Hotfixes

The following lists hotfixes for the Identity Platform release 21.04.

21.04 hotfixes

Release No.

Release Date

Ref ID

Issue / Description

21.04-15

11-Sep-2023

EE-3302

Configuration Setting for ACS URL Restriction – Added a configuration setting to turn ON or OFF the ACS URL whitelist enforcement.

Before you install this hotfix, see this KB article: How to establish trust for ACS redirects in SP-initiated SAML requests

21.04-14

20-Jul-2023

EE-3289

Fix for ACS URL Restriction in SAML Integration – Bug fix for ACS URL whitelist functionality related to EE-3252 in 21.04-13 hotfix.

21.04-13

15-Jun-2023

EE-2968

YubiKey HOTP Issue – Addressed issue with a login loop if a user taps their YubiKey and inadvertently clicks the Submit button.

EE-3207, EE-2557

Unhandled SecurePortal Error – Anonymous users landing on the SecurePortal would encounter an on-screen error instead of being redirected to the login screen.

EE-3225

AD-LDS Password Validation Issue – Addressed issue with AD-LDS connections that use user + password workflows in the Advanced Settings (formerly Classic Experience).

EE-3230

API Calls and Push Notification Issue in Login for Windows – Added logic for stateless API calls to load balancers for push to accept in Login for Windows.

This issue was caused by a code change to EE-2846 in the 21.04-12 hotfix.

EE-3252

ACS URL Restriction in SAML Integration – Added logic to restrict incoming ACS URL in the SAML request by validating them against a whitelist.

EE-3258

FIPS Compliance on User Handler Web Service Page – Added logic to make EncryptUser.aspx page compliant with FIPS.

21.04-12

09-Mar-2023

EE-2684

Passcode App Update – Supports the ability to register on more than one computer.

This requires an updated version of Passcode for Windows or Passcode for Mac.

EE-2825

Groups Lookup Issue – Added pipeline to turn off nested group search in New Experience Datastore. The UI for this feature will be released at a later date.

UI update – See this KB article: How to improve performance by disabling lookups in nested groups

EE-2846

API Calls and Push Notification Issue – Added logic for stateless API calls to load balancers for push to accept.

EE-3035

Login for Endpoints Improvement – Added improvements to better handle connectivity when a service goes offline.

EE-3039

New Experience Realm Issue – Addressed issue with setting up a New Experience realm without a data store configuration.

EE-3073

EncryptUser Issue – Addressed issue with a truncated URL in EncryptUser.aspx.

EE-3074

SAML Post Issue – Added logic to support SAML Post workflow redirects through adaptive auth (group restriction).

EE-3091

Submit Button in 2019 Theme Issue – Addressed issue in 2019 Theme where the Submit button was not in focus when an MFA option is selected.

EE-3098

LDAP Authentication Improvement – Added logic to make LDAP authentication over SSL/TLS more secure.

21.04-11

18-Nov-2022

EE-2702

Email Template Save Issue – Addressed issue with updating and saving the OTP Email Template on the Overview tab in full cloud instances.

EE-2712

Firefox Login Issue – Addressed issue with Submit button in Firefox when user selects an autofill login option.

EE-2819

Skip to Post Authentication Issue – Addressed issue with an incorrect skip to post authentication page using an invalid password.

EE-2825

Groups Lookup Issue – Added pipeline to turn off nested group search in New Experience Datastore. The UI for this feature will be released at a later date.

EE-2830

OATH Tokens Bulk Upload Issue – Addressed issue with logic in earlier hotfix to support bulk uploads of OATH tokens (TOTP and HOTP tokens).

EE-2955

SecureAuth IWA Issue – Fixed theme-specific issue that prevented SecureAuth IWA in cloud instances from working properly with 2019 Theme.

EE-2994

Push Notification Token Issue – Added logic to better handle an extra Push Notification Token that has the same name as an existing one during Mobile Service Migration.

EE-3008

OIDC Enhancements – Enhancements to OpenID Connect (OIDC) include the following updates:

  • Ability to add custom claims to OAuth2 access tokens

  • For all custom claims, you can define a scope relationship to dynamically include in the tokens

  • Client scope deny list can be inverted to an allow list

  • Configurable nbf (not before) claim time offset

  • Ability to make the claim with group values a string array instead of a comma-delimited string

21.04-10

26-Aug-2022

Note

Hotfix 21.04-10 requires the SecureAuth mobile service upgrade to v1.0.9.

Contact Support before applying this hotfix.

Before upgrading to Identity Platform release 21.04 or later, see Mobile service migration process.

EE-2569

Forgot Username Lookup Issue – Added logic to better handle forgot username lookups.

EE-2641

Third-party Authenticator Support – Added support to change the registered name of an authenticator device via QR code enrollment.

EE-2709

Mobile Services Support for MDM – Mobile service update to support validation of Mobile Device Management (MDM) devices during URL or QR enrollment.

EE-2720

OTP App Default Theme Issue – Updated logic to better handle MFA configurations for the "One-Time Passcode via Phone Call" and SMS phone setting.

EE-2816

Help Desk Mobile Device Lookup Issue – Addressed issue with inconsistent mobile device lookups on the Help Desk page.

EE-2828

OIDC Issue – Added logic to better handle the post logout redirect URI.

EE-2829

Hard Token Enrollment Support – Updated logic to enroll Hard Tokens by means of the Assign HID device field on the Self Service and Help Desk pages.

EE-2830

OATH Tokens Bulk Upload Support – Added logic to support bulk uploads of OATH tokens (TOTP and HOTP tokens).

For more information, see Bulk upload hardware OATH tokens using CSV file

EE-2852

SAML Update Issue – Addressed issue with updating SAML settings, which prevented data store lookups in the membership provider.

EE-2855

Digital Fingerprint (DFP) in 2019 Theme Issue – Addressed issue with browser device fingerprint sometimes not pushing out MFA.

EE-2857

Mobile Services Migration Issue – Addressed issue to correctly synchronize the deletion of OATH token and Push tokens on mobile devices if they are deleted from a user profile. This issue occurs after a migration or upgrade to the Identity Platform 21.04 or later.

21.04-9

17-Jun-2022

EE-2534

Application Integration Support – Added support for unique application integrations that do not require the selection of a data store in the application integration settings.

EE-2559

Proof Key for Code Exchange (PKCE) Improvement – Improve PKCE support to revoke access tokens without a client secret.

EE-2592

QR Enrollment Page Improvement – Added new help text for end users on the QR enrollment page.

EE-2606

Endpoint Login Issue – When a user logs in locally on a workstation with a validated password that does not match their password stored in their organization's domain data store, the login screen will prompt the user for their domain password before MFA.

EE-2624

Session URL Issue – EncryptUser.aspx has a ReturnURL to send the encrypted user cookie after authentication. This fix allows a dynamic ReturnURL when one is provided and the configured ReturnURL is left blank.

EE-2638

Digital Fingerprint Issue – Addressed issue with user agent string picking up identical digital fingerprint settings in Google Chrome and Microsoft Edge.

After applying the hotfix, this issue can still occur for a specific configuration. See this KB article for a workaround: Workaround for digital fingerprint hotfix

EE-2639

Remove Mobile Device Issue – Addressed issue with removing mobile devices on the Account Management (Help Desk) page.

EE-2652

Option to Hide HID Token Button Support – Added support to optionally hide the HID token button in the Self-Service and Help Desk pages.

To use this feature, go to the Classic UI > Post Authentication tab for the Account Management Help Desk or Self-Service page configuration and set the Hard Token Button display type to Show or Hide.

EE-2727

Legacy Mobile App Registration Issue – Fixed an issue where legacy SecureAuth Authenticate app mobile registrations were not showing as an MFA method.

EE-2750

Enhanced SAML Consumer – Added the ability to integrate the Identity Platform as a SAML SP with Arculix or any third-party IdP.

For information about setting up the Identity Platform and Arculix integration, see SecureAuth IdP and Arculix integration.

21.04-8

25-Mar-2022

EE-2560

Adaptive Auth Redirect Issue – Addressed issue with signature validation in SP-init redirect to a different realm.

EE-2586

TOTP Throttling Improvement – Improvement to TOTP throttling logic; cache is correctly cleared on successful login attempt.

EE-2591

CyberArk SDK Integration Support – Backported CyberArk SDK updates.

EE-2598

AppPool Performance Improvement – Improve AppPool performance with Identity Platform call to SecureAuth cloud services.

EE-2604

Country Code Lookup Issue – Addressed issue with the default country code on the Classic Multi-Factor Methods tab.

EE-2607

Audit Log Update – Update in the Auth API to mask knowledge-based answers (KBA) in the Audit logs.

EE-2661

FIDO2 Improvements – Improvement to the user experience to display the name of FIDO devices in the login authentication delivery method list.

21.04-7

11-Feb-2022

EE-2476

RBAC Configuration Issue – Addressed an issue with saving configuration changes to the role-based access control (RBAC) on the UI.

EE-2563

Passcode Registration Issue – Addressed an issue with the Windows desktop Passcode app not registering properly with mobile services.

EE-2565

FIDO2 Biometric Support in iOS for Safari – Added support for using FIDO2 biometric credentials in iOS devices using the Safari browser.

EE-2590

Mobile Services Migration Issue – Addressed an Identity Platform upgrade issue with mapped OATH Tokens.

21.04-6

28-Jan-2022

EE-2181

Webservice Profile Lookup Issue – Addressed issue causing removal of profile data. The following describes this issue in more detail.

A rare scenario occurs in the web service when the lookup for a user's membership succeeds, and in the same request, the profile lookup times out. The user does not receive an error and it allows the user to proceed in the login workflow.

If the login workflow included a multi-factor method (MFA), a different error message would display, related to not finding any MFA in the user's profile.

If the login workflow is only username and password, then the login would succeed and save an empty profile for the user. This issue clears all writable values in the user profile.

This issue first occurred after a previous hotfix (EE-2253) to reduce the web service timeout to a reasonable value (5 seconds).

Web service timeouts usually occur when the login to a realm has been idle for too long and suspends itself.

The hotfix prevents the user profile from clearing out by not allowing the user to continue in the current login request during a timeout. If the timeout is due to an idle realm, the second attempt normally succeeds and the user can continue the login workflow.

EE-2469

Another update addresses the following issue released in hotfix 21.04-5.

SQL Database Log Improvement – Improve null handling for SQL database logs.

EE-2475

2019 Theme Issue – Addressed display issue in 2019 Theme for the OIDCEndSession.aspx page.

EE-2540

Login for Windows Authentication Issue – Fixed issue where HOTP device did not work correctly for API authentication in Login for Windows.

EE-2552

Username Lookup Performance Improvement – Added support for domain\username lookups in the New Experience to address performance issues.

To address performance issues with username lookups across multiple data stores, you can use the data store name as the "domain" identifier in the login string, like domain\username.

For example, if the data store name in the New Experience is acmeAD and your login username is jsmith, you would enter acmead\jsmith as the username in the login workflow.

The data store name must have only alphanumeric characters and no spaces or symbols.

For more information, see the knowledge base article: How to speed up logins to applications

21.04-5

19-Nov-2021

EE-1968

Password Reset Improvement – Improvement to self-service password reset functionality for a specific use case.

For more information, see the knowledge base article: Self-service password reset hotfix update

EE-2043

Custom Token Value Support – New option to Base64 encode the custom token value.

EE-2344

Azure AD Password Reset Support – Added inline support for password reset of Azure AD synced users.

EE-2350

Identity Management API Issue – Addressed issue with Identity Management (IDM) API failure to create user in the Identity Store.

EE-2438

JSON Web Token Support – Added support for iat (issued at) attribute.

EE-2443

Adaptive Group Check Issue – Addressed issue to ensure that the adaptive group check is correctly performed after an invalid password attempt.

EE-2465

Proof Key for Code Exchange (PKCE) Improvement – Improve PKCE support to allow Refresh Token use without the client_secret.

EE-2469

SQL Database Log Improvement – Improve null handling for SQL database logs.

EE-2477

Public / Private Mode Issue – Addressed an issue to ensure the system honors a change to the public/private mode setting in the Classic Experience.

21.04-4

21-Oct-2021

EE-2108

Web Admin Issue – Addressed issue with missing KBA/KBQ settings in the web.config in the Classic Experience.

EE-2261

OIDC Issue – Added logic to better handle double logins in use cases where the user clicks Submit and presses Enter.

Install this hotfix if you have:

  • OIDC / OAuth2 integrations

EE-2345

Web Admin UI Issue – Addressed issue with the Test Connection button on the Data tab.

21.04-3

30-Sep-2021

EE-2121

Mobile Authentication – Fixed issue where an extra comma was incorrectly added to a payload file.

EE-2221

Account Update Issue – Addressed an issue that affected the Account Update page when using a Web Service (Multi-Datastore) with Windows SSO.

EE-2248

Email Template Support – Reinstate support to customize email templates in the Identity Platform for cloud deployments.

EE-2326

Password Reset Support – Added support to unlock account first on the Password Reset page and then redirect users to reset their password.

EE-2331

2019 Theme Issue – Reinstate support in the Classic Experience Web Admin for the URL links to Forgot Username, Forgot Password, and Restart Login pages for the 2019 Theme.

EE-2337

Web Service (Multi-Datastore) Realm Issue – Addressed login issues using TOTP OATH token with Google Authenticator.

EE-2351

This is an update to the following issue reported under EE-2120 in hotfix 21.04-1.

OIDC Issue – Added logic to better handle login prompts.

Install this hotfix if you have:

  • OIDC / OAuth2 integrations

EE-2393

SAML Flow Issue – Addressed issue in which the SAML assertion strips out the OIDC request.

21.04-2

03-Sep-2021

EE-1663

Device Fingerprint Optimization – Device fingerprint profile (DFP) optimized when realm is configured in Private Mode only.

EE-1814

SAML OneTimeUse Condition Support – Added support for the SAML OneTimeUse condition.

EE-1969

SAML Assertion Update – Added support for FriendlyName user attribute.

Using the FriendlyName user attribute requires the following application setting in the web.config:

<add key="ExtendedSAMLAttrXXFriendlyName" value="YourFriendlyName" />

Where XX is a number from 1 to 10 associated with the attribute.

For Identity Platform cloud deployments, contact Support to update your web.config.

EE-2092

Added New Response Times to Audit Logs – Addressed issue to include OTP response times in audit logs.

EE-2251

International Phone Format Issue – Addressed an issue that affected some international phone number formats.

EE-2253

WebServices Timeout Issue – Added logic to optimize timeout values for profile lookups.

EE-2265

This is an update to the following issue reported under EE-1967 in hotfix 21.04-1.

Data Store Connection Issue – Addressed an issue causing intermittent problems in the Identity Platform when the connected data store is slow or unreliable.

EE-2304

Migration Support – Added migration support for complex use cases for upgrade customers using push tokens and TOTP in mobile services.

For more information, see SecureAuth mobile services and contact Support.

21.04-1

28-Jun-2021

EE-1652

Password Throttling API Response Message – Added additional clarification to password throttling API response message.

EE-1855

Error Handling Improvement – Added additional logic to better manage errors that occur when using the API OTP validate endpoint.

Install this hotfix if you have:

  • Authentication API enabled

EE-1967

Data Store Connection Issue – Addressed an issue causing intermittent problems in the Identity Platform when the connected data store is slow or unreliable.

EE-1972

Adaptive Endpoint Issue – Resolved an issue causing the endpoint to incorrectly prompt for 2FA for users in an allowed group.

EE-2029

Content and Localization Issue – Addressed issue where edits in the verbiage editor did not show up on the Logout.aspx page.

EE-2039

Performance Issue Update – Enhancement to an earlier hotfix for this issue. Better exception handling to improve system performance during login and enrollment workflows.

EE-2040

AD LDS Account Unlocking Issue – Addressed an issue causing the Identity Platform to incorrectly see accounts as locked that had been previously unlocked by AD LDS.

Install this hotfix if you have:

  • AD LDS data store integration

Note

A fallback XML attribute for the lockout duration was added to the web.config. Contact Support for more information.

EE-2070

Login Delay Issue – Resolved an issue resulting in potential delays for the login page when using IWA or Transparent SSO.

Install this hotfix if you have:

  • IWA workflow

  • Transparent SSO workflow

EE-2077

IPv6 Address Handling Improvement – Enhanced ability to better manage IPv6 addresses.

EE-2106

Default MFA Delivery Options Improvement – Added logic so that the first MFA option on the list is always selected by default.

EE-2116

OpenID Connect Scopes Issue – Resolved an issue with OpenID scope values not rendering correctly for OIDC Authorizations.

Install this hotfix if you have:

  • OIDC / OAuth2 integrations

EE-2120

OIDC Issue – Added logic to better handle login prompts.

Install this hotfix if you have:

  • OIDC / OAuth2 integrations

IDP-9523

RBAC Issue – Resolved a known intermittent issue affecting RBAC configurations on initial deployment of the Identity Platform.

IDP-9528

QR Enrollment Support – Added the ability to support third party application enrollment in the New Experience user interface.