73 posts tagged with "Release"

Smart Credential Revocation​

The following enhancements have been made to revoke or hold certificates associated with smart credentials in IntelliTrust:

• when a smart credential is deleted all certificates associated with that smart credential are permanently revoked. When a user is deleted this applies to all smart credentials owned by that user.
• when a smart credential is unassigned all verification certificates associated with that smart credential are permanently revoked.
• when a smart credential is disabled all verification certificates associated with that smart credential are revoked for hold. When a user is disabled this applies to all smart credentials owned by that user.
• when a smart credential is enabled all verification certificates associated with that smart credential are unheld. When a user is enabled this applies to all smart credentials owned by that user.

The existing IntelliTrust Certificate Authority setting "Immediately Publish CRL Upon Revocation" is obeyed for these operations". For an Entrust Managed PKI, your XAP credentials must have permission to issue RLs if you enable this setting.

In this release, these changes are only supported with Entrust Managed PKIs. Support for Microsoft CAs will be added in a future release. Certificates can always be revoked from the CA.

When performing these operations, if the certificate revocation operation fails for any reason then the entire IntelliTrust action will fail. For example, if you are trying to delete a user and the CA is not running causing a certificate revocation to fail, the IntelliTrust user will not be deleted.

Grid Bulk Enhancements​

The Assign Grids Bulk Operation now supports the use of SerialNumber or serialNumber as the header column for serial numbers, in addition to Serial Number.

The Import Grids Bulk Operation now displays the first failed row and what the corresponding error was.

The Import Grids Bulk Operation now supports the use of group as the third column header in the import file. This column header value can be used to ignore the use of this column during grid import processing. This allows the exporting of unassigned cards directly from Entrust IdentityGuard when this column header value is set.

Get Service IP Addresses API​

A new API getServiceIPAddresses has been added to the Administration API. When called, the API returns a list of public IP addresses being used by the IntelliTrust services. These IP addresses will be the source IP addresses of any request sent by IntelliTrust to an external service such as a customer's CA or email server. These values can be used by a customer who wants to whitelist IP addresses that their service will accept requests from. Note that the list of IP addresses may change dynamically so this API should be called periodically to get an up-to-date list.

Grid Card Enhancements​

IntelliTrust now supports the PENDING and CANCELED grid states from Entrust IdentityGuard.

• A PENDING grid card is a grid card that has not yet been used for authentication. Once the grid card is used for the first time, the state of the grid card automatically changes to ACTIVE.

• A CANCELED grid card is a grid card that can no longer be used. When a grid card is canceled it can no longer be unassigned from the user and it can no longer be used for authentication. CANCELED grid cards still count toward a user's Maximum Grid Cards policy setting (See Settings -> General).

IntelliTrust now prevents grid cards from being unassigned if the grid card has been used. This prevents used grid cards from accidentally being assigned to another user.

Bulk Operation Enhancements​

The following Bulk Operations have been enhanced:

Import Users

The Import Users Bulk Operation now supports the following new columns: locked and group.

The locked column supports importing users in the locked state. This column is a boolean value which can be TRUE or FALSE. When this is set to TRUE, all of the user's authenticators will be locked when the user is created. This column is optional. If this value is set to FALSE, is empty, or is omitted, the user will not be locked when created.

The group column supports assigning users directly to a group without having to run a separate User/Group assignment Bulk Operation. If provided, the user will be created and assigned to the specified group. The group must already exist in IntelliTrust. If not, the user will fail to be imported. This column is optional. If the value is empty, or is omitted, the user will not be assigned to a group.

Import Grid Cards

The Import Grid Cards Bulk Operation now supports importing grids in the PENDING and CANCELED states. In addition, this Bulk Operation now supports importing all Entrust IdentityGuard grid states. The Entrust IdentityGuard grid states are converted to IntelliTrust grid states as follows:

| IdentityGuard Grid State | IntelliTrust Grid State | | ------------------------ | ----------------------- | | CURRENT | ACTIVE | | HOLD | INACTIVE | | HOLD_PENDING | INACTIVE | | PENDING | PENDING | | CANCELED | CANCELED |

Notes:

• When importing unassigned grid cards, the state column will be ignored.
• When importing grid cards with a state value of ACTIVE, INACTIVE, CURRENT or HOLD, the last used date is set to a very early date to identify the card as being previously used.

Changes to IntelliTrust APIs​

The following API endpoints now have new versions in order to support the new Grid states:

• /v2/gridspaged/assigned
• /v2/users/{userid}/grids
• /v2/grids/{gridid}
• /v2/grids/sernum/{sernum}
• /v2/grids/{gridid}/changestate
• /v3/users
• /v3/users/multiple
• /v3/users/{id}
• /v3/users/userid
• /v3/users/externalid
• /v3/userspaged

The previous version of these endpoints will continue to be supported; however, they will not return the new grid states.

The new APIs will return a Grid object with a State whose values can now also be set as PENDING or CANCELED. Previous APIs will return the value ACTIVE and INACTIVE, respectively, for these.

Get User API

The Get User API now returns detailed lockout information for each authenticator that a user has in the lockoutStatus parameter.

The lockoutStatus for each authenticator contains following information:

• type: The authenticator type.
• remaining: The number of authentication attempts remaining before the authenticator is locked.
• lockoutDate: The date the authenticator was locked.
• lockoutExpire: The date the lockout will expire.

Transaction Details

When using transaction details with OTP or TOKEN authentication, a successful authentication response AuthenticatedResponse will now contain a corresponding TransactionReceipt object.

Smart Login​

Smart Login capability has been added to allow Passwordless authentication. When enabled, a user with a Mobile Smart Credential paired to their account can authenticate to their intelliTrust account or a SAML/OIDC application integrated with IntelliTrust without the need to provide a username and password.

New User Attribute: User Principal Name​

IntelliTrust now supports User Principal Name as a system user attribute. It can be used like any of the other system user attributes.

Smart Credential definitions can update their upn variable default value and set it to <User Principal Name>.

If there was an existing custom user attribute named User Principal Name it will be renamed as User Principal Name----Renamed----. All uses of this custom user attribute will remain as is.

All directory configurations will be updated to map the Active Directory userPrincipalName user attribute into the new system User Principal Name user attribute. This will occur at the next scheduled synchronization or it can be manually triggered by an administrator through a forced synchronization.

Microsoft CA Gateway Enhancements​

• IntelliTrust now supports key backup and recovery when using a Microsoft CA with Smart Credentials. The Key Management certificate template can be configured to support these features.

• The Certificates List page has been updated to include support for displaying Microsoft CA configuration and connectivity information.

• The previous limitation of properly synchronizing a user's DN value when ESG versions prior to 5.5 existed has been resolved. The automatic synchronization of a user's DN value is supported for versions of ESG 5.5 and later. When using a directory associated with an ESG 5.5 or later, the user's DN value will always be synchronized. When using a directory associated with an ESG 5.4 or earlier, the user's DN value will not be synchronized.

See the Administration Guide for complete details on how to configure your IntelliTrust account to use a Microsoft CA.

• Admin Guide

Smart Credential Enhancements​

IntelliTrust now supports cloning of Smart Credential definitions.

Custom Email Server​

You can configure IntelliTrust to use your own SMTP mail server for sending emails from IntelliTrust.

RADIUS Authenticator Challenge​

A new setting “Authenticator Challenge” has been added to RADIUS applications. When enabled, users authenticating to a RADIUS application will be prompted to enter the name of the second-factor authenticator they want to be authenticate with after which they will be challenged to answer their second-factor authentication challenge.

Disable Machine Authentication​

A new setting has been added to the Machine Authenticator settings to enable or disable Machine Authentication. When enabled, a user will see a Remember Me button on the login screen.

Bulk Operation Enhancements​

The following Bulk Operations have been enhanced:

Import User/Groups​

In previous versions of IntelliTrust, if a user already had a group assigned then the that user record in the Bulk Operation would fail. This restriction has been removed.

Import Grid Cards​

Support for setting the state of the Grid Card being imported has been added. A Grid Card can be imported in the ACTIVE or INACTIVE states. This value must be provided in the 4th column of the Bulk Import CSV file (see example below). If omitted, the Grid Card will be imported in the ACTIVE state. Below are examples with and without the state column.

Without the state column:

markup Card #,serialNumber,userId,,A1,B1,C1... 1, 1, alice,, P1, NH, EX...

With the state column:

markup #,serialNumber,userId,state,A1,B1,C1... 1, 1, alice, ACTIVE, P1, NH, EX... 2, 2, bob, INACTIVE, QW, 5H, EK...

Administration API for Create OTP​

IntelliTrust now provides an Administration API to create and return an OTP. This can be used in place of the Authentication API challenge for OTP-only based authentications. The retrieved OTP can then be sent by the caller to the user. The API also provides support for OTPs using PSD2.

Changes to IntelliTrust APIs​

The following have been added to the Administration APIs:

• A new method createOTPUsingPOST has been added that allows you to create and return an OTP.
• New attribute userPrincipalName in been added to the User and UserParms objects. This attribute contains the userPrincipalName of the user if that user was synchronized from a directory.

Smart Credential Provisioning Improvements​

• IntelliTrust now supports the ability to automatically provision a Smart Credential for new users when they are added to IntelliTrust. This is supported for users added through the Administrator Portal, Active Directory Sync, or Bulk Import.

• The User Portal Registration settings have been enhanced to allow users to add a Smart Credential authenticator to their account. Previously only Administrators could provision a Smart Credential for a user.

IdentityGuard Migration Support for User Creation​

The IdentityGuard User Migration has been enhanced to create users if they do not exist in IntelliTrust. The following IntelliTrust user attributes will be populated from Entrust IdentityGuard's user and contact information attributes:

• User ID
• First Name
• Last Name
• Mobile Number
• Phone Number
• Email
• Groups
• User Alias

Entrust IdentityGuard Mobile App - Custom Logo Support​

The Entrust IdentityGuard Mobile App (Android, iOS) will now display the logo from your IntelliTrust account.

Note: The IntelliTrust logo will only be displayed when registering a new Entrust Soft Token. Existing Entrust Soft Tokens will continue to display the existing logo.

IntelliTrust ForgeRock Integration​

A new application template has been added for a native IntelliTrust ForgeRock integration. Use this application template to quickly configure ForgeRock for IntelliTrust authentication.

Password Change Support for RADIUS Applications​

When authenticating to a RADIUS application using your password, the end user will now be prompted to change their existing password if it has expired or has been set to require change.

RADIUS Response Attributes​

A RADIUS application can be configured so that the RADIUS response returned to the VPN server includes additional attributes, including information such as the user's group membership.

Identity Proofing​

IntelliTrust now provides APIs that can be used to validate the identity of a person using a government-issued identity document, such as a driver's license or a passport.

Active Directory Sync Fixes​

In prior versions of IntelliTrust, Super Administrator user accounts could be disabled or deleted by the Directory Desynchronization Policy. This has been fixed so that Super Administrator accounts will not be deleted or have their state changed regardless of the Directory Desynchronization Policy.

Swedish and Danish Locales​

The IntelliTrust User Portal now has support for the Swedish and Danish languages.

Office 365 Support for Multi-Domain Federation​

The Office 365 SAML application has been enhanced to support federating with multiple domains.

This option is also available in the Generic SAML Application template.

Enterprise Service Gateway Memory Increase​

Microsoft CA Support​

The Certificates List page has been updated to include support for Microsoft Certificate Authorities (CAs).

Smart Credentials can be created using a Smart Credential definition with Digital ID configurations that are associated with a Microsoft CA.

The use of a Microsoft CA requires the installation and configuration of a Microsoft CA Proxy service running on a domain-joined Windows server.

Please review the Administration Guide for complete details on how to configure your IntelliTrust account to use a Microsoft CA.

The following limitations apply:

• Any update or refresh to the Microsoft CA configuration in the IntelliTrust Administration Portal will be propagated to the CA Gateway and a restart of the CA Gateway will occur. Current requests, for example, authentication or enrollment, to the CA Gateway will fail and need to be re-executed. Similarly, if the Password Agent or CA Gateway is restarted manually, the latest Microsoft CA configuration will also be propagated.
• Any update to the certificate template configuration in the Microsoft CA requires the Microsoft CA to be refreshed in the IntelliTrust Administration Portal.
• Certificate revocation check is supported using CRLs that use either LDAP and/or HTTP. Both protocols need to be accessible by the ESG. This requires configuring anonymous access to the LDAP CRL.
• This release does not support key recovery. Microsoft CA certificate templates should be configured without key backup/archive enabled. Support for key recovery, which includes the use of Microsoft CA key recovery agents, will be available in a future release.

More Information:

• Admin Guide

Gateway Web UI​

Version 5.5 of the Enterprise Service Gateway (ESG) provides a new web-based interface for registering the ESG with your IntelliTrust account. When the ESG boots up, a configuration URL is displayed. Administrators can open that URL in their browser and configure the ESG without having to use the CLI.

Entrust Soft Token Activation Improvements​

A new setting has been added to the Entrust Soft Token authenticator settings that allows an Administrator to select the activation methods included in the Entrust Soft Token activation email.

Options include:

• Activation link
• QR code
• Manual activation

At least one activation method must be selected.

Users will no longer automatically receive an activation email if they add a new Entrust Soft Token or a Google authenticator. They must now click a button in the activation dialog box to receive an activation email.

Changes to IntelliTrust APIs​

The following have been added to the Administration APIs for Microsoft CA support:

• DigitalIdConfig contains a new caType (EDC or MS), certTemplates (array of DigitalIdConfigCertTemplate), and dnFormatSearchbaseIncluded (boolean) properties.
• A new type DigitalIdConfigCertTemplate was added with digitalIdConfigId (string), id (string), name (string), and pivContainer (PivAuth, CardAuth, DigSig, KeyMgmt, and None).
• User contains a new dn (string) property.

IntelliTrust Desktop for Windows integration and offline token support (AAAS-8656)​

This release includes a new template to support IntelliTrust Desktop for Windows integration. This integration includes support for offline token authentication to Windows desktops.

Control Available Authenticators (AAAS-16074)​

A new setting has been added to the Registration page that allows administrators to configure the authenticators users are allowed to add to their profile. For example, if you do not want users to be able to add KBA to their account then you can remove KBA from the allowed authenticators.

Directory sync details (AAAS-17935)​

The directory sync details have been enhanced to include the Upload Results that show the metrics for new, changed, desynced, and failed results of the synchronization. Improvements have also been made to the performance of directory synchronization, including avoiding unnecessary calls to Active Directory, removal of the database, and the ability to turn off the automatic sync by setting the crawl frequency to 0.

Grid bulk operations (AAAS-17881)​

A new Bulk Operation has been added to allow administrators assign grid cards in bulk.

Audit results​

The Audit results have been enhanced so that when a Token or Smart Credential push authentication is cancelled from the mobile application, it is now audited in IntelliTrust. Previously only the Concern or Complete operations were audited.

Previously in the audits, the last column was named Message and showed the Message id of the audit. Now the last column is named Event and shows the Event Type of the audit. The Event Type is a searchable field.

Unlink users​

A new operation has been added to the Administrator Portal that allows an administrator to unlink any user who was previously synchronized from a directory.

Role Management (AAAS-18464)​

The Roles List page has been refreshed.

A new action has been added to the Roles List page that allows Administrator to clone existing roles.

Changes to IntelliTrust APIs​

The following have been changed in the IntelliTrust Authentication APIs.

Changes related to the offline token feature:

• New attribute offlineTokenResponse is added as part of authentication complete response.

Directory Server failover (AAAS-15941)​

The Directory configuration now allows administrators to add multiple directory servers for failover in case a directory cannot be reached.

Note: For Enterprise Service Gateways prior to 5.3, only the first directory > server in the list is used.

Resource rule evaluation (AAAS-18272)​

The authentication Audit Details has been enhanced to include information on the resource rule used, risk level produced, risk points assessed, authenticators used, and if available, the result of the resource rule evaluation.

Export user directory attributes (AAAS-17583)​

When you export users from the Users List page, you now have the option to export the Directory ID, Directory Object UUID, and the Directory Name.

Test ActiveSync connection (AAAS-16934)​

The ActiveSync Access page includes a Test Connection button to test the connection to your Microsoft Office 365 server.

ForgeRock OIDC template (AAAS-17863)​

A ForgeRock OIDC template is now available. Use this application template to quickly configure ForgeRock for IntelliTrust authentication.

User portal password change (AAAS-16376)​

Users now have the ability to change their Active Directory password in the IntelliTrust User Portal. Users need a current password to be able to successfully change it to a new password.

Delete multiple reports (AAAS-18235)​

The Reports page has been enhanced to allow deleting multiple reports simultaneously.

UI Enhancement (AAAS-16826)​

The following enhancements have been made to the UI:

• The search experience has been enhanced for the Users, Reports, Audits, Grid Cards, and Hardware Tokens tables.
• User search has been enhanced to allow for the following:
• Users belonging to a group
• Users who have a specific role
• Users who have or do not have a specific authenticator

Changes to IntelliTrust APIs​

The following have been changed in the IntelliTrust Administration APIs:

• New methods getAccountInfoUsingGET and updateAccountInfoUsingPUT that allow you to manage account information including the ability to update the account company name and legalAcknowledged flag
• New attribute defaultRole in the RoleUser object returned for each role returned by listSiteRolesUsingGET. This attribute indicates whether the role is a default system role.
• New attribute directoryObjectGUID in the User object returned by various user methods. This attribute contains the objectGUID of the user in the directory if that user was synchronized from a directory.
• New attribute lockedAuthenticatorTypes in the User object returned by various user methods. This attribute specifies which of a user’s authenticators are currently locked.
• New attribute directoryConnection is returned as part of Get directories call. This attribute lists the directory connections for a directory.

IntelliTrust ISAPI Filter integration (AAAS-17586)​

A new application template has been added to the Applications page for IntelliTrust ISAPI Filter.

On-demand sync (AAAS-17155)​

The Users list page has been enhanced to allow syncing individual users from a directory on-demand. This feature makes it easier to add and update individual users without having to wait for a full directory sync to complete.

Unlink directory user (AAAS-16766)​

The Users list page has been enhanced to allow unlinking a user account from its directory. This feature allows administrators to remove problem accounts that are no longer in Active Directory but are still synchronized in IntelliTrust.

Directory User Desynchronization Policy (AAAS-15944)​

The Directory configuration now allows administrators to configure what action should be taken on user accounts in IntelliTrust that are no longer found in the directory or no longer match the filters. Administrators can choose to delete the user, convert the user to a local user, or convert the user to a local user and disable the user account.

AD password change (AAAS-16376)​

This release includes the ability for users to change their AD password when it has expired or if the administrator has set the password to require a change. When the user logs in with their old password, they will be prompted to enter both current and new password in order to access IntelliTrust.

UI Enhancement (AAAS-16826)​

The following enhancements have been made to the UI:

• The Users List unlock action has been enhanced to show the user's locked authenticators.
• The Grid Cards table has been enhanced to allow bulk grid card printing. Administrators can optionally choose to include the user ID when printing assigned grid cards.

Changes to IntelliTrust APIs​

The following things have been changed in the Administration API.

The following additions have been made to the User object returned from IntelliTrust by various operations:

• A new value EXTERNAL has been added to the type attribute. If a user has the externalId attribute set, the user will have type EXTERNAL.
• A new attribute externalSource has been added to user. It can be set using the user create and modify operations and is returned in the User model. The intent of this attribute is to describe the source of the user when the user is managed externally.
• New attributes directoryId and directoryName have been added. If set, these values specify the UUID and name of the directory from which the user was synchronized if the user was synchronized from a directory. They will be null otherwise.

Because of the non-compatible change to the User type attribute, any API endpoint that returns a User object now has a new v2 version. For example: https://customer.region.trustedaut.com/api/web/v2/userspaged. The APIs with new versions include the following:

• createUserUsingPOST
• userUsingGET
• userByExternalIdUsingPOST
• userByUseridUsingPOST
• usersPagedUsingPOST
• createUsersUsingPOST
• deleteUsersUsingDELETE

A new boolean argument stopOnError has been added to the methods to perform create, delete and update operations on multiple users. If set to true, the operation stops on the first error. As part of this change, new v2 versions of the following APIs have been added:

• createUsersUsingPOST
• deleteUserUsingDELETE
• updateUsersUsingPUT

ActiveSync Access for mobile (AAAS-16379)​

ActiveSync Access integrates Microsoft Office 365 server with IntelliTrust to allow users to perform secure, multi-factor authentication-based provisioning of their Exchange ActiveSync devices.

Password and second factor lockout behaviour (AAAS-7598)​

In this feature, we have changed how the lockout behavior for second-factor authentication works. Previously, there was a separate lockout count for second-factor authentication. For example, if you did OTP authentication, the OTP lockout updated. But if you did PASSWORD+OTP authentication, the PASSWORD+SECOND FACTOR lockout updated.

In this release, the PASSWORD_AND_SECONDFACTOR authenticator is no longer treated as an authenticator type with its own lockout. For example, if the user enters the password correctly and uses TOKEN for second factor and enters an invalid token response five times, then the user's TOKEN authenticator will be locked and the user will not be able to use a TOKEN in any application until it is unlocked.

In this release, the behavior has been changed so that in second-factor authentication, the PASSWORD lockout updates if the password is invalid and the second-factor authenticator lockout count updates if the second-factor lockout count updates. Previously, a separate lockout was maintained for one factor authentication versus second-factor authentication. Now the same lockout is used for both. For example, if you do PASSWORD+OTP authentication and you enter an invalid OTP, the OTP lockout updates.

There is an upgrade impact on this change. Prior to 5.1 being installed, a user may be locked out for PASSWORD+SECOND FACTOR. After 5.1 is installed, the user will no longer be locked out.

IntelliTrust AD FS integration (AAAS-17226)​

A new application template has been added to the Applications page for Entrust Datacard AD FS Adapter.

RBA Location History (AAAS-16375)​

A new Location History Trust Threshold setting has been added to the risk-based authentication settings to set the number of times a user must log in from a location before it is trusted.

AD Sync status (AAAS-15971)​

The Directory Sync Details page has been enhanced to have more metrics for users and groups. These metrics only reflect the statistics during the crawl phase of the sync process. In addition, the details dialog now contains the most recent errors (20 maximum) reported by the gateway while syncing users/groups.

The metrics are now in a tabular format for improved readability and the sync status has an animation for clear indication of the state.

Changes to IntelliTrust APIs​

The following have been added to the Administration APIs for Active Sync Access:

• Sync and manage Exchange ActiveSync Devices from Microsoft Office 365
• Retrieve the latest information about devices (POST /api/web/v1/users/{userid}/activesyncdevices)
• Allow/Block ActiveSync Devices (PUT /api/web/v1/users/{userid}/activesyncdevices)
• Remove ActiveSync Devices (DELETE /api/web/v1/users/{userid}/activesyncdevices)
• Fetch cached Exchange ActiveSync Devices (GET /api/web/v1/users/{userid}/activesyncdevices)

Manage SAML certificates (AAAS-16382)​

You can create and delete signing certificates for SAML applications. This allows customers to manage their certificates and to use a different certificate for each application if they choose.

Sign C# SDK (AAAS-15996)​

The DLLs for the Administration and Authentication C# SDKs are now signed.

User Registration (AAAS-15194)​

User registration allows you to require users to self-register when logging in to IntelliTrust. This feature is useful for users that do not have the second-factor authenticators required to access the User portal application, SAML, or OIDC applications.

Active Directory Sync/Unsync individual users using Admin API (AAAS-17155)​

This release includes the ability to synchronize or unsynchronize individual users from Active Directory using the Administration API. This allows customers to immediately synchronize updates for a new or existing Active Directory user. Additionally, an unsynchronize endpoint is also available. This allows customers to immediately set a user back to being locally managed in IntelliTrust (disassociate the user with AD Sync). Both APIs require an Enterprise Service Gateway v5.0 or later.

Directory migration (AAAS-16766)​

In this release, you can migrate users from one directory to another directory and all the users will then be synced from the new directory. To do this, delete the directory from IntelliTrust that you want to migrate from and create a new directory that you want to migrate to. When synced using this new directory, all the users will then be synced from the new directory.

Note: If the same user is present in both directories and you remove the directory that user is originally associate with, the other directory will take over that user.

Audit archiving (AAAS-12833)​

Starting with this release, audit events are stored in the database for six months only. Older audit events (up to three years) are archived in compressed audit files available for download under Reports > Archives. The system does not retain audit events older than three years.

Changes to IntelliTrust APIs​

The following have been added to the Administration APIs:

• New methods in the Administration API to sync a user from the directory on demand and to force unsync a user who is currently synced.
• New methods in the Administration API to get and list the directories defined in the account.
• New search criteria for the Administration API user list operation:
• Match users with or without a given authenticator
• Match users with a given user type
• Match users that require (or do not require) user registration
• Return the list of locked authenticators for each user