Requirements for upgrading to version 9.3

See SecureAuth IdP version 9.3 appliance installation and upgrade information for prerequisites and important installation information.


Released on January 21, 2019


9.3.0 New features


Behavioral Analysis Powered by Machine Learning – Analyze user behavior for suspicious activity. Boost identity protection by unmasking attackers masquerading as legitimate users and uncover hard-to-detect insider threats.


Support for Proof Key for Code Exchange (PKCE) Standard – The PKCE standard helps prevent man-in-the-middle attacks, or interception of authentication information, between users and systems.


Inline Initialization Enhancement – Users can now be redirected to a self-service page to update their profile with missing data and then continue the authentication process. This helps preserve user experience while minimizing administrator and helpdesk involvement.


Windows SSO / IIS enhancement saves some web.config settings in the user interface.


Self-service Password Reset support available for eDirectory.



SP metadata upload feature available for application integrations created in the new user interface.


Application onboarding feature added in the new user interface.


Reusable Directory Integration Objects – Instead of completing directory integration work every time a new application or system is deployed, administrators can now build directory integrations once and reuse them. When changes need to be made, they are made once and propagated through the environment automatically. This enhancement saves significant administrative time and resources.


New Cloud-based Architecture – With the move to a cloud-based architecture, your administrators can get the most up-to-date settings, features, and enhancements without undergoing time-consuming upgrades.



Application Template Library – Application on-boarding has been streamlined and shortened with the creation of a library of application templates. Instead of building integrations for each application individually, administrators can now simply pick the applicable template from a pre-defined library. For templates not yet built, we can accelerate the process by auto-populating fields.


Customizable PIN Length – To increase security, administrators can now configure the length of PINs, making them longer and more difficult for attackers to guess. Instead of the default 4-digit PIN, administrators can choose a 4-, 6-, 8-, or 10-digit PIN. The longer the PIN, the less likely it will be compromised.


Create User support available for eDirectory.



Inverted User Risk Score – SecureAuth IdP can consume third-party risk scores for use in evaluating authentication risk, but varying solutions present risk differently. With this release, SecureAuth IdP is able to change the risk score scale to accept scores that are presented in varying formats.


9.3.0 Resolved issues

Ref ID



Saving “helpdesk challenge” on the Self-service page correctly saves the user's knowledge-based answer when data is encrypted.

IDP-3179: After decrypting the web.config, you no longer need to re-encrypt it before moving to another realm; the web.config file is automatically re-encrypted.


SAML post-authentication pages no longer display an improper error.


SecureAuth IdP now properly accepts encrypted SAML assertions from third-party IdPs via SAML Consumer.


Various eDirectory issues have been resolved.


Timeout expiration notification now appears per configuration.


Authentication / SecureAuth IdP API endpoints now correctly accept username characters.


PUT endpoint no longer resets all throttle counts.


Inline Initialization now properly writes to the directory.


Update button no longer needs to be clicked twice to update PIN on Self-service page.


Non-integer valid hours values are now respected for WS-Fed integrations.


Timeout no longer occurs during webservices directory integration.


Correct username is now sent in CyberArk lookup.


SecureAuth IdP can now handle IPv6 addresses.


Re-encrypting a bearer token no longer breaks user risk score analysis.


OpenLDAP and LDAPv2 errors no longer occur during login.


Web Admin UI now allows SAML Consumer provider edits.


Users are now able to set the time zone on OWA.


Help Desk page now properly confirms an existing PIN / Password before a change is made.


False errors no longer occur during a QR code enrollment with device limitation enforced.


Proxy settings are now respected when retrieving OIDC encryption keys.


Create User now saves GroupList in a SQL database.


OIDC redirect and session end now correctly occur.


Query string parameters are no longer cached during Adaptive Authentication redirection; the caching previously broke redirection.


Login for Windows now correctly validates HID token values.


SecureAuth IdP no longer shows a null reference when reading a user risk score.


Symantec endpoint error has been resolved so VIP tokens now work for Multi-Factor Authentication.


Redirect action with a token no longer fails in Adaptive Authentication redirection for SP-initiated SAML requests.


Incorrect error no longer appears for “profile missing” message.


OAuth 2.0 specifications updated to current standards so JWT functions correctly in Client Credential flow.


French Guinea / French Guiana phone country codes are now accepted for Multi-Factor Authentication.


SSPR temporary passwords are no longer stored in plain text in debug logs.


SecureAuth IdP response correctly includes Boolean for an active token introspection request.


OIDC specifications updated to current standards so “expires_in” returns a numeric value.


Introspection endpoint no longer fails when an access token subject claim contains a client ID.


Encryption functionality is no longer static due to an inability to configure a realm.


Enhancements made so a user can be added to an eDirectory group via IdM API.


Help Desk page no longer displays an error for Symantec VIP hard token enrollments when using the 2016 Light Theme.


Adaptive Authentication country check action no longer fails closed and halts logins if SecureAuth Cloud fails to communicate.


2016 Light Theme mobile interface issues no longer appear on the Self-service page.

9.3.0 Known issues

| Ref ID | Description | Fix version |
|---|---|---|
| IDP-2418 | Valid Persistent Token does not work with the 2013 theme in Safari on an iPad. | TBD |
| IDP-4058 | Charts do not work when the "Log Instance ID" is changed from the default. | 9.4 |
| | Adaptive Authentication tab does not render if RBAC read-only is enabled for user. | |
| IDP-4817 | If group restriction is added during app onboarding but then "Allow All Users" is selected, Summary shows user groups but all users are allowed. | 9.4 |
| IDP-4819 | Infrequent issue occurs in which the "pencil" icon does not respond to a mouse click. | 9.4 |
| | Upgrading from 9.1 to 9.3 shows Threat Services disabled, even though the license supports it. In this issue, the configuration remains the same in the web.config, but the Threat Services disabled message appears. | |
| | Application API errors (minor, internal). | 9.4 |
| IDP-4896 | Adaptive Authentication tab does not render if RBAC read-only is enabled for user. | 9.4 |
| IDP-4903 | SP-init by Post template is saved as SP-init by Redirect. | 9.4 |
| | IdP metadata does not include a trailing slash in the URL. In this issue, the SP-init by Post configuration is broken if a file is uploaded to the Service Provider without first being modified. | |


9.3.0 Latest hotfix

The latest hotfix release is comprehensive and resolves all issues addressed by the hotfixes in this table:

| Release No. | Release Date | Ref ID | Issue |
|---|---|---|---|
| 9.3.0-5 | 21-May-2019 | EE-1186 | App Enrollment Maintenance – App enrollment for users made on previous versions of SecureAuth IdP works correctly after the upgrade. |
| | | EE-1073 | Password Reset LDAP Issue – Administrative Password Reset with History Check functionality now works with LDAP containing protocol requirements. |
| | | EE-1082 | Authentication API Parity – The Yubico OTP option is now available to use via the API and also supported through browser workflow. |
| | | EE-1149 | Passcode Registration Screen – When using the Default theme, the SecureAuth Passcode registration screen now works correctly. |
| | | EE-1167 | Incorrect SMS MFA Option – When users select the SMS OTP option, they no longer randomly receive an incorrect Link to Accept message. |
| | | EE-1182 | Begin Site Redirect Encoding – Begin site redirect no longer double-encodes the request query, which caused the realm to break and the workflow to halt. |
| 9.3.0-3 | 12-Apr-2019 | EE-1075 | Data Parsing in SAML Attribute – Data is now correctly parsed when sent in a SAML attribute. |
| | | EE-1124 | OIDC Claim Issue – Sub claim is now present when updates are made to the library. |
| | | EE-1089 | Application API Proxy Support – Calls made through the Application API correctly honor proxy settings. |
| | | EE-1120 | URL Encoding Updates – Updates to URL encoding to ensure security. |
| | | EE-1131 | Device Fingerprint Space Issue – The Device Fingerprint cookie name now parses correctly if a space is present in the generated cookie name. |
| | | EE-1067 | Logging Updates – Updates to SecureAuth IdP logs to ensure security. |
| 9.3.0-2 | 14-Mar-2019 | EE-1049 | Auto-encrypt Tools Issue – Issue resolved in which auto-encrypting the web.config caused SecureAuth tools to work ineffectively. |
| | | EE-1088 | SecureAuth IdP Requirements for Login for Windows – Changes made to accommodate AD user check issues addressed in Login for Windows v1.0.4. |
| | | | Google Social ID Login – Modifications made to support Google API updates for Social ID login. |
| | | | Auto-encrypt Tools Issue – Issue resolved in which auto-encrypting the web.config caused SecureAuth tools to not function effectively. |
| | | EE-1056 | Web Admin UI Updates – Updates made to the Adaptive Authentication UI reflect supported features. |
| | | EE-1067 | Logging Updates – Enhancements made to logging ensure greater security. |

Affected SecureAuth IdP Version(s): 9.3

Support Information: Contact SecureAuth Support (1-866-859-1526) to have the latest hotfix installed on your SecureAuth IdP v9.3.x appliance.