

The following lists hotfixes for the SecureAuth® Identity Platform release 23.07.

23.07 hotfixes

Release No.

Release Date

Ref ID

Issue / Description




Performance Issue – Fixed data store loading issues in New Experience applications.




IWA Fallback Improvement – This update ensures that the username field is selected by default when falling back to the forms-based authentication page.


Debug Logs Update – Security update to prevent sensitive information about SQL service accounts from appearing in debug logs for SQL connections created in the New Experience.


Help Desk Page Issue – Addressed an issue with apostrophe handling in GET User requests for Help Desk pages.




SecureAuth Auth API Update – Improvements in the SecureAuth API to support Dynamic IP blocking. SecureAuth RADIUS now supports consuming this new change.

See the SecureAuth RADIUS release notes for the latest update.




CyberArk Username Issue – Addressed an issue where the CyberArk username was not saved in the Advanced Settings (on the Data tab for Datastore connection settings).


Single User Logout URL Issue – Added logic to the metadata for the single logout service URL.


ASP.NET Issue – Added improvement to async in ASP.NET targeting dynamic IP blocking.


Authentication Issue – Addressed an issue with random authentication errors.


Hardstop Verbiage Customization – Added key to allow customization of the "Hardstopped by Analyze Engine" message.

To add the new hardstop_message key, you must use the "Update Resource" function on the updatewebconfig page.


AppSetting to Extend SAML Attribute Limit – Added the ability to extend the SAMLAttrCountLimit appsetting value to more than the default 10 attributes in a SAML assertion.

You can change the SAMLAttrCountLimit value to a number greater than 10. Then, you must include the following appsetting values for each additional attribute.

string attributeName = Tools.ReadAppSettings("SAMLAttr" + i + "Name"); 
string attributeFriendlyName = Tools.ReadAppSettings("SAMLAttr" + i + "FriendlyName"); 
string attributeFormat = Tools.ReadAppSettings("SAMLAttr" + i + "Format"); 
string samlAttributeValue = Tools.ReadAppSettings("SAMLAttr" + i + "Value"); 
string matchExpression = Tools.ReadAppSettings("SAMLAttr" + i + "FilteredGroup");

Note: At this time, this is a manual setting. There will be a UI update coming in a future hotfix.
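As an added example (not SecureAuth code), the following Python script checks a web.config for the five keys listed above on every attribute beyond the default 10, which is useful while the setting is still manual. It assumes the index i is 1-based, so additional attributes start at 11, and that the keys are standard <add key="..." value="..."/> entries under <appSettings>; the sample configuration and its values are constructed.

```python
import xml.etree.ElementTree as ET

# Key suffixes taken from the ReadAppSettings calls listed above.
SUFFIXES = ("Name", "FriendlyName", "Format", "Value", "FilteredGroup")
DEFAULT_LIMIT = 10  # default SAMLAttrCountLimit stated in the release note

# Constructed sample: limit raised to 12, attribute 12 only partly defined.
# All values are placeholders made up for this example.
SAMPLE_CONFIG = """<configuration>
  <appSettings>
    <add key="SAMLAttrCountLimit" value="12" />
    <add key="SAMLAttr11Name" value="department" />
    <add key="SAMLAttr11FriendlyName" value="Department" />
    <add key="SAMLAttr11Format" value="Basic" />
    <add key="SAMLAttr11Value" value="Aux ID 1" />
    <add key="SAMLAttr11FilteredGroup" value="" />
    <add key="SAMLAttr12Name" value="costCenter" />
    <add key="SAMLAttr12FriendlyName" value="Cost Center" />
    <add key="SAMLAttr12Value" value="Aux ID 2" />
  </appSettings>
</configuration>"""


def missing_saml_attr_keys(config_xml):
    """Return {index: [missing key names]} for attributes above the default limit."""
    section = ET.fromstring(config_xml).find("appSettings")
    adds = section.findall("add") if section is not None else []
    settings = {a.get("key"): a.get("value", "") for a in adds}

    raw = settings.get("SAMLAttrCountLimit", str(DEFAULT_LIMIT))
    try:
        limit = int(raw)
    except ValueError:
        raise ValueError(f"SAMLAttrCountLimit is not an integer: {raw!r}")

    gaps = {}
    # Assumption: indices are 1-based, so additional attributes start at 11.
    for i in range(DEFAULT_LIMIT + 1, limit + 1):
        # Presence check only: an empty value (e.g. FilteredGroup) is accepted.
        missing = [f"SAMLAttr{i}{s}" for s in SUFFIXES
                   if f"SAMLAttr{i}{s}" not in settings]
        if missing:
            gaps[i] = missing
    return gaps


if __name__ == "__main__":
    for index, keys in missing_saml_attr_keys(SAMPLE_CONFIG).items():
        print(f"attribute {index}: missing {', '.join(keys)}")
```
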


Include OATHOTP.aspx Page – This new post-authentication page will generate the TOTP for all the user’s enrolled devices.


Level of Assurance (LOA) Provider – We've integrated a machine-learning based Assurance Provider to analyze login patterns of users. It generates a Level of Assurance (LOA) confidence score for each user. The LOA score helps decide whether to increase or decrease user friction at the time of login.

To learn more about configuring and using LOA, see SecureAuth Level of Assurance (LOA) Provider settings.



EE-1730, EE-3373

Security Issue – Security improvements for managing UserExchange Web Service for Custom application integrations.


OIDC Realm Issue – Addressed issue for an edge case between OIDC Consent + Windows SSO + Transformation Engine.


AppSetting for ACS URL Restriction – Added missing <appSetting> for the ACS URL Restriction.

This relates to EE-3302 in the 23.07-1 hotfix.


Update Web.Config Issue – Added logic to preserve unique modifications when running the update for the web.config file.


Updates to Send FIDO2 Confirmation Email – Updates include a logging enhancement and a resource field for the replyDisplayName for the email output.

This relates to EE-3359 in the 23.07-2 hotfix.




AD LDS Data Store Issue – Addressed a test connection issue for the AD LDS data store in the New Experience.


SMS Issue with OTP – Addressed an issue where OTPs were sent as voice messages instead of SMS. This happened when using the Voice/SMS combo option for the Phone MFA method in themes 2013 and 2016 Light.




Transparent Single Sign-On Issue – Addressed an issue where custom token user data containing a comma invalidated the TSSO. We utilized the existing Delimiter setting so that the cookie data can be parsed with a delimiter known not to clash with user data.


CyberArk Credentials Issue – Addressed an issue where the CyberArk Vault username could not be saved in the Advanced Settings.


MFA Method Order Improvement – Added improvement to retain the RegMethodOrder value in the web.config after you make a change in the New Experience.

After installing the hotfix, to apply this update, adjust each policy. Simply tweak a setting in each policy, save, revert, then save again.


Send FIDO2 Confirmation Email – Added a configuration setting to send a confirmation email to end users when they enroll or remove a FIDO2 authenticator in their profile.

To learn more about configuring this setting, see How to send a confirmation email about a FIDO2 device.


Support for Preferred MFA in RADIUS 23.11 – Added support for the Preferred Auto-Submit Method set by an Admin in a policy.

To learn more about Preferred MFA for RADIUS, see SecureAuth RADIUS version 23.11 release notes.




SVG Image Support – Added support for .svg images in Advanced Settings for Company Logo on login pages.


Migration Issue with Profile Datastore – Addressed issue with a SQL profile provider data store not working correctly after a Classic to New Experience realm migration.

Hotfix merge into this release (EE-3202)

Setting to Pre-Populate Username Field – Added setting to turn on or off the username autofill setting for SP-initiated login workflows.

By default, this setting is turned on. Contact Support to turn this on or off.


Conditional Access – Added out of the box integration with Conditional Access and the Identity Platform.

To learn more, see Microsoft Conditional Access Custom Controls integration guide.


FIPS Compliance on User Handler Web Service Page – Added logic to make EncryptUser.aspx page compliant with FIPS.


Metadata File Download – The metadata file download in the New Experience now also goes to the root of the application realm.


HID Hard Token Improvement – Added an optional serial number field for HID hard token enrollments. This is also supported in CSV file uploads.


2016 Light Theme Issue – Username + Password login workflow does not work correctly when the user enters their username and presses Enter instead of Tab to the password field.


Configuration Setting for ACS URL Restriction – Added a configuration setting to turn ON or OFF the ACS URL whitelist enforcement.


Before you install this hotfix, see this KB article: How to establish trust for ACS redirects in SP-initiated SAML requests


Password Change on Disabled Accounts Issue – Addressed issue affecting disabled accounts with a Change Password on Next login setting.


SecureStore Issue – Addressed file locking issue with SecureStorageAPI during file sync to secondaries.