Skip to main content

Hotfixes

The following lists hotfixes for the Identity Platform release 20.06.

20.06 hotfixes

Release No.

Release Date

Ref ID

Issue / Description

20.06-19

14-Jun-2024

EE-3376

Hard Token Enrollment Support – Updated logic to enroll Hard Tokens by means of the Assign HID device field on the Self Service and Help Desk pages.

20.06-18

15-Sep-2023

EE-2557

Unhandled SecurePortal Error – Anonymous users landing on the SecurePortal would encounter an on-screen error instead of being redirected to login screen.

EE-3225

AD-LDS Password Validation Issue – Addressed issue with AD-LDS connections that use user + password workflows in the Advanced Settings (formerly Classic Experience).

EE-3258

FIPS Compliance on User Handler Web Service Page – Added logic to make EncryptUser.aspx page compliant with FIPS.

EE-3302

Configuration Setting for ACS URL Restriction – Added a configuration setting to turn ON or OFF the ACS URL whitelist enforcement.

Important

Before you install this hotfix, see this KB article: How to establish trust for ACS redirects in SP-initiated SAML requests

20.06-17

01-May-2023

EE-3073

EncryptUser Issue – Addressed issue with a truncated URL in EncryptUser.aspx.

EE-3074

SAML Post Issue – Added logic to support SAML Post workflow redirects through adaptive auth (group restriction).

EE-3098

LDAP Authentication Improvement – Added logic to make LDAP authentication over SSL/TLS more secure.

EE-3207

Unhandled SecurePortal Error – Anonymous users landing on the SecurePortal would encounter an on-screen error instead of being redirected to login screen.

EE-3216

OATH Tokens Bulk Upload Support – Added logic to support bulk uploads of OATH tokens (TOTP and HOTP tokens).

For more information, see Bulk upload hardware OATH tokens using CSV file

20.06-16

07-Dec-2022

EE-2684

Passcode App Update – Supports the ability to register on more than one computer.

This requires an updated version of Passcode for Windows or Passcode for Mac.

EE-2702

Email Template Save Issue – Addressed issue with updating and saving the OTP Email Template on the Overview tab in full cloud instances.

EE-2967

API Update – Update compatibility between newer Identity Platform enrollment data and existing APIs.

EE-3008

OIDC Enhancements – Enhancements to OpenID Connect (OIDC) include the following updates:

  • Ability to add custom claims to OAuth2 access tokens

  • For all custom claims, you can define a scope relationship to dynamically include in the tokens

  • Client scope deny list can be inverted to an allow list

  • Configurable nbf (not before) claim time offset

  • Ability to make the claim with group values as an string array instead of a comma delimited string

20.06-15

16-Sep-2022

EE-2712

Firefox Login Issue – Addressed issue with Submit button in Firefox when user selects an autofill login option.

EE-2819

Skip to Post Authentication Issue – Addressed issue with an incorrect skip to post authentication page using an invalid password.

EE-2828

OIDC Issue – Added logic to better handle the post logout redirect URI.

EE-2855

Digital Fingerprint (DPF) in 2019 Theme Issue – Addressed issue with browser device fingerprint sometimes not pushing out MFA.

20.06-14

19-Jul-2022

EE-2559

Proof Key for Code Exchange (PKCE) Improvement – Improve PKCE support to revoke access tokens without a client secret.

EE-2592

QR Enrollment Page Improvement – Added new help text for end users on the QR enrollment page.

EE-2638

Digital Fingerprint Issue – Addressed issue with user agent string picking up identical digital fingerprint settings in Google Chrome and Microsoft Edge.

After applying the hotfix, this issue can still occur for a specific configuration. See this KB article for a workaround: Workaround for digital fingerprint hotfix

EE-2714

Push-to-Accept in L4W Issue – Addressed issue with Push-to-Accept not working consistently in Login for Windows (L4W).

EE-2720

One-Time-Passcode (OTP) App Default Theme Issue – Addressed an issue when a Classic Experience realm MFA is set to use "One-Time Passcode via Phone Call and SMS". The MFA displayed to the end user does not show an option to select SMS.

EE-2750

Enhanced SAML Consumer – Added the ability to integrate the Identity Platform as a SAML SP with Arculix or any third-party IdP.

For information about setting up the Identity Platform and Arculix integration, see SecureAuth IdP and Arculix integration.

EE-2777

Air-Gapped QR Code Support – Added support for QR enrollments for time-based one-time passcodes (TOTP) in an air-gapped environment.

EE-2781

Air-Gapped Identity Platform Issue – Added logic to ignore unavailable hosts in an air-gapped environment.

20.06-13

05-Apr-2022

EE-2476

RBAC Configuration Issue – Addressed an issue with saving configuration changes to the role-based access control (RBAC) on the UI.

EE-2560

Adaptive Auth Redirect Issue – Addressed issue with signature validation in SP-init redirect to a different realm.

EE-2591

CyberArk SDK Integration Support – Backported CyberArk SDK updates.

EE-2598

AppPool Performance Improvement – Improve AppPool performance with Identity Platform call to SecureAuth cloud services.

EE-2604

Country Code Lookup Issue – Addressed issue with the default country code issue on the Classic Multi-Factor Methods tab.

EE-2607

Audit Log Update – Update in the Auth API to mask knowledge-based answers (KBA) in the Audit logs.

EE-2624

Session URL Issue – EncryptUser.aspx has a ReturnURL to send the encrypted user cookie after authentication. This fix allows a dynamic ReturnURL, if it is provided and our ReturnURL is left blank.

20.06-12

10-Jan-2022

EE-2043

Custom Token Value Support – New option to Base64 encode the custom token value.

EE-2181

Webservice Profile Lookup Issue – Addressed issue causing removal of profile data. The following describes this issue in more detail.

A rare scenario occurs in the web service when the lookup for a user's membership succeeds, and in the same request, the profile lookup times out. The user does not receive an error and it allows the user to proceed in the login workflow.

If the login workflow included a multi-factor method (MFA), a different error message would display, related to not finding any MFA in the user's profile.

If the login workflow is only username and password, then the login would succeed and save an empty profile for the user. This issue clears all writable values in the user profile.

This issue first occurred after a previous hotfix (EE-2253) to reduce the web service timeout to a reasonable value (5 seconds).

Web service timeouts usually occur when the login to a realm has been idle for too long and suspends itself.

The hotfix prevents the user profile from clearing out by not allowing the user to continue in the current login request during a timeout. If the timeout is due to an idle realm, the second attempt normally succeeds and the user can continue the login workflow.

EE-2344

Azure AD Password Reset Support – Added inline support for password reset of Azure AD synced users.

EE-2443

Adaptive Group Check Issue – Addressed issue to ensure that the adaptive group check is correctly performed after an invalid password attempt.

EE-2465

Proof Key for Code Exchange (PKCE) Improvement – Improve PKCE support to allow Refresh Token use without the client_secret.

EE-2469

SQL Database Log Improvement – Improve null handling for SQL database logs.

EE-2475

2019 Theme Issue – Addressed display issue in 2019 Theme for the OIDCEndSession.aspx page.

EE-2477

Public / Private Mode Issue – Addressed an issue to ensure the system honors a change to the public/private mode setting in the Classic Experience.

20.06-11

05-Nov-2021

EE-1968

Password Reset Improvement – Improvement to to self-service password reset functionality for a specific use case.

For more information, see this knowledge base article: Self-service password reset hotfix update

EE-2108

Web Admin Issue – Addressed issue with missing KBA/KBQ settings in the web.config in the Classic Experience.

EE-2248

Email Template Support – Reinstate support to customize email templates in the Identity Platform for cloud deployments.

EE-2261

OIDC Issue – Added logic to better handle double logins in use cases where the user clicks Submit, and presses Enter.

Install this hotfix if you have:

  • OIDC / OAuth2 integrations

EE-2345

Web Admin UI Issue – Addressed issue with the Test Connection button on the Data tab.

EE-2438

JSON Web Token Support – Added support for iat (issued at) attribute.

EE-2445

URL Enrollment Issue – Addressed issue to enable biometric push notification using URL enrollment.

20.06-10

24-Sep-2021

EE-2121

Mobile Authentication – Fixed issue where an extra comma was incorrectly added to a payload file.

EE-2221

Account Update Issue – Addressed an issue that affected the Account Update page when using a Web Service (Multi-Datastore) with Windows SSO.

EE-2251

International Phone Format Issue – Addressed an issue that affected some international phone number formats.

EE-2326

Password Reset Support – Added support to unlock account first on the Password Reset page and then redirect users to reset their password.

EE-2331

2019 Theme Issue – Reinstate support in the Classic Experience Web Admin for the URL links to Forgot Username, Forgot Password, and Restart Login pages for the 2019 Theme.

EE-2337

Web Service (Multi-Datastore) Realm Issue – Addressed login issues using TOTP OATH token with Google Authenticator.

EE-2351

This is an update to the following issue reported under EE-2120 in hotfix 20.06-9.

OIDC Issue – Added logic to better handle login prompts.

Install this hotfix if you have:

  • OIDC / OAuth2 integrations

20.06-9

16-Jul-2021

EE-1652

Password Throttling API Response Message – Added additional clarification to password throttling AP response message.

EE-1663

Device Fingerprint Optimization – Device fingerprint profile (DFP) optimized when realm is configured in Private Mode only.

EE-1814

SAML OneTimeUse Condition Support – Added support for the SAML OneTimeUse condition.

EE-1825

QR Enrollment Issue – Addressed issue when using an email address during login to the QR enrollment page. 

Install this hotfix you have:

  • Multi-Factor App Enrollment – QR Code realm

EE-1969

SAML Assertion Update – Added support for FriendlyName user attribute.

To use the FriendlyName user attribute, it requires the following application setting in the web.config:

<add key=“ExtendedSAMLAttrXXFriendlyName” value=“YourFriendlyName” />

Where XX is a number between 1-10 associated with the attribute.

For Identity Platform cloud deployments, contact Support to update your web.config.

EE-2029

Content and Localization Issue – Addressed issue where edits in the verbiage editor did not show up on the Logout.aspx page.

EE-2077

IPv6 Address Handling Improvement – Enhanced ability to better manage IPv6 addresses.

EE-2092

Added New Response Times to Audit Logs – Addressed issue to include OTP response times in audit logs.

EE-2106

Default MFA Delivery Options Improvement – Added logic so that the first MFA option on the list is always selected by default.

EE-2116

OpenID Connect Scopes Issue – Resolved an issue with OpenID scope values not rendering correctly for OIDC Authorizations.

Install this hotfix if you have:

  • OIDC / OAuth2 integrations

EE-2120

OIDC Issue – Added logic to better handle login prompts.

Install this hotfix if you have:

  • OIDC / OAuth2 integrations

EE-2253

WebServices Timeout Issue – Added logic to optimize timeout values for profile lookups.

EE-2265

This is an update to the following issue reported under EE-1967 in hotfix 20.06-8.

Data Store Connection Issue – Addressed an issue causing intermittent problems in the Identity Platform when the connected data store is slow or unreliable.

20.06-8

27-May-2021

EE-1748

Maximum Device Count – Resolved an issue where, when users reached the maximum limit of registered devices, no warnings were displayed.

EE-1855

Error Handling Improvement – Added additional logic to better manage errors that occur when using the API OTP validate endpoint.

Install this hotfix if you have:

  • Authentication API enabled

EE-1856

Security Optimization – JQuery.js file optimized for security best practices.

This hotfix is required for 20.06 deployments.

EE-1967

Data Store Connection Issue – Addressed an issue causing intermittent problems in the Identity Platform when the connected data store is slow or unreliable.

EE-1972

Adaptive Endpoint Issue – Resolved an issue causing the endpoint to incorrectly prompt for 2FA for users in an allowed group.

EE-2040

AD LDS Account Unlocking Issue – Addressed an issue causing the Identity Platform to incorrectly see accounts locked that had been previously unlocked by (AD LDS).

Install this hotfix if you have:

  • AD LDS data store integration

Note

A fallback xml attribute for the lockout duration was added to the web.config. Contact Support for more information.

EE-2050

Security Optimization – Angular.js library optimized for security best practices.

This hotfix is required for 20.06 deployments.

EE-2059

Web Service Realm Issue – Resolved an issue that caused disabled WebService realm to continue to function if the username and password existed.

Install this hotfix if you have:

  • Web Service (Multi-Datastore) integration disabled on the Data tab

EE-2070

Login Delay Issue – Resolved an issue resulting in potential delays for the login page when using IWA or Transparent SSO.

Install this hotfix if you have:

  • IWA workflow

  • Transparent SSO workflow

EE-2110

Security Optimization – Redirect pages optimized for security best practices.

This hotfix is required for 20.06 deployments.

EE-2111

2019 Theme Issue – Fixed an issue causing the login page in 2019 theme to not load when using Internet Explorer 11 browser.

Install this hotfix if you have:

  • 2019 Theme selected on the Overview tab

20.06-7

25-Mar-2021

EE-1822

2019 Theme Issue - Password Inline Warning – Resolved an issue where users couldn't bypass the prompt to optionally change their password.

Install this hotfix if you have:

  • 2019 Theme selected on the Overview tab

EE-2003

2019 Theme Issue - Profile Missing page – Resolved an issue where the Restart Login link didn't display on the profilemissing.aspx page.

Install this hotfix if you have:

  • 2019 Theme selected on the Overview tab

EE-2045

FIDO2 Authentication Issue – FIDO2 authentication ignores proxy settings.

Install this hotfix if you have:

  • FIDO2 WebAuthn enabled as MFA method

EE-2047

FIDO2 Authentication Improvement – Error handling improvements to user login when user does not have a registered FIDO2 security key.

Install this hotfix if you have:

  • FIDO2 WebAuthn enabled as MFA method

EE-2100

FIDO2 Authentication Improvements – Improvements related to FIDO2 authentication include:

  • Added audit logging to all FIDO2 calls with response times

  • Update issue with not loading New Experience data stores behind a proxy

  • Disabling login call to FIDO2 when this MFA is not applicable

Install this hotfix if you have:

  • FIDO2 WebAuthn enabled as MFA method

20.06-6

08-Mar-2021

EE-1854

Web Admin Optimization – Removal of unused code and subfolder from the SecureAuth Identity Platform Web Admin project folder.

EE-1864

WS-Federation Update – In realms that use WS-Federation, this update requires allow-listing of URLs for the wreply field.

If a wreply setting is configured, the hotfix will use the host of this setting for the new allow-list.

There is also a new optional setting to support allow-listing of more than one URL by using a comma-delimited list.

Install this hotfix if you have:

  • WS-Federation integrations

EE-1897

Performance Enhancements – Update exception handling to improve system performance during login and enrollment workflows.

EE-1979

Updates to Audit Logging for SQL – Audit logging updates for SQL data store response times. 

Install this hotfix if you have: 

  • SQL data store integration

EE-2004

SAML Request Signature Validation Certificate Issue – In certain SAML workflows, signature validation was not successful.

Install this fix if you have:

  • SAML applications configured in the Application Manager

  • SAML applications configured in the Post Authentication tab

Important

By installing this hotfix, any expired signing certificate is now enforced by the certificate expiration date.

To override this setting to allow expired certificates, set the following application setting in the web.config:

<add key="BlockSAMLRequestCertExpiration" value="False" />

EE-2051

Self-Service Account Update Theme Issue – There were some missing labels on the AccountUpdate.aspx page using 2016 or 2019 Themes.

Install this hotfix if you have:

  • Self-service Account Update page configured

  • 2016 or 2019 Theme selected in the Overview tab

EE-2060

Security Optimization – OIDC authorization with PKCE optimized for security best practices.

This hotfix is required for 20.06 deployments.

EE-1960

Hotfix Installer Update – Hotfix installer updates the cloud certificate URL to use https.

EE-2046

Hotfix Installer Update – Hotfix installer uninstalls Metricbeat.

20.06-5

12-Jan-2021

EE-1803

Biometric Support – Re-enrollment in the Authenticate app in order to use biometric identification is no longer required.

Install this hotfix if you have:

  • Enabled the Authentication app previously and now want to use Biometric identification in the login workflow without users re-enrolling.

For more information, see Support biometric options in login workflow with Authenticate app.

EE-1804

Submit Form Post Issue – The Submit Form Post realm incorrectly removes password data following certain special characters.

Install this fix if you have:

  • Submit Form Post configurations

EE-1826

Transformation Engine Support for OIDC / OAuth2 Workflows – Transformation Engine now supports OIDC / OAuth2 workflows.

Install this fix if you have:

  • OIDC / OAuth2 integrations

EE-1833

Multiple Workflow Configuration Issues – Resolved issues with setting up a Multiple Workflow Configuration and password throttling validation issue.

Install this hotfix if you have:

  • Multiple Workflow Configuration enabled and configured in the Workflow tab

  • Password Throttling enabled and configured in the Workflow tab

EE-1877

Service Provider Metadata XML Issue – In the New Experience, the metadata XML exports in the wrong format.

EE-1989

2019 Theme Issue with Login Workflow – Users can't login with the 2019 theme in Internet Explorer 11 or Office 365 using embedded browser controls. The Submit button stays disabled at login.

Install this hotfix if you have:

  • 2019 Theme selected in the Overview tab

EE-2004

SAML Request Signature Validation Certificate Issue – In certain SAML workflows, signature validation was not successful.

Install this fix if you have:

  • SAML applications configured in the Application Manager

  • SAML applications configured in the Post Authentication tab

Caution

By installing this hotfix, any expired signing certificate is now enforced by the certificate expiration date.

Contact Support to override this setting to allow expired certificates. It requires the following application setting in the web.config:

<add key="BlockSAMLRequestCertExpiration" value="False" />

20.06-4

09-Nov-2020

EE-1611

2016 Theme Support for Biometric MFA – The new Biometric MFA option was not available for use in the 2016 theme option.

Install this hotfix if you have:

  • 2016 Theme selected in the Overview tab

  • Biometric identification enabled as an authentication option in the Multi-Factor Methods settings > Authentication Apps OR

  • Mobile Login Requests (Push Notifications) enabled in the Multi-Factor Methods tab

EE-1810

OIDC Claim Format Issue – The email_verified claim should be sent as a boolean value.

Install this hotfix if you have:

  • OIDC / OAuth2 integrations

EE-1860

Performance Optimizations – Realms created in the Classic UI are now optimized to reduce latency.

Install this hotfix if you have:

  • Realms created using the Classic UI experience

EE-1868

OIDC Issue – The OIDC algorithm header reverted back to HS256 during product upgrade.

Install this hotfix if you have:

  • OIDC / OAuth2 integrations

EE-1935

Security Optimization – Admin API update to data store optimized for security best practices.

This hotfix is required for 20.06 deployments.

EE-1966

Redirect with Token Issue – Redirect with token workflows were intermittently unsuccessful under certain conditions.

Install this hotfix if you have:

  • Redirect with Token configurations in the Workflow and / or Adaptive Authentication tab

Other

Additional logging enhancements and updated SecureAuth branding

20.06-3

07-Oct-2020

EE-1890

This hotfix includes a file correction to a previous 20.06-2 hotfix addressing this issue:

Certificate Issue – For customers upgrading from Identity Platform release 19.07.01 to 20.06, the SHA-1 assertion now verifies correctly.

This hotfix is required for 20.06 deployments.

20.06-2

02-Oct-2020

EE-1778

OIDC / OAuth2 Workflow Session Issue – OIDC queries in OAuth workflows now read correctly when a user has two browser tabs open when authenticating into a resource.

Install this fix if you have:

  • OIDC / OAuth2 integrations

EE-1890

Certificate Issue – For customers upgrading from Identity Platform release 19.07.01 to 20.06, the SHA-1 assertion now verifies correctly.

This hotfix is required for 20.06 deployments.

EE-1902

OIDC / OAuth 2 Issue – Fixes an issue with scope values not rendering correctly on the Post Auth tab for OpenID Connect/OAuth 2.0.

Install this fix if you have: 

  • OIDC / OAuth2 integrations

EE-1928

Authentication API Improvement – The Authentication API now supports Link-to-Accept via SMS and email as an available multi-factor method MFA option.

Install this hotfix if you have:

  • Authentication API enabled in the API tab

  • Link-to-Accept enabled in the Classic UI experience

20.06-1

11-Sep-2020

EE-1196

Realm List Display Issue – Classic administration realm navigation bar repositions incorrectly after save.

EE-1524

Azure AD UPN Domain Check – Resolves issue with unnecessary uppercase and lowercase domain name check in username.

Install this hotfix if you have:

  • Azure AD integrated with the Identity Platform

EE-1552

Push Notification Company Name – In the SecureAuth Authenticate app login request UI, the configured company name was not accurately displaying.

Install this hotfix if you have:

  • Authentication Apps enabled in a Policy OR

  • Mobile Login Requests enabled in the Multi-Factor Methods tab

  • Users employing the SecureAuth Authenticate app for authentication

EE-1600

Redirect with Token Issue – Redirect with token workflows were unsuccessful.

Install this hotfix if you have:

  • Redirect with Token configurations in the Workflow and / or Adaptive Authentication tab

EE-1607

International Phone Number Issue – Ten-digit International phone numbers were automatically being prepended with “1”, making those numbers unusable for MFA.

Install this hotfix if you have:

  • Phone MFA methods enabled in a Policy

  • Phone MFA methods enabled in the Registration Methods tab

EE-1660

Password Throttling Validation Issue – Users passwords not always validated when using Password Throttling feature.

Install this hotfix if you have:

  • Password Throttling enabled and configured in the Workflow tab

EE-1684

Database Logging Issue – Database logs experiencing a table lock stopped writing new log entries.

Install this hotfix if you have:

  • Database logging enabled in the Logs tab

EE-1692

Chrome 404 Error on Manage Accounts Page – Chrome browser would give a 404 error to users on the Manage Accounts (help desk) page if the page timed out and user logs back in, whereas other browsers would redirect them back to the page after authentication.

Install this hotfix if you have:

  • Manage Accounts page configured in the Post Authentication tab

  • Users employing Chrome browser

EE-1707

Corrupted CyberArk Username – When using CyberArk for the directory credentials, the username would become corrupted during simultaneous connections.

Install this hotfix if you have:

  • CyberArk integration for the directory integration credentials on the Data tab

EE-1739

2019 Theme Not Rendering Correctly – Pages in the realm root were not rendering correctly when using the 2019 theme.

Install this hotfix if you have:

  • 2019 Theme selected in the Overview tab

  • Realm root pages configured in the Post Authentication tab

EE-1749

Admin Console Issue – Admin console may not load after reboot.

  • This hotfix is required for 20.06 deployments.

EE-1772

Error Verbiage Improvements – In OAuth flow, if the authorization code ID and saved code ID do not match, it displayed the error message, "this code has already been used" which is misleading. Error message now reads as "Authorization Code does not match or has already been used".

Install this hotfix if you have:

  • OIDC / OAuth2 integrations

EE-1774

Biometric Method Issue – For a Mobile Login (Push Notification) method involving any biometric as the Request Type in the Classic Experience, some configuration fields are greyed out.

Install this hotfix if you have:

  • Mobile Login (Push Notification) MFA method set up to use any Biometric as the Request Type in the Multi-Factor Methods tab

EE-1781

Transformation Engine Issue – Resolves issue in which the Transformation Engine did not work correctly when used with WS-Federation.

Install this hotfix if you have:

  • Transformation Engine enabled and configured

EE-1608

Resetting IIS Settings – After making changes to IIS and then changes to the SecureAuth Web Admin, the changes made in IIS were reverted to the previous configuration.

Install this hotfix if you have:

  • Windows Auth IIS settings changed from the SecureAuth default

EE-1619

Invalid SQL Password Issue – Password data was cut off in the database when using encrypted password format, resulting in an invalid user password at login.

Install this hotfix if you have:

  • SQL data store integration

  • Password format as encrypted

EE-1680

Debug Log Cleanup – Debug logs required changes.

This hotfix is required for 20.06 deployments.

EE-1683

SecureAuth Identity Platform was not able to effectively retrieve the email address from the Azure AD data store.

Install this hotfix if you have:

  • Azure AD integrated in the Data tab

  • Email 1 property mapped to an Azure AD attribute