Release Updates
Product updates to SecureAuth® Identity Platform release 24.04.
For a complete list of fixes and known issues, see Enhancements and fixes, and Known issues.
Release date: July 18, 2024
Enhancements
- User Account page
We've redesigned and renamed the Self-Service Account Update page to User Account. It's now part of the New Experience, where you can attach a modern theme and customize field visibility.
To learn more, see User Account page configuration.
Available only in hybrid deployments. Coming soon for cloud deployments.
- Microsoft Conditional Access
Support for external authentication methods (EAM) in Conditional Access with Microsoft Entra ID.
To learn more, see Microsoft Conditional Access External Authentication Method (EAM) integration guide.
- Localization support
Localization support for French-Canadian language.
- Theming configuration
Global theming configuration SSO Portal Themes is now Modern Themes, allowing theme creation for more Identity Management (IdM) pages with modern layouts.
- Session timeout improvements
For pages with the Modern Theme (SSO Portal and User Account), users now receive a session expired warning. They can choose to wait or the system will automatically restart the login process, ensuring a smoother experience.
- Profile field visibility
On the User Account page, profile fields set as "Visible (read-only)" will not display if the field is empty. This improves the user experience by reducing clutter and focusing on relevant information.
- New SAML attributes
We have expanded the list of available SAML attributes in Advanced Settings to include
Browser Session ID
,Client IP Address
, andAuthentication Method
. These new attributes are also available in the Open ID Connect ID Token Claims configuration for a profile property mapping.In the upcoming release update, these additional SAML attributes will be available for SAML integrations in the New Experience.
- Run Windows SSO warning
Added a warning that an authentication policy can only have one "Run Windows SSO" conditional rule.
- New branding
We've updated the platform with our new branding while keeping the familiar layout. Enjoy a fresh and modern look.
Fixes
Resolved an issue with Custom Controls in Conditional Access.
Resolved an issue with external authentication methods (EAM) in Conditional Access.
Fixed a SAML metadata file export issue.
Fixed an issue with the users API endpoint to modify user accounts with a Microsoft Entra ID data store.
Fixed a known issue in 24.4.1 where updating data store information in cloud deployments with SecureAuth IWA Service for Windows SSO wiped out the IWA service account password.
Fixed issues where editing an existing Split Profile data store caused an error. And creating a new Split Profile data store prevented data store selection.
Fixed issues with migrating realms from the Classic Experience to the New Experience, where it did not retain the selected data stores.
Release date: June 4, 2024
Enhancements
- Audit log update
Includes new Event ID for the SecureAuth LOA score and Confidence Level for each user.
See the Audit log section in the SecureAuth Level of Assurance (LOA) Provider settings topic.
- New conditional rule
In the authentication policy, we've added a new conditional rule, Continue to next rule. Use this rule when the Risk Engine is in its learning phase.
See step 3 in Add LOA rule in authentication policy.
- Authentication apps global MFA
New setting to Prevent re-use of TOTP to prevent unauthorized use of a previously generated TOTP.
- FIDO2 WebAuthn global MFA
New setting to Validate device registration with FIDO Alliance that enhances security.
Fixes
Resolved an issue where users had to manually clear cookies due to excessive growth from hitting multiple realms.
Updated installer to streamline updates to SecureAuth Identity Platform
Fixed an issue where saving email settings in the admin UI would clear out SMTP relay information, causing customers to stop receiving emails.
Fixed an issue where the Adaptive rule "Run Windows SSO" incorrectly prompted for MFA despite settings to skip MFA.
Resolved security issue where the IWA service account password was exposed in the data store list payload in the New Experience.
Known issue
In cloud deployments with SecureAuth IWA Service enabled for Windows SSO, updating any data store information might wipe out the IWA service account password.
Workaround: Re-enter the IWA service account password.
Note
This issue is resolved in the 24.4.2 release.
Release date: April 3, 2024
See also a list of hotfixes from previous releases that were rolled into this release and a list of known issues:
Enhancements
- Add external identity provider (IdP) in policy
New setting in the authentication policy allows you to delegate SAML-based authentication to an external identity provider, like Arculix.
To learn more, see SecureAuth IdP and Arculix integration (IdP Chaining) and SecureAuth IdP and Arculix integration (IdP Factoring).
- Aux ID for cloud storage
The data store properties have a new setting, Use Cloud Storage. Instead of storing this value in your data store, you can store this value in an Aux ID to the cloud profile database.
To learn more, see How to set up Aux ID for cloud storage.
- Dashboard enhancements
We've improved the look and feel of the Identity Platform dashboard. Some updates include:
Data organization: The dashboard now categorizes data into the following four tabs to optimize analysis:
Login Data – Explore data related to logins by system, applications, or users.
User Profile Data – Explore cloud profile data associated with each user name.
Authentication Types – Explore data on enrolled mobile and authenticator devices, and view push notifications blocked by users.
Deployment Data – View product versions for services deployed with your Identity Platform tenant.
Quicker data refresh: Dashboard data now refreshes every 3 hours for quicker visibility to key metrics such as user logins.
To learn more, see Dashboard insights.
- Password Policy updates
Some password policy updates include:
Password Policy change. Before, the password policy was linked to the application in the Application Manager. We changed where password policies are linked, which is now in the authentication policy. It's on the Login Workflow tab. The password policy is no longer restricted to the Password Reset page at the application level. You can now set a password policy for all applications attached to the authentication policy. This includes Account Management pages and SAML applications.
Real-time password rules. Users can now see the password rules in real-time when they change their password in the application.
Inline password change. Setting now available in the New Experience for authentication policies. It's on the Login Workflow tab. The setting allows users to change their password inline without leaving the page.
To learn more about setting up password rules, see How to configure and display password rules for users.
- SAML Logout
Provides seamless termination of user sessions in the Identity Platform (IdP) when they log out of a service provider (SP).
To learn more, see How to configure SAML Logout.
- Single Logout (SLO)
Provides seamless termination of connected SPs within the corporate SSO ecosystem when the user logs out of an SP.
To learn more, see How to configure Single Logout (SLO).
- SecureAuth Risk Engine updates
We've integrated a machine-learning based Assurance Provider to analyze login patterns of users. It generates a Level of Assurance (LOA) confidence score for each user. The LOA score helps decide whether to increase or decrease user friction at the time of login.
To learn more about configuring and using LOA, see SecureAuth Level of Assurance (LOA) Provider settings.
- Send FIDO2 confirmation email
Send a confirmation email to the user when they enroll or remove a FIDO2 authenticator in their profile.
To learn more about configuring this setting, see How to send a confirmation email about a FIDO2 device.
- Send password change notification
Send a notification to the mobile app to let the user know about a password change.
To learn more about configuring this setting, see How to send a notification about a password change.
- SSO Portal page improvements
Customize the look and feel of your organization's SSO Portal. You can edit the default portal theme, or create custom themes, and set how application tiles appear. Apply your theme when you configure an SSO Portal page in the Internal Application Manager.
For more information, see Modern Themes and SSO Portal configuration.
- Windows SSO as an adaptive rule
Windows SSO as an MFA method has moved to the Authentication Rules tab in the authentication policy. You can use Run Windows SSO as a condition in an authentication rule for Country, IP Range, or Threat Service.
Other improvements and fixes
- Copy data store
We've added the ability to copy a data store. This makes it easier to clone a data store and change attributes for other applications.
- Deprecate Create New From Template
In the Advanced Settings (formerly Classic Experience), we've deprecated the Create New From Template feature.
- Extend realm limit
Added improvement to extend the realm limit beyond 999.
- FIDO2 device card view
New admin setting to set how users will view their devices on the FIDO2 Enrollment page. Admins can choose the card view or table view for their users.
- FIDO2 device restriction options
More options to restrict how many FIDO2 devices a user can enroll. Available settings are No limit, or 1 through 10.
- Microsoft Conditional Access Custom Controls
Added out of the box integration with Microsoft Conditional Access and the Identity Platform.
- Mobile services updates
We've added some configurations that relate to mobile services features.
Override company display name – In the application configurations, you can override the default company name that is set in the Multi-Factor Methods > Authentication Apps settings. This setting is in the Application Manager and Internal Application Manager.
Enable blocking of push notifications – New admin setting allowing users to block unknown login requests. This setting is in the Multi-Factor Methods > Authenticate Apps configuration.
To learn more, see How to block and unblock login requests in Authenticate.
Prevent third-party app scan of QR code – You can prevent users from using third-party apps to scan the QR code on the QR enrollment page. This setting is in the Internal Application Manager for QR enrollment page configuration.
Only allow enrollment from MDM devices – You can only allow QR and URL enrollment from mobile device management (MDM) devices. This setting is in the Internal Application Manager for QR or URL enrollment page configuration.
- New OTP Validation field for Login for Endpoints
We've added a new OTP Validation field in the data store properties. For end user authentication in Login for Endpoints, you will need to map to this field instead of an Aux ID.
- SAML post-auth message
During a SAML post-auth login workflow, it displays a message to users to be patient. To customize this message, see How to modify SAML post-auth message.
- SecureAuth Connector Installer UI updates
When generating the Connector configuration files, we added the ability to confirm or change the email address where you receive the passcode.
- Split profiles
In the New Experience, we've improved the ability for applications to pull Membership information and Profile information from different data stores.
- Theme
Changed the default theme to SA IdP on the Overview tab in the Advanced Settings. This is the theme for the pre-authentication login page that displays MFA options.