Requirements for upgrading to version 9.3
See SecureAuth IdP version 9.3 appliance installation and upgrade information for prerequisites and important installation information.
Released on January 21, 2019
9.3.0 New features
Behavioral Analysis Powered by Machine Learning – Analyze user behavior for suspicious activity. Boost identity protection by unmasking attackers masquerading as legitimate users and uncover hard-to-detect insider threats. See https://docs.secureauth.com/x/ULTQAg
Support for Proof Key for Code Exchange (PKCE) Standard – The PKCE standard helps prevent man-in-the-middle attacks, or interception of authentication information, between users and systems.
Inline Initialization Enhancement – Users can now be redirected to a self-service page to update their profile with missing data and then continue the authentication process. This helps preserve user experience while minimizing administrator and helpdesk involvement.
Windows SSO / IIS enhancement saves some web.config settings in the user interface.
Self-service Password Reset support available for eDirectory.
SP metadata upload feature available for application integrations created in the new user interface.
Application onboarding feature added in the new user interface.
Reusable Directory Integration Objects – Instead of completing directory integration work every time a new application or system is deployed, administrators can now build directory integrations once and reuse them. When changes need to be made, they are made once and propagated through the environment automatically. This enhancement saves significant administrative time and resources.
New Cloud-based Architecture – With the move to a cloud-based architecture, your administrators can get the most up-to-date settings, features, and enhancements without undergoing time-consuming upgrades.
Application Template Library – Application on-boarding has been streamlined and shortened with the creation of a library of application templates. Instead of building integrations for each application individually, administrators can now simply pick the applicable template from a pre-defined library. For templates not yet built, we can accelerate the process by auto-populating fields.
Customizable PIN Length – To increase security, administrators can now configure the length of PINs, making them longer and more difficult for attackers to guess. Instead of the default 4-digit PIN, administrators can choose a 4, 6, 8, or 10-digit PIN. The longer the PIN, the less likely it will be compromised.
Create User support available for eDirectory.
Inverted User Risk Score – SecureAuth IdP can consume third-party risk scores for use in evaluating authentication risk, but varying solutions present risk differently. With this release, SecureAuth IdP is able to change the risk score scale to accept scores that are presented in varying formats.
9.3.0 Resolved issues
Saving “helpdesk challenge” on the Self-service page correctly saves the user’s knowledge-based answer when data is encrypted.
|IDP-3179||After decrypting the web.config, you no longer need to re-encrypt it before moving to another realm; the web.config file is automatically re-encrypted.|
SAML post-authentication pages no longer display an improper error.
SecureAuth IdP now properly accepts encrypted SAML assertions from third-party IdPs via SAML Consumer.
Various eDirectory issues have been resolved.
Timeout expiration notification now appears per configuration.
Authentication / SecureAuth IdP API endpoints now correctly accept username characters.
PUT endpoint no longer resets all throttle counts.
Inline Initialization now properly writes to the directory.
Update button no longer needs to be clicked twice to update PIN on Self-service page.
Non-integer valid hours are now respected for WS-Fed integrations.
Timeout no longer occurs during webservices directory integration.
Correct username is now sent in CyberArk lookup.
SecureAuth IdP can now handle IPv6 addresses.
Re-encrypting a bearer token no longer breaks user risk score analysis.
OpenLDAP and LDAPv2 errors no longer occur during login.
Web Admin UI now allows SAML Consumer provider edits.
Users are now able to set the time zone on OWA.
Help Desk page now properly confirms an existing PIN / Password before a change is made.
False errors no longer occur during a QR code enrollment with device limitation enforced.
Proxy settings are now respected when retrieving OIDC encryption keys.
Create User now saves GroupList in a SQL database.
OIDC redirect and session end now correctly occur.
Query string parameters are no longer cached during Adaptive Authentication redirection, which previously broke redirection.
Login for Windows now correctly validates HID token values.
SecureAuth IdP no longer shows a null reference when reading a user risk score.
Symantec endpoint error has been resolved so VIP tokens now work for Multi-Factor Authentication.
Redirect action with a token no longer fails in Adaptive Authentication redirection for SP-initiated SAML requests.
Incorrect error no longer appears for “profile missing” message.
OAuth 2.0 specifications updated to current standards so JWT functions correctly in Client Credential flow.
French Guinea / French Guiana phone country codes are now accepted for Multi-Factor Authentication.
SSPR temporary passwords are no longer stored in plain text in debug logs.
SecureAuth IdP response correctly includes Boolean for an active token introspection request.
OIDC specifications updated to current standards so “expires_in” returns a numeric value.
Introspection endpoint no longer fails when an access token subject claim contains a client ID.
Encryption functionality is no longer static due to an inability to configure a realm.
Enhancements made so a user can be added to an eDirectory group via IdM API.
Help Desk page no longer displays an error for Symantec VIP hard token enrollments when using the 2016 Light Theme.
Adaptive Authentication country check action no longer fails closed and halts logins if SecureAuth Cloud fails to communicate.
2016 Light Theme mobile interface issues no longer appear on the Self-service page.
9.3.0 Known issues
|Ref ID||Description||Fix version|
|IDP-2418||Valid Persistent Token does not work with the 2013 theme in Safari on an iPad.||TBD|
|IDP-4058||Charts do not work when the "Log Instance ID" is changed from the default.||9.4|
|IDP-4817||If group restriction is added during app onboarding but then "Allow All Users" is selected, Summary shows user groups but all users are allowed.||9.4|
|IDP-4819||Infrequent issue occurs in which the "pencil" icon does not respond to a mouse click.||9.4|
Upgrading from 9.1 to 9.3 shows Threat Services disabled, even though the license supports it.
In this issue, the configuration remains the same in the web.config, but the Threat Services disabled message appears.
|Application API errors (minor, internal).||9.4|
|IDP-4896||Adaptive Authentication tab does not render if RBAC read-only is enabled for user.||9.4|
|IDP-4903||SP-init by Post template is saved as SP-init by Redirect.||9.4|
IdP metadata does not include a trailing slash in the URL.
In this issue, the SP-init by Post configuration is broken if a file is uploaded to the Service Provider without first being modified.