9.2.0 Hotfixes

The following is a list of hotfixes for SecureAuth IdP version 9.2.0.

Release No. | Release Date | Ref ID | Issue

9.2.0-34

29-Jun-2020

EE-1644

Security Fix – Implemented additional input validation to prevent double curly brackets ( {{ or }} ) in form input fields, including the UserID field.

CVSS Score: 2.0

This hotfix is required for all customers on SecureAuth IdP version 9.2 to ensure the security of the appliance.

9.2.0-33

03-Jun-2020

EE-1680

Debug Log Cleanup – Debug logs required changes.

This hotfix is required for all 9.2 appliances.

EE-1683

Azure AD Email Lookup Failure – SecureAuth IdP was not able to effectively retrieve the email address from the Azure AD data store.

Install this hotfix if you have:

  • Azure AD integrated in the Data tab
  • Email 1 property mapped to an Azure AD attribute
EE-1707

Corrupted CyberArk Username – When using CyberArk for the directory credentials, the username would become corrupted during simultaneous connections.

Install this hotfix if you have:

  • CyberArk integration for the directory integration credentials on the Data tab
EE-1743

WS-Trust Blocking Update – Resolves issue where the WS-Trust Blocking service was not using the appropriate IP address for requests when using a load balancer.

Install this hotfix if you have:

  • WS-Trust Blocking service enabled
  • WS-Trust integrations
9.2.0-32

03-Mar-2020

EE-1373

IP Evaluation Update – Resolves issue where the IP Eval service was not using the appropriate IP address for WS-Trust requests when using a load balancer.

Install this hotfix if you have:

  • IP address evaluation enabled in Adaptive Auth in the Policy OR in the Adaptive Authentication tab
  • WS-Trust integrations
EE-1519

SameSite Cookie attribute support – Required for compatibility with Google Chrome 80.

This hotfix is required for all 9.2 appliances.

Ensure that the Microsoft .NET patch is applied prior to installing this hotfix. Read https://support.secureauth.com/hc/en-us/articles/360038330652 for more information.

EE-1524

Azure AD UPN Domain Check – Resolves issue with unnecessary uppercase and lowercase domain name check in username.

Install this hotfix if you have:

  • Azure AD integrated with SecureAuth IdP
EE-1583

OIDC Session Cleanup – Resolves issue in which sessions were not properly cleared in OIDC realms, making it impossible to log into multiple clients due to values being cached from the first session.

Install this hotfix if you have:

  • OIDC integrations
9.2.0-31

12-Dec-2019

EE-1217

Updates to Audit Logging for OIDC – Audit Logging updated for OIDC workflows to provide more clarity.

Install this hotfix if you have:

  • OIDC integrations
EE-1422

Adaptive Auth API Response Updates – Resolved issue when using the Authentication API for adaptive authentication calls; not all actions were available to enable the desired workflow.

Install this hotfix if you have:

  • Authentication API enabled in the API tab
  • Adaptive Authentication rules enabled and used via the API
EE-1491

Transformation Engine Group Handling – Resolves issue in which the Transformation Engine could not correctly filter groups by full and common name when used together.

Install this hotfix if you have:

  • Transformation Engine enabled and configured
9.2.0-30

30-Sep-2019

EE-1206

TRX Performance Issue – When there is latency reaching the SecureAuth TRX cloud endpoint, it no longer causes application latency, which would impact user login performance. 

This hotfix is required for all 9.2 appliances.

EE-1275

Authenticate App Enrollment Error – URL enrollments no longer fail on devices using iOS 12+ and when push notifications are not allowed for the application.

Install this hotfix if you have:

  • iOS devices using OS versions 12+
  • SecureAuth App Enrollment realm using URL enrollment (versus QR code enrollment)
EE-1315

Arbitrary File Upload Vulnerability - Resolves issue in which an authenticated privileged user could upload arbitrary file types.

CVSS Score: 8.4

This hotfix is required for all customers on SecureAuth IdP version 9.2 to ensure the security of the appliance.

EE-1334

Inline Initialization Attribute Clearing – When using Conditional Access for Azure, the Active Directory attribute values that were added during the Inline Initialization self-service process are no longer being cleared.

Install this hotfix if you have:

  • Conditional Access setup
  • Inline Initialization enabled
EE-1357

mS-DS-ConsistencyGUID Support for Office 365 Integration – The mS-DS-ConsistencyGUID attribute is now supported by SecureAuth IdP to be used as the ImmutableID value for integrations with Office 365.

Install this hotfix if you have:

  • Integration with Office 365
  • Issues using objectGUID as the ImmutableID
EE-1363

Support for AssertionConsumerServiceIndex (SAML) – SecureAuth IdP now supports AssertionConsumerServiceIndex for SAML integrations.

Install this hotfix if you have:

  • SAML integrations that require AssertionConsumerServiceIndex instead of AssertionConsumerServiceURL, for example: Cisco Jabber

For instructions about applying the hotfix for this feature, see SAML integrations using AssertionConsumerServiceIndex hotfix

9.2.0-29

28-Jul-2019

EE-1298

Authentication API Updates for User Risk – When using the Authentication API for adaptive authentication, the User Risk feature is now effectively accessed during analysis.

Install this hotfix if you have:

  • Authentication API enabled in the API tab
  • AND (same realm) User Risk enabled in the Adaptive Authentication tab
9.2.0-28

27-Jun-2019

EE-1220

New userAccountControl Values – SecureAuth IdP now has the most up-to-date userAccountControl values to ensure that certain account statuses are handled appropriately in transactions between LDAP providers and SecureAuth IdP.

Install this hotfix if you have:

  • LDAP directory integrations such as Active Directory (AD) and so on
  • Help Desk functionality to manage LDAP user accounts by means of SecureAuth IdP
EE-1223

Enhance Device Recognition Logging – Device Recognition logging was enhanced to make the results of the analysis clearer.

Install this hotfix if you have:

  • Realms that use Device / Browser Fingerprinting as the Client Side Control (Workflow configuration)
EE-1250

Reporting Page Time Picker – On the Reporting Page, the time picker functionality now works correctly for realms using the 2016 Light Theme.

Install this hotfix if you have:

  • Reporting Page(s) using the 2016 Light Theme
EE-1254

Windows SSO Adaptive Auth Redirect – Realms with Windows SSO for pre-authentication now effectively redirect users per Adaptive Authentication rules.

Install this hotfix if you have:

  • Realms using Windows SSO as a Begin Site
  • AND (same realm) using Adaptive Authentication redirect rules
9.2.0-27

05-Jun-2019

EE-1199

Third-party JavaScript Libraries Vulnerability – jQuery, Bootstrap, and AngularJS have been upgraded due to a flaw in these libraries that may result in XSS.

CVSS Score: 5.2

This hotfix is required for all customers on SecureAuth IdP version 9.2 to ensure the security of the appliance.

EE-1203

Incomplete Revocation of App Enrollments – User device enrollments that are revoked on the self-service page are correctly removed when the user immediately re-registers the same device. 

Install this hotfix if you have:

  • Users who employ SecureAuth Authenticate mobile app for multi-factor authentication (MFA)
  • Self-service Account Update realm(s) that include OATH Token revocation
  • Multi-Factor App Enrollment realm(s)
EE-1210

QR Code Missing Secret – Upon successful login to a QR code app enrollment realm, users are now presented with a correct QR Code when a page is refreshed. 

Install this hotfix if you have:

  • Multi-Factor App Enrollment – QR Code realm(s)
  • Users who employ SecureAuth Authenticate mobile app for MFA
EE-1223

Enhance Device Recognition Logging – Device Recognition logging was enhanced to make the results of the analysis clearer.

Install this hotfix if you have:

  • Realms that use Device / Browser Fingerprinting as the Client Side Control (Workflow configuration)
9.2.0-25

10-May-2019

EE-1082

Authentication API Parity – The Yubico OTP option is now available to use via the API and also supported through browser workflow.

EE-1181

Novell eDirectory Password Reset Parity – Self-service password reset is now supported for eDirectory integrated realms.

EE-1193

JWT Missing Claim – In OAuth 2.0 Client Credential Flow, the ‘sub’ (subject) claim is no longer missing in the JWT.

9.2.0-24

30-Apr-2019

EE-1128

Mobile App PIN Settings – The PIN settings configured for SecureAuth Authenticate are now respected per the configuration or the support.

EE-1120

URL Encoding Updates – Updates made to URL encoding to ensure security.

EE-1131

Device Fingerprint Space Issue – The Device Fingerprint cookie name parses correctly if a space is present in the generated cookie name.

EE-1157

Transformation Debug Logging – Transformation Engine logging is no longer automatically enabled when Debug logging is enabled, which prevents the potential exposure of sensitive information in the logs.

9.2.0-23

14-Mar-2019

EE-1001

Phone Number Validation – Invalid phone number formats can now be used in API calls.

EE-1068

Logging Updates – Updates made to SecureAuth IdP logs ensure security.

EE-1088

SecureAuth IdP Requirements for Login for Windows – Changes made to accommodate AD user check issues addressed in Login for Windows v1.0.4.

9.2.0-21

12-Feb-2019

EE-867

Help Desk Validation Dates Issue – Date values for Certificate Validation Date and Mobile Validation Date fields are no longer missing from the Help Desk page.

EE-1025

Help Desk “Update” User Account – Incorrect profile data is no longer automatically saved since the Update button is now properly disabled.

EE-1027

URL Encoding Update – Updates made to URL encoding to ensure security.

EE-1029

Google Social ID Login – Social ID login feature was updated due to modifications made by Google API.

9.2.0-20

21-Dec-2018

EE-997

OATH Token JSON Encryption Issue – Data is now correctly read when JSON encryption is selected as the OATH token storage method.

EE-1000

Multi-Data Store Timeout – Data tab on a realm configured for multi-data stores now loads faster without timeouts.

9.2.0-19

15-Nov-2018

EE-867

Cert and Mobile Validation Dates – Cert Validation Date and Mobile Validation Date values now correctly populate the Help Desk page.

EE-937

Begin Site Redirect Encoding – Begin site redirect is no longer double encoding the request query, causing the realm to break and the workflow to halt.

9.2.0-19 hotfix – machine learning

Non-issue changes:

  • Installation of FileBeat, MetricBeat, and Cloud Transport Service components which gather information about appliance statistics, software configuration, and end-user authentication events, which are submitted to SecureAuth Cloud.
  • Web.config enhancements to enable the configuration of advanced adaptive capabilities powered by machine learning. Learn more: https://docs.secureauth.com/x/Z5XQAg
9.2.0-18

10-Oct-2018

EE-678

SAML Consumer UI – When adding a provider for SAML consumption, SecureAuth IdP Web Admin UI no longer disables editing provider information.

EE-917

Unable to Save KBQ / KBA Value – When saving the "helpdesk challenge" on the Self-service Account Update page, the user's knowledge based answer is now saved when data is encrypted.

9.2.0-17

07-Sep-2018

EE-899

Debug Logging Issue – Self-service Password Reset page now logs correctly on all configurations.

EE-895

Symantec VIP Credentials Display – Symantec VIP Credentials table now displays all user information on the Help Desk and Self-service pages.

EE-903

Country Check Cloud Services – When Cloud Services are down, users are no longer stopped during login when SecureAuth IdP performs a country check.

9.2.0-13

18-Jul-2018

EE-862

Country Code Support Issue – Certain country codes were not being supported for phone call and / or SMS TOTP delivery.

9.2.0-10

03-Jul-2018

EE-839

Adaptive Authentication IPv6 Processing – Adaptive Authentication policies returned invalid data for users with IPv6 addresses.
9.2.0-9

11-Jun-2018

EE-785

Adaptive Authentication Redirection – Redirecting the user via an Adaptive Authentication policy with a static query string parameter resulted in a query string with an invalid format.

9.2.0-8

05-Jun-2018

EE-743

User Risk Analysis Response – When retrieving a user risk score from certain third-party providers, SecureAuth IdP was not reading a valid score due to a null reference.

9.2.0-7

23-May-2018

EE-769

Windows SSO Enhancement – Some IIS settings necessary for Windows SSO / authentication must be manually entered in the web.config, but SecureAuth IdP would remove all these settings if a change was subsequently made on the Workflow tab.

EE-791

Adaptive Authentication Redirect Caching – SecureAuth IdP was caching query string parameters from previous Adaptive Authentication redirection URLs, causing redirection failures.

9.2.0-5

24-Apr-2018

EE-703

Novell eDirectory Lookup – During login, a user’s profile was not being accessed successfully.

EE-721

CyberArk Vault Credential Lookup – In multi-domain environments, SecureAuth IdP was not able to retrieve credentials successfully.

9.2.0-4

24-Apr-2018

EE-709

SA Cloud Timeout and Fail Open – Due to extended timeouts and no fail open functionality, users were unable to log in when SA Cloud services were down.

9.2.0-3

21-Mar-2018

EE-604

User Risk Score Bearer Token Authorization – The format for the OAuth2 Bearer Token used when importing a User Risk Score was causing an error, resulting in the inability to import the risk score.

9.2.0-2

10-Mar-2018

EE-587

Account Management Updates – Users could access Help Desk pages from the Portal despite not being a member of the designated group set up on the administrative page.

EE-619

Interface / Customization Communication – Customizations referencing a certain interface were no longer able to communicate with it.

EE-616

PIN Not Saved – When updating the PIN field in the self-service realm, the PIN was not successfully saved, causing errors when attempting to use the PIN in subsequent login attempts.


Affected SecureAuth IdP Version(s): 9.2

Support Information: Contact SecureAuth Support (support.secureauth.com, support@secureauth.com, or 1-866-859-1526) to have the latest hotfix installed on your SecureAuth IdP v9.2.x appliance.