Documentation

Requirements for upgrading to version 9.3

See SecureAuth IdP version 9.3 appliance installation and upgrade information for prerequisites and important installation information.

 

Released on January 21, 2019

 

9.3.0 New features

Ref ID

Feature

References

----

Behavioral Analysis Powered by Machine Learning – Analyze user behavior for suspicious activity. Boost identity protection by unmasking attackers masquerading as legitimate users and uncover hard-to-detect insider threats.

https://docs.secureauth.com/x/ULTQAg

IDP-934

Support for Proof Key for Code Exchange (PKCE) Standard – The PKCE standard helps prevent man-in-the-middle attacks, or interception of authentication information, between users and systems.

https://docs.secureauth.com/x/s7PQAg

IDP-1132

Inline Initialization Enhancement – Users can now be redirected to a self-service page to update their profile with missing data and then continue the authentication process. This helps preserve user experience while minimizing administrator and helpdesk involvement.

https://docs.secureauth.com/x/l7fQAg

IDP-3049

Windows SSO / IIS enhancement saves some web.config settings in the user interface.

https://docs.secureauth.com/x/ScXQAg

IDP-3191

Self-service Password Reset support available for eDirectory.

 

IDP-3245

SP metadata upload feature available for application integrations created in the new user interface.

https://docs.secureauth.com/x/S67QAg

IDP-3291

Application onboarding feature added in the new user interface.

https://docs.secureauth.com/x/P67QAg

IDP-3292

Reusable Directory Integration Objects – Instead of completing directory integration work every time a new application or system is deployed, administrators can now build directory integrations once and reuse them. When changes need to be made, they are made once and propagated through the environment automatically. This enhancement saves significant administrative time and resources.

https://docs.secureauth.com/x/_ozQAg

IDP-3451

New Cloud-based Architecture – With the move to a cloud-based architecture, your administrators can get the most up-to-date settings, features, and enhancements without undergoing time-consuming upgrades.

 

IDP-3594

Application Template Library – Application on-boarding has been streamlined and shortened with the creation of a library of application templates. Instead of building integrations for each application individually, administrators can now simply pick the applicable template from a pre-defined library. For templates not yet built, we can accelerate the process by auto-populating fields.

https://docs.secureauth.com/x/P67QAg

IDP-3768

Customizable PIN Length – To increase security, administrators can now configure the length of PINs, making them longer and more difficult for attackers to guess. Instead of the default 4-digit PIN, administrators can choose a 4, 6, 8, or 10-digit PIN. The longer the PIN, the less likely it will be compromised.

https://docs.secureauth.com/x/spfQAg

https://docs.secureauth.com/x/sJfQAg

IDP-3949

Create User support available for eDirectory.

 

IDP-4130

Inverted User Risk Score – SecureAuth IdP can consume third-party risk scores for use in evaluating authentication risk, but varying solutions present risk differently. With this release, SecureAuth IdP is able to change the risk score scale to accept scores that are presented in varying formats.

https://docs.secureauth.com/x/abPQAg

 

9.3.0 Resolved issues

Ref ID

Issue

IDP-1620

Saving “helpdesk challenge” on the Self-service page correctly saves the user’s knowledge-based answer when data is encrypted.

IDP-3179

After decrypting the web.config, you no longer need to re-encrypt it before moving to another realm; the web.config file is automatically re-encrypted.

IDP-3231

SAML post-authentication pages no longer display an improper error.

IDP-3244

SecureAuth IdP now properly accepts encrypted SAML assertions from third-party IdPs via SAML Consumer.

IDP-3336

Various eDirectory issues have been resolved.

IDP-3419

Timeout expiration notification now appears per configuration.

IDP-3429

Authentication / SecureAuth IdP API endpoints now correctly accept username characters.

IDP-3437

PUT endpoint no longer resets all throttle counts.

IDP-3441

Inline Initialization now properly writes to the directory.

IDP-3442

Update button no longer needs to be clicked twice to update PIN on Self-service page.

IDP-3443

Non-integer valid hours is now respected for WS-Fed integrations.

IDP-3444

Timeout no longer occurs during webservices directory integration.

IDP-3532

Correct username is now sent in CyberArk lookup.

IDP-3583

SecureAuth IdP can now handle IPv6 addresses.

IDP-3595

Re-encrypting a bearer token no longer breaks user risk score analysis.

IDP-3646

OpenLDAP and LDAPv2 errors no longer occur during login.

IDP-3676

Web Admin UI now allows SAML Consumer provider edits.

IDP-3761

Users are now able to set the time zone on OWA.

IDP-3857

Help Desk page now properly confirms an existing PIN / Password before a change is made.

IDP-3866

False errors no longer occur during a QR code enrollment with device limitation enforced.

IDP-3950

Proxy settings are now respected when retrieving OIDC encryption keys.

IDP-3951

Create User now saves GroupList in a SQL database.

IDP-4027

OIDC redirect and session end now correctly occur.

IDP-4045

Query string parameters are no longer cached during Adaptive Authentication redirection, which previously broke redirection.

IDP-4133

Login for Windows now correctly validates HID token values.

IDP-4134

SecureAuth IdP no longer shows a null reference when reading a user risk score.

IDP-4141

Symantec endpoint error has been resolved so VIP tokens now work for Multi-Factor Authentication.

IDP-4200

Redirect action with a token no longer fails in Adaptive Authentication redirection for SP-initiated SAML requests.

IDP-4206

Incorrect error no longer appears for “profile missing” message.

IDP-4340

OAuth 2.0 specifications updated to current standards so JWT functions correctly in Client Credential flow.

IDP-4362

French Guinea / French Guiana phone country codes are now accepted for Multi-Factor Authentication.

IDP-4372

SSPR temporary passwords are no longer stored in plain text in debug logs.

IDP-4396

SecureAuth IdP response correctly includes Boolean for an active token introspection request.

IDP-4415

OIDC specifications updated to current standards so “expires_in” returns a numeric value.

IDP-4416

Introspection endpoint no longer fails when an access token subject claim contains a client ID.

IDP-4417

Encryption functionality is no longer static due to an inability to configure a realm.

IDP-4573

Enhancements made so a user can be added to an eDirectory group via IdM API.

IDP-4580

Help Desk page no longer displays an error for Symantec VIP hard token enrollments when using the 2016 Light Theme.

IDP-4581

Adaptive Authentication country check action no longer fails closed and halts logins if SecureAuth Cloud fails to communicate.

IDP-4683

2016 Light Theme mobile interface issues no longer appear on the Self-service page.

9.3.0 Known issues

Ref ID

Description

Fix version

IDP-2418

Valid Persistent Token does not work with the 2013 theme in Safari on an iPad.

TBD

IDP-4058

Charts do not work when the "Log Instance ID" is changed from the default.

9.4

IDP-4816

Adaptive Authentication tab does not render if RBAC read-only is enabled for user.

9.4

IDP-4817

If group restriction is added during app onboarding but then "Allow All Users" is selected, Summary shows user groups but all users are allowed.

9.4

IDP-4819

Infrequent issue occurs in which the "pencil" icon does not respond to a mouse click.

9.4

IDP-4858

Upgrading from 9.1 to 9.3 shows Threat Services disabled, even though the license supports it.

In this issue, the configuration remains the same in the web.config, but the Threat Services disabled message appears.

9.4

IDP-4886, IDP-4887, IDP-4888

Application API errors (minor, internal).

9.4

IDP-4896

Adaptive Authentication tab does not render if RBAC read-only is enabled for user.

9.4

IDP-4903

SP-init by Post template is saved as SP-init by Redirect.

9.4

IDP-4904

IdP metadata does not include a trailing slash in the URL.

In this issue, the SP-init by Post configuration is broken if a file is uploaded to the Service Provider without first being modified.

9.4
