Hotfixes
The following lists hotfixes for the Identity Platform release 20.06.
20.06 hotfixes
Release No. | Release Date | Ref ID | Issue / Description |
|---|---|---|---|
20.06-18 | 15-Sep-2023 | EE-2557 | Unhandled SecurePortal Error – Anonymous users landing on the SecurePortal would encounter an on-screen error instead of being redirected to login screen. |
EE-3225 | AD-LDS Password Validation Issue – Addressed issue with AD-LDS connections that use user + password workflows in the Advanced Settings (formerly Classic Experience). | ||
EE-3258 | FIPS Compliance on User Handler Web Service Page – Added logic to make EncryptUser.aspx page compliant with FIPS. | ||
EE-3302 | Configuration Setting for ACS URL Restriction – Added a configuration setting to turn ON or OFF the ACS URL whitelist enforcement. ImportantBefore you install this hotfix, see this KB article: How to establish trust for ACS redirects in SP-initiated SAML requests | ||
20.06-17 | 01-May-2023 | EE-3073 | EncryptUser Issue – Addressed issue with a truncated URL in EncryptUser.aspx. |
EE-3074 | SAML Post Issue – Added logic to support SAML Post workflow redirects through adaptive auth (group restriction). | ||
EE-3098 | LDAP Authentication Improvement – Added logic to make LDAP authentication over SSL/TLS more secure. | ||
EE-3207 | Unhandled SecurePortal Error – Anonymous users landing on the SecurePortal would encounter an on-screen error instead of being redirected to login screen. | ||
EE-3216 | OATH Tokens Bulk Upload Support – Added logic to support bulk uploads of OATH tokens (TOTP and HOTP tokens). For more information, see Bulk upload hardware OATH tokens using CSV file | ||
20.06-16 | 07-Dec-2022 | EE-2684 | Passcode App Update – Supports the ability to register on more than one computer. This requires an updated version of Passcode for Windows or Passcode for Mac. |
EE-2702 | Email Template Save Issue – Addressed issue with updating and saving the OTP Email Template on the Overview tab in full cloud instances. | ||
EE-2967 | API Update – Update compatibility between newer Identity Platform enrollment data and existing APIs. | ||
EE-3008 | OIDC Enhancements – Enhancements to OpenID Connect (OIDC) include the following updates:
| ||
20.06-15 | 16-Sep-2022 | EE-2712 | Firefox Login Issue – Addressed issue with Submit button in Firefox when user selects an autofill login option. |
EE-2819 | Skip to Post Authentication Issue – Addressed issue with an incorrect skip to post authentication page using an invalid password. | ||
EE-2828 | OIDC Issue – Added logic to better handle the post logout redirect URI. | ||
EE-2855 | Digital Fingerprint (DPF) in 2019 Theme Issue – Addressed issue with browser device fingerprint sometimes not pushing out MFA. | ||
20.06-14 | 19-Jul-2022 | EE-2559 | Proof Key for Code Exchange (PKCE) Improvement – Improve PKCE support to revoke access tokens without a client secret. |
EE-2592 | QR Enrollment Page Improvement – Added new help text for end users on the QR enrollment page. | ||
EE-2638 | Digital Fingerprint Issue – Addressed issue with user agent string picking up identical digital fingerprint settings in Google Chrome and Microsoft Edge. After applying the hotfix, this issue can still occur for a specific configuration. See this KB article for a workaround: Workaround for digital fingerprint hotfix | ||
EE-2714 | Push-to-Accept in L4W Issue – Addressed issue with Push-to-Accept not working consistently in Login for Windows (L4W). | ||
EE-2720 | One-Time-Passcode (OTP) App Default Theme Issue – Addressed an issue when a Classic Experience realm MFA is set to use "One-Time Passcode via Phone Call and SMS". The MFA displayed to the end user does not show an option to select SMS. | ||
EE-2750 | Enhanced SAML Consumer – Added the ability to integrate the Identity Platform as a SAML SP with Arculix or any third-party IdP. For information about setting up the Identity Platform and Arculix integration, see SecureAuth IdP and Arculix integration. | ||
EE-2777 | Air-Gapped QR Code Support – Added support for QR enrollments for time-based one-time passcodes (TOTP) in an air-gapped environment. | ||
EE-2781 | Air-Gapped Identity Platform Issue – Added logic to ignore unavailable hosts in an air-gapped environment. | ||
20.06-13 | 05-Apr-2022 | EE-2476 | RBAC Configuration Issue – Addressed an issue with saving configuration changes to the role-based access control (RBAC) on the UI. |
EE-2560 | Adaptive Auth Redirect Issue – Addressed issue with signature validation in SP-init redirect to a different realm. | ||
EE-2591 | CyberArk SDK Integration Support – Backported CyberArk SDK updates. | ||
EE-2598 | AppPool Performance Improvement – Improve AppPool performance with Identity Platform call to SecureAuth cloud services. | ||
EE-2604 | Country Code Lookup Issue – Addressed issue with the default country code issue on the Classic Multi-Factor Methods tab. | ||
EE-2607 | Audit Log Update – Update in the Auth API to mask knowledge-based answers (KBA) in the Audit logs. | ||
EE-2624 | Session URL Issue – EncryptUser.aspx has a ReturnURL to send the encrypted user cookie after authentication. This fix allows a dynamic ReturnURL, if it is provided and our ReturnURL is left blank. | ||
20.06-12 | 10-Jan-2022 | EE-2043 | Custom Token Value Support – New option to Base64 encode the custom token value. |
EE-2181 | Webservice Profile Lookup Issue – Addressed issue causing removal of profile data. The following describes this issue in more detail. A rare scenario occurs in the web service when the lookup for a user's membership succeeds, and in the same request, the profile lookup times out. The user does not receive an error and it allows the user to proceed in the login workflow. If the login workflow included a multi-factor method (MFA), a different error message would display, related to not finding any MFA in the user's profile. If the login workflow is only username and password, then the login would succeed and save an empty profile for the user. This issue clears all writable values in the user profile. This issue first occurred after a previous hotfix (EE-2253) to reduce the web service timeout to a reasonable value (5 seconds). Web service timeouts usually occur when the login to a realm has been idle for too long and suspends itself. The hotfix prevents the user profile from clearing out by not allowing the user to continue in the current login request during a timeout. If the timeout is due to an idle realm, the second attempt normally succeeds and the user can continue the login workflow. | ||
EE-2344 | Azure AD Password Reset Support – Added inline support for password reset of Azure AD synced users. | ||
EE-2443 | Adaptive Group Check Issue – Addressed issue to ensure that the adaptive group check is correctly performed after an invalid password attempt. | ||
EE-2465 | Proof Key for Code Exchange (PKCE) Improvement – Improve PKCE support to allow Refresh Token use without the client_secret. | ||
EE-2469 | SQL Database Log Improvement – Improve null handling for SQL database logs. | ||
EE-2475 | 2019 Theme Issue – Addressed display issue in 2019 Theme for the OIDCEndSession.aspx page. | ||
EE-2477 | Public / Private Mode Issue – Addressed an issue to ensure the system honors a change to the public/private mode setting in the Classic Experience. | ||
20.06-11 | 05-Nov-2021 | EE-1968 | Password Reset Improvement – Improvement to to self-service password reset functionality for a specific use case. For more information, see this knowledge base article: Self-service password reset hotfix update |
EE-2108 | Web Admin Issue – Addressed issue with missing KBA/KBQ settings in the web.config in the Classic Experience. | ||
EE-2248 | Email Template Support – Reinstate support to customize email templates in the Identity Platform for cloud deployments. | ||
EE-2261 | OIDC Issue – Added logic to better handle double logins in use cases where the user clicks Submit, and presses Enter. Install this hotfix if you have:
| ||
EE-2345 | Web Admin UI Issue – Addressed issue with the Test Connection button on the Data tab. | ||
EE-2438 | JSON Web Token Support – Added support for iat (issued at) attribute. | ||
EE-2445 | URL Enrollment Issue – Addressed issue to enable biometric push notification using URL enrollment. | ||
20.06-10 | 24-Sep-2021 | EE-2121 | Mobile Authentication – Fixed issue where an extra comma was incorrectly added to a payload file. |
EE-2221 | Account Update Issue – Addressed an issue that affected the Account Update page when using a Web Service (Multi-Datastore) with Windows SSO. | ||
EE-2251 | International Phone Format Issue – Addressed an issue that affected some international phone number formats. | ||
EE-2326 | Password Reset Support – Added support to unlock account first on the Password Reset page and then redirect users to reset their password. | ||
EE-2331 | 2019 Theme Issue – Reinstate support in the Classic Experience Web Admin for the URL links to Forgot Username, Forgot Password, and Restart Login pages for the 2019 Theme. | ||
EE-2337 | Web Service (Multi-Datastore) Realm Issue – Addressed login issues using TOTP OATH token with Google Authenticator. | ||
EE-2351 | This is an update to the following issue reported under EE-2120 in hotfix 20.06-9. OIDC Issue – Added logic to better handle login prompts. Install this hotfix if you have:
| ||
20.06-9 | 16-Jul-2021 | EE-1652 | Password Throttling API Response Message – Added additional clarification to password throttling AP response message. |
EE-1663 | Device Fingerprint Optimization – Device fingerprint profile (DFP) optimized when realm is configured in Private Mode only. | ||
EE-1814 | SAML OneTimeUse Condition Support – Added support for the SAML OneTimeUse condition. | ||
EE-1825 | QR Enrollment Issue – Addressed issue when using an email address during login to the QR enrollment page. Install this hotfix you have:
| ||
EE-1969 | SAML Assertion Update – Added support for To use the
Where For Identity Platform cloud deployments, contact Support to update your web.config. | ||
EE-2029 | Content and Localization Issue – Addressed issue where edits in the verbiage editor did not show up on the Logout.aspx page. | ||
EE-2077 | IPv6 Address Handling Improvement – Enhanced ability to better manage IPv6 addresses. | ||
EE-2092 | Added New Response Times to Audit Logs – Addressed issue to include OTP response times in audit logs. | ||
EE-2106 | Default MFA Delivery Options Improvement – Added logic so that the first MFA option on the list is always selected by default. | ||
EE-2116 | OpenID Connect Scopes Issue – Resolved an issue with OpenID scope values not rendering correctly for OIDC Authorizations. Install this hotfix if you have:
| ||
EE-2120 | OIDC Issue – Added logic to better handle login prompts. Install this hotfix if you have:
| ||
EE-2253 | WebServices Timeout Issue – Added logic to optimize timeout values for profile lookups. | ||
EE-2265 | This is an update to the following issue reported under EE-1967 in hotfix 20.06-8. Data Store Connection Issue – Addressed an issue causing intermittent problems in the Identity Platform when the connected data store is slow or unreliable. | ||
20.06-8 | 27-May-2021 | EE-1748 | Maximum Device Count – Resolved an issue where, when users reached the maximum limit of registered devices, no warnings were displayed. |
EE-1855 | Error Handling Improvement – Added additional logic to better manage errors that occur when using the API OTP validate endpoint. Install this hotfix if you have:
| ||
EE-1856 | Security Optimization – JQuery.js file optimized for security best practices. This hotfix is required for 20.06 deployments. | ||
EE-1967 | Data Store Connection Issue – Addressed an issue causing intermittent problems in the Identity Platform when the connected data store is slow or unreliable. | ||
EE-1972 | Adaptive Endpoint Issue – Resolved an issue causing the endpoint to incorrectly prompt for 2FA for users in an allowed group. | ||
EE-2040 | AD LDS Account Unlocking Issue – Addressed an issue causing the Identity Platform to incorrectly see accounts locked that had been previously unlocked by (AD LDS). Install this hotfix if you have:
NoteA fallback xml attribute for the lockout duration was added to the web.config. Contact Support for more information. | ||
EE-2050 | Security Optimization – Angular.js library optimized for security best practices. This hotfix is required for 20.06 deployments. | ||
EE-2059 | Web Service Realm Issue – Resolved an issue that caused disabled WebService realm to continue to function if the username and password existed. Install this hotfix if you have:
| ||
EE-2070 | Login Delay Issue – Resolved an issue resulting in potential delays for the login page when using IWA or Transparent SSO. Install this hotfix if you have:
| ||
EE-2110 | Security Optimization – Redirect pages optimized for security best practices. This hotfix is required for 20.06 deployments. | ||
EE-2111 | 2019 Theme Issue – Fixed an issue causing the login page in 2019 theme to not load when using Internet Explorer 11 browser. Install this hotfix if you have:
| ||
20.06-7 | 25-Mar-2021 | EE-1822 | 2019 Theme Issue - Password Inline Warning – Resolved an issue where users couldn't bypass the prompt to optionally change their password. Install this hotfix if you have:
|
EE-2003 | 2019 Theme Issue - Profile Missing page – Resolved an issue where the Restart Login link didn't display on the profilemissing.aspx page. Install this hotfix if you have:
| ||
EE-2045 | FIDO2 Authentication Issue – FIDO2 authentication ignores proxy settings. Install this hotfix if you have:
| ||
EE-2047 | FIDO2 Authentication Improvement – Error handling improvements to user login when user does not have a registered FIDO2 security key. Install this hotfix if you have:
| ||
EE-2100 | FIDO2 Authentication Improvements – Improvements related to FIDO2 authentication include:
Install this hotfix if you have:
| ||
20.06-6 | 08-Mar-2021 | EE-1854 | Web Admin Optimization – Removal of unused code and subfolder from the SecureAuth Identity Platform Web Admin project folder. |
EE-1864 | WS-Federation Update – In realms that use WS-Federation, this update requires allow-listing of URLs for the If a There is also a new optional setting to support allow-listing of more than one URL by using a comma-delimited list. Install this hotfix if you have:
| ||
EE-1897 | Performance Enhancements – Update exception handling to improve system performance during login and enrollment workflows. | ||
EE-1979 | Updates to Audit Logging for SQL – Audit logging updates for SQL data store response times. Install this hotfix if you have:
| ||
EE-2004 | SAML Request Signature Validation Certificate Issue – In certain SAML workflows, signature validation was not successful. Install this fix if you have:
ImportantBy installing this hotfix, any expired signing certificate is now enforced by the certificate expiration date. To override this setting to allow expired certificates, set the following application setting in the web.config:
| ||
EE-2051 | Self-Service Account Update Theme Issue – There were some missing labels on the AccountUpdate.aspx page using 2016 or 2019 Themes. Install this hotfix if you have:
| ||
EE-2060 | Security Optimization – OIDC authorization with PKCE optimized for security best practices. This hotfix is required for 20.06 deployments. | ||
EE-1960 | Hotfix Installer Update – Hotfix installer updates the cloud certificate URL to use | ||
EE-2046 | Hotfix Installer Update – Hotfix installer uninstalls Metricbeat. | ||
20.06-5 | 12-Jan-2021 | EE-1803 | Biometric Support – Re-enrollment in the Authenticate app in order to use biometric identification is no longer required. Install this hotfix if you have:
For more information, see Support biometric options in login workflow with Authenticate app. |
EE-1804 | Submit Form Post Issue – The Submit Form Post realm incorrectly removes password data following certain special characters. Install this fix if you have:
| ||
EE-1826 | Transformation Engine Support for OIDC / OAuth2 Workflows – Transformation Engine now supports OIDC / OAuth2 workflows. Install this fix if you have:
| ||
EE-1833 | Multiple Workflow Configuration Issues – Resolved issues with setting up a Multiple Workflow Configuration and password throttling validation issue. Install this hotfix if you have:
| ||
EE-1877 | Service Provider Metadata XML Issue – In the New Experience, the metadata XML exports in the wrong format. | ||
EE-1989 | 2019 Theme Issue with Login Workflow – Users can't login with the 2019 theme in Internet Explorer 11 or Office 365 using embedded browser controls. The Submit button stays disabled at login. Install this hotfix if you have:
| ||
EE-2004 | SAML Request Signature Validation Certificate Issue – In certain SAML workflows, signature validation was not successful. Install this fix if you have:
CautionBy installing this hotfix, any expired signing certificate is now enforced by the certificate expiration date. Contact Support to override this setting to allow expired certificates. It requires the following application setting in the web.config:
| ||
20.06-4 | 09-Nov-2020 | EE-1611 | 2016 Theme Support for Biometric MFA – The new Biometric MFA option was not available for use in the 2016 theme option. Install this hotfix if you have:
|
EE-1810 | OIDC Claim Format Issue – The email_verified claim should be sent as a boolean value. Install this hotfix if you have:
| ||
EE-1860 | Performance Optimizations – Realms created in the Classic UI are now optimized to reduce latency. Install this hotfix if you have:
| ||
EE-1868 | OIDC Issue – The OIDC algorithm header reverted back to HS256 during product upgrade. Install this hotfix if you have:
| ||
EE-1935 | Security Optimization – Admin API update to data store optimized for security best practices. This hotfix is required for 20.06 deployments. | ||
EE-1966 | Redirect with Token Issue – Redirect with token workflows were intermittently unsuccessful under certain conditions. Install this hotfix if you have:
| ||
Other | Additional logging enhancements and updated SecureAuth branding | ||
20.06-3 | 07-Oct-2020 | EE-1890 | This hotfix includes a file correction to a previous 20.06-2 hotfix addressing this issue: Certificate Issue – For customers upgrading from Identity Platform release 19.07.01 to 20.06, the SHA-1 assertion now verifies correctly. This hotfix is required for 20.06 deployments. |
20.06-2 | 02-Oct-2020 | EE-1778 | OIDC / OAuth2 Workflow Session Issue – OIDC queries in OAuth workflows now read correctly when a user has two browser tabs open when authenticating into a resource. Install this fix if you have:
|
EE-1890 | Certificate Issue – For customers upgrading from Identity Platform release 19.07.01 to 20.06, the SHA-1 assertion now verifies correctly. This hotfix is required for 20.06 deployments. | ||
EE-1902 | OIDC / OAuth 2 Issue – Fixes an issue with scope values not rendering correctly on the Post Auth tab for OpenID Connect/OAuth 2.0. Install this fix if you have:
| ||
EE-1928 | Authentication API Improvement – The Authentication API now supports Link-to-Accept via SMS and email as an available multi-factor method MFA option. Install this hotfix if you have:
| ||
20.06-1 | 11-Sep-2020 | EE-1196 | Realm List Display Issue – Classic administration realm navigation bar repositions incorrectly after save. |
EE-1524 | Azure AD UPN Domain Check – Resolves issue with unnecessary uppercase and lowercase domain name check in username. Install this hotfix if you have:
| ||
EE-1552 | Push Notification Company Name – In the SecureAuth Authenticate app login request UI, the configured company name was not accurately displaying. Install this hotfix if you have:
| ||
EE-1600 | Redirect with Token Issue – Redirect with token workflows were unsuccessful. Install this hotfix if you have:
| ||
EE-1607 | International Phone Number Issue – Ten-digit International phone numbers were automatically being prepended with “1”, making those numbers unusable for MFA. Install this hotfix if you have:
| ||
EE-1660 | Password Throttling Validation Issue – Users passwords not always validated when using Password Throttling feature. Install this hotfix if you have:
| ||
EE-1684 | Database Logging Issue – Database logs experiencing a table lock stopped writing new log entries. Install this hotfix if you have:
| ||
EE-1692 | Chrome 404 Error on Manage Accounts Page – Chrome browser would give a 404 error to users on the Manage Accounts (help desk) page if the page timed out and user logs back in, whereas other browsers would redirect them back to the page after authentication. Install this hotfix if you have:
| ||
EE-1707 | Corrupted CyberArk Username – When using CyberArk for the directory credentials, the username would become corrupted during simultaneous connections. Install this hotfix if you have:
| ||
EE-1739 | 2019 Theme Not Rendering Correctly – Pages in the realm root were not rendering correctly when using the 2019 theme. Install this hotfix if you have:
| ||
EE-1749 | Admin Console Issue – Admin console may not load after reboot.
| ||
EE-1772 | Error Verbiage Improvements – In OAuth flow, if the authorization code ID and saved code ID do not match, it displayed the error message, "this code has already been used" which is misleading. Error message now reads as "Authorization Code does not match or has already been used". Install this hotfix if you have:
| ||
EE-1774 | Biometric Method Issue – For a Mobile Login (Push Notification) method involving any biometric as the Request Type in the Classic Experience, some configuration fields are greyed out. Install this hotfix if you have:
| ||
EE-1781 | Transformation Engine Issue – Resolves issue in which the Transformation Engine did not work correctly when used with WS-Federation. Install this hotfix if you have:
| ||
EE-1608 | Resetting IIS Settings – After making changes to IIS and then changes to the SecureAuth Web Admin, the changes made in IIS were reverted to the previous configuration. Install this hotfix if you have:
| ||
EE-1619 | Invalid SQL Password Issue – Password data was cut off in the database when using encrypted password format, resulting in an invalid user password at login. Install this hotfix if you have:
| ||
EE-1680 | Debug Log Cleanup – Debug logs required changes. This hotfix is required for 20.06 deployments. | ||
EE-1683 | SecureAuth Identity Platform was not able to effectively retrieve the email address from the Azure AD data store. Install this hotfix if you have:
|