthenticationFlowUsingPOST) - Create an authentication flow.
  • DELETE /api/web/v2/authenticationflows/{id} (removeAuthenticationFlowUsingDELETE) - Delete an authentication flow.
  • GET /api/web/v2/authenticationflows/{id} (getAuthenticationFlowUsingGET) - Get an authentication flow.
  • PUT /api/web/v2/authenticationflows/{id} (updateAuthenticationFlowUsingPUT) - Modify an authentication flow.

The attribute allowIgnoreIpAddressForRba has been added to AuthApiApplication and AuthApiApplicationParms. This value specifies whether the client can specify that the client IP address is used for audits but not for resource rule conditions. This attribute only applies to IDaaS Desktop applications.

The following APIs have been added:

  • GET /api/web/v1/scdefns/users/{userId} (listAllowedSCDefnsUsingGET) - List smart credential definitions that are allowed for the specified user.

Supported TLS Ciphers

IDaaS supports the following TLS Ciphers.

TLSv1.3:

  • TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
  • TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
  • TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)

TLSv1.2:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)

Support for the following TLS Ciphers was removed in IDaaS 5.32.

TLSv1.2:

  • TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048)
  • TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048)
  • TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)

Clients should stop using the following TLS Ciphers. Support for them will be removed in a future release.

TLSv1.2:

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.35 and the three previous releases 5.32, 5.33 and 5.34). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.

ESG was updated to use a new OS in 5.33. In-place upgrade of ESG is only supported for versions 5.33 or later. To upgrade ESGs older than 5.33 to the new version, use the following procedure:

  1. Download the latest Gateway OVA or Hyper-V file from IDaaS and install it on a new VM instance.
  2. Add a new Gateway instance to the existing Gateway in IDaaS.
  3. Register the new Gateway instance with IDaaS.
  4. Disable the old Gateway instance.
  5. Repeat these steps to replace all the Gateway instances using older versions of the ESG.

Once the upgrade is complete, the Gateway instances corresponding to the old ESGs can be deleted from IDaaS and the VMs for those ESG instances can be deleted.

Browser Deprecation

Microsoft no longer supports Internet Explorer 11. Identity as a Service ceased support for Internet Explorer 11 after May 2023.

Release 5.34


New in this release

IDP plus Second-Factor Authentication

When using a third-party identity provider for authentication, IDaaS second-factor authentication can now be included in the authentication flow.

Step-Up Authentication to Edit User Profile

The User portal can be configured to require step-up OTP authentication before a user is allowed to edit their user profile. The user attributes that receive the OTP can be configured in the policy.

OIDC Certificate Management

The certificates used for OIDC applications can now be managed, including having them certified by a Certificate Authority.

Grid Delivery Address Selection

When the end user or an administrator chooses to deliver a grid, the email address to use can now be selected. The allowed addresses can be configured in the policy.

Restrict OTP Delivery Types

The OTP delivery types that are available for OTP authentication can now be specified in the policy.

Administrator Support for Entrust Soft Token Manual Activation

When an administrator activates an Entrust Soft Token from the Administration portal, they now have the option to view the manual activation parameters.

The Registration Magic Link can now be configured so that it is automatically delivered when a user is created.

The user list in the admin portal now has a "Search for User ID" quick search option.

New Integrations

The following integrations have been added.

  • A new RADIUS application template for PAM RADIUS Plug-in.
  • A new SAML application template for Fastly
  • A new SAML application template for Lucidchart
  • A new SAML application template for Soloinsight

The following Identity as a Service integrations have been renamed from IntelliTrust to IDaaS:

  • IDaaS AD FS Adapter
  • IDaaS Apache Filter
  • IDaaS Desktop
  • IDaaS ISAPI Filter

The Identity as a Service integration IntelliTrust ForgeRock has been removed. The OIDC ForgeRock application is still available.

Fixed or changed in this release

  1. When creating a tenant from a managed service provider, the country of the tenant and the mobile phone number of the first administrator are now optional. (34504)
  2. When creating a tenant from a managed service provider, tenant creation fails if the service provider's entitlements are expired. The entitlement is now verified before trying to create the tenant. (34224)
  3. Improved the performance of token queries and reports when the tenant has a large number of tokens. (34584, 34916)
  4. Improved the performance of user export for tenants with a large number of users. (33632)
  5. Device verification is now fully supported for Passkey, IDP, and Smart Login authentication. (34273, 34274, 34275)
  6. Device verification caused unexpected errors if the user entered an invalid password during password change. (34528)
  7. The tab titles in the User portal and Administration portal have been changed to use black instead of the primary account color. (34284)
  8. Fixed the ESG setup_static_ip.sh script. (35025)
  9. Previously an imported PKIaaS CA only supported OCSP for certificate revocation. Now CRLs are also supported. (34672)
  10. Smart login now supports single sign-on. (33162)
  11. The User portal operations to verify ownership of a phone number now consume SMS/Voice entitlements. (26751)
  12. SAML metadata download fails when "All Certificates" is selected. (35034)
  13. Addressed issues where travel velocity was performed for IP addresses without a location. (34364)
  14. Improved the display of the Message of the Day in the login page on mobile devices. (34005)
  15. Smart Login is now available for managed service provider tenants. (34581)
  16. Fixed an issue with directory sync where errors could result in the user entitlement counts being incorrect until the daily entitlement verification task was performed. (29178, 31441)
  17. Addressed some issues in how authentication flows display in the Administration portal. (34807)
  18. The subject name for a SYNCADD user audit should be clickable. (34478)
  19. The IDP remove audit should not include all the details of the removed IDP. (34688)
  20. Return a better error message when a duplicated trusted CA certificate is added. (33108)
  21. Improve the formatting of authentication audits containing device certificate risk factor evaluation results so that the device certificate DN displays properly. (32896)
  22. Improve the formatting of the Passkey button text on Safari. (34058)
  23. Optional custom user attributes synchronized from the directory could be modified using the Administration API. (34402, 34405)
  24. OTP authentication settings modify audit contained attributes whose values did not change. (34685, 34698)
  25. The audit generated when a user is created or a soft token is created as part of user creation after an IDP authentication has the wrong subject name. (34524, 34534)
  26. The audit generated when an inactive user authenticates with Passkey/FIDO2 was missing the Authenticator value. (31770)
  27. PKIaaS CA actions on Issuing CA list page should be disabled for administrators that do not have permission to perform the action. Performing the action caused a permission denied error. (32930)
  28. When configuring an Identity Provider, the JWKS Endpoint is now required for all IDPs except for Twitter. (34585)
  29. The wrong error was displayed in the Administration portal if the administrator tried to remove a synchronized group from the user. (34379)
  30. Passkey authentication did not work for managed service providers authenticating to a child account. (34277)
  31. Some strings in the user portal were not translated for all locales. (34362, 34532)
  32. Make the mobile application name consistent between the Activate Smart Credential and Activate Soft Token dialogs. (34648)
  33. The "Add Client Credential Grant" option should be disabled for administrators that do not have permission to perform the operation. Performing the action results in a no permission error. (34509)
  34. Improve the audit generated when a custom mail server is updated with a new password to indicate that the password was changed. (32904)
  35. Fix password reset for AD passwords for users whose DN contains values that need to be escaped. (34285)
  36. Only audits whose subject name is a user ID should be clickable. (34521)
  37. The reset password audit shows the forceUpdate attribute even though it has not changed. (33042)
  38. Changing the state of the ESG password agent could fail. (34641)
  39. Creating a Generic Server OIDC Application is now only available in an account with the premium bundle. (34540)
  40. Identity Provider configuration now supports an acr values request. Supply a space-separated list of acr values. If supplied, at least one of the specified values must be returned from the IDP for the authentication to be successful. (34620)
  41. If an OIDC request specifies a claims request for acr or amr as essential with specified values, and at least one of the specified values cannot be achieved, the request will fail. (34673)
  42. Fixed an issue where the name and description of a resource rule containing groups synchronized from AD could not be updated. (34594)
  43. Fixed an issue where the FIDOTOKEN add permission could not be set when creating or editing a role in the admin portal. (35259)
  44. Updated phone number validation that rejected phone numbers with new area codes for some countries. (35223)
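The ACR/AMR behaviour described in the 5.35 notes (claims populated from the authenticators actually used) and in items 40 and 41 above is easiest to reason about from the relying-party side. The following is an added example, not IDaaS code or part of its SDKs: it builds the OIDC `claims` request parameter that asks for `acr` (and optionally `amr`) as essential claims with values, and then checks a validated ID token's claims against that request. The check follows the OpenID Connect Core rule that an essential claim with `values` is satisfied when the returned value is one of those listed; `amr` is a JSON array, so any overlap with the requested values counts. The ACR URI `urn:example:acr:mfa` is a constructed placeholder, and the AMR values (`pwd`, `otp`, `mfa`) are the standard RFC 8176 names; none of them are IDaaS identifiers.

```python
import json
from typing import Optional

# Constructed placeholder; real ACR values come from the OP's documentation.
MFA_ACR = "urn:example:acr:mfa"


def build_claims_request(acr_values: list[str],
                         amr_values: Optional[list[str]] = None) -> str:
    """Build the OIDC 'claims' authorization-request parameter (JSON string)
    asking the OP for acr, and optionally amr, as essential claims with values."""
    id_token: dict = {"acr": {"essential": True, "values": acr_values}}
    if amr_values:
        id_token["amr"] = {"essential": True, "values": amr_values}
    return json.dumps({"id_token": id_token}, separators=(",", ":"))


def verify_acr_amr(id_token_claims: dict, claims_request: str) -> tuple[bool, str]:
    """Relying-party check to run after signature/issuer/audience validation.

    An essential claim with 'values' is satisfied when the returned value is one
    of them (OIDC Core 5.5.1.1). amr is a list, so any overlap with the requested
    values suffices. Returns (ok, reason)."""
    wanted = json.loads(claims_request).get("id_token", {})

    acr_req = wanted.get("acr")
    if acr_req and acr_req.get("essential"):
        acr = id_token_claims.get("acr")
        if acr is None:
            return False, "acr claim missing"
        if "values" in acr_req and acr not in acr_req["values"]:
            return False, f"acr {acr!r} not in requested values"

    amr_req = wanted.get("amr")
    if amr_req and amr_req.get("essential"):
        amr = id_token_claims.get("amr") or []
        if not isinstance(amr, list):
            return False, "amr must be a JSON array"
        if "values" in amr_req and not set(amr) & set(amr_req["values"]):
            return False, "none of the requested amr values were used"

    return True, "ok"


if __name__ == "__main__":
    req = build_claims_request([MFA_ACR], ["otp", "mfa"])
    print(req)
    # Constructed sample of the claims a validated ID token might carry.
    print(verify_acr_amr({"acr": MFA_ACR, "amr": ["pwd", "otp"]}, req))
```

The request string is what goes into the `claims` query parameter of the authorization request; an OP that cannot satisfy an essential `acr` or `amr` value is expected to fail the request, but the relying party should still verify the returned claims rather than trusting that outcome.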

Changes to Identity as a Service APIs

Authentication API

The attribute ignoreIPAddressForRBA has been added to UserAuthenticateQueryParameters, UserChallengeParameters, and UserAuthenticateParameters. When this attribute is set to true, the IP address provided to an authentication request is included in authentication audits but is not used for risk-based authentication. By default, the IP address is used for both audits and risk-based authentication.

The attribute expires has been added to UserAuthenticateQueryResponse. It specifies the expiry time of the authentication token.

Administration API

The following changes have been made to support selecting which email attribute is used when delivering a grid to a user.

  • The model EmailParms has been added.
  • The API deliverAssignedGridByEmailUsingPOST now takes EmailParms as a parameter.
  • The attribute emailParms of type EmailParms has been added to the model GridAssignParms. This attribute is used when calling the API assignGridByIdUsingPUT and assignGridBySerialNumberUsingPUT.
  • The attribute emailParms of type EmailParms has been added to the model GridCreateParms. This attribute is used when calling the API createGridUsingPOST.

The following changes have been made to define the OTP Settings policy used to define which delivery types can be used to deliver OTPs.

  • The model OTPDeliveryMethod has been added. It defines an OTP delivery method and indicates if that method can be used for delivering OTPs.
  • The attribute deliveryMethods has been added to the model OTPAuthenticatorSettings. It defines an ordered list of OTP delivery methods that can be used for delivering OTPs. The first entry in the list is the default delivery method.
  • The attribute otpDefaultDelivery in the model OTPAuthenticatorSettings has been deprecated and is replaced by deliveryMethods.

The following changes have been made to support defining IDP plus second-factor authentication and other improvements to Identity Providers.

  • The attribute idpLoginSecondStep has been added to AuthenticationFlow and AuthenticationFlowParms. This attribute defines the list of authenticators that are required for IDP second-factor authentication.
  • The attribute acrValues has been added to OidcIdentityProvider and OidcIdentityProviderParms. This attribute defines a list of authentication context request values to include in the authentication request to the 3rd-party IDP.
  • The attribute descriptions for OidcIdentityProvider and OidcIdentityProviderParms have been improved.

Other changes made to the Administration API:

  • The attribute companyCountry in the model TenantParms is no longer required when creating a new tenant.
  • The attribute mobile in the model UserParms used to create the first administrator of the tenant is no longer required when creating a new tenant.
  • The version of the method createTenantAsyncUsingPOST has been updated from v4 to v5. The non-compatible changes requiring this change are not related to authentication clients and will not impact IDaaS customers.

Supported TLS Ciphers

IDaaS supports the following TLS Ciphers.

TLSv1.3:

  • TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
  • TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
  • TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)

TLSv1.2:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)

Support for the following TLS Ciphers was removed in IDaaS 5.32.

TLSv1.2:

  • TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048)
  • TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048)
  • TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)

Clients should stop using the following TLS Ciphers. Support for them will be removed in a future release.

TLSv1.2:

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
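The cipher lists in the 5.35 and 5.34 notes above give clients a concrete target: offer only the ECDHE GCM/ChaCha20 suites, avoid the two CBC suites slated for removal, and never rely on the RSA key-transport suites removed in 5.32. The following is an added example, not IDaaS or Entrust SDK code, showing how a Python client can pin its TLS 1.2 offer to that list and audit any `ssl.SSLContext` for suites that are deprecated or already gone. The mapping from the IANA names on the page to OpenSSL names is standard OpenSSL naming; TLS 1.3 suites are negotiated separately by OpenSSL and all three on the supported list are enabled by default, so only the TLS 1.2 string is set here.

```python
import ssl

# TLS 1.2 suites from the release notes, IANA name -> OpenSSL name
# (the OpenSSL names are what ssl.SSLContext.set_ciphers() expects).
SUPPORTED_TLS12 = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-RSA-CHACHA20-POLY1305",
}
# Still accepted but scheduled for removal; a client should stop offering them.
DEPRECATED_TLS12 = {
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "ECDHE-RSA-AES256-SHA384",
}
# Removed in IDaaS 5.32 (RSA key transport, no forward secrecy).
REMOVED_TLS12 = {
    "TLS_RSA_WITH_AES_128_GCM_SHA256": "AES128-GCM-SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384": "AES256-GCM-SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "AES128-SHA256",
}


def build_client_context() -> ssl.SSLContext:
    """Client context that offers only the supported TLS 1.2 suites and
    refuses anything below TLS 1.2. Certificate verification stays on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(SUPPORTED_TLS12.values()))
    return ctx


def offered_ciphers(ctx: ssl.SSLContext) -> list[str]:
    """OpenSSL names of every suite the context would offer (TLS 1.2 and 1.3)."""
    return [c["name"] for c in ctx.get_ciphers()]


def problem_ciphers(ctx: ssl.SSLContext) -> dict[str, list[str]]:
    """Audit a context: which deprecated or removed suites would it still offer?"""
    offered = set(offered_ciphers(ctx))
    return {
        "deprecated": sorted(offered & set(DEPRECATED_TLS12.values())),
        "removed": sorted(offered & set(REMOVED_TLS12.values())),
    }


if __name__ == "__main__":
    pinned = build_client_context()
    print("pinned context offers:", offered_ciphers(pinned))
    print("pinned context problems:", problem_ciphers(pinned))
    print("default context problems:", problem_ciphers(ssl.create_default_context()))
```

Running `problem_ciphers(ssl.create_default_context())` shows whether your interpreter's stock cipher list still offers the CBC suites that will stop working against IDaaS in a future release; a non-empty `removed` list would already fail to negotiate today.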

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.34 and the three previous releases 5.31, 5.32 and 5.33). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.

ESG was updated to use a new OS in 5.33. In-place upgrade of ESG is only supported for versions 5.33 or later. To upgrade ESGs older than 5.33 to the new version, use the following procedure:

  1. Download the latest Gateway OVA or Hyper-V file from IDaaS and install it on a new VM instance.
  2. Add a new Gateway instance to the existing Gateway in IDaaS.
  3. Register the new Gateway instance with IDaaS.
  4. Disable the old Gateway instance.
  5. Repeat these steps to replace all the Gateway instances using older versions of the ESG.

Once the upgrade is complete, the Gateway instances corresponding to the old ESGs can be deleted from IDaaS and the VMs for those ESG instances can be deleted.

Browser Deprecation

Microsoft no longer supports Internet Explorer 11. Identity as a Service ceased support for Internet Explorer 11 after May 2023.

Release 5.33


New in this release

Authentication Flows

IDaaS supports several authentication flows:

  • The standard userID authentication flow where the user enters their userID and is then prompted for an optional first-factor password followed by a selection of second-factor authenticators.
  • The Passkey authentication flow where the user uses their Passkey token to authenticate. Their userID is provided by the Passkey token.
  • The Smart Login authentication flow where the user uses their Entrust Identity Smart Credential to authenticate to IDaaS. Their userID is provided by the smart credential.
  • The Identity Provider (IDP) authentication flow where the user uses a third-party Identity Provider to authenticate. Their userID is provided by the IDP.

Prior to 5.33, some authentication flows (userID and Smart Login) were configured in the resource rules and some authentication flows (Passkey and IDP) were defined outside the resource rules in the applications. In 5.33, the authentication flows are now defined as a separate entity and linked to the resource rules. These changes provide the following benefits:

  • Configuration of all authentication flows is the same.
  • All authentication flows now support single-sign on and user registration and verification.
  • Resource rule contexts, which can be used to deny access to an application, apply to all the authentication flows. Prior to 5.33, Passkey and IDP authentication were not restricted by the context rules in the resource rule.
  • Authentication flows can be shared with multiple resource rules.

The IDaaS portal authentication UI has been updated as part of this feature. Only the authentication flows defined for the application are shown. For example, the User portal can be configured so that only IDP authentication is shown.

The IDaaS user portal and administration portal can have different authentication flows. A user browsing to the account URL (for example, https://mycompany.us.trustedauth.com) will see the authentication flow for the user portal, which may not be an authentication flow that allows access to the administration portal. In this scenario, a user wishing to access the administration portal can do so by adding ?action=admin to the URL, for example https://mycompany.us.trustedauth.com/#/?action=admin.

As part of these changes, the existing Resources menu has been split into two top-level menus. A new Security menu includes items related to authenticating to applications, including a new Authentication Flows menu item for managing authentication flows. The existing Resources menu includes items related to managing resources such as Grids, Tokens, and Smart Credentials.

When IDaaS 5.33 is deployed, existing resource rules will be converted. Where necessary, new authentication flows will be created and linked to resource rules.

Support Entrust Identity Mobile Hardware Storage for Smart Credentials

An upcoming version of Entrust Identity Mobile will support storing smart credential private keys in hardware. Hardware storage on iOS only supports Elliptic Curve (EC) keys. When configuring smart credentials in IDaaS, there is now an option to select EC as the key type in addition to RSA. Additionally, there is a new policy for smart credentials to indicate to Entrust Identity Mobile that smart credential private keys must be stored in hardware storage, or will be stored in hardware storage if available. Existing versions of Entrust Identity Mobile will fail to encode the smart credential if EC keys are specified and will not store private keys in hardware even if required by IDaaS policy.

FIDO2/Passkey Authenticator Improvements

An "Allowed Relying Party ID Hostnames" list has been added to FIDO2/Passkey policy. This list restricts the hostnames that can register FIDO2/Passkey tokens.
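The allowlist matters because a FIDO2/Passkey credential is scoped to its Relying Party ID: WebAuthn only requires the RP ID to equal the origin's effective domain or be a registrable suffix of it, so without a policy list a registration could bind credentials to a broader parent domain than the tenant intends. The following is an added example, not IDaaS code, of the check a registration endpoint can apply: the presented `rp.id` must pass the WebAuthn suffix rule against the request origin and must appear in the configured hostname list. The allowlist contents are constructed sample values (the tenant hostname reused from the account URL example above plus a made-up `login.mycompany.example`); the public-suffix check that a full WebAuthn implementation also performs is left out, with the allowlist doing the work of keeping RP IDs to the tenant's own hostnames.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the "Allowed Relying Party ID Hostnames" policy list.
ALLOWED_RP_ID_HOSTNAMES = {
    "mycompany.us.trustedauth.com",
    "login.mycompany.example",
}


def is_registrable_suffix(rp_id: str, host: str) -> bool:
    """WebAuthn rule: RP ID equals the origin host or is a dot-separated suffix
    of it (public-suffix list check omitted in this example)."""
    return host == rp_id or host.endswith("." + rp_id)


def check_rp_id(rp_id: str, origin: str, allowed: set[str]) -> tuple[bool, str]:
    """Decide whether an rp.id presented during registration may be used.

    Returns (accepted, reason). Hostnames are compared case-insensitively and a
    trailing dot on the RP ID is ignored, mirroring DNS name handling."""
    parts = urlsplit(origin)
    if parts.scheme != "https":
        return False, "origin must be https"
    host = (parts.hostname or "").lower()
    rp_id = rp_id.lower().rstrip(".")
    if not rp_id or not host:
        return False, "missing rp id or origin host"
    if not is_registrable_suffix(rp_id, host):
        return False, f"rp id {rp_id} is not a suffix of origin host {host}"
    if rp_id not in {h.lower() for h in allowed}:
        return False, f"rp id {rp_id} is not in the allowed hostnames list"
    return True, "ok"


if __name__ == "__main__":
    origin = "https://mycompany.us.trustedauth.com"
    for candidate in ("mycompany.us.trustedauth.com", "us.trustedauth.com", "other.example"):
        print(candidate, "->", check_rp_id(candidate, origin, ALLOWED_RP_ID_HOSTNAMES))
```

The second candidate in the demo (`us.trustedauth.com`) is the interesting case: it satisfies the WebAuthn suffix rule, so only the allowlist stops a credential from being registered against the shared parent domain.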

Strict Access Option for Resource Rules

In IDaaS, if a user matches multiple resource rules and one or more of those rules allows access, the user is allowed access using those resource rules. A new "Enable Strict Access for Application" option has been added to resource rules. If the option is enabled and the resource rule denies access, the user is denied access even if other resource rules allow access.
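The strict-access option changes how the outcomes of several matching resource rules are combined, which is easy to get wrong when reasoning about a deny rule that sits beside broad allow rules. The following is an added example, not IDaaS code, that models that combination: any allowing rule grants access, except that a denying rule with strict access enabled overrides every allow. The rule names are constructed sample values, and the handling of an empty match set (denied, with a reason) is an assumption consistent with the failure audit for missing active resource rules described in item 17 of the fixes below.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RuleOutcome:
    """Result of evaluating one resource rule the user matched (sample data)."""
    name: str      # resource rule name
    allows: bool   # whether the rule's conditions/context grant access
    strict: bool   # "Enable Strict Access for Application" set on this rule


def evaluate_access(matched: list[RuleOutcome]) -> tuple[bool, str]:
    """Combine the outcomes of all matched resource rules.

    - A denying rule with strict access enabled wins over every allowing rule.
    - Otherwise, any allowing rule grants access.
    - No matching rules, or only non-strict denials, means access is denied.
    Returns (allowed, reason) so the decision can be audited."""
    if not matched:
        return False, "no matching resource rules"
    strict_denials = [r.name for r in matched if r.strict and not r.allows]
    if strict_denials:
        return False, "denied by strict rule(s): " + ", ".join(strict_denials)
    allowing = [r.name for r in matched if r.allows]
    if allowing:
        return True, "allowed by rule(s): " + ", ".join(allowing)
    return False, "all matching rules deny access"


if __name__ == "__main__":
    employees = RuleOutcome("Employees", allows=True, strict=False)
    block_unmanaged = RuleOutcome("Block-Unmanaged-Devices", allows=False, strict=False)
    block_unmanaged_strict = RuleOutcome("Block-Unmanaged-Devices", allows=False, strict=True)
    print(evaluate_access([employees, block_unmanaged]))         # allowed
    print(evaluate_access([employees, block_unmanaged_strict]))  # denied
```

The two printed cases are the point of the feature: the same deny rule is ignored next to an allowing rule until strict access is switched on, after which it blocks the application regardless of what the other rules say.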

An application creating an IDaaS Registration Magic Link can now include a redirect URL. After registration completes, the user's browser is redirected to that URL. The Magic Link policy now includes settings to enable redirect and to list the URLs that are allowed as redirect targets.

Redirect URLs are only supported with Magic Links created using the administration API. They cannot be specified for Magic Links created from the administration portal.

Support Existing Entrust PKIaaS CAs

IDaaS has supported Entrust PKIaaS CAs created by IDaaS. Now customers can also use Entrust PKIaaS CAs created from Entrust Certificate Services.

Customize Google Authenticator Name

Most 3rd-party soft tokens are compatible with Google Authenticator for activation and authentication. This means that customers using 3rd-party soft tokens with IDaaS can use the IDaaS Google Authenticator with those tokens. IDaaS now allows a customer to customize the name of the authenticator to match the token that the customer is using.

User Registration Enhancements

The following enhancements have been made to user registration:

  • User registration can now include an option to create a new grid for the user.
  • User registration can now include an option to perform password management for the user. If the user does not have a password, they can create a password. If the user has a password that is expired or set for forced update, the user can change it. Currently, password creation is only supported for IDaaS-managed passwords and not for AD passwords.

Support Multiple Smart Credential Definitions in User Portal

When activating a smart credential in the IDaaS User portal, if multiple smart credential definitions are configured, the user is now asked to choose which smart credential to use. The user no longer needs to choose between activating for mobile or physical smart credentials. That information is provided by the selected smart credential definition.

Enhance Password Expiry Notification

An upcoming version of Entrust Identity Mobile will support handling password expiry notifications. In IDaaS, support for delivering password expiry notifications to mobile has been added. This includes a new Mobile option for the Password Expiry Notifications policy.

Azure AD Directory Permission Changes

When authenticating to Azure AD, IDaaS no longer requests all the permissions required to perform all directory-related operations (synchronizing users and groups, changing or resetting user passwords). Instead, IDaaS requests minimal permissions and is given the permissions allowed for the authenticating directory credentials. If IDaaS does not have permission to perform an operation, the operation fails. This allows, for example, a customer to configure their directory to only provide read permissions supporting user synchronization without having write permission to support password change.

Enterprise Service Gateway (ESG) Platform Update

ESG has been updated to use a new OS. Versions of ESG prior to 5.33 are still supported for 3 versions after release, but they cannot be upgraded in place. To upgrade existing ESGs to the new version, use the following procedure:

  1. Download the latest Gateway OVA or Hyper-V file from IDaaS and install it on a new VM instance.
  2. Add a new Gateway instance to the existing Gateway in IDaaS.
  3. Register the new Gateway instance with IDaaS.
  4. Disable the old Gateway instance.
  5. Repeat these steps to replace all the Gateway instances using older versions of the ESG.

Once the upgrade is complete, the Gateway instances corresponding to the old ESGs can be deleted from IDaaS and the VMs for those ESG instances can be deleted.

New Integrations

The following integrations have been added.

  • A new SAML application template for FortiSIEM
  • A new SAML application template for Gong
  • A new SAML application template for Huddle
  • A new SAML application template for Mimecast
  • A new SAML application template for Netskope
  • A new SAML application template for Ziflow

Fixed or changed in this release

  1. Push authentication in RADIUS did not fall back to token authentication when the push transaction expired. (34332, 34308, 34196)
  2. Administrators logging into the IDaaS portal using device certificate authentication were only given access to the User portal. (34190, 33919)
  3. User attributes synchronized from AD should be read-only when editing the user profile in the Administrator or User portal. (34300, 34291)
  4. Magic Link email not using user locale for email subject and expiry date. (33924, 33556)
  5. Audits for IDP initiated SAML/OIDC logins now include the application name in the audit. (34099)
  6. The IntelliTrust Desktop application can now be configured to support FIDO2/Passkey authentication. (33783)
  7. The activation email for mobile smart credential now includes a link to the Entrust Identity mobile application instead of the old Entrust Smart Credential mobile application. (33676, 33621, 33512)
  8. IDaaS did not correctly handle incoming SAML requests if the RelayState parameter was not URL encoded. (33673)
  9. Hardware tokens were not unassigned as expected when a synchronized user was deleted because they were removed from the directory. (33627)
  10. The Administrator portal removed spaces from user aliases that contained multiple spaces. (33209)
  11. Smart login authentication not saved in location history or counted in the authentications per application statistics. (33166, 33169)
  12. Passkey login authentication not saved in location history or counted in the authentications per application statistics. (33168, 33167)
  13. Check that the same Trusted Certificate Authority is not added twice. (32614)
  14. When directory synchronization was configured to synchronize "Group Matching Group Filter" and the group filter was empty, all groups were synchronized. It should not synchronize any groups. (33201)
  15. Improvements to policy caching to ensure policy changes are applied immediately. (33773)
  16. IDaaS allows groups in a directory group filter that differ only with leading or trailing whitespace. (22843)
  17. Improve message in failure audit if authentication fails because there are no active resource rules. (34134)
  18. IDaaS accounts with Standard bundle were unable to add SAML applications. (33852)
  19. The basic authentication option has been removed from Secure Device Provisioning. (30691)
  20. The refresh option on the managed service provider tenant list page now displays all tenants being created rather than just tenants created in the current session. (33652)
  21. Improved the error message when synchronization from Azure AD fails because the authentication token has expired. (32283)
  22. Improved the error in change password indicating that the password matched an alias. (31644)
  23. OIDC Authorization should only be accessible in accounts with the PREMIUM bundle. (34481)

Changes to Identity as a Service APIs

Authentication API

The authentication type PASSKEY has been added to the AuthenticatorType enumerated type. Previously when performing PASSKEY authentication, the API POST /api/web/v1/authentication/passkey (requestPasskeyChallengeUsingPOST) was used. This API has been deprecated. Instead, call POST /api/web/v2/authentication/users/authenticate/{authenticator} (userChallengeUsingPOST) with authenticator set to PASSKEY. The parameter userId in UserChallengeParameters is now optional. It is required when calling non-passwordless authenticators but is not required for PASSKEY.

The attribute relyingParyId has been added to FIDOToken which is returned from the APIs completeFIDORegisterUsingPOST and getSelfFIDOTokenUsingGET.

Administration API

The following APIs have been added to manage authentication flows:

  • GET /api/web/v1/authenticationflows (getAuthenticationFlowsUsingGET) - List authentication flows.
  • POST /api/web/v1/authenticationflows (createAuthenticationFlowUsingPOST) - Create an authentication flow.
  • DELETE /api/web/v1/authenticationflows/{id} (removeAuthenticationFlowUsingDELETE) - Delete an authentication flow.
  • GET /api/web/v1/authenticationflows/{id} (getAuthenticationFlowUsingGET) - Get an authentication flow.
  • PUT /api/web/v1/authenticationflows/{id} (updateAuthenticationFlowUsingPUT) - Modify an authentication flow.

The following models related to authentication flows have been added:

  • AuthenticationFlowParms - The parameters passed to the create and update APIs.
  • AuthenticationFlow - The results returned from the create, get, list, and update APIs.

The following APIs have been added to manage OIDC identity providers:

  • GET /api/web/v1/identityproviders/oidc (listOidcIdentityProvidersUsingGET) - List identity providers.
  • POST /api/web/v1/identityproviders/oidc (createOidcIdentityProviderUsingPOST) - Create an identity provider.
  • POST /api/web/v1/identityproviders/oidc/configuration (fetchOidcConfigurationUsingPOST) - Get configuration information for an identity provider.
  • DELETE /api/web/v1/identityproviders/oidc/{id} (deleteOidcIdentityProviderUsingDELETE) - Delete an identity provider.
  • GET /api/web/v1/identityproviders/oidc/{id} (getOidcIdentityProviderUsingGET) - Get an identity provider.
  • PUT /api/web/v1/identityproviders/oidc/{id} (updateOidcIdentityProviderUsingPUT) - Modify an identity provider.

The following models related to OIDC identity providers have been added:

  • OidcIdentityProviderParms - The parameters passed to the create and update APIs.
  • OidcIdentityProvider - The results returned from the create, get, list, and update APIs.
  • OidcConfigurationParms - The parameters passed to the configuration API.
  • OidcConfigurationResponse - The results returned from the configuration API.

A new version of the following APIs to manage resource rules has been created. The new v2 version of the APIs manages resource rules linked to authentication flows. The old v1 version of the APIs has been deprecated and will be removed in a future release.

  • GET /api/web/v2/resourcerules (getResourceRulesUsingGET) - List all resource rules.
  • POST /api/web/v2/resourcerules (createResourceRuleUsingPOST) - Create a resource rule.
  • GET /api/web/v2/resourcerules/resource/{id} (getResourceRulesForResourceUsingGET) - List all resource rules for the specified resource.
  • DELETE /api/web/v2/resourcerules/{id} (removeResourceRuleUsingDELETE) - Delete a resource rule.
  • GET /api/web/v2/resourcerules/{id} (getResourceRuleUsingGET) - Get a resource rule.
  • PUT /api/web/v2/resourcerules/{id} (updateResourceRuleUsingPUT) - Update a resource rule.

The models ResourceRule and ResourceRuleParms related to resource rules have been modified.

  • The attributes highRiskAuthenticationFlow, mediumRiskAuthenticationFlow, and lowRiskAuthenticationFlow have been added. These attributes specify the authentication flows associated with this resource rule for the different risk levels. These attributes are managed by the v2 version of the resource rule APIs.
  • The attributes highRiskEnableSmartLogin, highRiskFirstStep, highRiskSecondStep, mediumRiskEnableSmartLogin, mediumRiskFirstStep, mediumRiskSecondStep, lowRiskEnableSmartLogin, lowRiskFirstStep, and lowRiskSecondStep have been deprecated. These attributes have been replaced by the corresponding authentication flow attributes and will be removed in a future release. These attributes are managed by the v1 version of the resource rule APIs.

Once a resource rule has been updated by the v2 version of the resource rule APIs (including the IDaaS Administrator portal), it can no longer be accessed by the v1 version of the APIs.

The following models have been changed:

  • An attribute relyingPartyId has been added to FIDOToken. This value specifies the relying party from which the token was registered.
  • The attribute passkeyEnabled in AuthApiApplication and AuthApiApplicationParms has been deprecated. It is no longer used.
  • The attribute keyType has been added to DigitalIdConfigCertTemplate. This value specifies whether the key type RSA or ECC should be used.
  • The attribute redirectUrl has been added to MagicLinkCreateParms. This value specifies the optional redirect URL that can be included in a Magic Link.
  • The attributes lockedAuthenticatorTypes in User and type in UserAuthenticatorLockoutStatus have been updated to include the new authenticator types IDP, PASSKEY, and SMART_LOGIN.

Supported TLS Ciphers

IDaaS supports the following TLS Ciphers.

TLSv1.3:

  • TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
  • TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
  • TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)

TLSv1.2:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)

Support for the following TLS Ciphers was removed in IDaaS 5.32.

TLSv1.2:

  • TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048)
  • TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048)
  • TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)

Clients should stop using the following TLS Ciphers. Support for them will be removed in a future release.

TLSv1.2:

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.33 and the three previous releases 5.30, 5.31 and 5.32). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.

Browser Deprecation

Microsoft no longer supports Internet Explorer 11. Identity as a Service ceased support for Internet Explorer 11 after May 2023.

Release 5.32

· 9 min read

New in this release

Administrator Role Defined by Group Membership

IDaaS has a new group-based policy category that defines an Administrative role. This allows a customer to assign all members of a group an administrative role.

Registration Settings UI Restructured

The Registration Settings page has been restructured so that each category has its own page.

IDaaS now provides Magic Links that allow a user to register authenticators without requiring a password to authenticate. Magic Links can be delivered by email from IDaaS to the user or returned to customer applications using the Administration API.

Account Rename

The hostname for an account can now be modified by the Service Provider of that account. To support migration between hostnames, there is an option to keep the old hostname available.

Group Provisioning using SCIM

SCIM can now be used to provision groups and to provision group membership of users in IDaaS.

New Default SCIM Provisioning Role

There is now a new default role "SCIM Provisioning." This role contains the permissions required to perform provisioning to IDaaS using SCIM.

Asynchronous Account Creation

New account creation is now performed asynchronously. To support this, the account creation UI in the Service Provider portal has been extensively changed.

New APIs to support asynchronous account creation have been added to the Administration API. The existing APIs have been deprecated and will be removed in a future release.

Directory Synchronization Improvements

The following improvements have been made to directory synchronization.

  • User aliases can now be populated from a list of one or more directory attributes.
  • IDaaS attributes can now be defined as a composite of multiple directory attributes (for example, '<givenName> <sn>' to specify the user's full name) or a combination of directory attributes and static values (for example, 'ENTRUST\<samAccountName>' to specify the user's domain-qualified userID).

Replace Deleted Applications

When creating an Authentication API application, the administrator can now specify the unique ID of the application. This allows an administrator to recreate an application that was deleted with the same unique ID so that existing clients do not need to be reconfigured.

New Integrations

The following integrations have been added.

  • A new SAML application template for 15Five
  • A new SAML application template for Forest Admin
  • A new SAML application template for Freshservice
  • A new SAML application template for HubSpot
  • A new SAML application template for Jenkins
  • A new SAML application template for Miro
  • A new SAML application template for Onfido
  • A new SAML application template for ReviewInc
  • A new SAML application template for Splunk SOAR

Additionally, an integration guide is now available for the Epic Hyperdrive integration that was added in 5.31.

Fixed or changed in this release

  1. Fixed an issue where Java clients using the IDaaS APIs could not deserialize null arrays. (33036)
  2. Addressed issues in the Google Workspace integration guide. (32947, 33082)
  3. Updated the bulk import user sample to include securityId. (32872)
  4. Disabled the refresh operation for PKIaaS CAs for administrators that do not have permission to perform the operation. (32931)
  5. Removed the Referrer-Policy header that was added in 5.31. It caused issues with some IDaaS clients. (33110)
  6. Renamed the "SCIM Provisioning Management" role permission to "Outbound Provisioning Management". (32862)
  7. The audit generated when directory attributes are modified now includes the old and new values. (32859)
  8. When updating a SAML application when Override SAML Audience is checked, the Audience value is now required. (33034)
  9. Addressed issues in the "Integrate Microsoft Azure AD" Technical Guide. (32738, 33137)
  10. Improvements to SCIM User Provisioning documentation. (32933)
  11. Fixed broken link in "Integrate Nets E-Ident IDP Broker" section of Technical Guide. (33144)
  12. Addressed FIDO token registration issues using Safari on Mac. (32702, 32700)
  13. In the Service Provider portal, disable the Tenant report option for administrators that do not have permission. (33233)
  14. Users added to IDaaS by directory synchronization did not receive their new grid. (32811)
  15. Userid search options were disabled for accounts with more than 1 million users. The limit is now 3 million users. (33484)
  16. When creating a new SAML application, the Signature Type now defaults to the expected value. (33187)
  17. When creating a new SAML application, if only one SAML signing certificate is defined, it is automatically selected. (33188)
  18. IDaaS now allows the Authorization Bearer token passed to authenticated endpoints to contain more than one space. The standard specifies a single space but some clients include multiple spaces. (33107)
  19. Fixed a language selection issue where a user was asked to confirm a change when the default language was selected. (33286)
  20. Fixed an issue where changing the default account locale can result in the Admin portal displaying that locale instead of English. (32915)
  21. Improved text in Gateway download dialog to make it clear that the OVA can be installed onto more than just VMWare vSphere. (32069)
  22. When a FIDO token is registered, its origin is now audited. (31237)
  23. Changed the Registration page so that the authenticators are sorted. (30794)
  24. Improved validation of input on My Authenticator page. (15217)
  25. Fixed the issue on Password Reset policies page that prevented an administrator from unchecking Allow Email OTP Delivery. (33109)
  26. Enabling/updating tenant management configuration failed in some cases. (33200)
  27. When configuring an IDP, Security ID should not be allowed as an attribute used to identify the user. (33146)
  28. Improved the formatting of the Risk Factor Evaluation Results in authentication audits. (32497)
  29. The authenticator filter in the user list search criteria should only show authenticators that the administrator has permission to access. (31887)
  30. Fixed an issue that prevented the custom email server configuration from being saved when OAuth was reauthorized. (32536)
  31. In the User list, when the Last Authenticated before criterion is used, it includes users who have never authenticated. The UI now includes a note to indicate this. (32266)
  32. Users who were unable to use the OTP authenticator because they had no contact information were not getting the expected error response when Enable Enhanced Authentication Details was checked. (32628)

Changes to Identity as a Service APIs

Authentication API

The following models have been changed in this release.

  • serialNumbers in GridChallenge has been deprecated. Use gridInfo instead.

Administration API

The following APIs to support asynchronous account creation have been added in this release.

  • POST /api/web/v4/async/tenants (createTenantAsyncUsingPOST)
  • GET /api/web/v4/async/tenants/{id}/createstatus (getCreateTenantAsyncStatusUsingGET)
  • GET /api/web/v4/async/tenants/{id}/createresult (getCreateTenantAsyncResultUsingGET)

To create a new tenant from a Service Provider:

  • call createTenantAsyncUsingPOST to start the tenant creation.
  • call getCreateTenantAsyncStatusUsingGET repeatedly until the returned status indicates that the tenant creation is complete.
  • call getCreateTenantAsyncResultUsingGET to get the tenant creation result.
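The three-step procedure above as a client, written as an added example here rather than taken from Entrust's SDKs. Because the release notes do not show the response bodies, the example assumes the POST response carries the new tenant id in a field named "id" and the status response carries a "status" field whose terminal values are "COMPLETED" and "FAILED"; the HTTP transport is injected so the flow runs offline against a constructed fake, and polling is bounded so a stuck creation cannot hang the caller.

```python
"""Added example (not Entrust's code): drive asynchronous tenant creation.

Assumed field names and values (not stated in the release notes): POST response
"id"; status response "status" with terminal values "COMPLETED" / "FAILED".
"""
import time
from typing import Any, Callable, Dict, List, Optional, Tuple

# Injected transport: transport(method, path, json_body) -> parsed JSON dict.
Transport = Callable[[str, str, Optional[Dict[str, Any]]], Dict[str, Any]]

# Path from the release notes. No trailing slash: IDaaS rejects paths ending in "/".
ASYNC_TENANTS = "/api/web/v4/async/tenants"


class TenantCreationError(RuntimeError):
    """Raised when creation fails, returns no id, or does not finish in time."""


def create_tenant_async(
    transport: Transport,
    tenant_params: Dict[str, Any],
    poll_interval: float = 2.0,
    max_polls: int = 60,
    sleep: Callable[[float], None] = time.sleep,
) -> Dict[str, Any]:
    """Start creation, poll until a terminal status, then fetch the result."""
    # Step 1: createTenantAsyncUsingPOST starts the creation.
    started = transport("POST", ASYNC_TENANTS, tenant_params)
    tenant_id = started.get("id")  # assumed field name
    if not tenant_id:
        raise TenantCreationError("createTenantAsync returned no tenant id")

    # Step 2: getCreateTenantAsyncStatusUsingGET, repeated until terminal or max_polls.
    for _ in range(max_polls):
        status = transport("GET", f"{ASYNC_TENANTS}/{tenant_id}/createstatus", None)
        state = status.get("status")  # assumed field name and values
        if state == "COMPLETED":
            break
        if state == "FAILED":
            raise TenantCreationError(f"tenant {tenant_id} creation failed: {status}")
        sleep(poll_interval)
    else:
        raise TenantCreationError(
            f"tenant {tenant_id} still not complete after {max_polls} polls")

    # Step 3: getCreateTenantAsyncResultUsingGET returns the created tenant.
    return transport("GET", f"{ASYNC_TENANTS}/{tenant_id}/createresult", None)


class FakeIdaas:
    """Constructed offline stand-in for the three endpoints; records every call."""

    def __init__(self, statuses: List[str]) -> None:
        self.statuses = list(statuses)  # status returned by successive polls
        self.calls: List[Tuple[str, str]] = []

    def __call__(self, method: str, path: str,
                 body: Optional[Dict[str, Any]]) -> Dict[str, Any]:
        self.calls.append((method, path))
        if method == "POST" and path == ASYNC_TENANTS:
            return {"id": "tenant-0001"}  # constructed id
        if method == "GET" and path.endswith("/createstatus"):
            return {"status": self.statuses.pop(0)}
        if method == "GET" and path.endswith("/createresult"):
            return {"id": "tenant-0001", "hostname": "example-tenant.example.test"}
        raise AssertionError(f"unexpected call {method} {path}")


def _no_sleep(_seconds: float) -> None:
    """Skip the real wait so the offline scenarios run instantly."""


def run_scenarios() -> Dict[str, Any]:
    """Exercise success, server-side failure and polling timeout; return outcomes."""
    outcomes: Dict[str, Any] = {}

    ok = FakeIdaas(["IN_PROGRESS", "IN_PROGRESS", "COMPLETED"])
    outcomes["success"] = create_tenant_async(ok, {"name": "example"}, sleep=_no_sleep)
    outcomes["success_calls"] = len(ok.calls)  # 1 POST + 3 status polls + 1 result

    failed = FakeIdaas(["FAILED"])
    try:
        create_tenant_async(failed, {"name": "example"}, sleep=_no_sleep)
        outcomes["failed"] = None
    except TenantCreationError as exc:
        outcomes["failed"] = str(exc)

    stuck = FakeIdaas(["IN_PROGRESS"] * 5)
    try:
        create_tenant_async(stuck, {"name": "example"}, max_polls=3, sleep=_no_sleep)
        outcomes["timeout"] = None
    except TenantCreationError as exc:
        outcomes["timeout"] = str(exc)
    return outcomes


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```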

The following APIs to support registration of FIDO tokens using the administration API have been added in this release.

  • GET /api/web/v1/fidotokens/challenge/{id} (startCreateFIDOTokenUsingGET)
  • POST /api/web/v1/fidotokens/complete/{id} (completeCreateFIDOTokenUsingPOST)

The following APIs to support the management of Magic Links for registration have been added in this release.

  • PUT /api/web/v1/users/{userid}/magiclink (createMagicLinkUsingPUT)
  • DELETE /api/web/v1/users/{userid}/magiclink (deleteMagicLinkUsingDELETE)

The following APIs have been deprecated in this release.

  • POST /api/web/v4/tenants (createTenantUsingPOST). Tenants should be created using the new asynchronous methods described above.
  • GET /api/web/v1/serviceipaddresses (getServiceIPAddressesUsingGET). IDaaS accounts now have fixed IP addresses.

The following models have been added in this release.

  • CreateTenantSyncStatus contains the information returned from getCreateTenantAsyncStatusUsingGET.
  • FIDORegisterChallenge contains the information returned from startCreateFIDOTokenUsingGET.
  • FIDORegisterResponse contains the information passed to completeCreateFIDOTokenUsingPOST.
  • MagicLinkCreateParms contains the parameters passed to createMagicLinkUsingPUT.
  • MagicLinkResponse contains the information returned from createMagicLinkUsingPUT.
  • UserAlternateEmails contains information about alternative email addresses available to a user.

The following models have been modified in this release.

  • id has been added to AuthApiApplicationParms. When creating an authentication API application, the unique UUID of the application can be specified. If an ID is not specified, a random unique ID is generated for the new application.
  • created and lastModified have been added to Group. These values specify the date when the Group was created and last modified.
  • lockedAuthenticators in User has been deprecated. Use lockedAuthenticatorTypes instead.
  • alternateEmails has been added to User. This value lists all the alternate email addresses defined for the user.
  • magicLinkEnabled has been added to User. This flag indicates whether magic links are enabled for the user.
  • aliasMappingName has been added to Directory. This value specifies the list of directory attributes whose values will be mapped to user aliases.
  • previousHostname has been added to Tenant. If set, this value specifies the previous hostname of an account after it has been renamed.

Changes to Identity as a Service SDKs

  1. The order of parameters in the API functions may change. Refer to the clients' documentation for the correct order.
  2. The Python SDK no longer supports accessing properties using dictionary keys. Access properties using object attributes.
  3. IDaaS no longer accepts paths that end in /. For example, previously both /api/web/v4/async/tenants and /api/web/v4/async/tenants/ would have been accepted. Now only /api/web/v4/async/tenants will work.
  4. The 5.30 and 5.31 Java SDKs did not support models from newer versions of IDaaS that contain new attributes. This issue has been fixed in the 5.32 SDKs.

Supported TLS Ciphers

IDaaS supports the following TLS Ciphers.

TLSv1.3:

  • TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
  • TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
  • TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)

TLSv1.2:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)

Support for the following TLS Ciphers was removed in IDaaS 5.32.

TLSv1.2:

  • TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048)
  • TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048)
  • TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)

Clients should stop using the following TLS Ciphers. Support for them will be removed in a future release.

TLSv1.2:

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.32 and the three previous releases 5.29, 5.30 and 5.31). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.

Browser Deprecation

Microsoft no longer supports Internet Explorer 11. Identity as a Service ceased support for Internet Explorer 11 after May 2023.

Release 5.31

· 13 min read

New in this release

Device Verification using Certificates

A new Device Certificates risk factor has been added to Resource Rules. When configured, this risk factor passes only if the client can perform client-authenticated SSL with a certificate issued by a trusted CA.

When configuring Certificate Authorities, the customer can now configure Issuing CAs (the existing capability of configuring CAs that issue smart credentials) and Trusted CAs (a new capability for configuring CAs that have issued the certificates on users' devices).

Device certificates are supported for SAML and OIDC applications as well as the IDaaS portals.

Certificate Details for mPKI CA Smart Credentials

A new Certificate action is available for Smart Credentials using an mPKI CA. The Certificate action lists the certificates issued to the selected Smart Credential and allows an administrator to manage those certificates. Previously this action was only available for Smart Credentials using a PKIaaS CA.

Resource Rule Risk-factor Enhancements

The Risk-factors in resource rules have been enhanced to include a Deny Access option. When the Deny Access option is enabled for a risk factor, access to the application is denied if that risk factor fails regardless of the results of the other risk factors.

OIDC Claim Enhancements

Custom OIDC Claims can be defined and associated with any OIDC application. Claims can be defined to always be returned with User Info or with the ID Token. The way attributes are mapped to OIDC claims has been improved.

Microsoft AD Strong Authentication

Microsoft Windows is changing to require that certificates used for smart-card login include the user's security identifier as an extension. IDaaS has been enhanced to include a new user attribute to store the user's security identifier and to encode this value into smart credentials. Additionally, AD and Azure directory sync have been enhanced to retrieve this value from the customer's directory and store it for IDaaS users.

If you have a CA that was created before this release, you will need to update the CA configuration to support Security Identifiers.

  • For an Entrust PKIaaS CA, there is a new Refresh action available from the IDaaS Issuing Certificate Authority list. This will update the necessary CA configuration.
  • For an Entrust mPKI or Microsoft CA, the certificate profiles managed from the CA will need to be updated.

Identity Provider Enhancements

The following enhancements have been made to identity providers:

  • A new identity provider IDVaaS has been added supporting integration with Entrust's Identity Verification as a Service.
  • When configuring an identity provider, additional checks can be configured that ensure IDP claim values match existing IDaaS user attributes to successfully complete IDP authentication.

Administration API Long-Lived Token

An administration API application can be configured to support long-lived tokens. When creating an administration API application or refreshing its shared secret, a long-lived token is available if enabled for the application. When invoking an administration endpoint, the long-lived token can be passed in place of the authentication token returned from the administration API authentication endpoint. The long-lived token does not expire, meaning that client applications do not need to refresh the authentication token periodically.

User Provisioning using System for Cross-Domain Identity Management (SCIM)

IDaaS users can now be managed by third-party clients using SCIM.

SAML Enhancements

The following enhancements have been made to SAML applications:

  • A SAML application can now define multiple Assertion Consumer Service (ACS) URLs.
  • Each SAML application now has a public endpoint that returns the SAML metadata for the application. This endpoint can be used by SAML service providers that automatically fetch the SAML metadata.
  • SAML applications can now be configured to specify the audience returned in SAML assertions. The audience can either be specified in IDaaS or requested from the SAML SP as a parameter.

Manage Inactive Users

IDaaS now allows a customer to block users from authenticating if they have not authenticated within a configured period of time.

User Search/Report Enhancements

The following enhancements have been made to user search/export capabilities:

  • The user search criteria have been enhanced to allow an administrator to search for users who have not authenticated in a period of time. Previously, only searching for users who had authenticated in a period of time was supported.
  • The user export operation has been enhanced to allow an administrator to export customer defined attributes.

Phone/Email Verification APIs

New administration APIs have been added that allow a customer application to verify that a user owns a given phone number or email address.

User Portal Improvements

The following enhancements have been made to the user portal:

  • Users synchronized from AD were unable to modify any contact values. Now they are only blocked from modifying contact values synchronized from AD. Other contact values can be modified.

New Passkey/FIDO2 Registration Policies

The following new policies have been added to the Passkey/FIDO2 Authenticator policies to control registration.

  • User Verification - controls whether the user must be verified.
  • Resident Key (User ID stored) - controls if the user ID is stored on the token during registration. This is required if the token is to be used for passwordless Passkey authentication where the user does not need to enter their user ID.
  • Authenticator Attachment (platform or cross-platform) - controls whether a platform type, cross-platform type or either type of token can be registered.

Additionally, the option to select whether the User ID is stored during registration has been removed from the token registration dialog. The behavior is now controlled by policy.

Rate Limiting

Rate limiting is now enforced for trial accounts. The current limits are:

  • Authentication requests: 5 requests per second (50 requests in a 10-second time window)
  • Requests to retrieve audits: 1 request per second (10 requests in a 10-second time window)
  • Administration requests: 3 requests per second (30 requests in a 10-second time window)

New Integrations

The following integrations have been added.

Additionally, the existing RADIUS integration Fortinet has been renamed to Fortinet-FortiGate.

Fixed or changed in this release

  1. Some dates in IDaaS API responses included milliseconds and some did not. Now all date values are consistent and do not include milliseconds. (31481)
  2. Refreshing the page after changing the user locale in the User portal prompts the user to change the locale back to the original value. (31955)
  3. Changing the locale on the login page is not always correctly applied. (31962, 32025, 32107)
  4. The TLS configuration of the IdentityGuard Agent on the Enterprise Service Gateway (ESG) has been updated. It now supports TLSv1.2 and TLSv1.3 and the ciphers TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384. (16301, 31970)
  5. When importing Mobile SDK push notification credentials into IDaaS, the credentials were rejected if they contained extra fields not used by IDaaS. Now those fields are ignored and the credentials are imported. (32040)
  6. When configuring the Knowledge-Based Authenticators Minimum Challenge Size and Default Challenge Size a value of 1 should be allowed. (32523)
  7. The error message displayed when trying to delete a group assigned to an unassigned grid card was incorrect. (31475)
  8. The messages displayed in the Service Provider portal for the delete tenant dialog and the reset resource rule dialogs were incorrect. (31950)
  9. The smart credential activation dialog was not formatted correctly for some locales. (31590)
  10. When creating a CA the UI now prevents the administrator from entering a duplicate name. (32507)
  11. When creating a custom role the UI crashes when trying to add a group. (32061)
  12. When a locale is selected during authentication it is not used if the user needs to register. (32015)
  13. When a service provider unlocks administrators of a tenant it should not make service provider administrators in that tenant active. (32382)
  14. The audit generated when removing a RADIUS application should not list all the attributes of the application. (31133)
  15. Improve the formatting of the Registration Settings page. (31974)
  16. When a user has a FIDO/Passkey token registration for another application, the user portal registration should require that the user register a FIDO/Passkey token for the user portal. (31606)
  17. The audit displayed when a user used a temporary access code as a replacement for a token erroneously stated Grid authentication instead of Token authentication. (32018)
  18. The UI now trims leading and trailing whitespace for the Password Expiry Notification Days setting. (31983)
  19. Improved handling if the user currently logged into the user portal does not match the userid specified in the password expiry link. (31927)
  20. Improved how the number of days until your password expires shown in the password expiry notification email is calculated. (31976)
  21. The smart credential unblock dialog has been refreshed. (31363)
  22. If a duplicate expected location is added to the RBA settings an error is now returned. Previously duplicates were removed without error. (29346)
  23. Improvements made to the OIDC application audits to remove some UUID values that were audited. (24876)
  24. When changing the password in the portal for users in a group with a group-specific password expiry policy, the password expiry date from the global policy was used. (32341)
  25. Client Credentials Grant for OAuth2 resources are now sorted. (31520)
  26. Change Password dialog displayed wrong password rules for Include Lowercase set to Not Allowed. (32383)
  27. The User Portal session expiry warning dialog can display negative values until expiry. (32019)
  28. Users with alternative email addresses for OTP may not see the Alternative Authentication option during login. (32647)
  29. The default Group Name Attribute for AD directory synchronization has been changed from sAMAccountName to cn. This change only applies when creating new directories and not to existing directories. (31090)
  30. Access to the user location history page in the Administration portal required the settings View permission which should not be required. (31545)
  31. The Export Audits dialog in the Administration portal does not display the Filters value if it is set to 1 Hour. (31944)
  32. The AD Connector page may crash in the UI if the administrator does not have the necessary permission to view it. (32633, 32656)
  33. Dates included in Emails are in English and do not use the user's locale. (15278, 31769)
  34. ActiveSync Device authentication issues have been addressed. Only OAuth authentication is supported now. (32199, 32730)
  35. The "Prepare Identity as a Service for Salesforce" link in the Technical Integration Guide is broken. (32060)
  36. Email template preview triggers browser console error. (31899)
  37. Unable to set the attribute mapping for an Azure directory configuration. (32512)
  38. For APIs that do not return a result, the API guides in the developer portal now show the response as "Successful" instead of "No Response". (31024)

Changes to Identity as a Service APIs

Authentication API

The following models have been updated in this release:

  • authToken has been added to UserAuthenticateQueryParameters. If passed to the authentication query, the query will determine if authentication is allowed with the given auth token.
  • authenticationCompleted has been added to UserAuthenticateQueryResponse. It indicates if further authentication is required when the auth token was passed as a parameter.
  • deviceCertAuthDesired has been added to UserAuthenticateQueryResponse. This attribute is currently not used by the public authentication API.
  • deviceCertAuthDesired has been added to AuthenticatedResponse. This attribute is currently not used by the public authentication API.
  • registrationAuthenticatorAttachment, registrationRequireResidentKey and registrationUserVerification have been added to FIDORegisterChallenge. These attributes are arguments that describe how the FIDO token should be registered.

Administration API

The following APIs have been added in this release:

  • POST /api/web/v1/contact/verification/challenge (contactVerificationChallengeUsingPOST)

    Given a phone or email contact value this method sends an OTP challenge to the contact using email or SMS.

  • POST /api/web/v1/contact/verification/authenticate (contactVerificationAuthenticateUsingPOST)

    Validate the challenge generated by a previous call to contactVerificationChallengeUsingPOST.

The following models have been added in this release:

  • OTPVerificationChallengeValue contains the parameters passed to contactVerificationChallengeUsingPOST.
  • OTPVerificationChallengeResponse contains the response returned from contactVerificationChallengeUsingPOST.
  • OTPVerificationAuthenticateValue contains the parameters passed to contactVerificationAuthenticateUsingPOST.
  • OTPVerificationAuthenticateResponse contains the response returned from contactVerificationAuthenticateUsingPOST.
  • DeviceCertificateContext defines the device certificate context for a resource rule.

The following models have been updated in this release:

  • inactivityGracePeriod has been added to GeneralSettings. This attribute specifies the grace period an administrator can grant to a user who has been deactivated due to inactivity, during which the user can still authenticate.
  • manageInactiveUsers has been added to GeneralSettings. This attribute specifies if inactive users are blocked from authenticating.
  • userInactivityThreshold has been added to GeneralSettings. This attribute specifies the amount of time a user has to be inactive before they are blocked from authenticating.
  • frozen has been added to User. This attribute specifies if a user has been frozen (blocked from authenticating) due to inactivity.
  • frozenGracePeriod has been added to User. If a user blocked from authenticating due to inactivity has been granted a grace period by the administrator, this attribute specifies when that grace period expires.
  • securityId has been added to User and UserParms. This attribute specifies the user's security identifier and is used to encode the value into the certificates of their smart credentials, which will become a requirement to support Microsoft Windows smart-card login.
  • userCreationTime and lastModified have been added to User. These attributes specify the date the user was created and last modified.
  • applyGracePeriod has been added to UserParms. This attribute is used to specify a grace period to users who have been blocked from authenticating due to inactivity.
  • allowLongLivedToken has been added to AdminApiApplication and AdminApiApplicationParms. This attribute specifies if a long-lived token can be used to authenticate to this admin API application.
  • denyAccess has been added to DateTimeContext, DeviceCertificateContext, IpContext, KbaContext, LocationContext, LocationHistoryContext, MachineContext, TransactionContext and TravelVelocityContext. This attribute specifies if access to the application associated with the resource rule is denied if this context does not pass evaluation.
  • deviceCertificateContext has been added to ResourceRule. This attribute returns the device certificate context of a resource rule.
  • deviceCertificateContext and removeDeviceCertificateContext have been added to ResourceRuleParms. These attributes allow the device certificate context of a resource rule to be set or deleted.
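The inactivity attributes listed above interact in a way that is easier to see in code. The following added example is a small policy model written for this page, not IDaaS code: it reuses the attribute names from the list (manageInactiveUsers, userInactivityThreshold, inactivityGracePeriod, frozen, frozenGracePeriod) as plain dataclass fields, the 90-day and 7-day defaults and the `day()` epoch helper are constructed, and the rule that a successful authentication clears the frozen state is an assumption of the model.

```python
"""Constructed model of the inactivity freeze / grace-period settings (not IDaaS code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class GeneralSettings:
    manageInactiveUsers: bool = False                       # block inactive users at all?
    userInactivityThreshold: timedelta = timedelta(days=90)  # constructed default
    inactivityGracePeriod: timedelta = timedelta(days=7)     # constructed default


@dataclass
class User:
    userId: str
    lastActivity: datetime
    frozen: bool = False
    frozenGracePeriod: Optional[datetime] = None             # when an admin-granted grace period expires


def day(n):
    """Constructed time helper: n days after an arbitrary fixed epoch."""
    return datetime(2024, 1, 1, tzinfo=timezone.utc) + timedelta(days=n)


def refresh_frozen_state(user, settings, now):
    """Mark the user frozen once they have been inactive longer than the threshold."""
    if settings.manageInactiveUsers and now - user.lastActivity > settings.userInactivityThreshold:
        user.frozen = True
    return user.frozen


def apply_grace_period(user, settings, now):
    """Administrator action (applyGracePeriod): let a frozen user authenticate for a limited window."""
    if not user.frozen:
        raise ValueError(f"{user.userId} is not frozen; nothing to grant")
    user.frozenGracePeriod = now + settings.inactivityGracePeriod
    return user.frozenGracePeriod


def may_authenticate(user, settings, now):
    """Policy decision for an authentication attempt at time `now`."""
    if not refresh_frozen_state(user, settings, now):
        return True
    # Frozen users get through only inside an unexpired grace period.
    return user.frozenGracePeriod is not None and now <= user.frozenGracePeriod


def record_successful_authentication(user, now):
    """Model assumption: a successful login refreshes activity and clears the frozen state."""
    user.lastActivity = now
    user.frozen = False
    user.frozenGracePeriod = None
```

The point the model makes is that the grace period is bounded and only ever granted explicitly to an already-frozen user; with manageInactiveUsers off, none of the other settings have any effect.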

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.31 and the three previous releases 5.28, 5.29 and 5.30). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.

Microsoft Windows 2012 Deprecation

Microsoft will stop supporting Windows Server 2012 and Windows Server 2012 R2 in October 2023. At that time, Identity as a Service will no longer support clients running on these platforms where they do not support up-to-date TLS ciphers.

Browser Deprecation

Microsoft no longer supports Internet Explorer 11. Identity as a Service ceased support for Internet Explorer 11 after May 2023.

Release 5.30

· 8 min read

New in this release

SAML Signing Certificate Enhancements

SAML Signing Certificates have been enhanced to support a signing key and certificate issued by a CA (for example, using a P12 file). Additionally, the option to generate a PKCS#10 certificate-signing request (CSR) has been enhanced to offer stronger key size options, signing algorithm options, and an optional challenge password.

SAML Metadata Enhancements

Exported SAML Metadata now also contains the set of configured SAML Attributes.

Authentication Locale Enhancements

When a user chooses a different locale when authenticating to the IDaaS User Portal, the user is given the option to store the new locale as their default. The locale is used to localize any messages (such as an OTP Email or SMS) sent during authentication.

Password Expiry Notification

IDaaS now includes the ability to deliver password expiry notifications to users when their password approaches or reaches expiry. The expiry notification can be sent using EMail or SMS. EMail notifications can include a link to take the user to the password change dialog in the IDaaS user portal.

FIDO2/Passkey Authentication API Support

The IDaaS authentication API now includes FIDO2 and Passkey authentication options. APIs for a user to register FIDO2 tokens are also available.

IDaaS Portal Improvements

The password entry field on the login and password change pages now include an option to view the password.

The change user password dialog has been refactored. Additionally the URL https://<hostname>/#/?redirect=password&userid=<userid> (for example, https://myaccount.us.trustedauth.com/#/?redirect=password&userid=myuserid) takes the user directly to the password change dialog in the User Portal after authentication.

Enterprise Service Gateway Updates

The version of MS CA Proxy used with IDaaS has been updated. Customers that are using IDaaS with Microsoft CAs should update the version of MS CA Proxy they have installed when they upgrade their ESG.

The ESG install documentation now includes a procedure that describes how to configure the ESG UI to use a public CA issued SSL certificate.

New OIDC Integrations

A new OIDC/OAuth application template has been added for OAuth2 Native Apps (RFC 6749 section 4.3).

New RADIUS Integrations

A new RADIUS application template has been added for Fortinet.

Fixed or changed in this release

  1. In past releases some customers encountered issues with their ESG when the underlying VM was modified. This required that the ESG be re-initialized to recover. This issue has been addressed. (30855)
  2. User Provisioning has been optimized to not perform provisioning for some user changes that do not require reprovisioning. (31311, 31323)
  3. Address issues in User Provisioning where users were not provisioned or deprovisioned for some group changes. (31317, 31434)
  4. User Provisioning related audits have been improved. (31312, 31294)
  5. User Provisioning should not be enabled for Service Providers that are not Premium accounts. (31396)
  6. Improvements to User Provisioning where attributes, including locale and some custom attributes, were not provisioned as expected. (31278, 31314, 31341)
  7. Improvements to User Provisioning configuration to prevent invalid values from being configured and other UI improvements. (31326, 31461, 31492, 31496)
  8. The notification sent to users when an authenticator is locked specified the wrong action. (31376)
  9. Improved the label for the Smart Credential > Activation Lifetime setting in the UI. (31411)
  10. Audits for FIDO2 authentication now distinguish between a userId that was entered by the user and a userId that was obtained from the FIDO2 token. (30284)
  11. Improvements to Identity Provider configuration for Microsoft Identity Providers. (29118)
  12. Improve audit details when the attribute filters for a SAML application are updated. (29222)
  13. Fix a problem with Entrust soft token activation when the maximum time steps policy was set to 1. (31397)
  14. Improved error message returned when invalid values were provided for Google Max. Time Steps and Max. Reset Time Steps settings. (29721)
  15. Some links to documentation in IDaaS admin portal were broken. (30976)
  16. RADIUS applications with External first-factor can now be configured to skip second-factor authentication. (31052)
  17. Password blocklist did not allow the last value to be deleted. (31402)
  18. Admin API authentication now ignores leading or trailing whitespace in the applicationId. (29297)
  19. Improve errors logged when attempting to delete external users using the bulk delete user operation. (29530)
  20. Fixed issues with date filters for authentication counts in the Admin Portal dashboard. (31519, 31522)
  21. The UI in the Admin Portal for adding custom OIDC attributes has been updated. (31674)
  22. Improve the audit for modifying OIDC applications to not include attributes that have not been changed. (31399)
  23. The audit for delete grid card showed the action in lowercase. (31423)
  24. The Admin Portal did not allow email addresses with leading or trailing whitespace. The whitespace is now automatically trimmed. (28895)
  25. When creating a new site role, the option to delete groups was missing. (31189)
  26. Log file for IdentityGuard bulk import operation now includes more information about errors. (30645)
  27. The Azure AD reauthenticate audit used a non-standard date format for the authorizationDate value. (31443)
  28. Generic Device OIDC applications should not be clickable in the User Portal. (30456)
  29. When configuring a Microsoft CA in the Admin Portal, fix some formatting issues when the configuration is displayed. (31254)
  30. When configuring Authorization, OIDC applications created to support Service Provider administration should not be allowed for Client Credentials Grants. (31419)
  31. The list of OIDC applications listed for Add Client Credentials Grant for Authorization should be sorted. (31418)
  32. OIDC applications without an Initial Login URI configured should not be clickable in the User Portal. (30458)
  33. The IDaaS portal has been improved to support authentication in browsers that do not support local storage which is common for browsers running in protected mode or on mobile devices. (31641, 29604, 27564, 30924, 30224)

Changes to Identity as a Service APIs

Authentication API

The following APIs have been added in this release:

  • POST /api/web/v1/authentication/passkey (requestPasskeyChallengeUsingPOST)

    Create a Passkey authentication challenge to begin Passkey authentication.

  • GET /api/web/v1/self/fidotokens (startFIDORegisterUsingGET)

    Get a FIDO token registration challenge for the authenticated user.

  • POST /api/web/v1/self/fidotokens (completeFIDORegisterUsingPOST)

    Complete registration of a FIDO token for the authenticated user.

The following models have been added in this release:

  • FIDORegisterChallenge. This model contains the attributes returned from startFIDORegisterUsingGET.
  • FIDORegisterResponse. This model contains the attributes passed to completeFIDORegisterUsingPOST.
  • PasskeyChallengeParameters. This model contains the attributes passed to requestPasskeyChallengeUsingPOST.
  • PasskeyChallengeResponse. This model contains the attributes returned from requestPasskeyChallengeUsingPOST.

The following models have been updated in this release:

  • locale has been added to UserChallengeParameters and UserAuthenticateParameters. If specified, this value specifies the locale to be used when generating messages sent for the authentication challenge or the authentication complete operation. If not specified, the user's default locale is used.
  • origin has been added to UserChallengeParameters and UserAuthenticateParameters. If specified, this value specifies the origin of FIDO tokens. Only FIDO tokens registered with this origin are used for authentication.
  • In previous releases, the response and newPassword attributes of UserAuthenticateParameters were erroneously labelled as required attributes. These attributes are optional.

Administration API

The following APIs have been added in this release:

  • PUT /api/web/v1/users/{userid}/password/notify (sendPasswordExpiryNotificationUsingPUT)

    This API sends a password expiry notification to the specified user.

The following models have been updated in this release:

  • expiryNotificationDate has been added to UserPassword. This attribute specifies the next time that a password expiry notification will be delivered.
  • passkeyEnabled has been added to AuthApiApplication. This attribute indicates if the application supports Passkey authentication.
  • origin has been added to FIDOToken. This attribute indicates the origin from which this token was registered.
  • showNotification has been added to User. This attribute is currently not used.

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.30 and the three previous releases 5.27, 5.28 and 5.29). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.

Microsoft Windows 2012 Deprecation

Microsoft will stop supporting Windows Server 2012 and Windows Server 2012 R2 in October 2023. At that time, Identity as a Service will no longer support clients running on these platforms where they do not support up-to-date TLS ciphers.

Browser Deprecation

Microsoft no longer supports Internet Explorer 11. Identity as a Service will cease support for Internet Explorer 11 after May 2023.

Release 5.29

· 8 min read

New in this release

User Provisioning

IDaaS now supports provisioning of users to 3rd-party services using the System for Cross-domain Identity Management (SCIM) protocol. The first release of this feature has been tested against Salesforce.

Identity Provider Enhancements

The following enhancements have been made to Identity Providers:

  • A new user verification policy has been added to require a user to approve a user verification message. When configured, users must approve the message in order to complete verification. Administrators configure the user verification messages on the IDaaS Theme page.

  • An Administrator can configure IDaaS to find users using the User Principal Name attribute or an IDaaS custom attribute during Identity Provider authentication. This is in addition to finding users using the Userid/Alias attribute.

Token Reset Bulk Operation

A new bulk operation to perform token reset for a list of tokens has been added.

New Option on SAML/OIDC Applications to Disable Go Back Button

A new option has been added to SAML and OIDC applications that allows an administrator to disable the Go Back button that is present during authentication.

Options to configure the User Portal

The following options have been added to allow an administrator to configure the IDaaS User Portal:

  • Options to select a default tab and additional tabs that appear on the User Portal. The default tab is the landing page tab when a user logs in.
  • A setting to specify the URL of the User Guide User Portal help. If set, the User Guide Help option displays this document instead of the default IDaaS documentation. This allows a customer to provide custom documentation.

Create Grid Action in User Portal

Users can now create their own grids in the User Portal. Previously, only administrators could create grids for users.

Fixed in this release

  1. When deleting, enabling, or disabling a smart credential from the User portal, the audit specified the Admin portal. (28966, 29007)
  2. When changing the variable values of a smart credential, the audit does not indicate which values were changed. (29009)
  3. Sync add user audit specified edit permission instead of add permission. (29673)
  4. User registration dialog and registration emails for Mobile smart credential contained outdated links for both Android and iOS apps. (30906, 30908)
  5. User portal smart credential activation dialog is missing option to download Android and iOS apps. (30877)
  6. Updated the encryption of PDF eGrids to use AES-256. (30949)
  7. Unable to delete KBA word maps. (30960)
  8. Errors updating KBA word maps. (30793)
  9. KBA word maps defined in a per group policy were not correctly applied. (30947)
  10. Improve the logs generated for the IdentityGuard (Identity Enterprise) import. (30941)
  11. When importing tokens using the IdentityGuard (Identity Enterprise) import, the token set name from IDE is imported into the IDaaS token label. (31038)
  12. When importing tokens using the IdentityGuard (Identity Enterprise) import, if the token has push authentication enabled, the push authentication is now enabled in IDaaS during import rather than after the first time the user uses the Entrust Identity application after migration. (30899)
  13. Creating a smart credential in the User portal sends multiple activate requests. (30248)
  14. When adding a contact in the User portal, the generated audit specifies user add. It should be user edit. (29556)
  15. When a resource rule is cloned, the UI displays Edit Resource Rule. It should be Add Resource Rule. (31130)
  16. When checking user aliases for uniqueness, white space was ignored. White space is significant. (31059)
  17. When a resource rule Date/Time context was set without a time zone, it displayed as an unknown value the next time the resource rule was viewed. (30898)
  18. When a resource rule Date/Time context was set, the start time may not be set correctly resulting in situations where it was rejected. (30669, 30900)
  19. When a second-factor authenticator is checked in the resource rule it should automatically sort above all unselected authenticators. (31015)
  20. Display a proper error message if a cloned resource rule is created with an existing name. (31012)
  21. When viewing a resource rule as an administrator that does not have write access the External Risk Engine settings should be read-only in the UI. Note that IDaaS correctly rejects the edit request if submitted. (30792)
  22. The performance of LDAP queries performed by the directory sync agent on the Enterprise Service Gateway has been improved. (27563)
  23. The RADIUS agent option to perform first-factor AD password authentication directly to AD was broken. (30041)
  24. The SIEM agent on the Enterprise Service Gateway could stop sending logs to syslog for some network connectivity issues. (30701)
  25. The layout of PDF eGrids has been improved. (30657)
  26. The authentication types and actions included in the authenticator change notification email are not localized. (30436)
  27. Unable to remove the email value from a schedule report. (30655)
  28. In the Admin UI, fix the tab order between fields for the EMail Server OAuth Settings page. (30472)
  29. When configuring an EMail server to use OAuth, the defined scope may be removed if the OAuth server returns a null scope. (30471)
  30. When configuring an EMail server to use OAuth, require the OAuth server to be reauthorized if the OAuth data changes. (30795)
  31. When testing EMail server configuration for a server configured to use OAuth, only try the test a single time if the OAuth refresh token is expired. (30785)
  32. Improve the audit for Email server configuration changes to show which attributes changed. (30814)
  33. When accessing the Email server settings, the OAuth Authorize action should be disabled if the administrator does not have edit permission. (30557)
  34. Improve the error messages displayed in the User portal when using FIDO/Passkey authentication. (30384)
  35. Reports can get stuck in the schedule state preventing new reports from being started. These reports are now automatically cancelled. (29761, 31164)
  36. Accounts with the standard bundle should have access to use IP lists. (30568)
  37. The audit generated when modifying User RBA Settings is missing the admin permission. (29717)
  38. Fix how the User Portal Change Password dialog is loaded on a slow network so that it does not display until fully rendered. (22039)
  39. When modifying Active Sync settings, the Save button should not be enabled until the Test operation completes. (27969)
  40. OAuth scopes during authentication are not sorted in the display. (30850)
  41. Add gateway audit included information about DB proxy that is not applicable and is now removed. (29472)
  42. Audit for unassigning a grid from a user should include the userId of the user. (29339)
  43. When all user entitlements have been consumed, synchronizing an inactive user fails. Inactive users do not consume an entitlement. (29135)
  44. Warning message displayed when editing a resource rule that has Identity Providers associated with it should only be displayed for resource rules associated with OIDC and SAML applications. (30823)
  45. The default Date Range for audit and authentication searches performed on the Admin portal dashboard has been changed from 24 hours to 1 hour.
  46. All new Facebook Identity Providers must use openid scope. (31350)

Changes to Identity as a Service APIs

  1. IDaaS API documentation has been refactored and moved to the Developer Portal.
  2. Dropped support for .NET Core 3.1 for CSharp clients and added support for .NET Framework 4.8.

Changes in this release

The following changes have been made to address issues or enhance existing functionality.

  1. All existing Facebook Identity Providers that do not use openid will require an update to use openid.

Authentication API

The following APIs have been updated in this release:

  • POST /api/web/v2/authentication/users (userAuthenticatorQueryUsingPOST)

  • POST /api/web/v1/authentication/users (userAuthenticatorQueryUsingPOST)

  • POST /api/web/api/v1/authentication/users (userAuthenticatorQueryUsingPOST)

    - returnDefaultChallenge has been added to UserAuthenticateQueryParameters. This attribute is used to indicate whether a challenge should be returned for the default authenticator.
    - The following attributes are also added to UserAuthenticateQueryParameters to support returning the default challenge (see UserChallengeParameters for details): summary, priority, requestDetail, pushMessageIdentifier, tokenPushMutualChallengeEnabled, offlineTVS.
    - UserAuthenticateQueryResponse has been updated to include the following attributes with the default challenge information (see AuthenticatedResponse for details): otpDeliveryType, kbaChallenge, gridChallenge, tokenDetails, fidoChallenge, tokenChallenge, tempAccessCodeChallenge, tokenPushMutualChallenge.
    - authenticatorLockoutStatus has been added to UserAuthenticateQueryResponse. This attribute contains detailed user authenticator lockout information. This behavior is controlled by the General policy enableEnhancedAuthenticationDetails.

  • POST /api/web/v1/authentication/users/authenticate/{authenticator}/complete (userAuthenticateUsingPOST)

  • POST /api/web/api/v1/authentication/users/authenticate/{authenticator}/complete (userAuthenticateUsingPOST)

    - Providing a JWT in the Authorization header is now optional. This change allows a user to be authenticated with a single API call for authenticators that do not require a challenge.

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.29 and the three previous releases 5.26, 5.27 and 5.28). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway O/S.

Microsoft Windows 2012 Deprecation

Microsoft will stop supporting Windows Server 2012 and Windows Server 2012 R2 in October 2023. At that time, Identity as a Service may no longer support clients running on these platforms where they do not support up-to-date TLS ciphers.

Browser Deprecation

Microsoft no longer supports Internet Explorer 11. Identity as a Service will cease support for Internet Explorer 11 after May 2023.

Release 5.28

· 6 min read

New in this release

External Risk Engine Support

IDaaS has extended risk-based authentication to include risk factors from external providers. These external providers can track additional information about a user session to determine whether this is likely the user. Only authentications using the Authentication API support External Risk Engines.

PDF eGrid Automatic Delivery

Grid delivery can be configured so that a PDF eGrid is automatically delivered to the user when a new grid is created. Additionally, a new option has been added to registration so that a grid is automatically created when a user is created.

Resource Rule Improvements

The following enhancements have been made to resource rules:

  • For customers that are not using resource rule contexts to choose between different risk levels, a new simplified resource rule is shown that hides all of the unused configurations.
  • When creating an additional resource rule for an application, the existing resource rule can be cloned.
  • The information included in an authentication audit has been enhanced to show how the authentication decision was reached.

Fixed in this release

The following issues have been fixed in this release.

  1. A bash script has been added to the Enterprise Gateway to allow administrators to easily configure the static IP address of the Enterprise Gateway. The script can be found at /home/entrust/tools/setup_static_ip.sh and requires sudo privileges to run. The script prompts for the interface name, IP address, netmask, network gateway, and DNS server. After the script runs, users must then use the cockpit to register the Enterprise Gateway with Identity as a Service. (30106)
  2. IDaaS features that use OAuth to authenticate to 3rd-party services have been refactored to use common OAuth functionality. These services include External Email, secure device provisioning, and Azure AD directories. Improvements include better handling of expired auth tokens. (30467)
  3. A customer can now create multiple bulk operations of the same type. The bulk operations will be queued and run one at a time. Previously a second bulk operation could not be created until the first operation had completed. (29735)
  4. FIDO2/Passkey token registration error handling in the User portal has been improved to better handle the error caused when the user has registered the maximum allowed number of FIDO2/Passkey tokens. (30403)
  5. The password state icon shown in the User portal authenticator list could be truncated. (30451)
  6. The subject of Emails sent to deliver eGrids to users were not translated for non-English locales. (30431)
  7. Improved the bulk operation create dialog display when a long description is entered. (30506)
  8. Audits generated when a user was updated as part of a directory sync operation indicated the audit was for the Gateway Agent instead of the user. Also, all user attributes were listed instead of just the attributes that changed. (28154)
  9. Enhanced the user list password expiry filter to differentiate between a password that has expired and a password that never expires. (28311)
  10. The AD Connector Delete Group operation has been renamed from "Delete Group" to "Delete AD Connector Group" so that it does not get confused with deleting IDaaS groups. (29769)
  11. Importing a grid export file generated by Identity Enterprise was broken. (30493)
  12. Password could not be reused even after password history was cleared. (30083)
  13. An OIDC Generic Server Application should not show the "Authentication Flow" option because this type of OIDC application does not support the standard authentication flows. (30376)
  14. Disable input fields when displaying a resource rule for administrators that do not have write access. The Save button was correctly disabled. (30569)

Changes to Identity as a Service APIs

The swagger files provided for the IDaaS APIs have been updated from Swagger (OpenAPI 2.0) to OpenAPI 3.0.

Authentication API

The concept of self-management APIs has been introduced; these APIs are included in the IDaaS authentication APIs. To use a self-management API, the customer application must do the following:

  • Use the authentication API to authenticate the end user which generates an authToken.
  • Call a self-management API providing the authToken as an authentication token. The self-management API will act on the user associated with the authToken.

The following self-management APIs have been added in this release:

  • POST /api/web/v1/self/values (selfSetUserClientValuesUsingPOST) - store the specified list of name/value pairs for the user.
  • GET /api/web/v1/self/values (selfGetUserClientValuesUsingGET) - return the stored name/value pairs from the user.
  • PUT /opt/web/v1/self/values (selfDeleteUserClientValuesUsingPUT) - delete the named name/value pairs from the user.

The following models have been added in this release:

  • UserClientValue defines a name/value pair that is passed to selfSetUserClientValuesUsingPOST and returned from selfGetUserClientValuesUsingGET.

User client values can be used by any application using an IDaaS authentication API application to manage user client values used by client applications.
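The two-step flow above (authenticate to obtain an authToken, then call a self-management API with it) is shown below as an added, in-memory model written for this page. It is not IDaaS code and makes no claims about the real request or response bodies: the class, method names, the ten-minute token lifetime and the `credential_ok` flag standing in for a real authenticator check are all constructed. What it demonstrates is the binding the page describes, that each self-management call acts only on the user associated with the presented authToken, plus the userValuesEnabled gate from the Administration API notes.

```python
"""Constructed model of the self-management API flow (not IDaaS code)."""
import secrets
import time


class SelfManagementModel:
    """One authentication API application together with its self-management endpoints."""

    def __init__(self, userValuesEnabled=True, token_lifetime=600, clock=time.time):
        self.userValuesEnabled = userValuesEnabled   # mirrors AuthApiApplication.userValuesEnabled
        self._lifetime = token_lifetime              # seconds an authToken stays valid (constructed)
        self._clock = clock                          # injectable for deterministic expiry tests
        self._tokens = {}                            # authToken -> (userId, expiry)
        self._values = {}                            # userId -> {name: value}

    def authenticate(self, userId, credential_ok):
        """Step 1: a successful authentication yields an authToken bound to that user."""
        if not credential_ok:
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (userId, self._clock() + self._lifetime)
        return token

    def _user_for(self, authToken):
        """Step 2 prerequisite: resolve the user behind the token, or refuse the call."""
        if not self.userValuesEnabled:
            raise PermissionError("user client values are not enabled for this application")
        entry = self._tokens.get(authToken)
        if entry is None:
            raise PermissionError("unknown authToken")
        userId, expiry = entry
        if self._clock() > expiry:
            del self._tokens[authToken]
            raise PermissionError("authToken expired")
        return userId

    def set_values(self, authToken, pairs):
        """Model of POST /api/web/v1/self/values: store name/value pairs for the token's user."""
        userId = self._user_for(authToken)
        self._values.setdefault(userId, {}).update(pairs)
        return dict(self._values[userId])

    def get_values(self, authToken):
        """Model of GET /api/web/v1/self/values: return the token's user's stored pairs."""
        return dict(self._values.get(self._user_for(authToken), {}))

    def delete_values(self, authToken, names):
        """Model of the delete operation: remove the named pairs from the token's user."""
        userId = self._user_for(authToken)
        store = self._values.get(userId, {})
        for name in names:
            store.pop(name, None)
        return dict(store)
```

Because the user is derived from the token and never taken from the request, a client holding one user's authToken cannot read or modify another user's values, and an expired or unknown token fails closed before any data is touched.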

Administration API

The following attributes have been added to existing models:

  • userValuesEnabled has been added to AuthApiApplication and AuthApiApplicationParms. This boolean value indicates whether user client values can be managed for this application.
  • defaultGrid has been added to GeneralSettings. This boolean value indicates if a grid should be automatically created for a new user.
  • riskEngineContext has been added to ResourceRule and ResourceRuleParms. This attribute is a list of TransactionContext and specifies external risk engines to apply to the risk authentication.

In previous versions of the Administration API swagger file, the method unblockSmartCredentialUsingPUT was incorrectly defined to return the type SmartCredentialUnblockParms. It should have been SmartCredentialUnblockResponse.

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.28 and the three previous releases 5.25, 5.26 and 5.27). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway O/S.

Microsoft Windows 2012 Deprecation

Microsoft will stop supporting Windows Server 2012 and Windows Server 2012 R2 in October 2023. At that time, Identity as a Service may no longer support clients running on these platforms where they do not support up-to-date TLS ciphers.

Browser Deprecation

Microsoft no longer supports Internet Explorer 11. Identity as a Service will cease support for Internet Explorer 11 after May 2023.