Requirements for upgrading to version 9.3

See SecureAuth IdP version 9.3 appliance installation and upgrade information for prerequisites and important installation information.

 

Released on January 21, 2019

 

9.3.0 New features

Ref ID

Feature

References
----

Behavioral Analysis Powered by Machine Learning – Analyze user behavior for suspicious activity. Boost identity protection by unmasking attackers masquerading as legitimate users and uncover hard to detect insider threats.

https://docs.secureauth.com/x/ULTQAg

IDP-934

Support for Proof Key for Code Exchange (PKCE) Standard – The PKCE standard helps prevent man-in-the-middle attacks, or interception of authentication information, between users and systems.

https://docs.secureauth.com/x/s7PQAg

IDP-1132

Inline Initialization Enhancement – Users can now be redirected to a self-service page to update their profile with missing data and then continue the authentication process. This helps preserve user experience while minimizing administrator and helpdesk involvement.

https://docs.secureauth.com/x/l7fQAg

IDP-3049

Windows SSO / IIS enhancement saves some web.config settings in the user interface.

https://docs.secureauth.com/x/ScXQAg

IDP-3191

Self-service Password Reset support available for eDirectory.

 

IDP-3245

SP metadata upload feature available for application integrations created in the new user interface.

https://docs.secureauth.com/x/S67QAg

IDP-3291

Application onboarding feature added in the new user interface.

https://docs.secureauth.com/x/P67QAg

IDP-3292

Reusable Directory Integration Objects – Instead of completing directory integration work every time a new application or system is deployed, administrators can now build directory integrations once and reuse them. When changes need to be made, they are made once and propagated through the environment automatically. This enhancement saves significant administrative time and resources.

https://docs.secureauth.com/x/_ozQAg

IDP-3451

New Cloud-based Architecture – With the move to a cloud-based architecture, your administrators can get the most up-to-date settings, features, and enhancements without undergoing time-consuming upgrades.

 

IDP-3594

Application Template Library – Application on-boarding has been streamlined and shortened with the creation of a library of application templates. Instead of building integrations for each application individually, administrators can now simply pick the applicable template from a pre-defined library. For templates not yet built, we can accelerate the process by auto-populating fields.

https://docs.secureauth.com/x/LvPQAg

IDP-3768

Customizable PIN Length – To increase security, administrators can now configure the length of PINs, making them longer and more difficult for attackers to guess. Instead of the default 4-digit PIN, administrators can choose a 4, 6, 8, or 10-digit PIN. The longer the PIN, the less likely it is to be compromised.

https://docs.secureauth.com/x/spfQAg

https://docs.secureauth.com/x/sJfQAg

IDP-3949

Create User support available for eDirectory.

 

IDP-4130

Inverted User Risk Score – SecureAuth IdP can consume third party risk scores for use in evaluating authentication risk, but varying solutions present risk differently. With this release, SecureAuth IdP is able to change the risk score scale to accept scores that are presented in varying formats.

https://docs.secureauth.com/x/abPQAg

 

9.3.0 Resolved issues

Ref ID

Issue

IDP-1620

Saving “helpdesk challenge” on the Self-service page correctly saves the user's knowledge-based answer when data is encrypted.

IDP-3179

After decrypting the web.config, you no longer need to re-encrypt it before moving to another realm; the web.config file is automatically re-encrypted.

IDP-3231

SAML post-authentication pages no longer display an improper error.

IDP-3244

SecureAuth IdP now properly accepts encrypted SAML assertions from third-party IdPs via SAML Consumer.

IDP-3336

Various eDirectory issues have been resolved.

IDP-3419

Timeout expiration notification now appears per configuration.

IDP-3429

Authentication / SecureAuth IdP API endpoints now correctly accept username characters.

IDP-3437

PUT endpoint no longer resets all throttle counts.

IDP-3441

Inline Initialization now properly writes to the directory.

IDP-3442

Update button no longer needs to be clicked twice to update PIN on Self-service page.

IDP-3443

Non-integer valid hours is now respected for WS-Fed integrations.

IDP-3444

Timeout no longer occurs during webservices directory integration.

IDP-3532

Correct username is now sent in CyberArk lookup.

IDP-3583

SecureAuth IdP can now handle IPv6 addresses.

IDP-3595

Re-encrypting a bearer token no longer breaks user risk score analysis.

IDP-3646

OpenLDAP and LDAPv2 errors no longer occur during login.

IDP-3676

Web Admin UI now allows SAML Consumer provider edits.

IDP-3761

Users are now able to set the time zone on OWA.

IDP-3857

Help Desk page now properly confirms an existing PIN / Password before a change is made.

IDP-3866

False errors no longer occur during a QR code enrollment with device limitation enforced.

IDP-3950

Proxy settings are now respected when retrieving OIDC encryption keys.

IDP-3951

Create User now saves GroupList in a SQL database.

IDP-4027

OIDC redirect and session end now correctly occur.

IDP-4045

Query string parameters are no longer cached during Adaptive Authentication redirection; the caching had been breaking redirection.

IDP-4133

Login for Windows now correctly validates HID token values.

IDP-4134

SecureAuth IdP no longer shows a null reference when reading a user risk score.

IDP-4141

Symantec endpoint error has been resolved so VIP tokens now work for Multi-Factor Authentication.

IDP-4200

Redirect action with a token no longer fails in Adaptive Authentication redirection for SP-initiated SAML requests.

IDP-4206

Incorrect error no longer appears for “profile missing” message.

IDP-4340

OAuth 2.0 specifications updated to current standards so JWT functions correctly in Client Credential flow.

IDP-4362

French Guinea / French Guiana phone country codes are now accepted for Multi-Factor Authentication.

IDP-4372

SSPR temporary passwords are no longer stored in plain text in debug logs.

IDP-4396

SecureAuth IdP response correctly includes Boolean for an active token introspection request.

IDP-4415

OIDC specifications updated to current standards so “expires_in” returns a numeric value.

IDP-4416

Introspection endpoint no longer fails when an access token subject claim contains a client ID.

IDP-4417

Encryption functionality is no longer static due to an inability to configure a realm.

IDP-4573

Enhancements made so a user can be added to an eDirectory group via IdM API.

IDP-4580

Help Desk page no longer displays an error for Symantec VIP hard token enrollments when using the 2016 Light Theme.

IDP-4581

Adaptive Authentication country check action no longer fails closed and halts logins if SecureAuth Cloud fails to communicate.

IDP-4683

2016 Light Theme mobile interface issues no longer appear on the Self-service page.

9.3.0 Known issues

Ref ID

Description

Fix version

IDP-2418

Valid Persistent Token does not work with the 2013 theme in Safari on an iPad.

TBD

IDP-4058

Charts do not work when the "Log Instance ID" is changed from the default.

9.4

IDP-4816

Adaptive Authentication tab does not render if RBAC read-only is enabled for user.

9.4

IDP-4817

If group restriction is added during app onboarding but then "Allow All Users" is selected, Summary shows user groups but all users are allowed.

9.4

IDP-4819

Infrequent issue occurs in which the "pencil" icon does not respond to a mouse click.

9.4

IDP-4858

Upgrading from 9.1 to 9.3 shows Threat Services disabled, even though the license supports it.

In this issue, the configuration remains the same in the web.config, but the Threat Services disabled message appears.

9.4

IDP-4886, IDP-4887, IDP-4888

Application API errors (minor, internal).

9.4

IDP-4896

Adaptive Authentication tab does not render if RBAC read-only is enabled for user.

9.4

IDP-4903

SP-init by Post template is saved as SP-init by Redirect.

9.4

IDP-4904

IdP metadata does not include a trailing slash in the URL.

In this issue, the SP-init by Post configuration is broken if a file is uploaded to the Service Provider without first being modified.

9.4


9.3.0 Latest hotfix

The latest hotfix release is comprehensive and resolves all issues addressed by the hotfixes in this table:

Release No.

Release Date

Ref ID

Issue

9.3.0-5

21-May-2019

EE-1186

App Enrollment Maintenance – App enrollment for users made on previous versions of SecureAuth IdP works correctly after the upgrade.

9.3.0-4

10-May-2019

EE-1073

Password Reset LDAP Issue – Administrative Password Reset with History Check functionality now works with LDAP containing protocol requirements.

EE-1082

Authentication API Parity – The Yubico OTP option is now available to use via the API and also supported through browser workflow.

EE-1149

Passcode Registration Screen – When using the Default theme, the SecureAuth Passcode registration screen now works correctly.

EE-1167

Incorrect SMS MFA Option – When users select the SMS OTP option, they no longer randomly receive an incorrect Link to Accept message.

EE-1182

Begin Site Redirect Encoding – Begin site redirect no longer double-encodes the request query, which had caused the realm to break and the workflow to halt.

9.3.0-3

12-Apr-2019

EE-1075

Data Parsing in SAML Attribute – Data is now correctly parsed when sent in a SAML attribute.

EE-1124

OIDC Claim Issue – Sub claim is now present when updates are made to library.

EE-1089

Application API Proxy Support – Calls made through the Application API correctly honor proxy settings.

EE-1120

URL Encoding Updates – Updates to URL encoding to ensure security.

EE-1131

Device Fingerprint Space Issue – The Device Fingerprint cookie name now parses correctly if a space is present in the generated cookie name.

EE-1067

Logging Updates – Updates to SecureAuth IdP logs to ensure security.

9.3.0-2

14-Mar-2019

EE-1049

Auto-encrypt Tools Issue – Issue resolved in which auto-encrypting the web.config caused SecureAuth tools to work ineffectively.

EE-1088

SecureAuth IdP Requirements for Login for Windows – Changes made to accommodate AD user check issues addressed in Login for Windows v1.0.4.

9.3.0-1

20-Feb-2019

EE-1030

Google Social ID Login – Modifications made to support Google API updates for Social ID login.

EE-1049

Auto-encrypt Tools Issue – Issue resolved in which auto-encrypting the web.config caused SecureAuth tools to not function effectively.

EE-1056

Web Admin UI Updates – Updates made to the Adaptive Authentication UI reflect supported features.

EE-1067

Logging Updates – Enhancements made to logging ensure greater security.

Affected SecureAuth IdP Version(s): 9.3

Support Information: Contact SecureAuth Support (support.secureauth.com, support@secureauth.com, or 1-866-859-1526) to have the latest hotfix installed on your SecureAuth IdP v9.3.x appliance.
