Skip to main content

Release Updates

Product updates to SecureAuth® Identity Platform base release 26.0.0.

Release 26.2.0

Release date: June 30, 2026

What's new

FIDO2 Enrollment app relocation to Internal Application Manager

FIDO2 enrollment application management has moved from the Multi-Factor Methods FIDO2 (WebAuthn) drawer to the Internal Application Manager, where it appears as a new internal application type under the Identity Management (IdM) category. Administrators can now create multiple FIDO2 Enrollment applications with distinct data stores, groups, authentication policies, and email notification settings. Existing FIDO2 Enrollment apps appear in the Internal Application Manager list after upgrade.

See FIDO2 enrollment page configuration.

Unenroll devices from the Dashboard

The Enrolled Mobile Devices and Enrolled Authenticator Devices detail views on the Dashboard Authentication Types tab were previously read-only. Administrators can now select one or more devices and unenroll them in a single operation. A confirmation message appears before the operation completes. The Enrolled Mobile Devices view in the Dashboard application includes the same action.

Unenrolling a device is permanent. Users must re-enroll an unenrolled device before they can use it to authenticate again.

See Dashboard: Authentication Types overview.

YubiKey Enterprise Attestation

YubiKey Enterprise Attestation lets you allow only the specific YubiKeys your organization bought, instead of any YubiKey of the same model. You keep a list of approved serial numbers, choose how strictly the platform checks serials when users enroll a key and when they sign in, and remove a serial to revoke the credentials registered with that key.

Enterprise Attestation is a FIDO2 standard feature. This release is certified with Yubico YubiKeys.

See Approved YubiKey Inventory and Configure YubiKey Enterprise Attestation.

Level of Assurance (LOA) condition for password suppression

You can now use Level of Assurance (LOA) as a condition for password suppression on the Login Workflow tab. When you enable Allow password suppression on the Username | MFA Method | Password or (Valid Persistent Token) | MFA Method | Password workflow, LOA appears in the Add condition list. The condition suppresses the password step when the confidence level of the user identity meets the level you set: Low, Medium, or High.

See Policy configuration - Login workflow.

Windows Server 2025 support for hybrid deployments

Windows Server 2025 is now supported for new installations and upgrades of Identity Platform 26.0.0.Windows Server 2022 remains supported.

See Supported Windows servers for product deployments.

Improvements

Configure Unique User ID for data stores and Split Profiles

You can now view and edit the Unique User ID property mapping in the data store properties UI for Active Directory, AD LDS, LDAP, OpenLDAP, NetIQ eDirectory, and Microsoft Entra ID data stores. In a Split Profile, you can choose which member data store provides the Unique User ID. Choose the source that is the most stable identifier for your environment. For Microsoft Entra ID, you can choose between Id and onPremiseImmutableId.

See Unique User ID mapping.

Expanded AuxID support in data store configuration

The data store properties now include Aux ID 1 through 25. You can map Aux IDs 11 through 25 to data store fields, the same as Aux IDs 1 through 10. After you map an Aux ID, you can use it in downstream configurations, such as SAML applications.

See List of stored profile field properties.

Help Desk user verification enhancements (Symbol to Accept and granular SMS controls)

The Account Management (Help Desk) page User Verification feature now supports Symbol to Accept and adds independent controls for SMS one-time passcode and SMS login request. With Symbol to Accept, the help desk agent and the end user see the same symbol, and the user taps the matching symbol in the SecureAuth Authenticate app to confirm their identity. This adds an option to the earlier push-to-accept flow, where a user could approve a request without confirming its context. SMS OTP and SMS login request are now separate options that you enable or disable independently, and each appears to the help desk agent only when you enable it.

See Help Desk user verification configuration and Help Desk user verification process.

Fixes

  • Generic LDAP data store now saves the SSL connection mode. Fixed an issue that saved the connection mode as Secure when you selected SSL while creating a Generic LDAP data store in the New Experience admin UI.

  • Email settings now display and persist in remote admin sessions. Fixed an issue that hid the SMTP server address and credentials, and cleared them on save, when you opened a realm from a computer other than the IdP server.

  • OIDC consent screen Approve and Deny now respond correctly. Fixed an issue where selecting Approve or Deny returned a server error instead of completing the authorization or access_denied response.

  • SAML SSO now works with embedded browsers that omit a language header. Fixed an issue that caused SAML assertion pages to return an error when a request did not include a language preference, as with some embedded browsers such as Tableau. The pages now default to English.

  • Removed the legacy NovellSSO.aspx page. Removed the unused page, which worked only with a legacy Novell ActiveX control in older Internet Explorer versions. This change does not affect NetIQ eDirectory, formerly Novell data store configurations.

Release 26.1.0

Release date: March 31, 2026

What's new

Dashboard as a standalone application

Administrators can now publish the Identity Platform Dashboard as a standalone internal application. Users such as  SOC analysts, auditors, and help desk agents can log in to the Dashboard directly and view reports on logins, user  profiles, authentications, and deployments without access to the SA Idp admin console. Administrators control which reports  are visible and can scope access by data store, policy, and user group.

For more information, see Dashboard application.

Session Validation rule for authentication policies

A new Session Validation rule type is available on the Authentication Rules tab in policies. This rule checks  whether a user has a valid session from another realm, allowing you to skip re-authentication when appropriate.

Use this to disable Zero Trust continuous authentication in environments where repeated MFA prompts create  unnecessary friction. For example, when Transparent SSO enforces continuous authentication, users are prompted for a  second factor on every login. With the Session Validation rule, you can configure the policy to skip MFA when a valid  session already exists.

For more information, see Policy configuration - Authentication rules.

Native OpenLDAP data store support

You can now add an OpenLDAP data store in the New Experience. This dedicated connection type provides native support for OpenLDAP directories, including password reset and other identity operations that did not work reliably through the Generic LDAP connection type

OpenLDAP data store support is available for hybrid deployments only.

For more information, see Add OpenLDAP data store.

Service disruption handling in authentication rules

The Policy configuration - Authentication rules tab in policy configuration now includes a Service Disruption Handling section for managing IPv6 connectivity issues and service unavailability. Previously available only as global realm-level settings in the classic experience, these options are now part of the new experience policy configuration. Administrators can select from the following actions for each scenario: no action, continue adaptive authentication, refuse authentication request, skip to post-authentication, or require two-factor authentication.Policy configuration - Authentication rules

Improvements & fixes

Automated PostgreSQL setup for air-gapped deployments

The air-gapped installer now installs and configures PostgreSQL automatically as part of the deployment process. You no longer need to set up PostgreSQL on a separate server or prepare database connection strings. See Air-gapped deployment overview.

SecureAuth Connector 2.2.1

The SecureAuth Connector installer now includes a cache configuration step. During installation or upgrade, you can select a caching mode for the connector service:

  • No Caching. The connector retrieves user data directly from the data store on every authentication request.

  • In Memory. The connector stores user data in memory for 30 minutes, resetting the timeout each time the same user authenticates. The connector only queries the data store for save operations like lock, unlock, or property updates. This is the default.

  • Redis. Same behavior as In Memory, but stores the cache in a Redis instance. You provide a connection string during installation, and the installer validates the connection.

Caching reduces the number of queries to Active Directory and other data stores during authentication, which helps with performance under high authentication loads.

For installation instructions, see SecureAuth Connector installation. For upgrade instructions, see SecureAuth Connector update.

Reduced SecureStorage dependency for on-premises deployments

On-premises deployments no longer require SecureStorage for data store configuration. The Identity Platform stores data store settings directly, reducing infrastructure complexity. Existing encrypted passwords are decrypted automatically during initialization, so no manual migration is required.

Username and password authentication with Entra ID

You can now use username and password login workflows with Microsoft Entra ID data stores that are federated to Microsoft applications like Office 365. A new Validate user password check box in the Entra ID data store connection settings sends user credentials directly to Microsoft for verification, instead of redirecting the user to the Microsoft sign-in page. This option uses the connection credentials already configured in the data store. For more information, see Add Microsoft Entra ID data store.

Open application behavior setting for SSO Portal

You can now control how applications open from the SSO Portal page. A new Open application behavior setting on the SSO Portal Page configuration page provides two options: New tab (default), which opens the application in a new browser tab, and Same tab, which opens the application in the current tab. Previously, applications always opened in a new tab with no way to change this behavior. See SSO Portal configuration.

Release 26.0.2

Release date: February 27, 2026

Changes

  • Fixed an issue in cloud deployments where the broker GetDataStores request timed out during login, causing authentication errors for users. This resolves a recurrence of the issue previously addressed in release 24.4.3.

  • Added a feature flag to disable continuous authentication during Transparent SSO (TSSO) flows. Previously, upgrades enabled this behavior by default, which changed authentication prompts in existing customer environments without requiring a policy reconfiguration.

Release 26.0.1

Release date: February 20, 2026

Fixes

  • Resolved issue where SP-initiated SAML POST binding failed with a "Cannot find the requested object" error when the AuthnRequest signature contained a KeyValue element instead of an X509 certificate in the KeyInfo block.

  • Fixed issue in Modern Theme where the browser tab title changed to the page URL after signing in to a realm instead of displaying the configured document title.

Release 26.0.0

Release date: January 30, 2026

Updates

Air-gapped deployment support

Continues to support air-gapped deployments for strict network isolation introduced in release 24.5.0. For implementation details, see Air-gapped deployment overview.

Authenticate OTP verification in Help Desk

Help Desk users can verify end user identity using codes from the SecureAuth Authenticate app. This option is available only in Help Desk pages using the SA IdP theme. See Help Desk user verification process.Help Desk user verification process

Additional account management settings

Administrators can now show or hide the following settings on the Account Management and User Portal pages, allowing help desk staff and end users to view or clear them as needed:

Help Desk page
  • Password Throttling

  • MFA Throttling

  • Cookie Keys

  • OTP Validation

  • OIDC Consent

User Portal / Self-Service page
  • Cookie Keys

  • OTP Validation

  • OIDC Consent

Support for specific Distinguished Name (DN)

Added support for creating LDAP users under a specific Distinguished Name (DN) for Active Directory data stores.

Fixes

  • Improved risk engine timeout handling to prevent authentication delays during database latency issues.

  • Fixed issue on the Account Management page where Reset buttons appeared for authentication methods set to "Show Disabled". The Show Disabled setting now prevents the Reset action from appearing in the UI.

  • Resolved issue where group restrictions configured in the New Experience failed to validate membership when using OpenLDAP or Tivoli data stores.

  • Resolved task cancellation errors that caused data store and profile property retrieval failures during broker timeouts.

  • Resolved data store search issue where users with identical usernames across different domains were looked up in the wrong data store during authentication.

  • Fixed issue in Policy configuration on the Login Workflow tab where the Save Changes button did not activate when enabling username or password suppression on existing conditional username rules.

  • Resolved PIN display issue on the User Account page where encrypted PIN values triggered an "Invalid format" error message after logout and login.

  • Resolved issue where TOTP failover to on-premises authentication did not occur when cloud services returned 404 Not Found errors.

  • Resolved issue in Advanced Settings where custom application URLs did not display correctly when copying existing realms or creating new realms, causing the "view in browser" option to fail.