
Hotfixes

The following lists hotfixes for the SecureAuth® Identity Platform release 22.02.

22.02 hotfixes

Release No. | Release Date | Ref ID | Issue / Description

22.02-14

22-Jan-2024

EE-1730, EE-3373

Security Issue – Security improvements for managing UserExchange Web Service for Custom application integrations.

EE-3380

CyberArk Username Issue – Addressed issue with not saving the CyberArk username in the Advanced Settings (on the Data tab for Datastore connection settings).

EE-3382

Single User Logout URL Issue – Added logic to the metadata for the single logout service URL.

22.02-13

26-Sep-2023

EE-3264

OIDC Endpoint Improvement – Added improvements to consent storage for supporting multiple active tokens during introspection.

Update: Added some null checks to fix issues with backward compatibility.

22.02-12

01-Sep-2023

EE-3293

Extend Realm Limit – Added improvement to extend the realm limit beyond 999.

22.02-11

17-Aug-2023

EE-3264

OIDC Endpoint Improvement – Added improvements to consent storage for supporting multiple active tokens during introspection.

EE-3302

Configuration Setting for ACS URL Restriction – Added a configuration setting to turn ON or OFF the ACS URL whitelist enforcement.

Important

Before you install this hotfix, see this KB article: How to establish trust for ACS redirects in SP-initiated SAML requests

22.02-10

13-Jul-2023

EE-2557

Unhandled SecurePortal Error – Anonymous users landing on the SecurePortal would encounter an on-screen error instead of being redirected to login screen.

EE-3196

Migration Issue with Profile Datastore – Addressed issue with a SQL profile provider data store not working correctly after a Classic to New Experience realm migration.

EE-3202

Setting to Pre-Populate Username Field – Added setting to turn on or off the username autofill setting for SP-initiated login workflows.

By default, this setting is turned on. Contact Support to turn this on or off.

Relates to EE-2985 in 22.02-5 hotfix.

EE-3252 / EE-3289

ACS URL Restriction in SAML Integration – Added logic to restrict incoming ACS URL in the SAML request by validating them against a whitelist.

EE-3258

FIPS Compliance on User Handler Web Service Page – Added logic to make EncryptUser.aspx page compliant with FIPS.

EE-3259

Metadata File Download – The metadata file download in the New Experience now also goes to the root of the application realm.

EE-3264

OIDC Endpoint Improvement – Added improvements to consent storage for supporting multiple active tokens during introspection.

NOTE: There is a small bug; a resolution is coming in the next hotfix.

22.02-9

17-May-2023

EE-2846

API Calls and Push Notification Issue – Added logic for stateless API calls to load balancers for push to accept.

EE-3035

Login for Endpoints Improvement – Added improvements to better handle connectivity when a service goes offline.

EE-3091

Submit Button in 2019 Theme Issue – Addressed issue in 2019 Theme where the Submit button was not in focus when an MFA option is selected.

EE-3098

LDAP Authentication Improvement – Added logic to make LDAP authentication over SSL/TLS more secure.

EE-3165

Security Issue – Added logic to improve masking of a password field in Advanced settings.

EE-3175

Realm Migration Issue – Addressed Classic to New Experience realm migration issue with case sensitivity in folder names.

EE-3201

Pre-populate Username Field Issue – Addressed bug with prefilling the username field using the querystring value for SP-initiated workflows, during the login redirect to the SecureAuth IdP.

EE-3205

Missing MFA on 2016 Theme in New Experience Applications – Addressed issue with Admin API ignoring a setting required by only the 2016 Theme for displaying all expected MFA.

EE-3207

Unhandled SecurePortal Error – Anonymous users landing on the SecurePortal would encounter an on-screen error instead of being redirected to login screen.

EE-3221

Auth API Issue – Added logic to better handle TOTP brute force throttling for the Auth API. Change will benefit API consumers (i.e. RADIUS) when validating TOTP for users with multiple enrollments.

EE-3225

AD-LDS Password Validation Issue – Addressed issue with AD-LDS connections that use user + password workflows in the Advanced Settings (formerly Classic Experience).

EE-3230

API Calls and Push Notification Issue in Login for Windows – Added logic for stateless API calls to load balancers for push to accept in Login for Windows.

22.02-8

08-Feb-2023

EE-3055

ASP.NET DB Support – Added support for the ASP.NET database to the data store integrations in the New Experience.

EE-3073

EncryptUser Issue – Addressed issue with a truncated URL in EncryptUser.aspx.

EE-3074

SAML Post Issue – Added logic to support SAML Post workflow redirects through adaptive auth (group restriction).

22.02-7

29-Dec-2022

EE-2684

Passcode App Update – Supports the ability to register on more than one computer.

This requires an updated version of Passcode for Windows or Passcode for Mac.

EE-2968

YubiKey HOTP Issue – Addressed issue with a login loop if a user taps their YubiKey and inadvertently clicks the Submit button.

EE-3039

New Experience Realm Issue – Addressed issue with setting up a New Experience realm without a data store configuration.

22.02-6

29-Dec-2022

EE-3041

IWA Service Performance Improvement – Improved performance with the SecureAuth IWA service.

22.02-5

14-Nov-2022

EE-2569

Forgot Username Lookup Issue – Added logic to better handle forgot username lookups.

EE-2702

Email Template Save Issue – Addressed issue with updating and saving the OTP Email Template on the Overview tab in full cloud instances.

EE-2712

Firefox Login Issue – Addressed issue with Submit button in Firefox when user selects an autofill login option.

EE-2825

Groups Lookup Issue – Added pipeline to turn off nested group search in New Experience Datastore. UI for this feature is pending to be released at a later date.

UI update – See this KB article: How to improve performance by disabling lookups in nested groups

EE-2830

OATH Tokens Bulk Upload Issue – Addressed issue with logic in earlier hotfix to support bulk uploads of OATH tokens (TOTP and HOTP tokens).

EE-2917

Password Reset Error Message Improvement – Added improvement to better customize error messages coming from the Active Directory during password resets.

EE-2955

SecureAuth IWA Issue – Fixed theme-specific issue that prevented SecureAuth IWA in cloud instances from working properly with 2019 Theme.

EE-2985

Pre-populate Username Field – For SP-initiated workflows, during the login redirect to the SecureAuth IdP, it now fills the username field with the querystring value.

EE-2986

Extended SAML Attributes Support – Added GroupList format to the Extended SAML Attribute configuration.

EE-2994

Push Notification Token Issue – Added logic to better handle extra Push Notification Token that has the same name as an existing one during Mobile Service Migration.

EE-3008

OIDC Enhancements – Enhancements to OpenID Connect (OIDC) include the following updates:

  • Ability to add custom claims to OAuth2 access tokens

  • For all custom claims, you can define a scope relationship to dynamically include in the tokens

  • Client scope deny list can be inverted to an allow list

  • Configurable nbf (not before) claim time offset

  • Ability to make the claim with group values a string array instead of a comma-delimited string

22.02-4

23-Sep-2022

EE-2592

QR Enrollment Page Improvement – Added new help text for end users on the QR enrollment page.

EE-2641

Third-party Authenticator Support – Added support to change the registered name of an authenticator device via QR code enrollment.

EE-2709

Mobile Services Support for MDM – Mobile service update to support validation of Mobile Device Management (MDM) devices during URL or QR enrollment.

EE-2720

OTP App Default Theme Issue – Updated logic to better handle MFA configurations for the "One-Time Passcode via Phone Call" and SMS phone setting.

EE-2816

Help Desk Mobile Device Lookup Issue – Addressed issue with inconsistent mobile device lookups on the Help Desk page.

EE-2819

Skip to Post Authentication Issue – Addressed issue with an incorrect skip to post authentication page using an invalid password.

EE-2828

OIDC Issue – Added logic to better handle the post logout redirect URI.

EE-2829

Hard Token Enrollment Support – Updated logic to enroll Hard Tokens by means of the Assign HID device field on the Self Service and Help Desk pages.

EE-2830

OATH Tokens Bulk Upload Support – Added logic to support bulk uploads of OATH tokens (TOTP and HOTP tokens).

For more information, see Bulk upload hardware OATH tokens using CSV file

EE-2857

Mobile Services Migration Issue – Addressed issue to correctly synchronize the deletion of OATH token and Push tokens on mobile devices if they are deleted from a user profile. This issue occurs after a migration or upgrade to the Identity Platform 21.04 or later.

EE-2874

Show or Hide Link Issue – Fixed issue with the show or hide link options on the Overview tab for the 2019 Theme.

EE-2930

Azure AD Name Issue – Resolved issue to correctly save the Azure AD data store as a GUID in Identity Platform cloud deployments.

22.02-3

08-Aug-2022

EE-2852

SAML Update Issue – Addressed issue with updating SAML settings, which prevented data store lookups in the membership provider.

EE-2855

Digital Fingerprint (DPF) in 2019 Theme Issue – Addressed issue with browser device fingerprint sometimes not pushing out MFA.

22.02-2

30-Jun-2022

IDP-10080

FIDO2 Improvements – Improvement to the user experience to display the name of FIDO devices in the login authentication delivery method list.

IDP-10235

Enhanced SAML Consumer – Added the ability to integrate the Identity Platform as a SAML SP with Arculix or any third-party IdP.

For information about setting up the Identity Platform and Arculix integration, see SecureAuth IdP and Arculix integration.

IDP-10256

Data Store Test Connection Improvement – The data store integration settings now have a Test Credentials button to help test your data store connection.

Available to supported data stores in Identity Platform hybrid deployments.

IDP-10267

Account Management Issue – Addressed issue with CyberArk SQL data store profile updates through the Account Management (Help Desk) page.

IDP-10279

Endpoint Login Issue – When a user logs in locally on a workstation with a validated password that does not match their password stored in their organization's domain data store, the login screen will prompt the user for their domain password before MFA.

IDP-10290

Migration Support – Added support in the Identity Platform to migrate Classic Experience realms to the New Experience.

For more information about migrating Classic Experience realms, see Classic Experience migration to the New Experience

IDP-10294

Username Lookup Performance Improvement – Added support for domain\username lookups in the New Experience to address performance issues.

To address performance issues with username lookups across multiple data stores, you can use the data store name as the "domain" identifier in the login string, like domain\username.

For example, if the data store name in the New Experience is acmeAD and your login username is jsmith, you would enter acmead\jsmith as the username in the login workflow.

Data store name must only have alphanumeric characters and no spaces or symbols.

For more information, see the knowledge base article: How to speed up logins to applications

IDP-10295

Passcode App Issue – Fixed issue where it did not correctly register the Passcode app on a desktop machine.

IDP-10296

Mobile Services Migration Issue – Addressed an Identity Platform upgrade issue with mapped OATH Tokens.

IDP-10297

TOTP Throttling Improvement – Improvement to TOTP throttling logic; cache is correctly cleared on successful login attempt.

IDP-10305

AppPool Performance Improvement – Improve AppPool performance with Identity Platform call to SecureAuth cloud services.

IDP-10309

New Application Improvement – In the New Experience, when you create a new application, endpoint, or FIDO2 enrollment page, you can select the realm number.

IDP-10325

RBAC Configuration Issue – Addressed an issue with saving configuration changes to the role-based access control (RBAC) on the UI.

IDP-10328

Adaptive Auth Redirect Issue – Addressed issue with signature validation in SP-init redirect to a different realm.

IDP-10329

Country Code Lookup Issue – Addressed issue with the default country code on the Classic Multi-Factor Methods tab.

IDP-10330

Audit Log Update – Update in the Auth API to mask knowledge-based answers (KBA) in the Audit logs.

IDP-10343

FIDO2 Device Registration Improvement – Added support for administrators to define FIDO2 device restrictions for their end users in the global settings.

For more information about the Advanced Settings configuration, see FIDO2 WebAuthn global MFA settings

IDP-10347

Global Aux ID Support – Added support for Global Aux IDs in the Application Manager connection settings in a new "Static Attributes" section.

IDP-10400

Digital Fingerprint Issue – Addressed issue with user agent string picking up identical digital fingerprint settings in Google Chrome and Microsoft Edge.

After applying the hotfix, this issue can still occur for a specific configuration. See this KB article for a workaround: Workaround for digital fingerprint hotfix

IDP-10401

Remove Mobile Device Issue – Addressed issue with removing mobile devices on the Account Management (Help Desk) page.

IDP-10402

Session URL Issue – EncryptUser.aspx has a ReturnURL to send the encrypted user cookie after authentication. This fix allows a dynamic ReturnURL, if it is provided and our ReturnURL is left blank.

IDP-10403

Application Integration Support – Added support for unique application integrations that do not require the selection of a data store in the application integration settings.

IDP-10442

Legacy Mobile App Registration Issue – Fixed an issue where legacy SecureAuth Authenticate app mobile registrations were not showing as an MFA method.

IDP-10443

Option to Hide HID Token Button Support – Added support to optionally hide the HID token button in the Self-Service and Help Desk pages.

To use this feature, go to the Classic UI > Post Authentication tab for the Account Management Help Desk or Self-Service page configuration and set the Hard Token Button display type to Show or Hide.

IDP-10444

Proof Key for Code Exchange (PKCE) Improvement – Improve PKCE support to revoke access tokens without a client secret.

IDP-10449

FIDO2 Support – Added support to enable FIDO2 devices in the Classic Experience.