

The following lists hotfixes for the Identity Platform release 22.02.

22.02 hotfixes

Release No.

Release Date

Ref ID

Issue / Description




API Calls and Push Notification Issue – Added logic for stateless API calls to load balancers for push to accept.


Login for Endpoints Improvement – Added improvements to better handle connectivity when a service goes offline.


Submit Button in 2019 Theme Issue – Addressed issue in 2019 Theme where the Submit button was not in focus when an MFA option is selected.


LDAP Authentication Improvement – Added logic to make LDAP authentication over SSL/TLS more secure.


Security Issue – Added logic to improve masking of a password field in Advanced settings.


Realm Migration Issue – Addressed Classic to New Experience realm migration issue with case sensitivity in folder names.


Pre-populate Username Field Issue – Addressed bug with prefilling the username field using the querystring value for SP-initiated workflows, during the login redirect to the SecureAuth IdP.


Missing MFA on 2016 Theme in New Experience Applications – Addressed issue with Admin API ignoring a setting required by only the 2016 Theme for displaying all expected MFA.


Unhandled SecurePortal Error – Anonymous users landing on the SecurePortal would encounter an on-screen error instead of being redirected to login screen.


Auth API Issue – Added logic to better handle TOTP brute force throttling for the Auth API. Change will benefit API consumers (i.e. RADIUS) when validating TOTP for users with multiple enrollments.


AD-LDS Password Validation Issue – Addressed issue with AD-LDS connections that use user + password workflows in the Advanced Settings (formerly Classic Experience).


API Calls and Push Notification Issue in Login for Windows – Added logic for stateless API calls to load balancers for push to accept in Login for Windows.

This issue was caused by a code change to EE-2846 in the Identity Platform 22.12-2 hotfix.




ASP.NET DB Support – Added support for the ASP.NET database to the data store integrations in the New Experience.


EncryptUser Issue – Addressed issue with a truncated URL in EncryptUser.aspx.


SAML Post Issue – Added logic to support SAML Post workflow redirects through adaptive auth (group restriction).




Passcode App Update – Supports the ability to register on more than one computer.

This requires an updated version of Passcode for Windows or Passcode for Mac.


YubiKey HOTP Issue – Addressed issue with a login loop if a user taps their YubiKey and inadvertently clicks the Submit button.


New Experience Realm Issue – Addressed issue with setting up a New Experience realm without a data store configuration.




IWA Service Performance Improvement – Improved performance with the SecureAuth IWA service.




Forgot Username Lookup Issue – Added logic to better handle forgot username lookups.


Email Template Save Issue – Addressed issue with updating and saving the OTP Email Template on the Overview tab in full cloud instances.


Firefox Login Issue – Addressed issue with Submit button in Firefox when user selects an autofill login option.


Groups Lookup Issue – Added pipeline to turn off nested group search in New Experience Datastore. The UI for this feature will be released at a later date.


OATH Tokens Bulk Upload Issue – Addressed issue with logic in earlier hotfix to support bulk uploads of OATH tokens (TOTP and HOTP tokens).


Password Reset Error Message Improvement – Added improvement to better customize error messages coming from the Active Directory during password resets.


SecureAuth IWA Issue – Fixed theme-specific issue that prevented SecureAuth IWA in cloud instances from working properly with 2019 Theme.


Pre-populate Username Field – For SP-initiated workflows, during the login redirect to the SecureAuth IdP, it now fills the username field with the querystring value.


Extended SAML Attributes Support – Added GroupList format to the Extended SAML Attribute configuration.


Push Notification Token Issue – Added logic to better handle an extra Push Notification Token that has the same name as an existing one during Mobile Service Migration.


OIDC Enhancements – Enhancements to OpenID Connect (OIDC) include the following updates:

  • Ability to add custom claims to OAuth2 access tokens

  • For all custom claims, you can define a scope relationship to dynamically include in the tokens

  • Client scope deny list can be inverted to an allow list

  • Configurable nbf (not before) claim time offset

  • Ability to make the claim with group values a string array instead of a comma-delimited string




QR Enrollment Page Improvement – Added new help text for end users on the QR enrollment page.


Third-party Authenticator Support – Added support to change the registered name of an authenticator device via QR code enrollment.


Mobile Services Support for MDM – Mobile service update to support validation of Mobile Device Management (MDM) devices during URL or QR enrollment.


OTP App Default Theme Issue – Updated logic to better handle MFA configurations for the "One-Time Passcode via Phone Call" and SMS phone setting.


Help Desk Mobile Device Lookup Issue – Addressed issue with inconsistent mobile device lookups on the Help Desk page.


Skip to Post Authentication Issue – Addressed issue with an incorrect skip to post authentication page using an invalid password.


OIDC Issue – Added logic to better handle the post logout redirect URI.


Hard Token Enrollment Support – Updated logic to enroll Hard Tokens by means of the Assign HID device field on the Self Service and Help Desk pages.


OATH Tokens Bulk Upload Support – Added logic to support bulk uploads of OATH tokens (TOTP and HOTP tokens).

For more information, see Bulk upload hardware OATH tokens using CSV file.


Mobile Services Migration Issue – Addressed issue to correctly synchronize the deletion of OATH token and Push tokens on mobile devices if they are deleted from a user profile. This issue occurs after a migration or upgrade to the Identity Platform 21.04 or later.


Show or Hide Link Issue – Fixed issue with the show or hide link options on the Overview tab for the 2019 Theme.


Azure AD Name Issue – Resolved issue to correctly save the Azure AD data store as a GUID in Identity Platform cloud deployments.




SAML Update Issue – Addressed issue with updating SAML settings, which prevented data store lookups in the membership provider.


Digital Fingerprint (DPF) in 2019 Theme Issue – Addressed issue with browser device fingerprint sometimes not pushing out MFA.




FIDO2 Improvements – Improvement to the user experience to display the name of FIDO devices in the login authentication delivery method list.


Enhanced SAML Consumer – Added the ability to integrate the Identity Platform as a SAML SP with Arculix or any third-party IdP.

For information about setting up the Identity Platform and Arculix integration, see SecureAuth IdP and Arculix integration.


Data Store Test Connection Improvement – The data store integration settings now have a Test Credentials button to help test your data store connection.

Available to supported data stores in Identity Platform hybrid deployments.


Account Management Issue – Addressed issue with CyberArk SQL data store profile updates through the Account Management (Help Desk) page.


Endpoint Login Issue – When a user logs in locally on a workstation with a validated password that does not match their password stored in their organization's domain data store, the login screen will prompt the user for their domain password before MFA.


Migration Support – Added support in the Identity Platform to migrate Classic Experience realms to the New Experience.

For more information about migrating Classic Experience realms, see Classic Experience migration to the New Experience.


Username Lookup Performance Improvement – Added support for domain\username lookups in the New Experience to address performance issues.

To address performance issues with username lookups across multiple data stores, you can use the data store name as the "domain" identifier in the login string, like domain\username.

For example, if the data store name in the New Experience is acmeAD and your login username is jsmith, you would enter acmead\jsmith as the username in the login workflow.

The data store name must contain only alphanumeric characters, with no spaces or symbols.

For more information, see the knowledge base article: How to speed up logins to applications.


Passcode App Issue – Fixed issue where it did not correctly register the Passcode app on a desktop machine.


Mobile Services Migration Issue – Addressed an Identity Platform upgrade issue with mapped OATH Tokens.


TOTP Throttling Improvement – Improvement to TOTP throttling logic; cache is correctly cleared on successful login attempt.


AppPool Performance Improvement – Improved AppPool performance with Identity Platform calls to SecureAuth cloud services.


New Application Improvement – In the New Experience, when you create a new application, endpoint, or FIDO2 enrollment page, you can select the realm number.


RBAC Configuration Issue – Addressed an issue with saving configuration changes to the role-based access control (RBAC) on the UI.


Adaptive Auth Redirect Issue – Addressed issue with signature validation in SP-init redirect to a different realm.


Country Code Lookup Issue – Addressed issue with the default country code on the Classic Multi-Factor Methods tab.


Audit Log Update – Update in the Auth API to mask knowledge-based answers (KBA) in the Audit logs.


FIDO2 Device Registration Improvement – Added support for administrators to define FIDO2 device restrictions for their end users in the global settings.

For more information about the Advanced Settings configuration, see FIDO2 WebAuthn global MFA settings.


Global Aux ID Support – Added support for Global Aux IDs in the Application Manager connection settings in a new "Static Attributes" section.


Digital Fingerprint Issue – Addressed issue with user agent string picking up identical digital fingerprint settings in Google Chrome and Microsoft Edge.

After applying the hotfix, this issue can still occur for a specific configuration. See this KB article for a workaround: Workaround for digital fingerprint hotfix.


Remove Mobile Device Issue – Addressed issue with removing mobile devices on the Account Management (Help Desk) page.


Session URL Issue – EncryptUser.aspx has a ReturnURL to send the encrypted user cookie after authentication. This fix allows a dynamic ReturnURL, if it is provided and our ReturnURL is left blank.


Application Integration Support – Added support for unique application integrations that do not require the selection of a data store in the application integration settings.


Legacy Mobile App Registration Issue – Fixed an issue where legacy SecureAuth Authenticate app mobile registrations were not showing as an MFA method.


Option to Hide HID Token Button Support – Added support to optionally hide the HID token button in the Self-Service and Help Desk pages.

To use this feature, go to the Classic UI > Post Authentication tab for the Account Management Help Desk or Self-Service page configuration and set the Hard Token Button display type to Show or Hide.


Proof Key for Code Exchange (PKCE) Improvement – Improved PKCE support to revoke access tokens without a client secret.


FIDO2 Support – Added support to enable FIDO2 devices in the Classic Experience.