Cumulative changes: 24.04 through 26.0.0
Organizations upgrading from SecureAuth® Identity Platform release 24.04 to 26.0.0 will find substantial improvements in authentication flexibility, security monitoring, and deployment options. This document includes features introduced in patch releases 24.4.1 through 24.5.0.
The following table maps features from Identity Platform release 24.04 to new and enhanced capabilities in release 26.0.0. If you're upgrading from a patch release (such as 24.4.6), many of these features may already be available in your environment.
For complete list of all updates, see Release Updates 24.04 and Release Updates 26.0.0.
24.04 (base) | 26.0.0 (cumulative) | Differences |
|---|---|---|
--- | Air-gapped deployment: Support for isolated network environments running SecureAuth IdP. | New deployment option for networks without internet connectivity. Supports Windows Server 2022, FIDO2/Passkey authentication, help desk verification, and YubiKey HOTP. |
--- | API data store support: Authenticate users through API-based data stores. | SecureAuth IdP now supports API-based authentication and profile data access, enabling upgrades without additional customization for organizations using API authentication. |
--- | Identity Pools: Manage temporary or dynamic users without enterprise data stores. | Create cloud-based user directories for contractors or temporary access. Includes group management and direct application linking. |
--- | LOA risk engine dashboard: View and analyze Level of Assurance scores across your organization. | Dashboard displays LOA scores, authentication trends, and geographic login patterns. Administrators can monitor risk scoring and fine-tune LOA rules without searching audit logs. |
LOA confidence scoring: 0-4 scale for confidence levels | LOA confidence scoring: 0-100% scale with customizable ranges. | More granular scoring with configurable thresholds. Default ranges: Low (0-39), Medium (40-79), High (80-100). |
User Account page: Basic profile management | User Account page: Enhanced with device management, phone/email verification, and session history | Expanded capabilities include authentication device registration, customizable field labels, and language support. Profile fields set as "Visible (read-only)" only display when populated. |
SSO Portal Themes: Theme configuration for SSO Portal only. | Modern Themes: Expanded theming for multiple Identity Management pages | Renamed from "SSO Portal Themes." Now supports User Account page, SSO Portal, and other IdM pages with modern layouts. |
Session timeout: Basic timeout configuration. | Session timeout: Enhanced with session expired warnings. | Users receive warnings before session expiration on Modern Theme pages. Option to wait or automatically restart login process. |
SAML attributes: Standard attribute set. | SAML attributes: Expanded to include Browser Session ID, Client IP Address, and Authentication Method. | New attributes available in Advanced Settings and New Experience SAML integrations. Also available in OpenID Connect ID Token Claims configuration. |
SAML metadata: Manual file management. | SAML metadata: Enhanced with URL import/export and global domain settings. | New capabilities include global domain specification for all SAML applications, import/export Service Provider metadata through URL, and update metadata by importing new files. |
Microsoft Conditional Access: Custom Controls only. | Microsoft Conditional Access: Added External Authentication Methods (EAM) support. | Support for external authentication methods in Conditional Access with Microsoft Entra ID, including certificate-based Windows authentication. See Microsoft Conditional Access External Authentication Method (EAM) integration guide |
--- | OIDC Manager: OpenID Connect and OAuth management in New Experience. | Early Access feature for managing OIDC and OAuth applications in New Experience interface. See OIDC Manager |
FIDO2 device management: Basic enrollment controls. | FIDO2 device management: Approve devices by AAGUID and validate with FIDO Alliance. | Administrators can approve FIDO Alliance-verified devices using their AAGUID. End users can view approved devices on FIDO enrollment page. |
MFA initialization: Redirect to separate enrollment pages. | Inline MFA initialization: Register additional MFA methods during login. | Users can set up mobile Push/TOTP, FIDO2, Yubikey, and HID devices directly in the login flow when methods are required but not enrolled. |
Login options: Username and MFA methods. | QR code-only login: Option to hide username field and show only QR code. | New configuration option speeds up authentication and reduces phishing risks using session-based QR codes. Configure in authentication policy on Login Workflow tab. |
Transparent SSO: Basic SSO functionality. | Transparent SSO: Enhanced with continuous authentication support. | Added logic to PostAuth pages for continuous authentication. Re-evaluates adaptive policies and group restrictions after login, preventing bypass of restrictions with valid cookie. |
Dashboard - User Profile Data: Basic login tracking. | Dashboard - Access History: Detailed view of user login activity. | Administrators can click Access History column numbers to view detailed login records including timestamps and access patterns. Available in cloud deployments only. |
Login for Windows: Standard configuration. | Login for Windows: Added Ctrl+Alt+Delete password change option. | Users can update passwords through self-service or must authenticate before password changes. Improved login performance and standardized interface. |
Help Desk - Password Reset: Manual password creation. | Help Desk - Generate Password: System-generated secure passwords. | New "Generate Password" button creates secure system-generated passwords, ensuring complexity requirements are met. |
Policy configuration - Users and groups: Exact name matching. | Policy configuration - Users and groups: Wildcard support for names. | Wildcards now supported in Advanced Settings (Adaptive Authentication > User/Group Restriction) and New Experience (Authentication Policies > Users and groups). |
Application URLs: Standard URLs only. | Custom Application URL: Create unique URL aliases for applications. | Create user-friendly URL paths for application logins in New Experience. |
Authentication apps - TOTP: Standard TOTP validation. | Authentication apps - TOTP: Prevent re-use of TOTP codes. | New security setting prevents unauthorized use of previously generated TOTP codes. |
Regular expressions: Limited set for password deny lists. | Regular expressions: Expanded options with custom expressions. | Extended list of available regular expressions for password deny lists. Administrators can add custom expressions. |
User Account page: Standard English only. | User Account page: Customizable field labels with language support. | Configure translations in supported languages including English, Spanish, French (Canadian), and Japanese. Customize field labels to match organizational terminology. |
TOTP configuration: Global settings only. | Offline TOTP: Individual setting overrides for air-gapped environments. | Configure specific TOTP settings for systems without internet connectivity. Works with SecureAuth Authenticate App, Desktop App, and standard TOTP applications. |
Password throttling: Standard configuration. | Password throttling: Enhanced for air-gapped deployments. | Improved brute-force password attack blocking without requiring connectivity. |
Risk Engine configuration: Manual updates only. | Risk Engine: Added "Refresh LOA Configuration" option. | New link in LOA provider settings to re-sync configuration with Risk Engine. Use only when instructed by SecureAuth Support. |
Authentication waiting page: Always visible during SAML post-auth. | Authentication waiting page: Toggle to show or hide during authentication. | New configuration setting allows choosing whether to display waiting page during authentication process. |
SCIM provisioning: Always includes password in payload. | SCIM provisioning: Option to exclude password from payload. | New option excludes user password from SCIM provider payload during provisioning. Some SCIM providers require passwords and may fail without it. |
Localization: Limited language support. | Localization: Added French-Canadian language support. | Expanded language support includes French-Canadian. |
LOA conditional rules: Require full configuration. | LOA conditional rules: Added "Continue to next rule" option. | New conditional rule for authentication policies supports Risk Engine learning phase. |
Audit logs - LOA: No specific LOA event tracking. | Audit logs - LOA: New Event ID for LOA scores and confidence levels. | Dedicated event ID tracks SecureAuth LOA score and Confidence Level for each user authentication attempt. |
Product branding: SecureAuth Identity Platform branding. | Product branding: Updated SecureAuth branding and visual design. | Platform updated with new SecureAuth branding while maintaining familiar layout. |
Data store testing: Basic connection testing. | Data store testing: Fixed false negative issues with Test Credentials. | Resolved issue in cloud deployments where Test Credentials button sometimes returned false negatives for valid connections. |
Split Profile data stores: Basic configuration. | Split Profile data stores: Improved error handling and creation. | Fixed issues preventing data store selection during creation and errors when editing existing configurations. |