

The following lists hotfixes for the Identity Platform release 21.04.

21.04 hotfixes

Release No. | Release Date | Ref ID | Issue / Description




Configuration Setting for ACS URL Restriction – Added a configuration setting to turn ON or OFF the ACS URL whitelist enforcement.

Before you install this hotfix, see this KB article: How to establish trust for ACS redirects in SP-initiated SAML requests




Fix for ACS URL Restriction in SAML Integration – Bug fix for ACS URL whitelist functionality related to EE-3252 in 21.04-13 hotfix.




YubiKey HOTP Issue – Addressed issue with a login loop if a user taps their YubiKey and inadvertently clicks the Submit button.

EE-3207, EE-2557

Unhandled SecurePortal Error – Anonymous users landing on the SecurePortal would encounter an on-screen error instead of being redirected to login screen.


AD-LDS Password Validation Issue – Addressed issue with AD-LDS connections that use user + password workflows in the Advanced Settings (formerly Classic Experience).


API Calls and Push Notification Issue in Login for Windows – Added logic so that stateless API calls passing through load balancers work with Push-to-Accept in Login for Windows.

This issue was caused by a code change to EE-2846 in the 21.04-12 hotfix.


ACS URL Restriction in SAML Integration – Added logic to restrict incoming ACS URL in the SAML request by validating them against a whitelist.
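The ACS URL restriction entries above (the allow-list check, its bug fix, and the ON/OFF setting) describe validating the AssertionConsumerServiceURL carried in an SP-initiated AuthnRequest against the URLs registered for the service provider. The following is an added example, not SecureAuth code: it assumes the allow list and the enforcement switch live in an `AcsPolicy` object, that the comparison is on scheme, host, port and path, and that with enforcement OFF the requested URL is used as-is (the pre-restriction behaviour). The sample AuthnRequest is constructed.

```python
"""Allow-list check for the AssertionConsumerServiceURL of an SP-initiated SAML AuthnRequest.

Added example, not SecureAuth code. Assumed: the allow list and the ON/OFF switch come from
an AcsPolicy object; with enforcement OFF the requested URL is used as-is (pre-hotfix behaviour).
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET  # untrusted XML: in production prefer defusedxml

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


@dataclass(frozen=True)
class AcsPolicy:
    enforce: bool                     # the hotfix's ON/OFF setting (assumed shape)
    allowed_acs_urls: FrozenSet[str]  # ACS URLs registered for the service provider


def canonical_acs(url: str) -> Optional[Tuple[str, str, int, str]]:
    """Reduce a URL to (scheme, host, port, path); None if malformed or ambiguous."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("https", "http") or not parts.hostname:
        return None
    # Reject userinfo: "https://sp.example.com@attacker.example/" would pass a
    # naive substring check although the host is attacker.example.
    if parts.username is not None or parts.password is not None:
        return None
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:  # non-numeric port
        return None
    return (scheme, parts.hostname.lower(), port, parts.path or "/")


def requested_acs_url(authn_request_xml: str) -> Optional[str]:
    """Return AssertionConsumerServiceURL from a samlp:AuthnRequest, or None when absent."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("root element is not samlp:AuthnRequest")
    return root.get("AssertionConsumerServiceURL")


def resolve_acs_url(authn_request_xml: str, policy: AcsPolicy, default_acs_url: str) -> str:
    """Decide where the SAML Response may be posted; raise PermissionError on a mismatch."""
    requested = requested_acs_url(authn_request_xml)
    if requested is None:
        return default_acs_url  # request carries no ACS URL: use the configured one
    if not policy.enforce:
        return requested        # enforcement OFF: legacy behaviour, the request is trusted
    wanted = canonical_acs(requested)
    allowed = {canonical_acs(u) for u in policy.allowed_acs_urls}
    allowed.discard(None)
    if wanted is None or wanted not in allowed:
        raise PermissionError("ACS URL %r is not on the allow list" % requested)
    return requested


def sample_request(acs_url: Optional[str]) -> str:
    """Constructed AuthnRequest (not captured traffic); only the ACS attribute varies."""
    acs_attr = "" if acs_url is None else ' AssertionConsumerServiceURL="%s"' % acs_url
    return (
        '<samlp:AuthnRequest xmlns:samlp="%s" ID="_abc123" Version="2.0"'
        ' IssueInstant="2021-06-01T12:00:00Z"%s>'
        '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "https://sp.example.com/metadata</saml:Issuer></samlp:AuthnRequest>"
        % (SAMLP_NS, acs_attr)
    )


DEFAULT_ACS = "https://sp.example.com/saml/acs"
POLICY_ON = AcsPolicy(enforce=True, allowed_acs_urls=frozenset({DEFAULT_ACS}))
POLICY_OFF = AcsPolicy(enforce=False, allowed_acs_urls=POLICY_ON.allowed_acs_urls)

if __name__ == "__main__":
    print(resolve_acs_url(sample_request("https://SP.example.com:443/saml/acs"), POLICY_ON, DEFAULT_ACS))
    try:
        resolve_acs_url(sample_request("https://sp.example.com@attacker.example/saml/acs"), POLICY_ON, DEFAULT_ACS)
    except PermissionError as err:
        print("rejected:", err)
```

Host and scheme comparison is exact after canonicalisation, so a case difference or an explicit default port still matches, while a scheme downgrade, a different path or a userinfo prefix does not. Which URLs belong on the allow list is a per-integration decision; the KB article referenced above covers how that trust is established.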


FIPS Compliance on User Handler Web Service Page – Added logic to make EncryptUser.aspx page compliant with FIPS.




Passcode App Update – Supports the ability to register on more than one computer.

This requires an updated version of Passcode for Windows or Passcode for Mac.


Groups Lookup Issue – Added pipeline to turn off nested group search in New Experience Datastore. The UI for this feature will be released at a later date.

UI update: see this KB article: How to improve performance by disabling lookups in nested groups


API Calls and Push Notification Issue – Added logic for stateless API calls to load balancers for push to accept.


Login for Endpoints Improvement – Added improvements to better handle connectivity when a service goes offline.


New Experience Realm Issue – Addressed issue with setting up a New Experience realm without a data store configuration.


EncryptUser Issue – Addressed issue with a truncated URL in EncryptUser.aspx.


SAML Post Issue – Added logic to support SAML Post workflow redirects through adaptive auth (group restriction).


Submit Button in 2019 Theme Issue – Addressed issue in 2019 Theme where the Submit button was not in focus when an MFA option is selected.


LDAP Authentication Improvement – Added logic to make LDAP authentication over SSL/TLS more secure.




Email Template Save Issue – Addressed issue with updating and saving the OTP Email Template on the Overview tab in full cloud instances.


Firefox Login Issue – Addressed issue with Submit button in Firefox when user selects an autofill login option.


Skip to Post Authentication Issue – Addressed issue with an incorrect skip to post authentication page using an invalid password.


Groups Lookup Issue – Added pipeline to turn off nested group search in New Experience Datastore. The UI for this feature will be released at a later date.


OATH Tokens Bulk Upload Issue – Addressed issue with logic in earlier hotfix to support bulk uploads of OATH tokens (TOTP and HOTP tokens).


SecureAuth IWA Issue – Fixed theme-specific issue that prevented SecureAuth IWA in cloud instances from working properly with the 2019 Theme.


Push Notification Token Issue – Added logic to better handle extra Push Notification Token that has the same name as an existing one during Mobile Service Migration.


OIDC Enhancements – Enhancements to OpenID Connect (OIDC) include the following updates:

  • Ability to add custom claims to OAuth2 access tokens

  • For all custom claims, you can define a scope relationship to dynamically include in the tokens

  • Client scope deny list can be inverted to an allow list

  • Configurable nbf (not before) claim time offset

  • Ability to make the claim with group values a string array instead of a comma-delimited string
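The OIDC enhancements listed above (scope-conditioned custom claims, a client scope list that can be inverted from deny to allow, a configurable nbf offset, and group values as an array) all act on the claim set of the access token before it is signed. The following is an added example, not SecureAuth code, showing one way to build that claim set; it assumes the client's scope list is a set of scope names plus a flag for its direction, that the nbf offset is subtracted from iat to tolerate clock skew, and that a custom claim is never allowed to overwrite a registered claim. All names and values are constructed.

```python
"""Build the claim set of an OAuth2 access token with the OIDC options listed on the page.

Added example, not SecureAuth code. Assumed: the per-client scope list is a set with a flag
for deny-list (default) or allow-list mode; the nbf offset is subtracted from iat; a custom
claim carries an optional scope that must be granted for the claim to be included.
"""
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet, List, Optional, Sequence
import json
import time

REGISTERED_CLAIMS = frozenset({"iss", "sub", "aud", "exp", "nbf", "iat", "scope"})


@dataclass(frozen=True)
class CustomClaim:
    name: str
    value: Any
    required_scope: Optional[str] = None  # None: always included; else only when granted


@dataclass(frozen=True)
class ClientScopePolicy:
    scopes: FrozenSet[str]
    inverted_to_allow_list: bool = False  # False: deny list (default); True: allow list


def grant_scopes(requested: Sequence[str], policy: ClientScopePolicy) -> List[str]:
    """Apply the client's scope list in deny-list or (inverted) allow-list mode."""
    if policy.inverted_to_allow_list:
        return [s for s in requested if s in policy.scopes]
    return [s for s in requested if s not in policy.scopes]


def build_access_token_claims(
    *,
    issuer: str,
    subject: str,
    audience: str,
    requested_scopes: Sequence[str],
    policy: ClientScopePolicy,
    custom_claims: Sequence[CustomClaim],
    groups: Sequence[str],
    groups_as_array: bool = False,
    nbf_offset_seconds: int = 0,
    lifetime_seconds: int = 3600,
    now: Optional[int] = None,
) -> Dict[str, Any]:
    """Return the claims dict that would be signed into the access token."""
    now = int(time.time() if now is None else now)
    granted = grant_scopes(requested_scopes, policy)
    claims: Dict[str, Any] = {
        "iss": issuer,
        "sub": subject,
        "aud": audience,
        "iat": now,
        "nbf": now - nbf_offset_seconds,  # configurable offset: valid slightly before iat
        "exp": now + lifetime_seconds,
        "scope": " ".join(granted),
    }
    for claim in custom_claims:
        if claim.name in REGISTERED_CLAIMS:
            raise ValueError("custom claim %r would overwrite a registered claim" % claim.name)
        if claim.required_scope is None or claim.required_scope in granted:
            claims[claim.name] = claim.value
    # Array form keeps group names unambiguous when a name itself contains a comma.
    claims["groups"] = list(groups) if groups_as_array else ",".join(groups)
    return claims


# Constructed sample configuration for a client that may not obtain the "admin" scope.
SAMPLE_POLICY = ClientScopePolicy(scopes=frozenset({"admin"}))
SAMPLE_CLAIMS = [
    CustomClaim("department", "Finance", required_scope="profile"),
    CustomClaim("is_admin", True, required_scope="admin"),
    CustomClaim("tenant", "acme"),
]

if __name__ == "__main__":
    token_claims = build_access_token_claims(
        issuer="https://idp.example.com", subject="jsmith", audience="app1",
        requested_scopes=["openid", "profile", "admin"], policy=SAMPLE_POLICY,
        custom_claims=SAMPLE_CLAIMS, groups=["Staff", "Finance, EMEA"],
        groups_as_array=True, nbf_offset_seconds=30, lifetime_seconds=600,
    )
    print(json.dumps(token_claims, indent=2))
```

The deny list removes "admin" from the granted scopes, so the claim gated on that scope is left out while the claim gated on "profile" is included; inverting the same set to an allow list would grant only "admin". The registered-claim guard is the check a verifier would want: a custom claim named sub or exp must never be able to replace the values the issuer computed.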




Hotfix 21.04-10 requires the SecureAuth mobile service upgrade to v1.0.9.

Contact Support before applying this hotfix.

Before upgrading to Identity Platform release 21.04 or later, see Mobile service migration process.


Forgot Username Lookup Issue – Added logic to better handle forgot username lookups.


Third-party Authenticator Support – Added support to change the registered name of an authenticator device via QR code enrollment.


Mobile Services Support for MDM – Mobile service update to support validation of Mobile Device Management (MDM) devices during URL or QR enrollment.


OTP App Default Theme Issue – Updated logic to better handle MFA configurations for the "One-Time Passcode via Phone Call" and SMS phone setting.


Help Desk Mobile Device Lookup Issue – Addressed issue with inconsistent mobile device lookups on the Help Desk page.


OIDC Issue – Added logic to better handle the post logout redirect URI.


Hard Token Enrollment Support – Updated logic to enroll Hard Tokens by means of the Assign HID device field on the Self Service and Help Desk pages.


OATH Tokens Bulk Upload Support – Added logic to support bulk uploads of OATH tokens (TOTP and HOTP tokens).

For more information, see Bulk upload hardware OATH tokens using CSV file


SAML Update Issue – Addressed issue with updating SAML settings, which prevented data store lookups in the membership provider.


Digital Fingerprint (DFP) in 2019 Theme Issue – Addressed issue with browser device fingerprint sometimes not pushing out MFA.


Mobile Services Migration Issue – Addressed issue to correctly synchronize the deletion of OATH token and Push tokens on mobile devices if they are deleted from a user profile. This issue occurs after a migration or upgrade to the Identity Platform 21.04 or later.




Application Integration Support – Added support for unique application integrations that do not require the selection of a data store in the application integration settings.


Proof Key for Code Exchange (PKCE) Improvement – Improved PKCE support to revoke access tokens without a client secret.


QR Enrollment Page Improvement – Added new help text for end users on the QR enrollment page.


Endpoint Login Issue – When a user logs in locally on a workstation with a validated password that does not match their password stored in their organization's domain data store, the login screen will prompt the user for their domain password before MFA.


Session URL Issue – EncryptUser.aspx has a ReturnURL to send the encrypted user cookie after authentication. This fix allows a dynamic ReturnURL, if it is provided and our ReturnURL is left blank.


Digital Fingerprint Issue – Addressed issue with user agent string picking up identical digital fingerprint settings in Google Chrome and Microsoft Edge.

After applying the hotfix, this issue can still occur for a specific configuration. See this KB article for a workaround: Workaround for digital fingerprint hotfix


Remove Mobile Device Issue – Addressed issue with removing mobile devices on the Account Management (Help Desk) page.


Option to Hide HID Token Button Support – Added support to optionally hide the HID token button in the Self-Service and Help Desk pages.

To use this feature, go to the Classic UI > Post Authentication tab for the Account Management Help Desk or Self-Service page configuration and set the Hard Token Button display type to Show or Hide.


Legacy Mobile App Registration Issue – Fixed an issue where legacy SecureAuth Authenticate app mobile registrations were not showing as an MFA method.


Enhanced SAML Consumer – Added the ability to integrate the Identity Platform as a SAML SP with Arculix or any third-party IdP.

For information about setting up the Identity Platform and Arculix integration, see SecureAuth IdP and Arculix integration.




Adaptive Auth Redirect Issue – Addressed issue with signature validation in SP-init redirect to a different realm.


TOTP Throttling Improvement – Improvement to TOTP throttling logic; cache is correctly cleared on successful login attempt.


CyberArk SDK Integration Support – Backported CyberArk SDK updates.


AppPool Performance Improvement – Improved AppPool performance for Identity Platform calls to SecureAuth cloud services.


Country Code Lookup Issue – Addressed issue with the default country code on the Classic Multi-Factor Methods tab.


Audit Log Update – Update in the Auth API to mask knowledge-based answers (KBA) in the Audit logs.


FIDO2 Improvements – Improvement to the user experience to display the name of FIDO devices in the login authentication delivery method list.




RBAC Configuration Issue – Addressed an issue with saving configuration changes to the role-based access control (RBAC) on the UI.


Passcode Registration Issue – Addressed an issue with the Windows desktop Passcode app not registering properly with mobile services.


FIDO2 Biometric Support in iOS for Safari – Added support for using FIDO2 biometric credentials in iOS devices using the Safari browser.


Mobile Services Migration Issue – Addressed an Identity Platform upgrade issue with mapped OATH Tokens.




Webservice Profile Lookup Issue – Addressed issue causing removal of profile data. The following describes this issue in more detail.

A rare scenario occurs in the web service when the lookup for a user's membership succeeds, and in the same request, the profile lookup times out. The user does not receive an error and it allows the user to proceed in the login workflow.

If the login workflow included a multi-factor method (MFA), a different error message would display, related to not finding any MFA in the user's profile.

If the login workflow is only username and password, then the login would succeed and save an empty profile for the user. This issue clears all writable values in the user profile.

This issue first occurred after a previous hotfix (EE-2253) to reduce the web service timeout to a reasonable value (5 seconds).

Web service timeouts usually occur when the login to a realm has been idle for too long and suspends itself.

The hotfix prevents the user profile from clearing out by not allowing the user to continue in the current login request during a timeout. If the timeout is due to an idle realm, the second attempt normally succeeds and the user can continue the login workflow.
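The profile lookup issue described above comes down to how a timeout is handled inside one login request: treated as an empty profile, it propagates to the profile write at the end of the request; treated as a hard failure, the request stops and nothing is written. The following is an added example, not SecureAuth code, that models both behaviours side by side. The FakeWebServiceStore is a constructed stand-in for the web service data store whose first profile lookup after the realm has gone idle times out and whose retry succeeds, which is the sequence the note describes; the user record and messages are constructed.

```python
"""Login flow around a profile-lookup timeout: pre-hotfix defect beside the fixed behaviour.

Added example, not SecureAuth code. FakeWebServiceStore is a constructed stand-in for the
web service data store: the first profile lookup after the realm has gone idle times out,
the retry succeeds (the scenario described in the hotfix note).
"""
from typing import Any, Dict


class ProfileLookupTimeout(Exception):
    """Raised when the profile lookup exceeds the web service timeout."""


class FakeWebServiceStore:
    def __init__(self, users: Dict[str, Dict[str, Any]], realm_idle: bool = True) -> None:
        self.users = users
        self.realm_idle = realm_idle
        self.timeouts = 0

    def check_membership(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        return user is not None and user["password"] == password

    def get_profile(self, username: str) -> Dict[str, Any]:
        if self.realm_idle:
            self.realm_idle = False  # the call wakes the realm; the next lookup succeeds
            self.timeouts += 1
            raise ProfileLookupTimeout("profile lookup exceeded web service timeout")
        return dict(self.users[username]["profile"])

    def save_profile(self, username: str, profile: Dict[str, Any]) -> None:
        # The login workflow writes the profile back at the end of the request, so
        # whatever the request holds at that point replaces the stored writable values.
        self.users[username]["profile"] = dict(profile)


def login_before_hotfix(store: FakeWebServiceStore, username: str, password: str,
                        require_mfa: bool) -> str:
    """Defective flow: a timeout is silently treated as an empty profile."""
    if not store.check_membership(username, password):
        return "invalid credentials"
    try:
        profile = store.get_profile(username)
    except ProfileLookupTimeout:
        profile = {}  # defect: the user is allowed to continue with no profile data
    if require_mfa and not profile.get("mfa_methods"):
        return "no MFA method found in user profile"
    store.save_profile(username, profile)  # password-only flow: the empty dict is saved
    return "success"


def login_after_hotfix(store: FakeWebServiceStore, username: str, password: str,
                       require_mfa: bool) -> str:
    """Fixed flow: a timeout ends the current request before anything is written."""
    if not store.check_membership(username, password):
        return "invalid credentials"
    try:
        profile = store.get_profile(username)
    except ProfileLookupTimeout:
        return "profile lookup timed out; retry login"
    if require_mfa and not profile.get("mfa_methods"):
        return "no MFA method found in user profile"
    store.save_profile(username, profile)
    return "success"


def sample_users() -> Dict[str, Dict[str, Any]]:
    """Constructed user record with writable profile values."""
    return {"jsmith": {"password": "correct horse",
                       "profile": {"mfa_methods": ["totp"], "phone": "+1 555 0100"}}}


if __name__ == "__main__":
    store = FakeWebServiceStore(sample_users())
    print(login_before_hotfix(store, "jsmith", "correct horse", require_mfa=False),
          store.users["jsmith"]["profile"])
    store = FakeWebServiceStore(sample_users())
    print(login_after_hotfix(store, "jsmith", "correct horse", require_mfa=False),
          store.users["jsmith"]["profile"])
    print(login_after_hotfix(store, "jsmith", "correct horse", require_mfa=False))
```

In the defective flow the password-only login reports success and the stored profile is now empty, which is the data loss the note describes; with an MFA requirement the same timeout surfaces as the misleading "no MFA method" error instead. In the fixed flow the first attempt is refused and the profile is untouched, and the retry, now against a woken realm, succeeds.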


Another update addresses the following issue released in hotfix 21.04-5.

SQL Database Log Improvement – Improved null handling for SQL database logs.


2019 Theme Issue – Addressed display issue in 2019 Theme for the OIDCEndSession.aspx page.


Login for Windows Authentication Issue – Fixed issue where HOTP device did not work correctly for API authentication in Login for Windows.


Username Lookup Performance Improvement – Added support for domain\username lookups in the New Experience to address performance issues.

To address performance issues with username lookups across multiple data stores, you can use the data store name as the "domain" identifier in the login string, like domain\username.

For example, if the data store name in the New Experience is acmeAD and your login username is jsmith, enter acmead\jsmith as the username in the login workflow.

The data store name must contain only alphanumeric characters, with no spaces or symbols.

For more information, see the knowledge base article: How to speed up logins to applications
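The domain\username convention above turns a search across every configured data store into a lookup against one named store. The following is an added example, not SecureAuth code, of how such a login string can be routed; it assumes the data store name is matched case-insensitively (as the acmeAD / acmead example suggests) and that a prefix matching no configured store falls back to searching every store with the full login string, since a Windows-style DOMAIN\user login can legitimately contain a backslash. The store names are constructed.

```python
"""Route a login string of the form datastore\\username to one New Experience data store.

Added example, not SecureAuth code. Assumed: store names match case-insensitively, and a
prefix that matches no configured store falls back to searching every store with the full
login string.
"""
import re
from typing import List, Optional, Tuple

# Rule from the page: alphanumeric characters only, no spaces or symbols.
DATA_STORE_NAME_RE = re.compile(r"^[A-Za-z0-9]+$")


def validate_data_store_name(name: str) -> str:
    if not DATA_STORE_NAME_RE.match(name):
        raise ValueError("invalid data store name %r: alphanumeric characters only" % name)
    return name


def split_login(login: str) -> Tuple[Optional[str], str]:
    """'acmead\\jsmith' -> ('acmead', 'jsmith'); 'jsmith' -> (None, 'jsmith')."""
    prefix, sep, rest = login.partition("\\")
    if not sep:
        return None, login
    if not rest:
        raise ValueError("login string %r has no username after the backslash" % login)
    return prefix, rest


def plan_lookup(login: str, data_store_names: List[str]) -> List[Tuple[str, str]]:
    """Return the (data store, username) pairs to query, in order."""
    stores = [validate_data_store_name(n) for n in data_store_names]
    prefix, username = split_login(login)
    if prefix is not None:
        for store in stores:
            if store.lower() == prefix.lower():
                return [(store, username)]  # targeted lookup: one store, one query
    # No prefix, or the prefix is not a configured store: search every store.
    return [(store, login) for store in stores]


if __name__ == "__main__":
    for entry in ("acmead\\jsmith", "jsmith", "CORP\\jsmith"):
        print(entry, "->", plan_lookup(entry, ["acmeAD", "cloudSQL"]))
```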




Password Reset Improvement – Improvement to self-service password reset functionality for a specific use case.

For more information, see the knowledge base article: Self-service password reset hotfix update


Custom Token Value Support – New option to Base64 encode the custom token value.


Azure AD Password Reset Support – Added inline support for password reset of Azure AD synced users.


Identity Management API Issue – Addressed issue with Identity Management (IDM) API failure to create user in the Identity Store.


JSON Web Token Support – Added support for iat (issued at) attribute.


Adaptive Group Check Issue – Addressed issue to ensure that the adaptive group check is correctly performed after an invalid password attempt.


Proof Key for Code Exchange (PKCE) Improvement – Improve PKCE support to allow Refresh Token use without the client_secret.


SQL Database Log Improvement – Improved null handling for SQL database logs.


Public / Private Mode Issue – Addressed an issue to ensure the system honors a change to the public/private mode setting in the Classic Experience.




Web Admin Issue – Addressed issue with missing KBA/KBQ settings in the web.config in the Classic Experience.


OIDC Issue – Added logic to better handle double logins in use cases where the user clicks Submit and also presses Enter.

Install this hotfix if you have:

  • OIDC / OAuth2 integrations


Web Admin UI Issue – Addressed issue with the Test Connection button on the Data tab.




Mobile Authentication – Fixed issue where an extra comma was incorrectly added to a payload file.


Account Update Issue – Addressed an issue that affected the Account Update page when using a Web Service (Multi-Datastore) with Windows SSO.


Email Template Support – Reinstate support to customize email templates in the Identity Platform for cloud deployments.


Password Reset Support – Added support to unlock account first on the Password Reset page and then redirect users to reset their password.


2019 Theme Issue – Reinstate support in the Classic Experience Web Admin for the URL links to Forgot Username, Forgot Password, and Restart Login pages for the 2019 Theme.


Web Service (Multi-Datastore) Realm Issue – Addressed login issues using TOTP OATH token with Google Authenticator.


This is an update to the following issue reported under EE-2120 in hotfix 21.04-1.

OIDC Issue – Added logic to better handle login prompts.

Install this hotfix if you have:

  • OIDC / OAuth2 integrations


SAML Flow Issue – Addressed issue in which the SAML assertion strips out the OIDC request.




Device Fingerprint Optimization – Device fingerprint profile (DFP) optimized when realm is configured in Private Mode only.


SAML OneTimeUse Condition Support – Added support for the SAML OneTimeUse condition.


SAML Assertion Update – Added support for FriendlyName user attribute.

Using the FriendlyName user attribute requires the following application setting in the web.config:

<add key="ExtendedSAMLAttrXXFriendlyName" value="YourFriendlyName" />

where XX is a number from 1 to 10 identifying the attribute.

For Identity Platform cloud deployments, contact Support to update your web.config.


Added New Response Times to Audit Logs – Addressed issue to include OTP response times in audit logs.


International Phone Format Issue – Addressed an issue that affected some international phone number formats.


WebServices Timeout Issue – Added logic to optimize timeout values for profile lookups.


This is an update to the following issue reported under EE-1967 in hotfix 21.04-1.

Data Store Connection Issue – Addressed an issue causing intermittent problems in the Identity Platform when the connected data store is slow or unreliable.


Migration Support – Added migration support for complex use cases for upgrade customers using push tokens and TOTP in mobile services.

For more information, see SecureAuth mobile services and contact Support.




Password Throttling API Response Message – Added clarification to the password throttling API response message.


Error Handling Improvement – Added additional logic to better manage errors that occur when using the API OTP validate endpoint.

Install this hotfix if you have:

  • Authentication API enabled


Data Store Connection Issue – Addressed an issue causing intermittent problems in the Identity Platform when the connected data store is slow or unreliable.


Adaptive Endpoint Issue – Resolved an issue causing the endpoint to incorrectly prompt for 2FA for users in an allowed group.


Content and Localization Issue – Addressed issue where edits in the verbiage editor did not show up on the Logout.aspx page.


Performance Issue Update – Enhancement to an earlier hotfix for this issue. Better exception handling to improve system performance during login and enrollment workflows.


AD LDS Account Unlocking Issue – Addressed an issue causing the Identity Platform to incorrectly treat as locked accounts that had previously been unlocked in AD LDS.

Install this hotfix if you have:

  • AD LDS data store integration


A fallback XML attribute for the lockout duration was added to the web.config. Contact Support for more information.


Login Delay Issue – Resolved an issue resulting in potential delays for the login page when using IWA or Transparent SSO.

Install this hotfix if you have:

  • IWA workflow

  • Transparent SSO workflow


IPv6 Address Handling Improvement – Enhanced ability to better manage IPv6 addresses.


Default MFA Delivery Options Improvement – Added logic so that the first MFA option on the list is always selected by default.


OpenID Connect Scopes Issue – Resolved an issue with OpenID scope values not rendering correctly for OIDC Authorizations.

Install this hotfix if you have:

  • OIDC / OAuth2 integrations


OIDC Issue – Added logic to better handle login prompts.

Install this hotfix if you have:

  • OIDC / OAuth2 integrations


RBAC Issue – Resolved a known issue causing intermittent problems with RBAC configurations on initial deployment of the Identity Platform.


QR Enrollment Support – Added the ability to support third-party application enrollment in the New Experience user interface.