SecureAuth IdP Release Notes provide information on the features and improvements in each release. This page includes Release Notes for major releases and minor (bug fix) releases.

9.0.2 Release Notes

Released on December 19, 2016

Version 9.0.2 New Features

| Feature | Description | References |
| --- | --- | --- |
| Carrier network whitelisting / blacklisting | Allow end-users to control which carriers and countries can be sent SMS or TTS | https://docs.secureauth.com/x/xwSfAg |
| Ported phone number status and control | Allow end-users to mitigate risk on ported mobile devices | https://docs.secureauth.com/x/xwSfAg |
| Block SMS / TTS phone classes for OTP | Increase assurance to real end-users by blocking SMS or TTS delivery to risky phone types | https://docs.secureauth.com/x/xwSfAg |
| Second Factor Throttling | Allow end-users to protect against brute force and DOS attacks | https://docs.secureauth.com/x/xAmfAg |
| Send Ad Hoc OTP Support | B2C use cases in which SMS is sent to a phone number and not saved in the data store | https://docs.secureauth.com/x/sgljAg |
| Improve DFP scoring logic | More accurate DFP (device recognition), adapting to changes in browser technology | |
| Second Factor persistence | User second factor selection is persisted | |

9.0.2 Resolved Issues

| Ref ID | Issue | Description |
| --- | --- | --- |
| IDP-737 | Push or OATH not displayed as second factors for split user profile | Profile provider is not using the specified search attribute and therefore cannot decrypt Push or OATH tokens |
| IDP-755 | PIN default configuration not set | PIN setting should default to encrypt |
| IDP-916 | CSRF Vulnerability | CSRF Vulnerability appears in an IDM page |
| IDP-1079 | QR Code enrollment with IE browser throws an error | QR Code enrollment using Authenticate App produces invalid passcode error in IE, but device is registered despite error |
| IDP-1107 | Unable to login with AD-LDS data source | On some Web Admin configurations, the end-user is unable to logon when the data source is set to AD-LDS |
| IDP-1127 | User Creation fails to add user to group | When adding user via User Creation page and specifying a group, user – but not group assignment – is added to directory |

9.0.2 Known Issues

| Ref ID | Issue | Description |
| --- | --- | --- |
| IDP-17 | HTML appended to logging text file | When downloading a text log, superfluous HTML is added to the end of the log |
| IDP-85 | Appliance performance is impacted by a down Syslog Server | Appliance performance is impacted when a Syslog server (on the same subnet) is completely offline (not just the service down) |
| IDP-127 | DFP fails with Windows FIPS mode enabled | DFP fails in Windows with the FIPS mode enabled |
| IDP-218 | "Open in Browser" button is missing | Open in browser button is missing in the Web Admin when viewing a custom group |
| IDP-251 | Help Desk "Clear KBA" checkbox stays checked | 2016 Theme: Help Desk checkbox for clearing KBA / KBQ remains checked after retrieving a new user |
| IDP-256 | First time password entrance reported as "invalid" | When encrypted password (Java only) is set with Java certs in private mode, first time password is entered, system reports it as "invalid" |
| IDP-264 | Localization support in Help Desk | In the Help Desk section, many fields do not support localized language support |
| IDP-416 | Validate phone error message does not display | With the 2016 Theme applied, the error message does not appear when using a regular expression to validate a phone |
| 2444 | Wait indicator continues when creating a new realm | Wait indicator (spinner) remains on the screen after the process is completed |
| 2671 | Default verbiage usage | Custom English verbiage is not used when the end-user is using a language unsupported by SecureAuth IdP |
| 2672 | Inline Password: Password Complexity instructions' visibility | With the 2016 Theme applied, Inline Password Password Complexity instructions do not display if requirements are not met – appears only for a workflow with Username and Password on the same page |
| 2673 | Password must be entered twice | For an inline password change, if Username and Password are on the same page, end-user must enter password twice |
| 2707 | Submit button malfunctions on an Android mobile browser | With the 2016 Theme applied, the Submit button does not work on an Android mobile browser for specific Android devices |
| 2721 | eDirectory Profile field data loss | On the Web Admin, data is lost when the admin tries to save a page before the page is finished loading |
| 2808 | Help Desk – "Locked" status inaccuracy | On the Help Desk page, the Lock status is inaccurate when using an ASP.NET datastore |
| 2840 | "Cache Lockout Duration" field not saved | Time-based Passcodes (OATH) Cache Lockout Duration field does not retain a new value |

9.0.1 Release Notes

Released on August 24, 2016

Version 9.0.1 New Features

| Feature | Description | References |
| --- | --- | --- |
| Role-based Access Control (RBAC) | Enables admins to provide delegated access to specific users based on LDAP directory groups. | https://docs.secureauth.com/x/lwiLAg |
| Screen Reader Tags to User Facing Pages | Added to improve accessibility for all elements of user facing pages. | |
| CyberArk Password Vault Directory Integration | Provides the support of CyberArk AIM privileged account vaulting for administrative accounts used in Web Admin. | https://docs.secureauth.com/x/WwNjAg |
| SailPoint Adaptive Authentication Engine Integration | Enables Adaptive Authentication function leveraging risk scoring mechanism from SailPoint appliances (take action based on score). | https://docs.secureauth.com/x/7QiLAg |
| Exabeam Adaptive Authentication Engine Integration | Enables Adaptive Authentication function leveraging risk scoring mechanism from Exabeam appliances (take action based on score). | https://docs.secureauth.com/x/5giLAg |
| Label Update in Web Admin | Renamed labels to more easily understand functionality. | https://docs.secureauth.com/x/nQiLAg |
| Organization Taxonomy Update in Web Admin | Reorganized menu structure of certain locations in the Web Admin. | https://docs.secureauth.com/x/nQiLAg |
| QR Code Registration OATH Seed and Token Mode Support | Enhanced support for both TOTP seed modes with QR registration. | https://docs.secureauth.com/x/E4JsAg |
| SecureAuth IdP Setup Utility (SISU) Enhancements | Added ability to select which SecureAuth IdP version to download. | https://docs.secureauth.com/x/hApjAg |
| WS-Federation Version and SHA Toggles | Enables admins to manually set WS-Federation settings. | |
| TLS 1.0 Default Disablement | Disables TLS 1.0 at the appliance level to increase security. | |
| Removal of Deprecated Post Authentication Pages | Deprecated Post Authentication pages are no longer available to select in realms. | |

9.0.1 Resolved Issues

| Ref ID | Issue | Description |
| --- | --- | --- |
| 1805 | PIN field repopulation after cleared by user | PIN field re-populates after being cleared by the user, but content for that field in the data store is deleted. |
| 1905 | Login "Submit" button is disabled | 2016 Theme: When Java detection is set to False, the "Submit" button becomes disabled. |
| 1954 | Template Wizard hangs when test link is clicked | A realm configured using the template wizard hangs when the test link is clicked. |
| 1959 | "Back" button error on Update or Decrypt web.config pages | User receives a server error message when the "Back" button is clicked from updatewebconfig.aspx or decryptwebconfig.aspx page. |
| 2258 | Adaptive Authentication: unable to save "Disable" Failure Action | Unable to save "Disable" as failure action depending on the order of the Adaptive Authentication factors. |
| 1939 | Password Unlock page does not display correct password status | PasswordReset.aspx: Unlock account status always 'Normal' (can't tell if account is locked). |
| 1943 | Audit logging to Database failure | Audit log entries failed to write to database target. |
| 1966 | API Web Admin page does not save when copying from another realm | Changes to API configuration were not saved to additional realms. |
| 1967 | Wrong menu tab highlighted on the web.config Editor page | Menu items selected in web admin were not always highlighted correctly on the menu bar. |
| 2038 | App links not working on QR code screen | In mobile app QR registration page, links to mobile stores did not work. |
| 2089 | Missing Resx key in code for QR page | Resx "configurable text" missing in mobile app QR registration page. |
| 2268 | JWT signature incorrect size | The signature generated inside the JWT of the OpenID Connect assertion is 128 byte, not 256 byte. |
| 2418 | "Submit" button malfunction with Java Detection set to "False" | When Client Side Control is set to Java and Java Detection is set to False, the "Submit" button does not function. |
| 2471 | Password requirements improperly displayed | Password requirements do not display properly when in in-line password change on 2016 theme. |
| 2520 | "Allowed Groups" in profile provider not saved | When selecting SQL Server, "Allowed Groups" value does not save. |
| 2785 | Create Realm from Template AWS failure | Create new realm from AWS template fails with error: Conversion from type 'Guid' to type 'String' is not valid. |

9.0.1 Known Issues

| Ref ID | Issue | Description |
| --- | --- | --- |
| 811 | HTML appended to logging text file | When downloading a text log, superfluous HTML is added to the end of the log. |
| 1273 | DFP fails with Windows FIPS mode enabled | DFP fails in Windows with the FIPS mode enabled. |
| 1283 | Appliance performance impacted by down Syslog Server | Appliance performance is impacted when a Syslog server (on the same subnet) is completely offline (not just the service down). |
| 2106 | First time password entrance reported as "invalid" | When encrypt password (Java only) is set, and Java certs in private mode, the first time a password is entered, the system reports it as "invalid". |
| 2109 | Validate phone error message not displayed | 2016 Theme: error message does not appear using regular expression to validate phone. |
| 2120 | "Open in Browser" button missing | Open in browser button missing in web admin when viewing custom group. |
| 2145 | Help Desk "Clear KBA" checkbox stays checked | 2016 Theme: Help desk checkbox for clearing KBA/KBQ remains checked after getting a new user. |
| 2253 | Localization support in Help Desk | In Help Desk many fields do not support localized language support. |
| 2444 | Wait indicator continues when creating new realm | Wait indicator (spinner) remains on screen after process has completed. |
| 2671 | Default verbiage usage | Custom English verbiage is not used when a user is using a language not supported by IdP. |
| 2672 | Inline Password: Password Complexity instructions' visibility | 2016 Theme: Inline Password Password Complexity instructions do not display upon not meeting requirements (only for Username & PW same page workflow option). |
| 2673 | Password must be entered twice | Username and password are on same page with inline password change, user must enter password two times. |
| 2707 | "Submit" button malfunction on Android mobile browser | 2016 Theme: "Submit" button does not work when using Android mobile browser with specific Android devices. |
| 2721 | eDirectory Profile field data loss | In Web Admin, user saving page before page finishes loading causes loss of data. |
| 2784 | Create Realm from Template SuccessFactor failure | Create realm from Template-SuccessFactors results in error: "Site has not been created, please check the sslsn in the web.config of the templates folder." |
| 2808 | Help Desk – "Locked" status inaccuracy | Lock status is inaccurate in Helpdesk when using ASP.net datastore. |
| 2840 | "Cache Lockout Duration" field not saved | Time-based Passcodes (OATH) Cache Lockout Duration field does not retain new value. |

9.0.0 Release Notes

Released on April 29, 2016

Version 9.0.0 New Features

| Feature | Description | References |
| --- | --- | --- |
| Behavioral Biometrics API | Behavioral Biometrics detects and monitors keystroke dynamics and cursor movements to build a user-specific profile. Characteristics in the user profile can be used for identification when validating credentials that may have been compromised: for example, if a bad actor attempts to access an app on a valid user's unattended desktop. This technology can be added to existing in-house applications, along with other adaptive technologies such as SecureAuth Device Recognition (Device Fingerprinting), to provide end-users strong authentication with little or no impact to the end-user. | https://docs.secureauth.com/x/_IBsAg |
| Identity Management API | The new IdM API exposes the power of SecureAuth IdP IdM capabilities, providing tools for password reset, user creation, and user profile updates in an API. | https://docs.secureauth.com/x/qYBsAg |
| QR Code SecureAuth Authenticate Mobile App registration support | QR Code lets end-users register the SecureAuth Authenticate mobile app by scanning a QR code versus entering a URL on a mobile phone and registering the embedded browser. Using QR Code simplifies the end-user onboarding process and streamlines the end-user experience. This feature requires the use of SecureAuth Authenticate 4.3 for iOS and Android. | https://docs.secureauth.com/x/E4JsAg |
| QR Code OTP support for Google Authenticator | QR Code provides a new registration method to enable customers using Google Authenticator and other TOTP apps to now use Google Authenticator instead of the SecureAuth Authenticate application for time-based one-time passcodes. Note: Google Authenticator does not support Push Notification passcodes or Push-to-Accept (Mobile Login Requests). | https://docs.secureauth.com/x/E4JsAg |
| SIEM integration (CEF and LEEF support) | Valuable data generated by SecureAuth IdP can now be fed to an existing IBM and HP SIEM, since support has been added for CEF and LEEF logging standards. CEF is the HP standard commonly used with the HP ArcSight product. LEEF is the IBM standard commonly used with the IBM QRadar product. | https://docs.secureauth.com/x/NApjAg |
| LDAP performance improvements | The Open LDAP provider has been optimized, resulting in improved performance particularly when used with virtual directory servers. | |
| Password Reset enhancements | Additional features and capabilities have been added to the Password Reset functionality, providing the administrator extra options and configurability. | https://docs.secureauth.com/x/KApjAg |
| Admin console changes to improve security and usability | The launch screen has been consolidated with new "Tools" menu item added and the "Show Password" option removed. | https://docs.secureauth.com/x/iApjAg |
| OpenID Connect support enhancements | OpenID Connect now supports JSON Web Token encryption. | https://docs.secureauth.com/x/MQpjAg |
| OAuth 2.0 support enhancements | OAuth 2.0 now supports flows for Token Introspection (lets downstream resource servers ensure an access token is still valid and has not been revoked) and Token Revocation (lets an app owner programmatically revoke an access token before its lifetime has expired). | https://docs.secureauth.com/x/MQpjAg |
| OTP security enhancements | To improve security, each failed OTP attempt now results in an increased delay for each retry. | |
| New Logout page | The new Logout page (logout.aspx) can be used in place of the existing Restart page (restart.aspx) for SAML (SP configured – SAML Logout URL). This new page will avoid looping back to authentication when the end-user logs out of the SAML application. | |
| Additional browser recognition | Additional browser version identification has been included for Device / Browser Fingerprinting. | |

9.0.0 Resolved Issues

| Ref ID | Issue | Description |
| --- | --- | --- |
| 1245 | TOTP entry fails if spaces are included | Checked for spaces and sanitized TOTP input |
| 1289 | An expired license prevents web.admin access | License expiration prevented access to web.admin |
| 1292 | License expiration message is not clear | Changed license expiration message to be more descriptive |
| 1309 | Password expiration reset fails if the wrong password is entered | Expired password reset transaction failed if user entered incorrect password; unable to correct password |
| 1366 | Windows Phone: registration fails | Windows Phone: Unable to get TOTP seed |
| 1508 | Session timeout impacts workflow | After a session timeout, the workflow may alter the inclusion of additional authentication criteria |
| 1521 | OTP email template reply message has changed | Changed the "from" address from @secureauth.com to @customer_domain |
| 1542 | Permission displays the revoked permission scope | When Revoking an OpenID Connect permission, clicking Save twice displayed the revoked permission scope |
| 1560 | User ID status value is not updated | On the Helpdesk page, the User ID status value was not being updated |
| 1564 | Some values on the helpdesk page are not reset | Reset Fingerprints, reset Push Devices, reset OTP Devices – if the Update button was hit repeatedly, values that were removed would reappear |
| 1573 | DFP debug fails with 2016 Theme | Device Fingerprint debug failed when using the 2016 Theme |
| 1584 | Maximum Invalid Password Attempts are not saved | Maximum Invalid Password Attempts were not being saved |
| 1656 | Mobile Device Recognition fails | The API Settings checkbox on the Registration Methods tab needed to be Enabled |
| 1672 | Transparent SSO fails with Mobile DFP | Mobile DFP: Transparent SSO does not work when FP mode = Mobile App |
| 1696 | Helpdesk OTP phone number label is incorrect | Helpdesk OTP phone number label displayed the incorrect phone number selection |
| 1708 | SAML Consumer: SAML conditions are being ignored | A time-based SAML attribute was not being respected |
| 1714 | OAuth 2.0 social login requests fail when a proxy is used | OAuth 2.0 logons behind a proxy failed |
| 1735 | ODBC settings are not saved | ODBC settings were not saved |
| 1736 | Reports on long queries are timed out | Reports that take longer than ten minutes to run timed out |
| 1760 | SHA256 signed assertions are not generated | SAM SHA256 signed assertions cannot generate a SHA256 signed assertion |
| 1765 | Proxy server mask is not being displayed | Proxy server mask was not being displayed |
| 1766 | Web.admin Windows proxy option support is deprecated | Support for using the default Windows proxy server was removed |
| 1769 | Invalid samAccountName formats are not handled by API | Invalid samAccountName formats were not handled by the API and no status was returned |
| 1780 | Country check fails | Internal IP address was being evaluated |
| 1810 | Password Strength indicator does not progress | 2016 Theme: PasswordReset.aspx – Password strength does not register until the confirm password is initiated by the first letter |
| 1813 | Performing a Save to multiple realms can cause corrupted data | On slow-performing servers, saving content to multiple realms in the web.admin can corrupt data |
| 1828 | No validation message appears for configured PIN reset Min and Max in Helpdesk | 2016 Theme: ManageAccounts.aspx – No validation message appeared for a configured PIN reset Min and Max on the Helpdesk page |
| 1835 | Confirm password entry jumps to the previous line | Data entry made in the confirm password textbox jumped to the previous line |
| 1859 | Default OTP value has changed, and minimum OTP value has changed | Default OTP value is now set to 6, and minimum OTP value has increased from 2 to 4 – existing customers using less than 4 will have the OTP value set to 4 |
| 1865 | Confirmation is missing for PasswordReset.aspx unlock button | 2016 Theme: PasswordReset.aspx unlock button confirmation did not exist |
| 1873 | Yubikey provisioning fails | When provisioning Yubikey, the registration would fail |
| 1880 | No TRX log entries appear in the audit log | TRX log entries in the audit log were disabled when TRX cloud logging was disabled |
| 1902 | TRX logs missing for WS-Trust and OpenID Connect | TRX logs were missing for WS-Trust and OpenID Connect |
| 1916 | UBC is deprecated | UBC as a second authentication method has been deprecated |

9.0.0 Known Issues

| Ref ID | Issue | Description |
| --- | --- | --- |
| 811 | HTML is appended to a logging text file | When downloading a text log, superfluous HTML is added to the end of the log |
| 1273 | DFP fails with Windows FIPS mode enabled | DFP fails in Windows with the FIPS mode enabled |
| 1283 | Appliance performance is impacted by a down Syslog server | Appliance performance is impacted when a Syslog server (on the same subnet) is completely offline (not just the service down) |
| 1512 | IdP Configurator fails to launch | IdP Configurator on webadminstart.aspx does not launch |
| 1805 | PIN field re-populates after being cleared by user | PIN field re-populates after being cleared by the user, but content for that field in the data store is deleted |
| 1905 | Login "Submit" button is disabled | 2016 Theme: When Java detection is set to False, the "Submit" button becomes disabled |
| 1954 | Template wizard hangs when test link is clicked | A realm configured using the template wizard hangs when the test link is clicked |
| 1959 | Error using Back button on Update or Decrypt Web.Config pages | User receives a server error message when the Back button is clicked from updatewebconfig.aspx or decryptwebconfig.aspx page |
