

The following lists hotfixes for the Identity Platform release 22.02.

22.02 hotfixes

Release No.

Release Date

Ref ID

Issue / Description




Forgot Username Lookup Issue – Added logic to better handle forgot username lookups.


Email Template Save Issue – Addressed issue with updating and saving the OTP Email Template on the Overview tab in full cloud instances.


Firefox Login Issue – Addressed issue with Submit button in Firefox when user selects an autofill login option.


Groups Lookup Issue – Added pipeline to turn off nested group search in New Experience Datastore. The UI for this feature is pending release at a later date.


OATH Tokens Bulk Upload Issue – Addressed issue with logic in earlier hotfix to support bulk uploads of OATH tokens (TOTP and HOTP tokens).


Password Reset Error Message Improvement – Added improvement to better customize error messages coming from the Active Directory during password resets.


SecureAuth IWA Issue – Fixed theme-specific issue that prevented SecureAuth IWA in cloud instances from working properly with the 2019 Theme.


Extended SAML Attributes Support – Added GroupList format to the Extended SAML Attribute configuration.


Push Notification Token Issue – Added logic to better handle an extra Push Notification Token that has the same name as an existing one during Mobile Service Migration.


OIDC Enhancements – Enhancements to OpenID Connect (OIDC) include the following updates:

  • Ability to add custom claims to OAuth2 access tokens

  • For all custom claims, you can define a scope relationship to dynamically include them in the tokens

  • Client scope deny list can be inverted to an allow list

  • Configurable nbf (not before) claim time offset

  • Ability to make the claim with group values a string array instead of a comma-delimited string




QR Enrollment Page Improvement – Added new help text for end users on the QR enrollment page.


Third-party Authenticator Support – Added support to change the registered name of an authenticator device via QR code enrollment.


Mobile Services Support for MDM – Mobile service update to support validation of Mobile Device Management (MDM) devices during URL or QR enrollment.


OTP App Default Theme Issue – Updated logic to better handle MFA configurations for the "One-Time Passcode via Phone Call" and SMS phone setting.


Help Desk Mobile Device Lookup Issue – Addressed issue with inconsistent mobile device lookups on the Help Desk page.


Skip to Post Authentication Issue – Addressed issue with an incorrect skip to post authentication page using an invalid password.


OIDC Issue – Added logic to better handle the post logout redirect URI.


Hard Token Enrollment Support – Updated logic to enroll Hard Tokens by means of the Assign HID device field on the Self Service and Help Desk pages.


OATH Tokens Bulk Upload Support – Added logic to support bulk uploads of OATH tokens (TOTP and HOTP tokens).

For more information, see Bulk upload hardware tokens using CSV file.


Mobile Services Migration Issue – Addressed issue to correctly synchronize the deletion of OATH token and Push tokens on mobile devices if they are deleted from a user profile. This issue occurs after a migration or upgrade to the Identity Platform 21.04 or later.


Show or Hide Link Issue – Fixed issue with the show or hide link options on the Overview tab for the 2019 Theme.


Azure AD Name Issue – Resolved issue to correctly save the Azure AD data store as a GUID in Identity Platform cloud deployments.




SAML Update Issue – Addressed issue with updating SAML settings, which prevented data store lookups in the membership provider.


Digital Fingerprint (DPF) in 2019 Theme Issue – Addressed issue with browser device fingerprint sometimes not pushing out MFA.




FIDO2 Improvements – Improvement to the user experience to display the name of FIDO devices in the login authentication delivery method list.


Enhanced SAML Consumer – Added the ability to integrate the Identity Platform as a SAML SP with Arculix or any third-party IdP.

For information about setting up the Identity Platform and Arculix integration, see Identity Platform and Arculix integration.


Data Store Test Connection Improvement – The data store integration settings now have a Test Credentials button to help test your data store connection.

Available to supported data stores in Identity Platform hybrid deployments.


Account Management Issue – Addressed issue with CyberArk SQL data store profile updates through the Account Management (Help Desk) page.


Endpoint Login Issue – When a user logs in locally on a workstation with a validated password that does not match their password stored in their organization's domain data store, the login screen will prompt the user for their domain password before MFA.


Migration Support – Added support in the Identity Platform to migrate Classic Experience realms to the New Experience.

For more information about migrating Classic Experience realms, see Classic Experience migration to the New Experience.


Username Lookup Performance Improvement – Added support for domain\username lookups in the New Experience to address performance issues.

To address performance issues with username lookups across multiple data stores, you can use the data store name as the "domain" identifier in the login string, like domain\username.

For example, if the data store name in the New Experience is acmeAD and your login username is jsmith, you would enter acmead\jsmith as the username in the login workflow.

The data store name must contain only alphanumeric characters, with no spaces or symbols.

For more information, see the knowledge base article: How to speed up logins to applications.


Passcode App Issue – Fixed issue where the Passcode app was not registered correctly on a desktop machine.


Mobile Services Migration Issue – Addressed an Identity Platform upgrade issue with mapped OATH Tokens.


TOTP Throttling Improvement – Improvement to TOTP throttling logic; cache is correctly cleared on successful login attempt.


AppPool Performance Improvement – Improved AppPool performance with Identity Platform call to SecureAuth cloud services.


New Application Improvement – In the New Experience, when you create a new application, endpoint, or FIDO2 enrollment page, you can select the realm number.


RBAC Configuration Issue – Addressed an issue with saving configuration changes to the role-based access control (RBAC) on the UI.


Adaptive Auth Redirect Issue – Addressed issue with signature validation in SP-init redirect to a different realm.


Country Code Lookup Issue – Addressed issue with the default country code on the Classic Multi-Factor Methods tab.


Audit Log Update – Update in the Auth API to mask knowledge-based answers (KBA) in the Audit logs.


FIDO2 Device Registration Improvement – Added support for administrators to define FIDO2 device restrictions for their end users in the global settings.

For more information about the Advanced Settings configuration, see FIDO2 WebAuthn global MFA settings.


Global Aux ID Support – Added support for Global Aux IDs in the Application Manager connection settings in a new "Static Attributes" section.


Digital Fingerprint Issue – Addressed issue with user agent string picking up identical digital fingerprint settings in Google Chrome and Microsoft Edge.

After applying the hotfix, this issue can still occur for a specific configuration. See this KB article for a workaround: Workaround for digital fingerprint hotfix


Remove Mobile Device Issue – Addressed issue with removing mobile devices on the Account Management (Help Desk) page.


Session URL Issue – EncryptUser.aspx has a ReturnURL to send the encrypted user cookie after authentication. This fix allows a dynamic ReturnURL, if it is provided and our ReturnURL is left blank.


Application Integration Support – Added support for unique application integrations that do not require the selection of a data store in the application integration settings.


Legacy Mobile App Registration Issue – Fixed an issue where legacy SecureAuth Authenticate app mobile registrations were not showing as an MFA method.


Option to Hide HID Token Button Support – Added support to optionally hide the HID token button in the Self-Service and Help Desk pages.

To use this feature, go to the Classic UI > Post Authentication tab for the Account Management Help Desk or Self-Service page configuration and set the Hard Token Button display type to Show or Hide.


Proof Key for Code Exchange (PKCE) Improvement – Improved PKCE support to revoke access tokens without a client secret.


FIDO2 Support – Added support to enable FIDO2 devices in the Classic Experience.