Hotfixes

The following lists hotfixes for the Identity Platform release 21.04.

21.04 hotfixes

Release No.

Release Date

Ref ID

Issue / Description

21.04-9

17-Jun-2022

EE-2534

Application Integration Support – Added support for unique application integrations that do not require the selection of a data store in the application integration settings.

EE-2559

Proof Key for Code Exchange (PKCE) Improvement – Improve PKCE support to revoke access tokens without a client secret.

EE-2592

QR Enrollment Page Improvement – Added new help text for end users on the QR enrollment page.

EE-2606

Endpoint Login Issue – When a user logs in locally on a workstation with a validated password that does not match their password stored in their organization's domain data store, the login screen will prompt the user for their domain password before MFA.

EE-2624

Session URL Issue – EncryptUser.aspx has a ReturnURL to send the encrypted user cookie after authentication. This fix allows a dynamic ReturnURL, if it is provided and our ReturnURL is left blank.

EE-2638

Digital Fingerprint Issue – Addressed issue with user agent string picking up identical digital fingerprint settings in Google Chrome and Microsoft Edge.

After applying the hotfix, this issue can still occur for a specific configuration. See this KB article for a workaround: Workaround for digital fingerprint hotfix

EE-2639

Remove Mobile Device Issue – Addressed issue with removing mobile devices on the Account Management (Help Desk) page.

EE-2652

Option to Hide HID Token Button Support – Added support to optionally hide the HID token button in the Self-Service and Help Desk pages.

To use this feature, go to the Classic UI > Post Authentication tab for the Account Management Help Desk or Self-Service page configuration and set the Hard Token Button display type to Show or Hide.

EE-2727

Legacy Mobile App Registration Issue – Fixed an issue where legacy SecureAuth Authenticate app mobile registrations were not showing as an MFA method.

21.04-8

25-Mar-2022

EE-2560

Adaptive Auth Redirect Issue – Addressed issue with signature validation in SP-init redirect to a different realm.

EE-2586

TOTP Throttling Improvement – Improvement to TOTP throttling logic; cache is correctly cleared on successful login attempt.

EE-2591

CyberArk SDK Integration Support – Backported CyberArk SDK updates.

EE-2598

AppPool Performance Improvement – Improve AppPool performance with Identity Platform call to SecureAuth cloud services.

EE-2604

Country Code Lookup Issue – Addressed an issue with the default country code on the Classic Multi-Factor Methods tab.

EE-2607

Audit Log Update – Update in the Auth API to mask knowledge-based answers (KBA) in the Audit logs.

EE-2661

FIDO2 Improvements – Improvement to the user experience to display the name of FIDO devices in the login authentication delivery method list.

21.04-7

11-Feb-2022

EE-2476

RBAC Configuration Issue – Addressed an issue with saving configuration changes to the role-based access control (RBAC) on the UI.

EE-2563

Passcode Registration Issue – Addressed an issue with the Windows desktop Passcode app not registering properly with mobile services.

EE-2565

FIDO2 Biometric Support in iOS for Safari – Added support for using FIDO2 biometric credentials in iOS devices using the Safari browser.

EE-2590

Mobile Services Migration Issue – Addressed an Identity Platform upgrade issue with mapped OATH Tokens.

21.04-6

28-Jan-2022

EE-2181

Webservice Profile Lookup Issue – Addressed issue causing removal of profile data. The following describes this issue in more detail.

A rare scenario occurs in the web service when the lookup for a user's membership succeeds and, in the same request, the profile lookup times out. The user does not receive an error and is allowed to proceed in the login workflow.

If the login workflow included a multi-factor method (MFA), a different error message would display, related to not finding any MFA in the user's profile.

If the login workflow is only username and password, then the login would succeed and save an empty profile for the user. This issue clears all writable values in the user profile.

This issue first occurred after a previous hotfix (EE-2253) to reduce the web service timeout to a reasonable value (5 seconds).

Web service timeouts usually occur when the login to a realm has been idle for too long and suspends itself.

The hotfix prevents the user profile from clearing out by not allowing the user to continue in the current login request during a timeout. If the timeout is due to an idle realm, the second attempt normally succeeds and the user can continue the login workflow.
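The failure mode and fix described for EE-2181, as an added example that is not Identity Platform code: a profile lookup that fails open on timeout next to one that fails closed. The class, the function names, the sample user and the scaled-down timeout are all assumptions made for illustration.

```python
# Added illustration: every name here is hypothetical, not Identity Platform code.
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as LookupTimeout

TIMEOUT_S = 0.2    # scaled-down stand-in for the 5-second web service timeout
_pool = ThreadPoolExecutor(max_workers=4)

class DataStore:
    """Constructed in-memory store whose first profile lookup is slow (idle realm)."""
    def __init__(self):
        self.profiles = {"jsmith": {"phone": "+1 555 0100", "email": "jsmith@example.com"}}
        self.idle = True
    def is_member(self, user):
        return user in self.profiles
    def get_profile(self, user):
        if self.idle:              # waking the idle realm takes longer than the timeout
            self.idle = False
            time.sleep(TIMEOUT_S * 4)
        return dict(self.profiles[user])
    def save_profile(self, user, profile):
        self.profiles[user] = dict(profile)

def lookup_profile(store, user):
    """Run the profile lookup under the timeout; raises LookupTimeout when it expires."""
    return _pool.submit(store.get_profile, user).result(timeout=TIMEOUT_S)

def login_fail_open(store, user):
    """Behaviour before the fix: the timeout is swallowed and the login continues."""
    if not store.is_member(user):
        return "denied"
    try:
        profile = lookup_profile(store, user)
    except LookupTimeout:
        profile = {}               # a timeout now looks like "user has no profile data"
    store.save_profile(user, profile)   # password-only login persists the empty profile
    return "ok"

def login_fail_closed(store, user):
    """Behaviour after the fix: a timeout ends this request and nothing is written."""
    if not store.is_member(user):
        return "denied"
    try:
        profile = lookup_profile(store, user)
    except LookupTimeout:
        return "retry"             # the user has to start a new login request
    store.save_profile(user, profile)
    return "ok"
```

The design point is that a timed-out lookup and an empty profile are different results and must not share a return value on any path that writes back to the data store.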

EE-2469

Another update addresses the following issue released in hotfix 21.04-5.

SQL Database Log Improvement – Improve null handling for SQL database logs.

EE-2475

2019 Theme Issue – Addressed display issue in 2019 Theme for the OIDCEndSession.aspx page.

EE-2540

Login for Windows Authentication Issue – Fixed issue where HOTP device did not work correctly for API authentication in Login for Windows.

EE-2552

Username Lookup Performance Improvement – Added support for domain\username lookups in the New Experience to address performance issues.

To address performance issues with username lookups across multiple data stores, you can use the data store name as the "domain" identifier in the login string, like domain\username.

For example, if the data store name in the New Experience is acmeAD and your login username is jsmith, you would enter acmead\jsmith as the username in the login workflow.

The data store name must contain only alphanumeric characters, with no spaces or symbols.

For more information, see the knowledge base article: How to speed up logins to applications

21.04-5

19-Nov-2021

EE-1968

Password Reset Improvement – Improvement to self-service password reset functionality for a specific use case.

For more information, see the knowledge base article: Self-service password reset hotfix update

EE-2043

Custom Token Value Support – New option to Base64 encode the custom token value.

EE-2344

Azure AD Password Reset Support – Added inline support for password reset of Azure AD synced users.

EE-2350

Identity Management API Issue – Addressed issue with Identity Management (IDM) API failure to create user in the Identity Store.

EE-2438

JSON Web Token Support – Added support for iat (issued at) attribute.

EE-2443

Adaptive Group Check Issue – Addressed issue to ensure that the adaptive group check is correctly performed after an invalid password attempt.

EE-2465

Proof Key for Code Exchange (PKCE) Improvement – Improve PKCE support to allow Refresh Token use without the client_secret.

EE-2469

SQL Database Log Improvement – Improve null handling for SQL database logs.

EE-2477

Public / Private Mode Issue – Addressed an issue to ensure the system honors a change to the public/private mode setting in the Classic Experience.

21.04-4

21-Oct-2021

EE-2108

Web Admin Issue – Addressed issue with missing KBA/KBQ settings in the web.config in the Classic Experience.

EE-2261

OIDC Issue – Added logic to better handle double logins in use cases where the user clicks Submit, and presses Enter.

Install this hotfix if you have:

  • OIDC / OAuth2 integrations

EE-2345

Web Admin UI Issue – Addressed issue with the Test Connection button on the Data tab.

21.04-3

30-Sep-2021

EE-2121

Mobile Authentication – Fixed issue where an extra comma was incorrectly added to a payload file.

EE-2221

Account Update Issue – Addressed an issue that affected the Account Update page when using a Web Service (Multi-Datastore) with Windows SSO.

EE-2248

Email Template Support – Reinstate support to customize email templates in the Identity Platform for cloud deployments.

EE-2326

Password Reset Support – Added support to unlock account first on the Password Reset page and then redirect users to reset their password.

EE-2331

2019 Theme Issue – Reinstate support in the Classic Experience Web Admin for the URL links to Forgot Username, Forgot Password, and Restart Login pages for the 2019 Theme.

EE-2337

Web Service (Multi-Datastore) Realm Issue – Addressed login issues using TOTP OATH token with Google Authenticator.

EE-2351

This is an update to the following issue reported under EE-2120 in hotfix 21.04-1.

OIDC Issue – Added logic to better handle login prompts.

Install this hotfix if you have:

  • OIDC / OAuth2 integrations

EE-2393

SAML Flow Issue – Addressed issue in which the SAML assertion strips out the OIDC request.

21.04-2

03-Sep-2021

EE-1663

Device Fingerprint Optimization – Device fingerprint profile (DFP) optimized when realm is configured in Private Mode only.

EE-1814

SAML OneTimeUse Condition Support – Added support for the SAML OneTimeUse condition.

EE-1969

SAML Assertion Update – Added support for FriendlyName user attribute.

Using the FriendlyName user attribute requires the following application setting in the web.config:

<add key="ExtendedSAMLAttrXXFriendlyName" value="YourFriendlyName" />

Where XX is a number from 1 to 10 associated with the attribute.

For Identity Platform cloud deployments, contact Support to update your web.config.

EE-2092

Added New Response Times to Audit Logs – Addressed issue to include OTP response times in audit logs.

EE-2251

International Phone Format Issue – Addressed an issue that affected some international phone number formats.

EE-2253

WebServices Timeout Issue – Added logic to optimize timeout values for profile lookups.

EE-2265

This is an update to the following issue reported under EE-1967 in hotfix 21.04-1.

Data Store Connection Issue – Addressed an issue causing intermittent problems in the Identity Platform when the connected data store is slow or unreliable.

EE-2304

Migration Support – Added migration support for complex use cases for upgrade customers using push tokens and TOTP in mobile services.

For more information, see SecureAuth mobile services and contact Support.

21.04-1

28-Jun-2021

EE-1652

Password Throttling API Response Message – Added additional clarification to the password throttling API response message.

EE-1855

Error Handling Improvement – Added additional logic to better manage errors that occur when using the API OTP validate endpoint.

Install this hotfix if you have:

  • Authentication API enabled

EE-1967

Data Store Connection Issue – Addressed an issue causing intermittent problems in the Identity Platform when the connected data store is slow or unreliable.

EE-1972

Adaptive Endpoint Issue – Resolved an issue causing the endpoint to incorrectly prompt for 2FA for users in an allowed group.

EE-2029

Content and Localization Issue – Addressed issue where edits in the verbiage editor did not show up on the Logout.aspx page.

EE-2039

Performance Issue Update – Enhancement to an earlier hotfix for this issue. Better exception handling to improve system performance during login and enrollment workflows.

EE-2040

AD LDS Account Unlocking Issue – Addressed an issue causing the Identity Platform to incorrectly see accounts as locked that had been previously unlocked by AD LDS.

Install this hotfix if you have:

  • AD LDS data store integration

Note

A fallback XML attribute for the lockout duration was added to the web.config. Contact Support for more information.

EE-2070

Login Delay Issue – Resolved an issue resulting in potential delays for the login page when using IWA or Transparent SSO.

Install this hotfix if you have:

  • IWA workflow

  • Transparent SSO workflow

EE-2077

IPv6 Address Handling Improvement – Enhanced ability to better manage IPv6 addresses.

EE-2106

Default MFA Delivery Options Improvement – Added logic so that the first MFA option on the list is always selected by default.

EE-2116

OpenID Connect Scopes Issue – Resolved an issue with OpenID scope values not rendering correctly for OIDC Authorizations.

Install this hotfix if you have:

  • OIDC / OAuth2 integrations

EE-2120

OIDC Issue – Added logic to better handle login prompts.

Install this hotfix if you have:

  • OIDC / OAuth2 integrations

IDP-9523

RBAC Issue – Resolved a known issue that intermittently affected RBAC configurations on initial deployment of the Identity Platform.

IDP-9528

QR Enrollment Support – Added the ability to support third party application enrollment in the New Experience user interface.