The following lists hotfixes for the Identity Platform release 21.04.

21.04 hotfixes

Release No.

Release Date

Ref ID

Issue / Description




Application Integration Support – Added support for unique application integrations that do not require the selection of a data store in the application integration settings.


Proof Key for Code Exchange (PKCE) Improvement – Improve PKCE support to revoke access tokens without a client secret.


QR Enrollment Page Improvement – Added new help text for end users on the QR enrollment page.


Endpoint Login Issue – When a user logs in locally on a workstation with a validated password that does not match their password stored in their organization's domain data store, the login screen will prompt the user for their domain password before MFA.


Session URL Issue – EncryptUser.aspx has a ReturnURL to which it sends the encrypted user cookie after authentication. This fix allows a dynamic ReturnURL when one is provided in the request and the configured ReturnURL is left blank.


Digital Fingerprint Issue – Addressed issue with user agent string picking up identical digital fingerprint settings in Google Chrome and Microsoft Edge.

After applying the hotfix, this issue can still occur for a specific configuration. See this KB article for a workaround: Workaround for digital fingerprint hotfix


Remove Mobile Device Issue – Addressed issue with removing mobile devices on the Account Management (Help Desk) page.


Option to Hide HID Token Button Support – Added support to optionally hide the HID token button in the Self-Service and Help Desk pages.

To use this feature, go to the Classic UI > Post Authentication tab for the Account Management Help Desk or Self-Service page configuration and set the Hard Token Button display type to Show or Hide.


Legacy Mobile App Registration Issue – Fixed an issue where legacy SecureAuth Authenticate app mobile registrations were not showing as an MFA method.




Adaptive Auth Redirect Issue – Addressed issue with signature validation in SP-init redirect to a different realm.


TOTP Throttling Improvement – Improvement to TOTP throttling logic; cache is correctly cleared on successful login attempt.


CyberArk SDK Integration Support – Backported CyberArk SDK updates.


AppPool Performance Improvement – Improved AppPool performance for Identity Platform calls to SecureAuth cloud services.


Country Code Lookup Issue – Addressed issue with the default country code on the Classic Multi-Factor Methods tab.


Audit Log Update – Update in the Auth API to mask knowledge-based answers (KBA) in the Audit logs.


FIDO2 Improvements – Improvement to the user experience to display the name of FIDO devices in the login authentication delivery method list.




RBAC Configuration Issue – Addressed an issue with saving configuration changes to the role-based access control (RBAC) on the UI.


Passcode Registration Issue – Addressed an issue with the Windows desktop Passcode app not registering properly with mobile services.


FIDO2 Biometric Support in iOS for Safari – Added support for using FIDO2 biometric credentials in iOS devices using the Safari browser.


Mobile Services Migration Issue – Addressed an Identity Platform upgrade issue with mapped OATH Tokens.




Webservice Profile Lookup Issue – Addressed issue causing removal of profile data. The following describes this issue in more detail.

A rare scenario occurs in the web service when the lookup for a user's membership succeeds and, in the same request, the profile lookup times out. The user does not receive an error, and the workflow allows the user to proceed with the login.

If the login workflow included a multi-factor authentication (MFA) method, a different error message would display, related to not finding any MFA method in the user's profile.

If the login workflow is only username and password, the login would succeed and save an empty profile for the user, which clears all writable values in the user profile.

This issue first occurred after a previous hotfix (EE-2253) to reduce the web service timeout to a reasonable value (5 seconds).

Web service timeouts usually occur when the login to a realm has been idle for too long and suspends itself.

The hotfix prevents the user profile from clearing out by not allowing the user to continue in the current login request during a timeout. If the timeout is due to an idle realm, the second attempt normally succeeds and the user can continue the login workflow.
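The sequence above (membership lookup succeeds, profile lookup times out, login continues and writes back an empty profile) is easier to see in code. The following is an added example, not SecureAuth code: a constructed in-memory directory whose first profile lookup times out, the fail-open handling that matches the defect described, and the fail-closed handling the hotfix describes, where a timeout ends the current request and leaves the stored profile untouched. The password check is assumed to have already passed; the `FakeDirectory`, `LookupTimeout` and field names are constructed for the example.

```python
"""Added example (not SecureAuth code): why continuing a login past a timed-out
profile lookup can wipe the profile, and the fail-closed handling that prevents it."""


class LookupTimeout(Exception):
    """Raised when the simulated web service profile lookup exceeds its timeout."""


class FakeDirectory:
    """Constructed stand-in for the web service data store.

    The first `timeouts` profile lookups raise LookupTimeout, mimicking a realm
    that has gone idle; later lookups succeed, as they normally do on retry.
    """

    def __init__(self, profiles, membership, timeouts=1):
        self.profiles = {u: dict(p) for u, p in profiles.items()}
        self.membership = membership
        self.timeouts = timeouts

    def lookup_membership(self, username):
        return list(self.membership.get(username, []))

    def lookup_profile(self, username):
        if self.timeouts > 0:
            self.timeouts -= 1
            raise LookupTimeout(f"profile lookup for {username} exceeded 5s")
        return dict(self.profiles.get(username, {}))

    def save_profile(self, username, profile):
        # Writable values absent from `profile` are dropped on write-back.
        self.profiles[username] = dict(profile)


def _finish_login(directory, username, profile, mfa_required):
    """Shared tail of the workflow: MFA method check, then profile write-back."""
    if mfa_required and not profile.get("mfa_methods"):
        return "error: no MFA method found in profile"
    directory.save_profile(username, profile)
    return "success"


def login_fail_open(directory, username, mfa_required=False):
    """Behaviour of the defect: a timeout is treated as an empty profile."""
    directory.lookup_membership(username)          # membership lookup succeeds
    try:
        profile = directory.lookup_profile(username)
    except LookupTimeout:
        profile = {}                               # defect: continue with no data
    return _finish_login(directory, username, profile, mfa_required)


def login_fail_closed(directory, username, mfa_required=False):
    """Hotfix behaviour: a timeout aborts this request; the stored profile is untouched."""
    directory.lookup_membership(username)
    try:
        profile = directory.lookup_profile(username)
    except LookupTimeout:
        return "retry: profile lookup timed out"    # user retries; realm is awake now
    return _finish_login(directory, username, profile, mfa_required)


def make_directory():
    """Constructed sample data: one user with a writable phone value and one MFA method."""
    return FakeDirectory(
        profiles={"jsmith": {"phone": "+15555550100", "mfa_methods": ["totp"]}},
        membership={"jsmith": ["Users"]},
    )


if __name__ == "__main__":
    d = make_directory()
    print(login_fail_open(d, "jsmith"), d.profiles["jsmith"])      # success {}
    d = make_directory()
    print(login_fail_closed(d, "jsmith"), d.profiles["jsmith"])    # retry, profile intact
    print(login_fail_closed(d, "jsmith"), d.profiles["jsmith"])    # success, profile intact
```

With password-only login the fail-open path returns "success" and leaves an empty profile behind; with MFA required it stops at the "no MFA method" error, which is the different message the note mentions. The fail-closed path returns a retry outcome on the first attempt and succeeds on the second, with the profile unchanged both times.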


Another update addresses the following issue released in hotfix 21.04-5.

SQL Database Log Improvement – Improve null handling for SQL database logs.


2019 Theme Issue – Addressed display issue in 2019 Theme for the OIDCEndSession.aspx page.


Login for Windows Authentication Issue – Fixed issue where HOTP device did not work correctly for API authentication in Login for Windows.


Username Lookup Performance Improvement – Added support for domain\username lookups in the New Experience to address performance issues.

To address performance issues with username lookups across multiple data stores, you can use the data store name as the "domain" identifier in the login string, in the form domain\username.

For example, if the data store name in the New Experience is acmeAD and your login username is jsmith, you would enter acmead\jsmith as the username in the login workflow.

The data store name must contain only alphanumeric characters, with no spaces or symbols.

For more information, see the knowledge base article: How to speed up logins to applications
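The login-string convention above can be checked with a small parser. This is an added example, not SecureAuth code: it splits a domain\username string, matches the prefix case-insensitively against the configured data store names (so acmead\jsmith selects acmeAD), and enforces the alphanumeric-only rule on the names. The fallback when no store matches (search all stores with the unchanged login string) and the store names used are assumptions for the example.

```python
import re

# Rule from the hotfix note: a data store name is alphanumeric only (no spaces, no symbols).
_DATA_STORE_NAME = re.compile(r"[A-Za-z0-9]+")


def validate_data_store_name(name):
    """Reject a configured data store name that could never be typed as a domain prefix."""
    if not _DATA_STORE_NAME.fullmatch(name):
        raise ValueError(f"data store name {name!r} must be alphanumeric with no spaces or symbols")
    return name


def parse_login(login, data_store_names):
    """Split a domain\\username login string into (data store name, username).

    The domain part is matched case-insensitively against the configured data
    store names. When there is no backslash, or the prefix names no configured
    store, the function returns (None, login): the caller then falls back to
    searching every data store with the unchanged login string. That fallback
    is an assumption of this example, not behaviour the release notes describe.
    """
    if "\\" not in login:
        return None, login
    domain, _, username = login.partition("\\")
    if not _DATA_STORE_NAME.fullmatch(domain) or not username:
        return None, login
    by_lower = {validate_data_store_name(n).lower(): n for n in data_store_names}
    store = by_lower.get(domain.lower())
    if store is None:
        return None, login
    return store, username


if __name__ == "__main__":
    stores = ["acmeAD", "partnerLDAP"]   # constructed store names
    print(parse_login("acmead\\jsmith", stores))     # ('acmeAD', 'jsmith')
    print(parse_login("jsmith", stores))             # (None, 'jsmith')
    print(parse_login("corp ad\\jsmith", stores))    # (None, 'corp ad\\jsmith')
```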




Password Reset Improvement – Improvement to self-service password reset functionality for a specific use case.

For more information, see the knowledge base article: Self-service password reset hotfix update


Custom Token Value Support – New option to Base64 encode the custom token value.


Azure AD Password Reset Support – Added inline support for password reset of Azure AD synced users.


Identity Management API Issue – Addressed issue with Identity Management (IDM) API failure to create user in the Identity Store.


JSON Web Token Support – Added support for iat (issued at) attribute.


Adaptive Group Check Issue – Addressed issue to ensure that the adaptive group check is correctly performed after an invalid password attempt.


Proof Key for Code Exchange (PKCE) Improvement – Improve PKCE support to allow Refresh Token use without the client_secret.


SQL Database Log Improvement – Improve null handling for SQL database logs.


Public / Private Mode Issue – Addressed an issue to ensure the system honors a change to the public/private mode setting in the Classic Experience.




Web Admin Issue – Addressed issue with missing KBA/KBQ settings in the web.config in the Classic Experience.


OIDC Issue – Added logic to better handle double logins in cases where the user both clicks Submit and presses Enter.

Install this hotfix if you have:

  • OIDC / OAuth2 integrations


Web Admin UI Issue – Addressed issue with the Test Connection button on the Data tab.




Mobile Authentication – Fixed issue where an extra comma was incorrectly added to a payload file.


Account Update Issue – Addressed an issue that affected the Account Update page when using a Web Service (Multi-Datastore) with Windows SSO.


Email Template Support – Reinstate support to customize email templates in the Identity Platform for cloud deployments.


Password Reset Support – Added support to unlock account first on the Password Reset page and then redirect users to reset their password.


2019 Theme Issue – Reinstate support in the Classic Experience Web Admin for the URL links to Forgot Username, Forgot Password, and Restart Login pages for the 2019 Theme.


Web Service (Multi-Datastore) Realm Issue – Addressed login issues using TOTP OATH token with Google Authenticator.


This is an update to the following issue reported under EE-2120 in hotfix 21.04-1.

OIDC Issue – Added logic to better handle login prompts.

Install this hotfix if you have:

  • OIDC / OAuth2 integrations


SAML Flow Issue – Addressed issue in which the SAML assertion strips out the OIDC request.




Device Fingerprint Optimization – Device fingerprint profile (DFP) handling is optimized when the realm is configured in Private Mode only.


SAML OneTimeUse Condition Support – Added support for the SAML OneTimeUse condition.


SAML Assertion Update – Added support for FriendlyName user attribute.

To use the FriendlyName user attribute, add the following application setting to the web.config:

<add key="ExtendedSAMLAttrXXFriendlyName" value="YourFriendlyName" />

where XX is a number from 1 to 10 associated with the attribute.

For Identity Platform cloud deployments, contact Support to update your web.config.


Added New Response Times to Audit Logs – Addressed issue to include OTP response times in audit logs.


International Phone Format Issue – Addressed an issue that affected some international phone number formats.


WebServices Timeout Issue – Added logic to optimize timeout values for profile lookups.


This is an update to the following issue reported under EE-1967 in hotfix 21.04-1.

Data Store Connection Issue – Addressed an issue causing intermittent problems in the Identity Platform when the connected data store is slow or unreliable.


Migration Support – Added migration support for complex use cases for upgrade customers using push tokens and TOTP in mobile services.

For more information, see SecureAuth mobile services and contact Support.




Password Throttling API Response Message – Added additional clarification to the password throttling API response message.


Error Handling Improvement – Added additional logic to better manage errors that occur when using the API OTP validate endpoint.

Install this hotfix if you have:

  • Authentication API enabled


Data Store Connection Issue – Addressed an issue causing intermittent problems in the Identity Platform when the connected data store is slow or unreliable.


Adaptive Endpoint Issue – Resolved an issue causing the endpoint to incorrectly prompt for 2FA for users in an allowed group.


Content and Localization Issue – Addressed issue where edits in the verbiage editor did not show up on the Logout.aspx page.


Performance Issue Update – Enhancement to an earlier hotfix for this issue. Better exception handling to improve system performance during login and enrollment workflows.


AD LDS Account Unlocking Issue – Addressed an issue causing the Identity Platform to incorrectly treat as locked accounts that had previously been unlocked in AD LDS.

Install this hotfix if you have:

  • AD LDS data store integration


A fallback XML attribute for the lockout duration was added to the web.config. Contact Support for more information.


Login Delay Issue – Resolved an issue resulting in potential delays for the login page when using IWA or Transparent SSO.

Install this hotfix if you have:

  • IWA workflow

  • Transparent SSO workflow


IPv6 Address Handling Improvement – Enhanced ability to better manage IPv6 addresses.


Default MFA Delivery Options Improvement – Added logic so that the first MFA option on the list is always selected by default.


OpenID Connect Scopes Issue – Resolved an issue with OpenID scope values not rendering correctly for OIDC Authorizations.

Install this hotfix if you have:

  • OIDC / OAuth2 integrations


OIDC Issue – Added logic to better handle login prompts.

Install this hotfix if you have:

  • OIDC / OAuth2 integrations


RBAC Issue – Resolved a known issue with intermittent problems affecting RBAC configurations on initial deployment of the Identity Platform.


QR Enrollment Support – Added the ability to support third party application enrollment in the New Experience user interface.