IDaaS Release Notes

Release 5.27

New in this release

Service Provider Tenant Management Enhancements

When configuring a tenant, a Service Provider can now enable its users to authenticate to that tenant using Identity Provider authentication.

Passkey/FIDO2 Enhancements

IDaaS has been enhanced to more fully support Passkey/FIDO2 authentication. Enhancements include optionally storing the user's user ID on the Passkey/FIDO2 token when it is registered, and an authentication flow that uses that stored ID so the user can authenticate without first entering their user ID (usernameless login).

User Authenticator Notification

IDaaS now supports sending notification emails to a user when their authenticators have been changed. Triggering actions include creating, assigning, and deleting an authenticator and changing its state, among others.

PDF eGrids

User grids can now be exported as a PDF file (an eGrid) or delivered to the user by email. The PDF can optionally be encrypted; since the grid is a second-factor secret, encrypt it whenever it is sent by email.

Developer Portal

The Developer portal has been redesigned to be easier to use. The new Developer portal includes installation instructions and hands-on tutorials to help developers get started with the IDaaS API client library. The Python API client library is also available on the Developer portal.

Resource Rules Improvements

  • A new clone action has been added to resource rules, allowing administrators to clone an existing resource rule in the same category.
  • IP lists can now be associated with source IP addresses in resource rule risk factors. Administrators must configure IP Lists before using this feature.
  • Various resource rule risk factors have been redesigned and refreshed to be easier to use.

Group Management Enhancements

The group list page now supports paging when an account has a large number of groups, and offers an option to export the list of groups.

Fixed in this release

The following issues have been fixed in this release.

  1. When the SAML Web application logo is updated with no other changes, the audit logs now show only the modified logo. (29395)
  2. Fixed generating grid cards for selected groups. (25018)
  3. When bulk importing users from a CSV file whose columns do not specify user attributes or extra attributes, the existing custom user attributes and additional custom user attributes are no longer deleted or modified. (29323, 29332)
  4. The 'overage allowed' attribute no longer appears in the user entitlement information. (29237)
  5. Fixed an error thrown when password reset settings were updated with duplicate authenticators. (29315)
  6. When an optional user attribute column is not included in the bulk operation import file, those attributes can no longer be removed from the user's profile by that import. (29304, 29331)
  7. Fixed an issue with the Desktop Credential Provider (DCP) offline token support where offline OTPs could not be downloaded after DCP was upgraded. (25145)
  8. Changed the Entrust Service Gateway log configuration to automatically rotate the audit log. Previously the Gateway would shut down when this log filled. (29109)
  9. When a RADIUS application is configured to perform first-factor token only authentication, the IP address was not being logged in IDaaS audits. (30335)
  10. Token synchronization with an empty response did not work for Entrust Soft Tokens. (29877)
  11. Importing Entrust Soft Tokens from Identity Enterprise (IdentityGuard) did not work if the tokens were being used for offline token authentication with Desktop Credential Provider. (30058)
  12. User list operation filtering by smart credential push authenticator included users with smart credentials that do not support push authentication. (29635)
  13. The Admin portal now displays an error if an administrator tries to remove the value for a required attribute. (29324)
  14. The pre-5.4 option for registering a Gateway has been removed from the IDaaS Gateway Registration page. (29789)
  15. The Submit button on the Service Provider Unlock Administrators dialog has been renamed from OK to UNLOCK. (29798)
  16. Fixed IP Address entry fields in the Admin portal to accept IP addresses that end with .0 or .255. (29671)
  17. Fixed errors in the API documentation for the Administration API StartSmartCredentialSignParms model. (30243)
  18. Fixed errors in the API documentation for the token list operations. The label search criteria was not documented. (29727)
  19. When using an offline soft token authentication transaction, a follow-up soft token push authentication transaction would fail (no push notification would be triggered and the transaction would not be initiated). (30298)
  20. Fixed a problem on the User portal Activity page where it did not display correctly while loading with a slow network connection. (29638)
  21. The Smart Credential Activation page in the User portal was not properly translated for some locales. (29732)
  22. In the Admin portal, the Directory Sync page did not correctly sort by Sync Status. (29313)
  23. In the Admin portal, when changing the Supported Scopes of an OIDC application, the OIDC signature algorithm could be reset to NONE. (28929)
  24. On the OIDC consent page, the Cancel and Accept buttons are now disabled after Accept is clicked, so the consent cannot be submitted twice. (28862)

Changes to Identity as a Service APIs

Authentication API

The following attributes have been added to models in the authentication API.

  • userHandle has been added to FIDOResponse. This value contains the user handle (user ID) that was stored on the FIDO2 token when it was registered.

The following enhancements have been made to the Authentication API to return more detailed information when authentication fails. This behavior is controlled by the new General policy enableEnhancedAuthenticationDetails. Note that these details are returned to a caller who has not yet authenticated, so enabling the policy lets that caller tell a locked or authenticator-less account apart from a simple wrong response; weigh the usability gain against the account-enumeration risk before turning it on.

  • When an authentication fails due to an invalid response, the exception returned from IDaaS can include additional information, including the number of authentication attempts remaining.
  • When a user is locked out, return the error access_denied_locked instead of access_denied.
  • When a user is denied authentication because they have no authenticators, return the error access_denied_no_authenticators instead of access_denied.
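The following is an added example (not Entrust code) of how a relying application might consume these failure details once enableEnhancedAuthenticationDetails is on: the detailed reason is kept for logging and alerting, while the end user sees one generic message so the extra detail is not echoed back to an unauthenticated caller. The error codes are the ones named above; the JSON field names `error` and `attemptsRemaining` are assumptions, since the release notes do not document the response body.

```python
"""Handle IDaaS authentication failures that carry the enhanced details.

Added example, not Entrust code. The JSON shape is an assumption: the release
notes name the error codes and say the exception "can include" the number of
remaining attempts, but do not document the field names.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Error codes named in the 5.27 release notes.
ACCESS_DENIED = "access_denied"
ACCESS_DENIED_LOCKED = "access_denied_locked"
ACCESS_DENIED_NO_AUTHENTICATORS = "access_denied_no_authenticators"

# One generic message for every failure shown to the end user, so the detailed
# reason (locked vs. wrong response vs. nothing enrolled) stays server-side.
GENERIC_USER_MESSAGE = "Sign-in failed. Check your credentials and try again."


@dataclass
class AuthFailure:
    code: str
    attempts_remaining: Optional[int]
    locked: bool
    no_authenticators: bool
    user_message: str      # what the UI may display
    internal_note: str     # what goes to the application log / SIEM


def classify_auth_failure(body: str) -> AuthFailure:
    """Parse an IDaaS error body (assumed JSON with 'error' and an optional
    'attemptsRemaining') and separate what the user sees from what is logged."""
    doc = json.loads(body)
    code = doc.get("error", ACCESS_DENIED)
    attempts = doc.get("attemptsRemaining")  # assumed field name
    if attempts is not None:
        attempts = int(attempts)

    locked = code == ACCESS_DENIED_LOCKED
    no_auth = code == ACCESS_DENIED_NO_AUTHENTICATORS

    if locked:
        note = "account locked; route to help desk / unlock flow"
    elif no_auth:
        note = "no authenticators enrolled; route to registration"
    elif attempts is not None:
        note = f"invalid response; {attempts} attempt(s) remaining before lockout"
    else:
        note = "invalid response"

    return AuthFailure(code, attempts, locked, no_auth, GENERIC_USER_MESSAGE, note)


def should_alert(failure: AuthFailure, threshold: int = 1) -> bool:
    """Detection hook: flag an account that is locked or about to be locked."""
    if failure.locked:
        return True
    return failure.attempts_remaining is not None and failure.attempts_remaining <= threshold
```

The point of the split is that the richer codes are useful for help-desk routing and for detecting brute-force attempts against a single account, but the user-facing string should stay identical across all three outcomes.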

Administration API

The following APIs have been added to the administration API.

  • getSpIdentityProviderUsingGET returns Service Provider information.
  • setSpIdentityProviderUsingPUT updates Service Provider information.
  • groupsPagedUsingPOST supports paging through a list of groups.
  • deliverAssignedGridByEmailUsingPOST delivers a PDF eGrid by Email.
  • getSingleGridExportUsingGET returns a PDF eGrid allowing the client to export it.

The following attributes have been added to models in the Administration API.

  • spIdp has been added to Tenant. This setting specifies whether Service Provider authentication to the tenant using Identity Provider authentication has been enabled.
  • userIdStored has been added to FIDOToken. This value indicates whether the user's user ID was stored on the FIDO2 token when it was registered.
  • newPassword has been added to UserPassword. This value contains the new password generated by IDaaS if the client requested that it be returned; treat it as a secret and keep it out of logs.
  • returnPassword has been added to UserPasswordParms. This value allows a client to request that the new password generated by IDaaS be returned.
  • allowedIpList, deniedIpList and type have been added to IpContext. These values show where IP Lists are defined in a Resource Rule context.
  • enableEnhancedAuthenticationDetails has been added to GeneralSettings. This setting indicates whether additional information about the user's lockout state is returned from authentication requests.

The following models have been added to the Administration API.

  • SpIdentityProvider contains information returned from getSpIdentityProviderUsingGET.
  • SpIdentityProviderParms contains information passed to setSpIdentityProviderUsingPUT.
  • GroupsPage contains information returned from groupsPagedUsingPOST.
  • GridExport contains information returned from getSingleGridExportUsingGET.

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.27 and the three previous releases 5.24, 5.25 and 5.26). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway O/S.

Microsoft Windows 2012 Deprecation

Microsoft will stop supporting Windows Server 2012 and Windows Server 2012 R2 in October 2023. After that date, Identity as a Service may no longer support clients running on these platforms, since they do not support up-to-date TLS cipher suites.

Release 5.26

New in this release

User Contact Notification

IDaaS now supports sending user notification emails when a user’s contact information has been changed.

As part of this feature, the preexisting user contact notification feature that sent a notification when the end user changed their contact information, together with the corresponding email templates, has been removed.

Entrust Service Gateway Changes

The command-line interface used to register the gateway has been removed. The browser-based UI is now the only supported interface for managing the gateway.

SAML Username Parameter

IDaaS has added support for passing the IDaaS user ID as part of a SAML authentication request using the SAML Request NameID element value. Set the SAML Username Parameter value to NameID to use this option.

SAML Session Timeout

IDaaS has added support for configuring the session timeout value for a SAML assertion. Set the SAML Session Timeout value to the timeout length in minutes. To exclude the session timeout from the SAML assertion, set the value to 0. The maximum is 720 minutes.
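As an added illustration (not Entrust code), the following shows both sides of this setting: the identity provider computing the expiry that goes into the assertion, honouring the 0 (omit) and 720-minute limits stated above, and a service provider checking it. It assumes the timeout is carried as the SessionNotOnOrAfter attribute of the assertion's AuthnStatement, which is the standard SAML 2.0 element for an IdP-imposed session limit; the release notes only say a session timeout is placed in the assertion.

```python
"""SAML session timeout: IdP-side computation and SP-side enforcement.

Added example, not Entrust code. Assumption: the timeout is expressed as
SessionNotOnOrAfter on <saml:AuthnStatement>.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional
import xml.etree.ElementTree as ET

MAX_SESSION_TIMEOUT_MINUTES = 720  # limit stated in the release notes
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)


def session_not_on_or_after(issue_instant: datetime, timeout_minutes: int) -> Optional[datetime]:
    """Return the session expiry for a configured timeout, or None when the
    setting is 0 (meaning: leave the attribute out of the assertion)."""
    if not 0 <= timeout_minutes <= MAX_SESSION_TIMEOUT_MINUTES:
        raise ValueError(f"SAML Session Timeout must be 0..{MAX_SESSION_TIMEOUT_MINUTES} minutes")
    if timeout_minutes == 0:
        return None
    return issue_instant + timedelta(minutes=timeout_minutes)


def _iso(ts: datetime) -> str:
    """SAML timestamps are UTC with a trailing Z and no fractional seconds here."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_authn_statement(issue_instant: datetime, timeout_minutes: int) -> str:
    """IdP side: emit the AuthnStatement element (a constructed sample, not a
    full signed assertion)."""
    attrs = {"AuthnInstant": _iso(issue_instant)}
    expiry = session_not_on_or_after(issue_instant, timeout_minutes)
    if expiry is not None:
        attrs["SessionNotOnOrAfter"] = _iso(expiry)
    el = ET.Element(f"{{{SAML_NS}}}AuthnStatement", attrs)
    return ET.tostring(el, encoding="unicode")


def session_still_valid(authn_statement_xml: str, now: datetime) -> bool:
    """SP side: honour SessionNotOnOrAfter when present. An absent attribute
    means the IdP imposed no limit, so the SP's own session policy applies."""
    el = ET.fromstring(authn_statement_xml)
    value = el.get("SessionNotOnOrAfter")
    if value is None:
        return True
    expiry = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return now < expiry  # "NotOnOrAfter" is exclusive: expiry instant itself is invalid
```

Note the boundary: SAML's NotOnOrAfter semantics mean a session is already invalid at exactly the expiry instant, which the comparison above preserves. An SP that ignores this attribute and relies only on its own cookie lifetime silently extends the IdP's intended session, so the check belongs on both sides.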

Enhanced Geolocation

IDaaS now provides an option to use enhanced geolocation information with more accurate locations for IP addresses and the detection of anonymous IP addresses. With this capability, tenants can configure resource rules to disallow anonymous IP addresses. Contact Entrust for details on enabling this feature.

User Onboarding

User onboarding in Identity as a Service has been enhanced to support mapping groups or a role from an OIDC Identity Provider.

The following new settings have been added:

  • New settings to request claims in an ID token or user information response. These settings can be used in addition to requesting claims using scopes.
  • New settings for mapping groups or a role from an OIDC Identity Provider.

When configuring an OIDC Identity Provider note the following:

  • Create user allows anyone with access to your chosen Identity Provider to create a user in your IDaaS account. Depending on your IDaaS configuration, new users created by your IDP could be able to access all the resources controlled by your IDaaS account. This may be a concern if your Identity Provider has no limits on who can create an account or if it has a large user base. Analyze the risks before enabling this option.
  • Update user allows anyone with access to your chosen Identity Provider to update a user in your IDaaS account. Depending on your IDaaS configuration, updated users could be able to access all the resources controlled by your IDaaS account. This may be a concern if your Identity Provider has no limits on who can create an account or if it has a large user base. Analyze the risks before enabling this option.
  • Group Mapping allows anyone with access to your chosen Identity Provider to have their IDaaS groups include the groups defined by the Identity Provider. Groups set the policies applied to users. Enabling this setting could result in users having access to unexpected policies, especially if your Identity Provider has different user access policies than IDaaS. Analyze the risks before configuring this option.
  • Role Mapping allows anyone with access to your chosen Identity Provider to have their IDaaS account role defined by the Identity Provider, including the super administrator role that has access to all the resources controlled by your IDaaS account. Enabling this setting could result in unexpected access, especially if your Identity Provider has different user access policies than IDaaS. Analyze the risks before configuring this option.

Consumer Bundle Enhancement

Identity Provider capability is now supported for Consumer tenants.

Token Push Notification Authentication

Entrust Soft Token push notification authentication now supports mutual authentication.

YubiKey PIV Smart Cards

IDaaS now supports encoding smart credentials to YubiKey PIV Smart Cards.

To encode YubiKey smart cards, you must use Entrust Entelligence Security Provider for Windows version 10.0.91 build 30 or newer.

Token Labels

A label can now be set for assigned tokens, so that an administrator or the end user can give a token a meaningful name.

Group Bulk Delete

A new group delete bulk operation has been added.

Directory Sync Enhancements

The following enhancements have been made to directory sync.

  • When specifying group filters, a value followed by an asterisk (for example, Gr*) matches all groups that start with that value.
  • When configuring directory sync, an optional user unique attribute can be specified. If defined, the value is the name of the directory attribute that contains the directory entry's unique ID.

Documentation Enhancements

The integration documentation has been removed from the administration guide and is now in a separate Technical Integration Guide.

Admin/User Portal Improvements

The following improvements have been made to the portal.

  • A link from user audits to the user profile has been added.
  • The Smart Credential Details dialog has been refactored.
  • A customized logo is now centered.
  • All applications now appear on the User My Applications page.
  • Validation on the Identity Provider configuration page has been improved.

New SAML Applications

A new SAML application template has been added for Zuora.

Fixed in this release

The following issues have been fixed in this release:

  1. Characters in user IDs or aliases that differ only by an accent (for example, o and ö) should be treated as the same character, but they were not. This led to unexpected errors when creating or synchronizing users. (29200, 28365, 29424)
  2. When configuring Identity Providers, the JWKS URI value is now mandatory for IDPs that require it. (28958)
  3. The setting "Allow Facial Authentication" in Smart Credential Settings has been renamed to "Allow Biometric Authentication". (27006)
  4. Expired grids are no longer considered a second-factor authenticator for registration. (28324)
  5. Fixed an issue delivering push notification to iOS applications using the custom SDK. (27004)
  6. The logging for the IdentityGuard import bulk operation has been improved. (27944)
  7. The password reset dialog did not display the error returned when the password was not reset because the password was reused. (28729)
  8. When creating a tenant from a Service Provider, the specified user count is now validated before the request is submitted. (28925)
  9. The resource rule for an Entrust Desktop Credential Provider now allows the risk rule to be specified with no second-factor authenticator. (29094)
  10. When viewing an Identity Provider as an Auditor, some fields were read/write even though the changes could not be saved. All fields should be read-only. (28864)
  11. Modifying user location history was not allowed as a Help Desk administrator. The UI was checking for the wrong permission. (29485)
  12. Fixed an error fetching the second-factor challenge for users that do not have OTP authentication available. (29255, 29300)
  13. Fixed an error submitting an image for ID Proofing. (29306)
  14. The maximum number of user location history entries has been increased from 10 to 30. (28514)
  15. When specifying custom OAuth authorization scopes, the value did not allow the characters y or z, or the word entrust. (28736)
  16. The directory sync agent could block reading from the directory. This would cause the directory to become unresponsive without failing over to another instance. (29511)
  17. When sending transaction details, the default transaction priority is now 9 instead of 0. (27979)
  18. On the Customization page in the Admin portal, the Reset operation changed the language from EN to ES. (28801)
  19. When getting a CA issued certificate for a SAML application, the CSR response was not accepted. (28264)
  20. Addressed various issues in the Admin portal where an action was shown even though the administrator did not have permission to perform it, and the action then failed when submitted. (28899, 28909, 28724)
  21. Various audit improvements for actions, including IDP create/update and Admin API related actions. (28148, 27924, 28726)
  22. The ability to create/update users when Facebook is used as an Identity Provider is now allowed. (28939)
  23. Fixed an issue preventing the soft token activation lifetime from being modified. (29207)
  24. Fixed an issue where the registration password is not returned when activating a soft token. (28738)
  25. Fixed an issue where multiple SAML applications required authentication even though SSO was enabled. (29253)
  26. Fixed an issue where the user entitlement count became out of sync with the actual number of users. (29161)
  27. Identity Providers have been enhanced. When using an IDP, in addition to requesting scopes, a request can now also include id token claim names and userinfo token claim names. (28904)
  28. Identity Provider authentication now works with SAML IDP initiated authentication. (28420)
  29. Fixed an issue preventing creation of Mobile SDK per group policies. (28901)
  30. Admins can now view a user's authenticators without requiring password permissions. (29188)
  31. Temporary Access Code settings now display an error for Alphabet when Replace Similar Characters is checked and duplicate characters are present. (28327)
  32. Maximum Uses for Temporary Access Code is now added to a user's authenticators filter. (28328)
  33. For a Twitter Identity Provider, the user related fields are no longer shown since they are not used. (28917)
  34. For an OIDC Generic Device application, validation of the usercode mask in the UI has been improved. (28900)
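Fix 1 in the list above (o and ö treated as different characters) is an identifier-normalization problem, and the same class of bug produces duplicate or colliding accounts during directory sync. The following is an added example, not Entrust's implementation, of the usual approach: decompose with NFKD, drop combining marks, and casefold before comparing or de-duplicating user IDs and aliases. The sample IDs are constructed.

```python
"""Accent- and case-insensitive canonical form for user IDs and aliases.

Added example, not Entrust code. Demonstrates the normalization behind
treating "o" and "ö" as the same character when checking uniqueness.
"""
import unicodedata
from collections import defaultdict
from typing import Dict, Iterable, List


def canonical_user_id(value: str) -> str:
    """Fold accents and case: NFKD decomposition, remove combining marks,
    recompose, then casefold (stronger than lower() for e.g. German ß)."""
    decomposed = unicodedata.normalize("NFKD", value)
    base = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return unicodedata.normalize("NFKC", base).casefold()


def find_colliding_ids(user_ids: Iterable[str]) -> Dict[str, List[str]]:
    """Group distinct raw IDs that map to the same canonical form. These are
    the entries a create or sync operation must reject or merge instead of
    treating as separate users."""
    buckets: Dict[str, List[str]] = defaultdict(list)
    for uid in user_ids:
        key = canonical_user_id(uid)
        if uid not in buckets[key]:
            buckets[key].append(uid)
    return {key: ids for key, ids in buckets.items() if len(ids) > 1}
```

Caveat: NFKD only splits characters that have a canonical or compatibility decomposition. Precomposed letters without one (ø, ł, ß before casefold) keep their identity, so "jorg" and "jørg" remain distinct under this function; if your directory population uses such letters, decide explicitly whether that is the behaviour you want.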

Changes to Identity as a Service APIs

The following attributes have been added to models in the authentication API.

  • tokenPushMutualChallengeEnabled has been added to UserChallengeParameters. This attribute is used to indicate whether the token push notification authentication has mutual challenge enabled.
  • tokenPushMutualChallenge has been added to AuthenticatedResponse. This attribute is the value of the token push notification authentication mutual challenge.
  • applicationInfo has been added to UserAuthenticateParameters. This attribute specifies a value that is included in the authentication audit.

The following methods have been added to the administration API.

  • getSubscriberAccountActiveEntitlementsUsingGET. This method returns AccountEntitlement specifying information about the entitlements defined for the account.
  • getPasswordResetSettingsUsingGET. This method returns PasswordResetSettings specifying password reset settings.
  • updatePasswordResetSettingsUsingPUT. This method takes PasswordResetSettings as an argument and updates the existing password reset settings.
  • modifyAssignedTokenUsingPUT. This method takes AssignedTokenParms as an argument and updates attributes of an assigned token.

The method usersPagedUsingPOST has been replaced with a new V4 version, which limits the attributes returned by default.

The following attributes have been added to models in the administration API.

  • verificationRequired has been added to AuthApiApplication. This attribute indicates if verification is required for the specified user.
  • verificationRequired has been added to AuthApiApplicationParms. This attribute indicates whether verification should be required for the specified user.
  • mutualChallengeAlphabet has been added to EntrustSTAuthenticatorSettings. This attribute is the characters used for the mutual challenge in the token push notification authentication.
  • mutualChallengeLength has been added to EntrustSTAuthenticatorSettings. This attribute is the length of the mutual challenge in the token push notification authentication.
  • mutualChallengeEnabled has been added to EntrustSTAuthenticatorSettings. This attribute is used to indicate whether the token push notification authentication has mutual challenge enabled.
  • mutualChallengeForPercentOfRequests has been added to EntrustSTAuthenticatorSettings. This attribute is the percentage of requests that will have mutual challenge enabled.
  • mutualChallengeSize has been added to EntrustSTAuthenticatorSettings. This attribute is the size of the mutual challenge in the token push notification authentication.
  • mobile has been added to ActivateSmartCredentialParms. This attribute lets the client specify whether a mobile or physical smart credential is being activated so that the appropriate activation email is sent.
  • userUniqueIDAttribute has been added to DirectorySync. This attribute specifies an optional LDAP attribute that will contain the UUID of the user in the directory.
  • additionalFeatures has been added to Entitlement. This attribute specifies additional features enabled for the account.
  • anonymousAllowed has been added to LocationContext. This attribute specifies whether anonymous IP addresses are allowed by a resource rule.
  • label has been added to Token. This attribute specifies an optional label that can be defined for an assigned token.
  • acasEndpoint, ozoneEndpoint, and usPassliveEndpoint have been added to IdProofingInitResult. These attributes are additional attributes returned to an ID Proofing client.
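The mutual challenge settings listed above (mutualChallengeEnabled, mutualChallengeAlphabet, mutualChallengeLength, mutualChallengeSize, mutualChallengeForPercentOfRequests) and the tokenPushMutualChallenge value in AuthenticatedResponse describe a number-matching style push: the login page shows a short code and the user must pick the matching one on the phone, which defeats push-fatigue approvals. The following is an added simulation (not Entrust code and not the real wire protocol, which the release notes do not describe) of both sides of that exchange. The meaning of mutualChallengeSize as the number of candidates offered on the phone, and the per-request percentage sampling, are assumptions.

```python
"""Simulated token push mutual-challenge exchange (number matching).

Added example, not Entrust code. Models what the EntrustSTAuthenticatorSettings
attributes control; the candidate-count meaning of mutualChallengeSize and the
sampling rule are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class MutualChallengeSettings:
    # Names follow the EntrustSTAuthenticatorSettings attributes in the release notes.
    mutualChallengeEnabled: bool = True
    mutualChallengeAlphabet: str = "0123456789"
    mutualChallengeLength: int = 2
    mutualChallengeSize: int = 3            # assumed: candidates offered on the phone
    mutualChallengeForPercentOfRequests: int = 100


def challenge_required(s: MutualChallengeSettings,
                       randbelow: Callable[[int], int] = secrets.randbelow) -> bool:
    """Per-request sampling: enabled, and this request falls inside the percentage."""
    return s.mutualChallengeEnabled and randbelow(100) < s.mutualChallengeForPercentOfRequests


def new_challenge(s: MutualChallengeSettings) -> str:
    """Draw a challenge from the configured alphabet and length using a CSPRNG."""
    return "".join(secrets.choice(s.mutualChallengeAlphabet) for _ in range(s.mutualChallengeLength))


@dataclass
class PushAuthentication:
    settings: MutualChallengeSettings
    challenge: Optional[str] = None                        # server: value shown on the login page
    candidates: List[str] = field(default_factory=list)    # server -> phone: options in the push

    def start(self) -> Optional[str]:
        """Server: decide whether this request gets a challenge and build the push payload.
        Returns the value the login page should display (tokenPushMutualChallenge)."""
        if not challenge_required(self.settings):
            return None
        self.challenge = new_challenge(self.settings)
        space = len(self.settings.mutualChallengeAlphabet) ** self.settings.mutualChallengeLength
        wanted = min(self.settings.mutualChallengeSize, space)   # cannot offer more than exist
        cands = {self.challenge}
        while len(cands) < wanted:
            cands.add(new_challenge(self.settings))
        self.candidates = list(cands)
        secrets.SystemRandom().shuffle(self.candidates)          # correct answer in a random slot
        return self.challenge

    def complete(self, selected: Optional[str]) -> bool:
        """Server: verify the phone's reply. Without a challenge a plain approve suffices;
        with one, the reply must be one of the offered candidates and equal the challenge."""
        if self.challenge is None:
            return selected is None
        if selected is None or selected not in self.candidates:
            return False   # tampered, replayed, or stale reply
        return hmac.compare_digest(selected.encode(), self.challenge.encode())
```

Two design points carry over to any real deployment: the challenge is drawn from a CSPRNG, not a counter, and a reply that is not one of the offered candidates is rejected before comparison, so a phone cannot "approve" by echoing an arbitrary value. Setting mutualChallengeForPercentOfRequests below 100 trades some of that protection for convenience; an attacker who spams pushes only needs one sampled-out request to land.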

Enterprise Service Gateway Upgrade Issue

There is a bug in the 5.25 version of ESG that prevents it from upgrading. There are two ways to resolve this issue.

  1. Instead of upgrading your existing ESG instance, you can create a new 5.26 ESG instance and delete your existing instance.

  2. Before you upgrade your 5.25 ESG instance, log in to the ESG instance and run the following commands:

       sudo sh -c 'rm -rf /usr/lib/python2.7/site-packages/certifi* /usr/lib/python2.7/site-packages/requests* /usr/lib/python2.7/site-packages/pam* /usr/lib/python2.7/site-packages/python_pam*'
       sudo sh -c 'pip install python-pam==1.8.4 "requests<2.28" "certifi<=2020.4.5.1"'

    These commands can be run at any time prior to upgrading the ESG instance.

This issue only applies to the 5.25 version of ESG. There are no issues if you are upgrading from an earlier version of ESG.

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.26 and the three previous releases 5.23, 5.24 and 5.25). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway O/S.

Browser Deprecation

Microsoft no longer supports Internet Explorer 11. Identity as a Service will cease support for Internet Explorer 11 after May 2023.

Release 5.25

New in this release

Identity Provider Improvements

The following improvement has been made to Identity Providers:

  • A new option has been added to require signature verification for responses to requests for user information.

SAML Username Parameter

IDaaS now supports optionally passing the IDaaS user ID as part of a SAML authentication request. The value can be passed as a configured parameter, for example "Username=jdoe".

IDP Social Login

Identity Providers in IDaaS can now be configured with a type, which prefills the well-known values for that provider. IDaaS also now supports Facebook and Twitter as identity providers.

User Verification

Identity as a Service has been enhanced to support user verification before the user is allowed to access the IDaaS portal and other applications or register for authenticators. User verification is done by invoking an OIDC Identity Provider.

New settings for user verification have been added to the Registration Settings and Group Policy Settings pages.

A new Set Verification bulk operation for setting user verification has been added, allowing administrators to perform two additional actions:

  • Upload a group file and require user verification in bulk
  • Upload a group file and set user verification to not required in bulk

The header row in the CSV file contains only one column with Name as the value. Each row in the file must be an existing IDaaS group name. To Set User Verification for all users, use the system "All Users" group name with this new option.
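Because a malformed file could silently apply to the wrong population, it is worth validating the group file before uploading it. The following is an added example (not Entrust code) of a validator for the format described above: exactly one header column named Name, every subsequent row an existing group name, with the system "All Users" group flagged because it changes the verification requirement for every account. The group list it checks against is constructed.

```python
"""Validate a Set Verification bulk-operation CSV before upload.

Added example, not Entrust code. Format per the release notes: header row is
a single column "Name"; each data row is an existing IDaaS group name.
"""
import csv
import io
from dataclasses import dataclass, field
from typing import List, Set

ALL_USERS_GROUP = "All Users"   # system group named in the release notes


@dataclass
class SetVerificationFile:
    groups: List[str] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)
    targets_all_users: bool = False

    @property
    def ok(self) -> bool:
        return not self.errors


def parse_set_verification_file(text: str, existing_groups: Set[str]) -> SetVerificationFile:
    """Parse and validate the CSV; returns the accepted groups plus every problem found."""
    result = SetVerificationFile()
    rows = list(csv.reader(io.StringIO(text)))
    if not rows or [cell.strip() for cell in rows[0]] != ["Name"]:
        result.errors.append("header row must contain exactly one column named Name")
        return result

    seen: Set[str] = set()
    for lineno, row in enumerate(rows[1:], start=2):
        if not any(cell.strip() for cell in row):
            continue                                  # tolerate blank lines
        if len(row) != 1:
            result.errors.append(f"line {lineno}: expected one column, got {len(row)}")
            continue
        name = row[0].strip()
        if name not in existing_groups:
            result.errors.append(f"line {lineno}: unknown group {name!r}")
            continue
        if name in seen:
            continue                                  # duplicate row, harmless
        seen.add(name)
        result.groups.append(name)
        if name == ALL_USERS_GROUP:
            result.targets_all_users = True           # affects every account: confirm intent

    if not result.groups and not result.errors:
        result.errors.append("no group rows found")
    return result
```

A caller would refuse to upload when `ok` is false and require an explicit confirmation when `targets_all_users` is set, since the two bulk actions are symmetric and a "set to not required" run against All Users disables verification tenant-wide.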

Fixed in this release

The following issues have been fixed in this release.

  1. Phone numbers from some countries were erroneously being rejected as invalid. (28841)
  2. Issues with the regular expressions used to match attributes to be returned in SAML assertions have been fixed. (28404)
  3. The OTP expiry date is included in the information returned by the admin API createOTP and getOTP methods. (28332, 28289)
  4. When synchronizing users from Azure AD, group names are now checked case insensitively. (28268)
  5. Password authenticators for users synchronized from Azure AD were not being displayed with a proper state. (28296, 28251, 28248)
  6. The authenticator filter on the user list page was showing some Token type values that were not applicable. These have been removed. (28255)
  7. When the unassigned token list is refreshed, the group filter was not correctly applied. (28211)
  8. Filters for the authenticator list in the user portal are now sorted by localized language. (28316)
  9. The Loading... text for the authenticator list in the user portal is now localized. (28208)
  10. The delete action in the assigned token list is now correctly labelled as Delete instead of delete. (28302)
  11. For the assigned token list, when sorting or filtering on last used date, tokens that have a last used date of Never are now handled correctly. (28177)
  12. When the message of the day is saved, unsupported HTML tags such as script are automatically removed. The version displayed on the Customization page in the Admin portal is now updated with the saved value. (27848)
  13. Some of the wording on the Enroll Domain Controller Certificate dialog has been improved. (28199)
  14. The audit for the Enroll Domain Controller Certificate action now includes the serial number of the certificate. (28184)
  15. The option to use TCP for logging audits using the SIEM Agent in the gateway was being ignored. (28112)
  16. An option to delete questions/answers from the user's knowledge-based authenticator has been added to the user portal. (28058)
  17. A better error message is displayed for OAuth Device Verification if the session has expired. (27671)
  18. Improved handling on the Identity Provider Add/Edit pages in the admin portal if the administrator does not have permission to list applications. (28326)

Changes to Identity as a Service APIs

The following changes have been made to the authentication API:

The following attributes have been added to models in the authentication API.

  • verificationRequired has been added to UserAuthenticateQueryResponse. This attribute indicates if verification is required for the specified user.
  • userVerificationRequired has been added to AuthenticatedResponse. This attribute indicates if verification is required for the specified user.

The following changes have been made to the administration API:

The following attributes have been added to models in the administration API.

  • verificationEnabled has been added to User. This attribute indicates if verification is enabled for the specified user.
  • verificationRequired has been added to User. This attribute indicates if verification is required for the specified user.
  • emailVerification has been added to UserParms. This attribute indicates that an email should be sent to the user if the specified user is being updated to be verified and requires verification.
  • verificationRequired has been added to UserParms. This attribute indicates if the specified user should be updated to be verified.
  • otpExpiryDate has been added to OTP. This attribute specifies the expiry date of the OTP.

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.25 and the three previous releases 5.22, 5.23 and 5.24). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway O/S.

Release 5.24

New in this release

Entrust Soft Token Improvements

Added cryptographic security for soft tokens.

Domain Controller Certificate Request Review

Domain Controller Certificate Management now displays the certificate request to allow you to confirm the request before you enroll or renew it.

RADIUS Attribute Filtering

IDaaS now supports filters for RADIUS response attributes. When defining a RADIUS return attribute that is returning groups, filters can be used to specify which groups are returned and to return a value other than the group name.

Hide Other Applications Setting

RADIUS applications, IDaaS integrations, and custom applications that use the IDaaS API will now be hidden in My Profile. A new setting has been added in User Portal settings to show them.

Token List Improvements

The following enhancements have been made to the Token List.

  • The assigned token list now includes soft tokens.
  • An export action has been added to both the assigned and unassigned token lists.
  • Token reports can be exported from the reports page.

Authenticator List Pages

The authenticator list pages for a user in both the Admin and User portals have been replaced with improved versions.

New SAML Integrations

A new SAML application template has been added for SailPoint.

Fixed in this release

The following issues have been fixed in this release:

  1. Domain Controller Certificate Management now supports CAs created before release 5.23. (28128)
  2. The regular expression filters for SAML attributes did not work correctly if the regular expression did not include an end anchor. (27970)
  3. Generic Device OIDC application should be available for the consumer bundle. (27937)
  4. The error displayed when a super administrator tries to change their own role has been improved. (27935)
  5. The create domain controller certificate operation is only supported for PKIaaS CAs. The UI now only allows a PKIaaS CA to be selected. (27896)
  6. The create domain controller certificate UI now validates that the entered name is unique. (27893)
  7. The default search filter for audits is now shown as a Filter chip in the audit list. (27529)
  8. Future date options have been added to the expiry date filter of the user location history list. (27197)
  9. The bulk operation to import Entrust Legacy tokens was not generating audits for the loaded tokens. (26709)
  10. The IDaaS login page occasionally returned to the user ID login page after the user ID was entered. (28056)
  11. When customizing Email messages, the HTML <hr> tag is now allowed. (26811)
  12. The new user email was sent to a new user even though user creation failed because the user has a duplicate userId or alias. (27890, 27909)
  13. Access to the Password Reset capability has been added to the Standard bundle. (27964)
  14. The Entrust IdentityGuard import occasionally failed for very large import files. (28000)
  15. Performance problems with user sync from Azure AD especially when users are in a large number of groups have been resolved. (28231)

Changes to Identity as a Service APIs

The following changes have been made to the Administration API.

  • The following search criteria have been added to the unassignedTokenPageUsingPOST method:
    - type
    - loadDate
  • The following changes have been made to the assignedTokenPageUsingPOST method:
    - The method now returns both hard and soft tokens.
    - The following search criteria have been added:
      - type
      - loadDate
      - lastUsedDate
    - The existing search criterion state now includes the new value ACTIVATING.
    - The following new orderByAttribute values have been added:
      - loadDate
      - lastUsedDate

The C# SDKs have been updated to target .NET Standard.

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.24 and the three previous releases 5.21, 5.22 and 5.23). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway O/S.

Release 5.23

· 4 min read

New in this release

Domain Controller Certificate Management

Identity as a Service now allows a customer to issue and manage domain controller certificates when using a PKIaaS CA.

Reset Mail Server

A new "Reset Mail Server" action has been added to the tenant list of service providers. This action allows a service provider to reset the Mail Server configuration of a tenant back to the default IDaaS mail server.

Temporary Access Code Admin. Contact Message

A message telling the end user to contact their administrator to receive their temporary access code can now be enabled in the Temporary Access Code policy. When enabled, a message displays on the Temporary Access Code login page during authentication.

SAML Application Improvements

The following improvements have been made to SAML applications:

  • A new action "IDP initiated URLs" has been added to the SAML application list. This action lists the URLs for the SAML application and all of the defined relay states. It also provides an option for the administrator to export them.
  • On the application setup page there is now an Enable/Disable option for each relay state. Disabled relay states do not appear on the user's available application page.
  • When exporting SAML metadata, there is now an option to specify the lifetime of the metadata.
  • When defining attribute values for SAML applications, regular expressions can now be defined to filter values or to parse out a portion of a value. IDaaS thus supports manipulating user attribute values before returning them to SAML applications.
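As an added illustration of this feature and of the end-anchor fix recorded in release 5.24 (issue 27970), the following Python shows why a filter expression without an end anchor admits more values than intended, and how a capture group parses out part of a value. This is not IDaaS code: the page does not state which regular-expression engine or match mode IDaaS uses, so Python's re module stands in, and the attribute values are constructed.

```python
import re

# Constructed sample: values of a user's group attribute that are about to be
# returned to a SAML application.
GROUPS = ["Admins", "AdminsReadOnly", "Users", "CN=Admins,OU=Corp"]

def anchor(pattern):
    """Wrap a pattern so it must match the entire value. A pattern that is
    already anchored at both ends is returned unchanged."""
    if pattern.startswith("^") and pattern.endswith("$"):
        return pattern
    return f"^(?:{pattern})$"

def filter_values(values, pattern, whole_value=True):
    """Return the values matched by pattern.

    whole_value=True: the pattern must match the entire value (fullmatch).
    whole_value=False: a substring match is enough (search), which is how an
    unanchored pattern behaves and why 'Admins' also admits 'AdminsReadOnly'
    and 'CN=Admins,OU=Corp'.
    """
    rx = re.compile(pattern)
    if whole_value:
        return [v for v in values if rx.fullmatch(v)]
    return [v for v in values if rx.search(v)]

def extract_value(value, pattern):
    """Parse out a portion of an attribute value: return capture group 1 of
    pattern when the whole value matches, otherwise None."""
    m = re.fullmatch(pattern, value)
    return m.group(1) if m else None
```

Write filter expressions with explicit anchors (or wrap them as anchor() does) whenever the attribute is used for authorization decisions on the service-provider side; a prefix match on a group name is exactly how a read-only group ends up with administrator access.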

Enterprise Service Gateway CA Gateway and Microsoft Certificate Authority Proxy Upgrades

The Enterprise Service Gateway CA Gateway Service and the Microsoft Certificate Authority (CA) Proxy have both been upgraded to version 2.5.2. If you are using a Microsoft CA with Smart Credentials, you should upgrade the Microsoft CA Proxy to 2.5.2 and the Enterprise Service Gateway to 5.23.

See the Administration Guide for complete details on how to upgrade your Microsoft CA Proxy.

OIDC/OAuth Device Code Application Support

Identity as a Service now supports OIDC/OAuth device code flow applications.

The following OIDC/OAuth endpoint has been added for a client application to initiate the device code flow:

  • /api/oidc/devicecode
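The exchange below is an added example, not Entrust's code, that simulates both sides of the OAuth device code flow (RFC 8628) offline: a server that issues a device code and a user code, and a client that polls for the token. Only the device authorization path /api/oidc/devicecode comes from this page; the verification URI, polling interval, code lifetime, token endpoint behaviour and user-code format are assumptions that follow the RFC.

```python
import secrets

# From the release note: the IDaaS device authorization path. Everything
# else below is an assumption following RFC 8628 for this offline simulation.
DEVICE_AUTHORIZATION_PATH = "/api/oidc/devicecode"
VERIFICATION_URI = "https://idaas.example/device"   # assumed
INTERVAL = 5          # seconds between polls, as advertised to the client
LIFETIME = 600        # seconds a device/user code stays valid
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"         # no vowels: no accidental words

class FakeClock:
    """Deterministic clock so the simulation runs without real waiting."""
    def __init__(self, t=0.0):
        self.t = t
    def now(self):
        return self.t
    def sleep(self, seconds):
        self.t += seconds

class DeviceAuthServer:
    def __init__(self, clock):
        self.clock = clock
        self.pending = {}   # device_code -> grant record

    def device_authorization(self, client_id, scope):
        """POST DEVICE_AUTHORIZATION_PATH: issue a device code (for the client)
        and a short user code (for the person at the browser)."""
        now = self.clock.now()
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(
            "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4)) for _ in range(2))
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires": now + LIFETIME, "next_poll": now, "user": None}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": LIFETIME, "interval": INTERVAL}

    def approve(self, user_code, user_id):
        """The user authenticates in the browser and enters the user code."""
        for rec in self.pending.values():
            if (rec["user_code"] == user_code and rec["user"] is None
                    and self.clock.now() <= rec["expires"]):
                rec["user"] = user_id
                return True
        return False

    def token(self, client_id, device_code):
        """Token endpoint, grant_type urn:ietf:params:oauth:grant-type:device_code."""
        now = self.clock.now()
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if now > rec["expires"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if now < rec["next_poll"]:
            rec["next_poll"] = now + INTERVAL
            return {"error": "slow_down"}
        rec["next_poll"] = now + INTERVAL
        if rec["user"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]       # a device code is redeemed once
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "scope": rec["scope"], "sub": rec["user"]}

def device_login(server, clock, client_id, scope, show_to_user):
    """Client side: request codes, hand the user code to the display callback,
    then poll, backing off by 5 s on slow_down, until a terminal response."""
    resp = server.device_authorization(client_id, scope)
    show_to_user(resp["verification_uri"], resp["user_code"])
    interval = resp["interval"]
    while True:
        tok = server.token(client_id, resp["device_code"])
        err = tok.get("error")
        if err == "authorization_pending":
            clock.sleep(interval)
        elif err == "slow_down":
            interval += 5
            clock.sleep(interval)
        else:
            return tok
```

The points worth checking in any device code deployment are visible here: the device code is bound to the client that requested it and is redeemed once, an approved code that has expired is not accepted, and a client that ignores the interval is throttled with slow_down rather than served faster.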

New SAML Integrations

A new SAML application template has been added for ADP.

Fixed in this release

The following issues have been fixed in this release.

  1. The SIEM agent on the gateway has been enhanced to better handle a large backlog of audits. (27189)
  2. The SIEM agent on the gateway now includes modified attributes in the information logged to the SIEM. (27812)
  3. A new password specified in the authentication API was ignored unless the current password was expired or set by an administrator for forced update. Now the password can be changed at any time as long as the minimum lifetime of the existing password has passed. (27333)
  4. Group filtering in the Directory sync agent on the gateway did not work in some situations due to a case mismatch between the group names defined in the filter and the group names defined in the directory. (27400)
  5. The Update KBA Questions dialog in the Admin portal has been refreshed. The old table layout has been replaced with new UI components. (27180)
  6. The full name appears in the email notification when a user updates their contact information. (26901)
  7. Country flags have been added next to the user's delivery contact information. (27078)
  8. Help Desk Administrators are now able to unlock individual accounts. (27560)
  9. Users are no longer redirected to My Profile page when refreshing on the following pages: Authorization, Identity Providers, and IP Lists. (27488)

Changes to Identity as a Service APIs

The following models have been added to the Authentication API:

  • TempAccessCodeChallenge includes information about a temporary access code, including a flag indicating if the admin. contact message should be displayed.

The following changes have been made to existing models in the Authentication API.

  • tempAccessCodeChallenge has been added to AuthenticatedResponse. This value is an instance of TempAccessCodeChallenge and is populated for the response to a temporary access code challenge.

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.23 and the three previous releases 5.20, 5.21 and 5.22). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway O/S.

Release 5.22

· 6 min read

New in this release

Offline QR Code Transaction Verification

IDaaS now supports offline transaction verification using Authentication API applications with the Entrust Identity soft token app when a client application submits transaction details.

Identity Provider Integrations

The following Identity Provider integrations are available.

  • The Nets E-Ident broker service.

Identity Provider Enhancements

The following Identity Provider enhancements are available:

  1. When configuring an Identity Provider, the userinfo endpoint is now optional. When it is omitted, the claims used for authentication are taken strictly from the ID token.
  2. When configuring an Identity Provider, the configured groups are only associated with a user if a user is created at the time of the authentication. If a user already exists, the user's current group associations are not reset.
  3. When configuring an Identity Provider, a new OIDC max age setting has been added.
  4. When configuring an Identity Provider, a new OIDC authentication method request values setting has been added.
  5. During an Identity Provider login from an OIDC client application, a Go Back button is now available on the login page. This allows a user to return to the OIDC client application without logging in.
  6. During an Identity Provider login, the name of the Identity Provider is now included in the create user and modify user audits.
  7. During an Identity Provider login, any errors during this processing now allow the user to continue and select a different type of authentication if they choose.
  8. During an Identity Provider login, if a mapped IDaaS attribute value from a claim does not exist and a previous IDaaS attribute value exists, that value will remain as is.

OIDC/SAML Authentication Improvements

When a user is authenticating in IDaaS for OIDC or SAML, there is now a Go Back button on the login page. Pressing this button will return the user to the originating client.

When a user is reauthenticating and the existing login session has expired, the userId field will be prepopulated with the userId of the expired session.

Include Grid Expiry Date in Challenge

Select Include Grid Expiry in Challenge to display the grid expiry message. When authenticating with a grid card, a message appears on the authentication challenge page indicating the expiry date of the grid card.

Password Reset OTP Restrictions

Select Allow Email OTP delivery to send an OTP to a user's email address.

Note: This setting appears only if you select One Time Password as a second-factor allowed for password reset.

OTP Delivery Now Asynchronous

Previously, authentication challenge requests were blocked while delivering an OTP using SMS or Email. Now the challenge returns without waiting for the OTP to be delivered. This provides faster response time to the client. If delivery fails, an audit is generated.

Fixed in this release

The following issues have been fixed in this release.

  1. Previously, if you configured and tested the connection for the Enterprise Gateway Proxy without authentication values for username and password and then attempted to retest the connection, it threw an "Unable to connect to proxy server" error. (27172)

  2. Clicking back on the alternative authentication page does not unexpectedly bring you back to the username screen when only one type of OTP delivery is configured. (26419)

  3. When a Group Policy included Machine Authenticator settings that required a device fingerprint, users failed to authenticate or view authenticators in the User Portal.

  4. After restarting the Safari browser, the list of available Identity Providers displays correctly. Previously, if a prior IDaaS session existed prior to a Safari restart, the list of available Identity Providers did not display. (27169)

  5. Some overridden machine authenticator settings in a group policy were ignored and the default settings were used instead. This has been fixed. (27320)

  6. Group policy setting categories now display in sorted order. (27230)

  7. Contact names shown on the OTP Settings page now display in sorted order. (25942)

  8. Some smart credential options were still present in the admin portal for accounts with a Standard or PLUS bundle that do not support smart credentials. These options have been removed. (27146)

  9. Permissions for actions that are not supported in accounts with a Standard or PLUS bundle no longer appear in the Role dialog. (26388)

  10. Email templates for a Trial account with a customer email server can now be customized. (26859)

  11. The list of applications shown in the Identity Provider dialog no longer includes OIDC Generic Server applications. They do not support user authentication. (26140)

  12. The Delete Attribute dialogs for the My Profile page have been improved so that the name of the attribute being deleted always displays. (25923)

  13. The Expire Time search criteria for Audit Archives has been changed to provide date options in the future. (27048)

  14. Remove None as an option for the Date search criteria for Audit list. (27025)

  15. The Password Expiry search criteria for User list did not show the correct value in the chip for some custom values. (26796)

  16. The SIEM agent on the Enterprise Service Gateway has been modified to better handle a large backlog of audit. (27189)

Changes to Identity as a Service APIs

The following models have been added to the Authentication API:

  • GridInfo includes information about a Grid, including expiryDate and serialNumber. A new attribute gridInfo
  • TokenChallenge includes information about tokens available to answer a token challenge. A TokenChallenge includes a list of TokenInfo.
  • TokenInfo includes information about a token available to answer a token challenge. Information returned for a token includes the token serial number. If an offline TVS transaction is being performed, the qrCode and qrCodeUrl values specifying the offline transaction are also included.

The following changes have been made to existing models in the Authentication API.

  • gridInfo has been added to GridChallenge. This attribute specifies an array of GridInfo describing the grids that can be used to answer the challenge.
  • tokenChallenge has been added to AuthenticatedResponse. This value is an instance of TokenChallenge and is populated for the response to a token challenge. It describes the tokens available to answer the challenge.
  • offlineTVS has been added to UserAuthenticateParameters. Set this value to true if you are performing an offline TVS transaction.
  • offlineTVS has been added to UserChallengeParameters. Set the value to true if you are performing an offline TVS transaction.

The following methods have been added to the Administration API:

  • createMachineAuthenticatorUsingPOST creates a new machine authenticator for the specified user.

The following models have been added to the Administration API:

  • MachineAuthenticatorRegistrationResult is returned by createMachineAuthenticatorUsingPOST and includes information about the new machine authenticator.
  • MachineAuthenticatorRegistration defines the arguments passed to createMachineAuthenticatorUsingPOST.

Microsoft Internet Explorer 11 Deprecation Reversed

In previous releases, Entrust announced that IDaaS would no longer support Microsoft IE 11 starting in August 2021. This decision has been reversed and IDaaS will continue supporting IE11 until further notice. Entrust recommends that customers switch to other browsers.

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.22 and the three previous releases 5.19, 5.20 and 5.21). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway O/S.

Release 5.21

· 4 min read

New in this release

OTP Preferences

The following changes have been made to per user OTP Preferences

  • A new per user setting OTP Delivery Type has been added. This setting allows the user to specify the default OTP delivery type overriding the value set in OTP settings.
  • An additional user registration setting has been added to prevent users allowed to edit their own contact values from also adding new contact values.
  • The per user OTP preferences can now be viewed and modified by administrators

IP List Restrictions

IDaaS now allows administrators to configure IP Lists consisting of a list of IP addresses or CIDRs. An IP List can be assigned to an Admin API application which restricts the IP addresses that can access that application.
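As an added example (not IDaaS code), this is the check that assigning an IP List to an Admin API application implies, written with Python's ipaddress module. The list entries and client addresses are constructed; how IDaaS itself stores or evaluates the list is not on this page.

```python
import ipaddress

def parse_ip_list(entries):
    """Parse IP List entries (single addresses or CIDR blocks) into network
    objects. ip_network's default strict=True rejects entries such as
    198.51.100.5/24, whose host bits are set: silently normalising that to
    198.51.100.0/24 would widen an allowlist, so the configuration error is
    surfaced instead of being absorbed."""
    nets = []
    for entry in entries:
        entry = entry.strip()
        if entry:
            nets.append(ipaddress.ip_network(entry))
    return nets

def is_allowed(source_ip, ip_list):
    """Decide whether a request from source_ip may reach the application.
    ip_list=None models an application with no IP List assigned, which the
    release note describes as unrestricted; an empty list allows nothing."""
    if ip_list is None:
        return True
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return False                     # unparsable address: fail closed
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped              # ::ffff:198.51.100.7 is 198.51.100.7
    return any(ip.version == net.version and ip in net for net in ip_list)
```

The value passed as source_ip must be the address the service actually observed (the TCP peer, or a forwarding header set by a proxy you control), never an X-Forwarded-For value the caller could have supplied itself.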

Microsoft CA Revocation

When a user with smart credentials is disabled or deleted or a smart credential is disabled or deleted, the certificates associated with the smart credentials are revoked in the CA. This capability is now supported for certificates issued by a Microsoft CA.

Fixed in this release

The following issues have been fixed in this release.

  1. Changes to user attributes are now audited as part of the user add or modify audit. Previously the changes generated separate audits for each user attribute.
  2. When the session idle timer expires for a user logged into the user or admin portal, the user is now redirected to the Logout page instead of the Login page.
  3. When a user verifies a change to their contact details, the OTP generated now uses the OTP Settings lifetime. Previously it was valid for 60 seconds.
  4. In OTP Settings the option to include the OTP expiry time in a SMS message is now always shown. Previously it was only shown if SMS was the default delivery type.
  5. Sending push notifications to devices whose device Id starts with a 0 was broken. This has been fixed.
  6. The Using Authenticators link in the User Guide has been fixed.
  7. The Unlock User option is now disabled for administrators without the required permission. The operation failed when it was performed but should not have been available.
  8. The IP address was not being passed correctly for RADIUS authentication with Citrix Netscaler. As a result, location related risk-based authentication contexts were not available. This has been fixed.
  9. Performance of audit archive downloads has been improved for large archives.
  10. When downloading an audit archive, downloads of other archives is now blocked.
  11. Audit and User searches on some Date filters set to None was defaulting to 24 hours instead of not filtering on dates resulting in the wrong results being returned.
  12. Reauthenticating the OAuth authentication for a custom email server could result in the email server name and reply address being removed.
  13. Some buttons in the Admin portal do not show up when the Theme is set to a light color. The buttons have been updated to display correctly.
  14. The dialogs for updating a user contact value in the User portal have been updated to include better validation of the input value, include the current value when editing an existing value, and include a Dialog title.
  15. The Unlink action in the User list is no longer enabled unless at least one user is selected.
  16. The Knowledge-based Authentication related pages in the Admin portal have been refreshed.
  17. When OTP authentication is configured to show the user all of their contact options, a Voice delivery option is now included for the user's Mobile contact if it is defined.
  18. User contacts with long names or values are now displayed correctly on small screens when OTP authentication is configured to show the user's contact options.
  19. The Date/Time context rule slider is now available for RADIUS application Resource Rules.
  20. When entering a URL for a Resource Server the value is now validated immediately. Previously the value was validated when the page was saved.
  21. When the Enterprise Service Gateway is configured to use a network proxy, gateway registration requests were not using the proxy.

Changes to Identity as a Service APIs

The following changes have been made to existing models in the Admin API.

  • ipListId has been added to AdminApiApplication and AdminApiApplicationParms. This attribute specifies the UUID of the IP List assigned to the Admin API application.

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.21 and the three previous releases 5.18, 5.19 and 5.20). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway O/S.

Browser Deprecation

Identity as a Service no longer supports Internet Explorer 11.

Release 5.20

· 5 min read

New in this release

Custom Mail Server with OAuth

Identity as a Service now supports configuring Custom Mail Server settings using OAuth to authenticate a SMTP connection.

Set User Registration in Bulk

This feature is enhanced to allow administrators to perform two additional actions:

  • Upload a group file and require user registration in bulk
  • Upload a group file and set user registration to not required in bulk

The header row in the CSV file contains only one column with Name as the value. Each row in the file must be an existing IDaaS group name. To Set User Registration for all users, use the system "All Users" group name with this new option.

Group Policy Registration Settings

The "Re-Register" action used to force all users to re-register after changing your registration configuration is now removed from the Registration Settings page. The same functionality can be achieved by using the new group-based Set User Registration (see above under new features).

RADIUS Application User ID Domain Processing Option

RADIUS applications include a new setting to remove the domain value from the user ID during authentication when the user ID provided by the RADIUS client is in the format "domain\username" and the IDaaS user ID is in the format "username". The latest version of the Enterprise Service Gateway is required for this feature.

OIDC Logout Redirect Capability

Identity as a Service now allows a customer to specify a redirect uri from client applications issuing an OIDC logout.

Location History UI Improvements

The user location history page has been updated. It now includes the location history expiry date and highlights the value for expired locations.

OTP Audit Improvements

The audits generated when an OTP authentication is performed have been enhanced to include the address to which the OTP was sent.

SMS OTP Enhancement

A new option has been added to the OTP settings that allows the customer to optionally include the expiry date of the OTP in the SMS message sent to the end user.

Search Users by Password Expiry

A new search option "Password Expiry" has been added to the user list search filter. This option allows an administrator to search for users whose passwords will expire in a specified time range. To search on the expiry date of AD passwords, the latest version of the Enterprise Service Gateway is required. This feature is only available for Microsoft Active Directory.

Email Customization

Previously, only Tier 1 production accounts were allowed to fully customize emails when using the IDaaS email server. Now all production accounts are allowed to fully customize emails when using the IDaaS email server.

Fixed in this release

The following items have been fixed in this release.

  1. Add/Edit RBAC always has one API/URL selected.
  2. The performance of user report downloads has been improved especially for very large reports.
  3. Attempt to clear password history for an expired password results in an error.
  4. Client Credentials Grant action goes back to user portal.
  5. Duplicate audit when assigning or unassigning a token to a user.
  6. Entrust Legacy Token assign/unassign audit missing.
  7. Generate unassigned grid cards for the first time does not refresh the list page.
  8. Error when deleting one of multiple resource rules for IntelliTrust AD FS.
  9. Pressing "Enter" should log the user in on the KBA screen.
  10. It displays “null” on the login page if “Show OTP Delivery Contact” is checked for password reset auth flow.
  11. A newly added custom user attribute does not appear in the user portal.
  12. Refactoring OTP Delivery Preferences UI.
  13. Accounts with the standard feature bundle should not have the OIDC/OAuth token option for users.
  14. Unexpected horizontal scroll bar in Add/Edit custom user attribute dialog.
  15. RADIUS authentication fails when the RADIUS application is configured for external first-factor authentication and to challenge the user to select the second-factor authenticator. Upgrade to the latest version of the Enterprise Service Gateway for this fix.
  16. RADIUS authentication fails when the RADIUS application is configured for fallback from token push or smart credential push authentication. Upgrade to the latest version of the Enterprise Service Gateway for this fix.
  17. When configuring a resource rule with first factor password authentication and a second factor authenticator, IP location history for a user is not updated when using RADIUS authentication with a Citrix Netscaler client. Upgrade to the latest version of the Enterprise Service Gateway for this fix.

Changes to Identity as a Service APIs

The following attributes have been added to models in the administration API.

  • includeOtpExpiryDate has been added to OTPAuthenticatorSettings. This new boolean setting indicates whether the OTP expiry date should be included in OTP SMS messages.
  • passwordExpirationTime has been added to User. This value specifies the expiry date of the user's password. If the user does not have a password or the password never expires this value will be null.
  • expiryDate has been added to UserLocation. This value specifies the expiry date of a user location. If the user location does not expire this value will be null.

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version and the three previous releases). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway O/S.

Browser Deprecation

Identity as a Service no longer supports Internet Explorer 11.

Release 5.19

· 7 min read

New in this release

OAuth Resource Server API Protection via OAuth Roles

Identity as a Service now supports OAuth roles, which provide resource servers with role-based access control (RBAC). OAuth roles can be associated with resource server APIs and scopes. Users can then be associated with these OAuth roles.

A resource server API can be configured with RBAC enabled. In this case, the scopes placed in an OAuth access token are derived from the user's OAuth roles and the scopes those roles permit.

An OAuth role can also extend another OAuth role to inherit its scopes.

A maximum of 100 OAuth Roles and Resource Server APIs can be configured in the system.

OAuth All Scope Request Support

Identity as a Service now supports the scope value all_scopes to indicate that all the scopes supported by a resource server API are being requested.
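The following is an added example, not IDaaS code, of the scope computation the two features above describe: resolving a user's OAuth roles through their extends chain, intersecting the result with what an RBAC-enabled resource server API supports, and expanding the all_scopes request value. The role and API definitions are constructed, and the dictionary shapes are illustrative rather than IDaaS models.

```python
# Constructed sample: OAuth roles with inheritance and one resource server
# API's supported scope set. Shapes are illustrative, not IDaaS models.
ROLES = {
    "orders.reader": {"extends": None,            "scopes": {"orders:read"}},
    "orders.writer": {"extends": "orders.reader", "scopes": {"orders:write"}},
    "orders.admin":  {"extends": "orders.writer", "scopes": {"orders:admin"}},
}
API_SCOPES = {"orders:read", "orders:write", "orders:admin", "orders:export"}
ALL_SCOPES = "all_scopes"
MAX_OAUTH_ROLES = 100   # the page states a limit of 100 for roles and resource server APIs

def effective_scopes(role_name, roles=ROLES):
    """Scopes of a role plus everything inherited through 'extends'.
    Raises on an inheritance cycle instead of looping forever."""
    out, seen = set(), []
    while role_name is not None:
        if role_name in seen:
            raise ValueError("role inheritance cycle: " + " -> ".join(seen + [role_name]))
        seen.append(role_name)
        role = roles[role_name]
        out |= role["scopes"]
        role_name = role["extends"]
    return out

def grant_scopes(user_roles, requested, api_scopes=API_SCOPES, roles=ROLES):
    """Scopes to put in an access token for an RBAC-enabled resource server API:
    the user's permitted scopes intersected with what was requested.
    'all_scopes' requests every scope the API supports. The caller should treat
    an empty result as a refused token rather than issue a token with no scope."""
    permitted = set()
    for r in user_roles:
        permitted |= effective_scopes(r, roles)
    permitted &= api_scopes                 # a role may name scopes this API does not expose
    wanted = api_scopes if ALL_SCOPES in requested else set(requested)
    return permitted & wanted

def add_role(roles, name, extends, scopes):
    """Register a role, enforcing the role limit and requiring the parent to
    exist (which also makes a cycle impossible to introduce)."""
    if name in roles:
        raise ValueError(f"role {name} already exists")
    if len(roles) >= MAX_OAUTH_ROLES:
        raise ValueError("OAuth role limit reached")
    if extends is not None and extends not in roles:
        raise KeyError(extends)
    roles[name] = {"extends": extends, "scopes": set(scopes)}
    return roles
```

Note that all_scopes is a request shorthand, not a grant: a user who holds only orders.reader still receives orders:read alone, and a scope the API supports but no role carries (orders:export above) is never issued.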

Identity Provider Authentication

Identity as a Service now allows a customer to define OIDC Identity Providers which can be used as alternative authentication to authenticate to the IDaaS portal, SAML applications and OIDC applications. Additionally, users can be created or updated in IDaaS based on the information returned from the Identity Provider.

Soft Token SDK Customized Push Message

Identity as a Service now supports customized push notification messages for customized soft token apps that use the Entrust SDK. This feature does not apply to the Entrust Identity soft token app.

Push Notification Sound Notifications for iOS Devices

Identity as a Service now supports push notification with sound for iOS devices.

Email Customization

Previously only accounts with a custom email server defined could fully customize emails. Now, tier one production accounts can also fully customize emails even if they are using the default email server. Trial accounts and child accounts of service providers are still restricted.

Bulk Operations

Two new bulk operations have been added. The Set Users bulk operation supports updating users. It also includes an option to create users that do not exist. The Set Grids bulk operation supports updating the state of assigned grids. Additionally, an option has been added to the Import Users bulk operation to optionally update users that already exist.

AD Connector Improvements

A new version of AD Connector is available for use with IDaaS. IDaaS has been enhanced to display more information about the AD Connector instance, including the state (active/inactive), version, and hostname.

Smart Credential Push Signature

Two new APIs have been added to the IDaaS Admin API to support smart credential push signature. Push signature allows an application to sign data using a private key on the end user’s mobile smart credential using push transactions. Access to these new APIs is controlled by a new permission "SMARTCREDENTIALSSIGNATURE".

New SAML Integration

A new SAML application template has been added for New Relic.

Changes in this release

The following changes have been made to address issues or enhance existing functionality.

  1. In 5.18 the behavior of the locked user search criteria changed. It no longer filters out users who were locked out but whose lockout has expired. However because those users are not locked, the unlock action was not available. The unlock action is now enabled for those users.
  2. The group list dropdown in the Group Policy Edit page overlaid the title. This has been fixed.
  3. Phone entry fields in both the admin and user portal have been improved to indicate the required phone number format.
  4. The button in the Add Alias and Add Attribute dialogs in the user profile page has been renamed from Ok to Add.
  5. Text entry in the Device Fingerprint dialog did not always register. This has been fixed.
  6. The Group and Role selection when creating or editing a user in the Admin portal has been updated.
  7. When the group membership in the user profile is modified, the Save button wasn't enabled. This has been fixed.
  8. When adding and then removing a group from some group lists (for example, the user group membership) could result in the wrong group being removed.
  9. When modifying the second-factor authenticators for Password Reset Settings, the Save button wasn't enabled. This has been fixed.
  10. Exporting report files has been improved to support very large reports.
  11. The Import User bulk operation has been improved to support importing a large number of users.
  12. Issues with importing an IdentityGuard export file with names containing certain character sequences have been addressed.
  13. Issues with importing an IdentityGuard export file with non-North American phone numbers have been resolved.
  14. The IdentityGuard Import and User Delete bulk operations now generate log files that can be downloaded. A sample bulk file is now provided for the user delete bulk operation.
  15. The error message displayed by the Import User bulk operation when the administrator did not have access to the specified groups was not clear. This has been fixed.
  16. The error message displayed by the Token Assign bulk operation when the user has the maximum number of allowed tokens has been improved.
  17. An extra space included in the assigned grid export when the | separator is selected has been resolved.
  18. Cloning the super admin role resulted in a role that did not have access to administrators. This has been fixed.
  19. The Digital Ids listed for a PKIaaS CA were not sorted. This has been fixed.

Changes to Identity as a Service APIs

The following attributes have been added to models in the authentication API.

  • pushMessageIdentifier has been added to UserChallengeParameters. This value allows an application to specify what custom push message should be used for a push authentication.

The following attributes have been added to models in the administration API.

  • lock has been added to UserParms. This value allows an administrator to lock all authenticators for a user.
  • oauthRoles has been added to User. This value specifies the list of OAuth roles a user has been associated with.
  • oauthRoles has been added to UserParms. This value specifies the list of OAuth role ids a user should be associated with.

The following models have been added to the administration API.

  • OAuthRole has been added for OAuth roles. This model specifies the attributes of an OAuth role.
  • SmartCredentialStartSignParms has been added for smart credential push signature. This model specifies the parameters passed to the start signature operation.
  • SmartCredentialStartSignResponse has been added for smart credential push signature. This model specifies the response returned from the start signature operation.
  • SmartCredentialCompleteSignParms has been added for smart credential push signature. This model specifies the parameters passed to the complete signature operation.
  • SmartCredentialCompleteSignResponse has been added for smart credential push signature. This model specifies the response returned from the complete signature operation.

The following APIs have been added to the administration API.

  • modifyUserOAuthRoleAssociationsUsingPUT. This API updates the OAuth role ids associated with a user.
  • listOAuthRolesUsingGET. This API lists the OAuth roles.
  • startSignSmartCredentialUsingPUT. This API starts a smart credential push signature operation.
  • completeSignSmartCredentialUsingPUT. This API completes a smart credential push signature operation.

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version and the three previous releases). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway O/S.

Browser Deprecation

In August 2021 Microsoft will no longer support Internet Explorer 11 for Office 365 (Microsoft's statement). At that time, Identity as a Service will also cease support for Internet Explorer 11.

Release 5.18


ActiveSync now supported for Microsoft Office 365 with OAuth 2 device code authentication

Identity as a Service now supports ActiveSync using OAuth 2 device code authentication. A new setting has been added to the ActiveSync Access page to migrate existing administration from using basic authentication to OAuth 2 device code authentication.

Group-based Policy

The existing Settings menu has been split into two menus: Configuration and Policies.

Configuration settings apply globally to the tenant. Using Policies, administrators can adjust settings on a per group basis. For example, you can configure users in different groups to use different levels of security, such as the length of the OTP and lockout attempts.

One-step Multi-factor Authentication

One-step multi-factor authentication has been added to RADIUS applications.

New settings have been added to the RADIUS Application page to enable one-step multi-factor authentication and to specify the length of the second-factor response. When enabled, the user must enter their password and second-factor response together in the same password field. Only soft tokens and temporary access codes are supported as second-factor authenticators. The second factor can also be selected from the resource rules page.
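The one-step flow above only works because the second-factor response has a fixed, configured length while the password does not, so the server can peel the last N characters off the combined field. The following is an added example of that server-side split and check, written for this page; it is not IDaaS or Entrust code, and the configuration field names, the stored-user shape and the sample credentials are all constructed assumptions:

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class OneStepMfaConfig:
    """Assumed shape of the RADIUS application setting described in the notes."""
    enabled: bool
    second_factor_length: int  # configured length of the OTP / temporary access code


def split_one_step_password(field: str, cfg: OneStepMfaConfig) -> Optional[Tuple[str, str]]:
    """Split a combined password field into (password, second_factor).

    Returns None when the field cannot contain a non-empty password plus a
    second factor of the configured length; the caller treats that as a reject
    rather than guessing, so a bare OTP can never be accepted as a password.
    """
    if not cfg.enabled:
        return field, ""
    n = cfg.second_factor_length
    if n <= 0 or len(field) <= n:
        return None
    return field[:-n], field[-n:]


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 is used here only so the example is self-contained; any proper
    # password hash would do.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class StoredUser:
    salt: bytes
    password_hash: bytes
    expected_second_factor: str  # constructed: the code the server currently expects


def make_user(password: str, second_factor: str) -> StoredUser:
    """Build a constructed user record for the example."""
    salt = os.urandom(16)
    return StoredUser(salt, hash_password(password, salt), second_factor)


def authenticate(field: str, user: StoredUser, cfg: OneStepMfaConfig) -> str:
    """Return "accept", "reject" or "reject:malformed" for a combined field.

    Both factors are always evaluated and compared in constant time before the
    decision is made, so the reply to the client carries no hint about which
    factor failed; the malformed case is distinguished only for server logs.
    """
    parts = split_one_step_password(field, cfg)
    if parts is None:
        return "reject:malformed"
    password, second_factor = parts
    pw_ok = hmac.compare_digest(hash_password(password, user.salt), user.password_hash)
    sf_ok = (not cfg.enabled) or hmac.compare_digest(
        second_factor.encode("utf-8"), user.expected_second_factor.encode("utf-8")
    )
    return "accept" if (pw_ok and sf_ok) else "reject"


if __name__ == "__main__":
    cfg = OneStepMfaConfig(enabled=True, second_factor_length=6)
    demo_user = make_user("s3cret!", "123456")  # constructed sample credentials
    print(authenticate("s3cret!123456", demo_user, cfg))  # accept
    print(authenticate("s3cret!", demo_user, cfg))        # reject: no code appended
    print(authenticate("123456", demo_user, cfg))         # reject:malformed
```

Two practical points follow from the split. First, the configured length must match the authenticator exactly, because a password whose tail happens to be digits will otherwise be mis-split; that is why the setting is per RADIUS application rather than guessed per request. Second, the combined value travels in the RADIUS User-Password attribute, which RFC 2865 caps at 128 octets, so long passwords plus a code can exceed what the client is able to send.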

Changes to Administration Portal

The following enhancements have been made to the administration portal:

  • The Risk-based authentication (RBA) Location History table has been refreshed to include delete and add-expected-location options for each row in the table. In addition, filter options have been added to search by Last Authentication Time and Country.

Trial Account Expiry

Trial accounts now expire after 60 days instead of 30 days.

Additional enhancements to OTP-based authentication

Administrators can now set the default OTP delivery attribute for each type of delivery - Email, SMS and Voice.

Users can now set their own OTP delivery attributes in the user portal.

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version and the three previous releases). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway O/S.

Browser Deprecation

In August 2021 Microsoft will no longer support Internet Explorer 11 for Office 365 (Microsoft's statement). At that time, Identity as a Service will also cease support for Internet Explorer 11.

Changes to Identity as a Service APIs

The following changes have been made to the authentication API:

  • supportChoosingOtpDelivery has been deprecated from UserAuthenticateQueryParameters. Clients who support choosing OTP delivery can still work without having to supply this flag.

The following changes have been made to the administration API:

The following attributes have been added to models in the administration API.

  • otpSmsDefaultDeliveryAttribute has been added to OTPAuthenticatorSettings. This setting specifies the user attribute to be used to deliver the SMS OTP when no attribute is specified.
  • otpEmailDefaultDeliveryAttribute has been added to OTPAuthenticatorSettings. This setting specifies the user attribute to be used to deliver the Email OTP when no attribute is specified.
  • otpVoiceDefaultDeliveryAttribute has been added to OTPAuthenticatorSettings. This setting specifies the user attribute to be used to deliver the Voice OTP when no attribute is specified.
  • registrationEnabled has been added to User. This attribute indicates whether registration is enabled for the specified user.

The value NONE has been deprecated from the enumerated type OTPDeliveryType in OTPAuthenticatorSettings. Use the default attribute specific to the delivery mechanism instead, e.g. otpSmsDefaultDeliveryAttribute or otpEmailDefaultDeliveryAttribute.