
SecureAuth IdP Release Notes provide information on the features and improvements in each release. This page includes Release Notes for major releases and minor (bug fix) releases.

9.2.0 Release Notes

Released on February 1, 2018

Version 9.2.0 New Features

Adaptive Authentication Support for Multiple Third-party User Risk Score Providers

SecureAuth IdP now supports multiple third-party risk score providers for Adaptive Authentication user risk analysis. User risk score providers are integrated through the Web Admin user interface.

Third-party Library Components Upgraded System-wide

Third-party library components in SecureAuth IdP have been upgraded system-wide, so the entire application benefits from the security of the latest software releases.

YubiKey HOTP Supported as a Multi-Factor Authentication Method

SecureAuth's new Multi-Factor Authentication method uses a YubiKey HOTP device for secure and hassle-free login access to a Help Desk page. The YubiKey device must first be configured to provide HMAC-based One-Time Password (OATH-HOTP) authentication before it can be used with a SecureAuth IdP realm.

Login for Endpoints Supports Secure, Passwordless Logins on Mac or Windows Machines

The new Login for Endpoints product gives end-users a secure login experience on a Mac or Windows workstation, or on a remote Windows server, using a SecureAuth Multi-Factor Authentication method. This product, with FIPS 140-2 compliant cryptographic libraries, is newly designed and engineered and replaces the Credential Provider application. After the initial setup and first-time usage, the end-user subsequently logs on without a password by just using a 2-Factor Authentication method.

Automatically convert OATH Seed values into the OATH Token collection

In preparation for transitioning the SecureAuth IdP product to use OATH tokens instead of OATH seeds, you can now convert an existing OATH Seed value to an OATH Token property.

If users have a hard token, or were previously set up to use OATH seed enrollment, then you can map a field to the OATH Token property and make it writable. If the OATH Seed value doesn't exist in the OATH Token collection, then that value will be converted and written to the OATH Token property.

9.2.0 Resolved Issues

| Ref ID | Issue | Description |
| --- | --- | --- |
| IDP-55 | Supported Language "Slovakian" should be "Slovak" | Slovak language option now reflects correct label |
| IDP-563 | Content and Localization Items Triple after Saving | Content and Localization items no longer triple after saving |
| IDP-686 | Status Message on Password Reset Page is Incorrect | System now correctly reflects status of locked-out user |
| IDP-1186 | ASP Provider not Correctly Reading Status of User | ASP provider now correctly reads status of user |
| IDP-2061 | FormPost.aspx.vb | Refined logic handles null value cookies that are returned |
| IDP-2158 | Handle Cases of Lists of IPs in a WS-Trust Request | Refined logic handles IP address formats |
| IDP-2403 | CSVImport Unable to Edit Groups | CSVImport now permits groups to be edited |
| IDP-2500 | Handling of redirect_uri in Native Applications | Refined logic handles redirection URI values |
| IDP-2620 | Upgrading to 9.1 Invalidates OATH Token | Upgrading to 9.1 no longer invalidates OATH token |
| IDP-2664 | LDAP Issue, Invalid Error | Invalid error no longer incorrectly appears |
| IDP-2962 | KBQ/A Duplicate Questions | Inline update allows editing KBQ/A only |
| IDP-2963 | "Testing123" Shows in Verbiage after Upgrading to 9.1 or Hotfix | Verbiage no longer inappropriately appears |
| IDP-2964 | Create User Page Password Discrepancy | Password creation criteria on Create User page is respected |
| IDP-3220 | SMTP Timeout Errors when using SecureAuth API | Refined logic reduces response time |
| IDP-3221 | MFA HID Token Issue | IdP can now read OATHSeed from HID token |
| IDP-3225 | User Blocked on SSPR with OTP App Default Theme | Overlay no longer hides form on submit |
| IDP-3227 | Restart.aspx being Called Intermittently | Refined logic handles SAML assertion |
| IDP-3229 | OIDC - Check Session iFrame | OIDC logic has been refined |
| IDP-3326 | SecureAuth Link-to-Accept and Push-to-Accept not Working through Proxy | Link-to-Accept and Push-to-Accept now work through proxy |

9.2.0 Known Issues

| Ref ID | Issue | Description |
| --- | --- | --- |
| IDP-2413 | Post-Auth: Assertion Signing Certificate Downloads Wrong Certificate Despite Selection | Non-original certificate is downloaded |


If SecureAuth IdP RADIUS Server 2.3.9 is installed and running on SecureAuth IdP, the software must be upgraded to version 2.3.14 after installing SecureAuth IdP version 9.2.


9.2.0 Latest Hotfix

The latest hotfix release is comprehensive and resolves all issues addressed by the hotfixes in this table:

| Release No. | Release Date | Ref ID | Issue |
| --- | --- | --- | --- |
| 9.2.0-25 | 10-May-2019 | EE-1082 | Authentication API Parity – The Yubico OTP option is now available to use via the API and also supported through browser workflow. |
| | | EE-1181 | Novell eDirectory Password Reset Parity – Self-service password reset is now supported for eDirectory integrated realms. |
| | | EE-1193 | JWT Missing Claim – In OAuth 2.0 Client Credential Flow, the ‘sub’ (subject) claim is no longer missing in the JWT. |
| | | EE-1128 | Mobile App PIN Settings – The PIN settings configured for SecureAuth Authenticate are now respected per the configuration or the support. |
| | | EE-1120 | URL Encoding Updates – Updates made to URL encoding to ensure security. |
| | | EE-1131 | Device Fingerprint Space Issue – The Device Fingerprint cookie name parses correctly if a space is present in the generated cookie name. |
| | | EE-1157 | Transformation Debug Logging – Transformation Engine logging is no longer automatically enabled when Debug logging is enabled, which prevents the potential exposure of sensitive information in the logs. |
| 9.2.0-23 | 14-Mar-2019 | EE-1001 | Phone Number Validation – Invalid phone number formats can now be used in API calls. |
| | | EE-1068 | Logging Updates – Updates made to SecureAuth IdP logs ensure security. |
| | | EE-1088 | SecureAuth IdP Requirements for Login for Windows – Changes made to accommodate AD user check issues addressed in Login for Windows v1.0.4. |
| | | EE-867 | Help Desk Validation Dates Issue – Date values for Certificate Validation Date and Mobile Validation Date fields are no longer missing from the Help Desk page. |
| | | EE-1025 | Help Desk “Update” User Account – Incorrect profile data is no longer automatically saved since the Update button is now properly disabled. |
| | | EE-1027 | URL Encoding Update – Updates made to URL encoding to ensure security. |
| | | EE-1029 | Google Social ID Login – Social ID login feature was updated due to modifications made by Google API. |
| 9.2.0-20 | 21-Dec-2018 | EE-997 | OATH Token JSON Encryption Issue – Data is now correctly read when JSON encryption is selected as the OATH token storage method. |
| | | EE-1000 | Multi-Data Store Timeout – Data tab on a realm configured for multi-data stores now loads faster without timeouts. |
| | | EE-867 | Cert and Mobile Validation Dates – Cert Validation Date and Mobile Validation Date values now correctly populate the Help Desk page. |
| | | EE-937 | Begin Site Redirect Encoding – Begin site redirect is no longer double encoding the request query, causing the realm to break and the workflow to halt. |

9.2.0-19 hotfix – machine learning

Non-issue changes:

  • Installation of FileBeat, MetricBeat, and Cloud Transport Service components which gather information about appliance statistics, software configuration, and end-user authentication events, which are submitted to SecureAuth Cloud.
  • Web.config enhancements to enable the configuration of advanced adaptive capabilities powered by machine learning. Learn more:

| Release No. | Release Date | Ref ID | Issue |
| --- | --- | --- | --- |
| 9.2.0-18 | 10-Oct-2018 | EE-678 | SAML Consumer UI – When adding a provider for SAML consumption, SecureAuth IdP Web Admin UI no longer disables editing provider information. |
| | | EE-917 | Unable to Save KBQ / KBA Value – When saving the "helpdesk challenge" on the Self-service Account Update page, the user's knowledge based answer is now saved when data is encrypted. |
| 9.2.0-17 | 07-Sep-2018 | EE-899 | Debug Logging Issue – Self-service Password Reset page now logs correctly on all configurations. |
| | | EE-895 | Symantec VIP Credentials Display – Symantec VIP Credentials table now displays all user information on the Help Desk and Self-service pages. |
| | | EE-903 | Country Check Cloud Services – When Cloud Services are down, users are no longer stopped during login when SecureAuth IdP performs a country check. |
| 9.2.0-13 | 18-Jul-2018 | EE-862 | Country Code Support Issue – Certain country codes were not being supported for phone call and / or SMS TOTP delivery. |
| | | | Adaptive Authentication IPv6 Processing – Adaptive Authentication policies returned invalid data for users with IPv6 addresses. |
| 9.2.0-9 | 11-Jun-2018 | EE-785 | Adaptive Authentication Redirection – Redirecting the user via an Adaptive Authentication policy with a static query string parameter resulted in a query string with an invalid format. |
| 9.2.0-8 | 05-Jun-2018 | EE-743 | User Risk Analysis Response – When retrieving a user risk score from certain third-party providers, SecureAuth IdP was not reading a valid score due to a null reference. |
| | | | Windows SSO Enhancement – Some IIS settings necessary for Windows SSO / authentication must be manually entered in the web.config, but SecureAuth IdP would remove all these settings if a change was subsequently made on the Workflow tab. |
| | | EE-791 | Adaptive Authentication Redirect Caching – SecureAuth IdP was caching query string parameters from previous Adaptive Authentication redirection URLs, causing redirection failures. |
| | | | Novell eDirectory Lookup – During login, a user’s profile was not being accessed successfully. |
| | | | CyberArk Vault Credential Lookup – In multi-domain environments, SecureAuth IdP was not able to retrieve credentials successfully. |
| 9.2.0-4 | 24-Apr-2018 | EE-709 | SA Cloud Timeout and Fail Open – Due to extended timeouts and no fail open functionality, users were unable to log in when SA Cloud services are down. |
| 9.2.0-3 | 21-Mar-2018 | EE-604 | User Risk Score Bearer Token Authorization – The format for the OAuth2 Bearer Token used when importing a User Risk Score was causing an error, resulting in the inability to import the risk score. |
| | | EE-587 | Account Management Updates – Users could access Help Desk pages from the Portal despite not being a member of the designated group set up on the administrative page. |
| | | EE-619 | Interface / Customization Communication – Customizations referencing a certain interface were no longer able to communicate with it. |
| | | EE-616 | PIN Not Saved – When updating the PIN field in the self-service realm, the PIN was not successfully saved, causing errors when attempting to use the PIN in subsequent login attempts. |

Affected SecureAuth IdP Version(s): 9.2

Support Information: Contact SecureAuth Support (1-866-859-1526) to have the latest hotfix installed on your SecureAuth IdP v9.2.x appliance.


9.1.0 Release Notes

Released on July 27, 2017

Version 9.1.0 New Features

  • OTP in Email Subject Line – Allows users the option to read the OTP from the email subject line
  • Licensing Expiration Status in Console – Displays the licensing status of appliance in System Info
  • API Handling for Stateless OTP and DFP – Stateless calls are supported for OTP and DFP
  • Multiple Endpoint Support in YubiKey Pre-Auth Page – Multiple endpoint support allows handling of failover
  • Extending Signing to API Responses – Inbound API responses hash and sign the API key
  • Adaptive Authentication + O365 – Leverages Adaptive Authentication with WS-Trust Request Blocking before user validation to mitigate DDOS attacks
  • YubiKey as a Multi-Factor Method – Enables the option of using YubiKeys as a Multi-Factor Method
  • SecureAuth Link-to-Accept as Multi-Factor Method – Enables the option of using SecureAuth Link-to-Accept as a Multi-Factor Method
  • Local Account Lockout Feature Based on Bad Password Attempts – Provides method to prevent brute force hacking of accounts from locking out users
  • Admin API – An API that configures the Overview and Data settings. Workflow, Multi-Factor Methods, and Post Auth are limited.
  • Device Recognition – Rework of Device Recognition to improve user experience

9.1.0 Resolved Issues

| Ref ID | Issue | Description |
| --- | --- | --- |
| IDP-85 | System slows when Syslog server is down | When Syslog server is offline, access to SecureAuth environment no longer slows |
| IDP-156 | Back button accesses Post Auth page after restart link is clicked | After restart link is clicked, user will be prompted to log in again when clicking the back button |
| IDP-336 | Error messages not appearing when user passwords do not match in 2016 theme | Error message will appear when user's passwords do not match |
| IDP-416 | Error message does not appear using regular expression to validate phone in 2016 theme | Error will appear when phone / field entered does not match the regular expression configuration |
| IDP-692 | "Show 3rd Party App Support" setting missing in Web Admin | The setting is now accessible in the Web Admin |
| IDP-725 | Back button brings user back to site | After logout, the back button does not allow the user to return to the site |
| IDP-912 | IP Threat Service result inconsistency | Results will be consistent regardless of encryption |
| IDP-1271 | Account Management Post Auth page error handling | If a user's attribute update fails, the page will display an error message |
| IDP-1274 | Double click of submit button causes constraint error message | Constraint Violation error no longer shown with double click of submit button |
| IDP-1370 | Certain fields not translating in non-English languages | All fields correctly translate when using other languages |
| IDP-1648 | Additional push notification device created on Self Service page when un/re-installing the iOS app | Only one iPhone is now listed on the Self-service page |
| IDP-1926 | JSON format not supported for SQL | Saving JSON to SQL is successful |
| IDP-1954 | Session cookie timeout displays 401 unauthorized error | The page will be redirected back to the login page instead of showing the 401 unauthorized error |
| IDP-2308 | Error with User ID's case sensitivity with the use of "Remember MFA Options" | UserID does not provoke error via case sensitivity |
| IDP-2350 | IWA validations failing | Improved handling of WS-Trust and Active Requestor Client IWA requests |

9.1.0 Known Issues

| Ref ID | Issue | Description |
| --- | --- | --- |
| IDP-1186 | Max Invalid Password Attempts does not work with SQL provider | Max Invalid Password Attempts setting in the Data tab is not acknowledged by the SQL provider |
| IDP-1557 | User is not notified when device registration fails | When a user attempts to register a device that exceeds the max device account, they are not notified |
| IDP-1662 | Error upon letting the portal page sit for a set length of time on SSO realm | User is unable to proceed after idle timeout length is reached |
| IDP-1881 | "Passwordreset_enternewpassword" value overwritten after hitting "Unlock" button | Custom value for "Passwordreset_enternewpassword" will revert to default if the Unlock button is showing and clicked on Password Reset realm |
| IDP-1935 | Password expiration setting is active even if inline password change is disabled | Users are seeing "password has expired" despite having valid and active passwords |
| IDP-2084 | Images not loading due to HTML containing template markups | Safari has trouble with loading images due to HTML template markups |
| IDP-2166 | Default web UI configurations for Cookie Persistence do not match web.config | The default template in web.config and Admin Console show different configurations |
| IDP-2231 | Test Connection under Data tab fails with error | Test Connection under Data tab fails despite realms being fully functional after upgrade |
| IDP-2241 | Password encrypting bad behavior | When setting the password for a datastore connection, it is not saved but no error is shown |
| IDP-2242 | Error message when ProfileProvider is set to "Same as Above" | Error message appears when ProfileProvider is set to "Same as Above" in OpenLDAP |
| IDP-2403 | CSVImport not able to edit groups | CSVImport does not add users to groups even when GroupList is presented in the CSV |
| IDP-2413 | Assertion signing certificate downloads wrong certificate in Post Auth tab | The wrong cert is downloaded when user attempts to download SAML signing cert from the Post Auth tab |
| IDP-2440 | Password decrypting issues causes service account lockout | Cert permissions are missing due to access issues |
| IDP-2496 | False API response when SMTP relay does not send email | When SMTP relay does not send an email, the log reflects that the email delivery failed despite API responding with success |

9.1.0 Latest Hotfix

The latest hotfix release is comprehensive and resolves all issues addressed by the hotfixes in this table:

| Release No. | Release Date | Ref ID | Issue |
| --- | --- | --- | --- |
| 9.1.0-48 | 10-May-2019 | EE-1179 | Inline Password Reset Issue – Using the 2016 Light Theme, the Inline Password Reset pages now work as expected for all use cases. |
| 9.1.0-47 | 14-Mar-2019 | EE-1131 | Device Fingerprint Space Issue – The Device Fingerprint cookie name now parses correctly if a space was present in the generated cookie name. |
| | | EE-1069 | Logging Updates – Updates to SecureAuth IdP logs to ensure security. |
| | | | URL Encoding Updates – Updates to URL encoding to ensure security. |
| | | EE-930 | Log Database Collection – SecureAuth IdP no longer stops creating log entries when records grow very large (2,147,483,647+). |
| | | EE-986 | Google ID Social Login – Issue resolved in which Google API changes caused SecureAuth IdP’s social login feature for Google Apps to stop working. |
| | | EE-991 | Begin Site Redirect Encoding – Begin site redirect is no longer double encoding the request query which had been causing the realm to break and the workflow to halt. |
| | | EE-906 | eDirectory Group Issue – Error no longer occurs when attempting to add a user to a group in eDirectory via the Create User function. |
| | | EE-123 | Timeout Message Display – When users are logged out of Secure Portal based on timeout, the notification now displays the timeout message configured on the realm. |
| | | EE-847 | OIDC Subject Claim Issue – Introspection endpoint was failing when access token subject claim contained a client ID. |
| | | EE-786 | OIDC EndSession Redirect – Redirect and session end was not occurring due to the 'post_logout_redirect_uri' parameter requiring the presence of the 'id_token_hint' parameter. Redirect now functions with the presence of 'client_id' only, and does not require 'id_token_hint'. |
| | | | Create User Failure for eDirectory – Create User page integrated with eDirectory was not functioning due to hardcoded attribute information. NOTE: This fix enables the creation of users, but certain functionalities of the page are not supported for eDirectory at this time. |
| | | | Proxy Settings for OIDC Encryption Key Retrieval – Proxy settings configured in SecureAuth IdP are not applied when retrieving OIDC encryption keys. |
| | | | Create User Group Designation SQL – Create User page with SQL data store integration does not associate users to groups on the page during creation. NOTE: This fix requires a new stored procedure provided by SecureAuth Support (see contact information below). |
| | | | Novell eDirectory Lookup – During login, a user’s profile was not accessed successfully and the self-service password reset was unsupported. |
| | | EE-642 | Mobile QR Code Enrollment – When device limitation is enforced, false errors would occur during QR code enrollment. |
| | | EE-703 | SA Cloud Timeout and Fail Open – Due to extended timeouts and no fail open functionality, users were unable to log in when SA Cloud services are down. |
| | | EE-446 | Errant Calls to Invalid URLs – Calls made for IP Evaluation were hitting the wrong endpoint URLs. |
| | | EE-629 | Bad IPv6 Handling – During Adaptive Authentication analysis, IPv6 calls created issues with the evaluation. |
| 9.1.0-39 or earlier | Various | EE-559 | JWT Missing Claim – In OAuth 2.0 Client Credential Flow, the ‘sub’ (subject) claim was missing in the JWT. |
| | | EE-586 | Encryption Functionality – Encryption functionality was static due to the disability of this feature. |
| | | EE-533 | OTPValidateThrottle PUT Call – OTPValidateThrottle PUT call was resetting the count for both values (Select vs. Validate counts). |
| | | | Self-service PIN Update – The Update button needed two clicks to save new PIN information. |
| | | EE-470 | RADIUS Server Timeouts – RADIUS Server requests were timing out when under a high load. |
| | | EE-482 | Slow Response – When connected to a Syslog Server, too many UDP clients created a massive slow down. |
| | | EE-417 | Tivoli Directory Device Recognition – Device / Browser Profiles were not accurately saved to Tivoli user profiles. |
| | | EE-483 | Link-to-Accept with Proxy – Link-to-Accept did not properly go through the configured proxy settings (both SMS and email). |
| | | EE-480 | Device Recognition on IE10 – PixelRatio property analyzed for fingerprinting was unsupported in IE10 and therefore returned a null response and invalid browser profile. |
| | | EE-464 | YubiKey Validation Call Failure – API calls to validate the YubiKey login fail due to character limitations in the string. |
| | | EE-376 | Account Management Error – Updating the OATH Seed on the Account Management page created an error due to split directory integrations for membership and profile. |
| | | EE-429 | SMTP Timeout Errors – Using the Authentication API to request OTP emails, the user experienced SMTP timeout errors. |
| | | EE-366 | HID Token Read Failure – Login process was unable to read the OATH Seed from an HID token for MFA, and SecureAuth IdP was unable to read the OATH Seed from HID token for post-authentication. |
| | | EE-337 | 2016 Light Theme Login Page – When pasting a password (from password manager, for example), the Submit button did not change color and the mouse cursor showed the ‘no entry’ icon. Clicking the button worked, but visually appeared as though it would not. |
| | | EE-329 | Verbiage Customizations – When a user’s browser is not set to English and the preferred language is not selected in the SecureAuth IdP configuration, then the browser defaulted to English, but without the verbiage customizations made in the Web Admin. |
| | | EE-345 | Invalid Username not Updating – With workflow type set to Username & Password, when the user entered an invalid username and then corrected it, the username was still considered invalid and the page reverted the text back to the original invalid entry. |
| | | EE-328 | OTPValidate Throttle not Counting – Instead of creating a unique counter for OTPValidate, the MultiFactorIntervalThrottle counter was used instead. |
| | | EE-320 | Login for Windows UI – Various UI defects were resolved in Login for Windows. |
| | | EE-303 | Username Overflow – On the Account Management page, the username overflowed into the next text box. |
| | | EE-295 | OIDC Redirect URI with Localhost – For OIDC integrations, the Redirect URI did not support localhost. |
| | | EE-248 | NumberProfile API Server Error – Requests to the phone number analysis endpoint with an invalid number (e.g. 123456789) generated a server error response. |
| | | EE-265 | Password Requirements for Create User Page – Password requirements configured on the Web Admin were not applied to the Create User page. |
| | | EE-263 | Unwanted Verbiage on Page – A flag on a page displayed unwanted verbiage on client-side pages. |
| | | EE-203 | Duplicate Knowledge Based Questions – Users were able to select the same KBQ multiple times, thus only having one question to answer for Multi-Factor Authentication. |
| | | EE-255 | No Automatic Redirect – Users were not automatically redirected from SecureAuth IdP with an OIDC token to the relaying application. |
| | | EE-212 | Invalid User Error – LDAP users attempting to log in continually received an “Invalid User” error. |
| | | EE-202 | OATH Token Invalidation – After upgrading to version 9.1, existing OATH Tokens were no longer valid and required re-provisioning. |
| | | IDP-1721 | Login for Windows Configuration – Configuration settings for new Login for Windows product were not available in the Web Admin. |
| | | EE-183 | FIPS Compliance – SecureAuth IdP updates were made for FIPS Compliance requirements. |
| | | IDP-2554 | Admin API HMAC Authentication – It was possible to remove HMAC authentication from the Admin API. |
| | | | Authentication API Throttling – The Multi-Factor Throttling count doubled based on selection and validation of the OTP, thereby rendering the configuration inaccurate. |
| | | IDP-2524 | Web.config URL Update – Values for some URLs were incorrect in the web.config. |
| | | IDP-2486 | Compilation Error – The SISU code file contained a compilation error. |
| | | IDP-2516 | ChangePassword Error – Username was missing a domain slash for Change Password via the API. |
| | | IDP-2497 | Link-to-Accept UI Update – Color of the button was incorrect. |
| | | IDP-2512 | Authentication API OATH Token Failure – OATH Token was not working as a viable Multi-Factor Authentication option via the Authentication API. |

Affected SecureAuth IdP Version(s): 9.1

Support Information: Contact SecureAuth Support (1-866-859-1526) to have the latest hotfix installed on your SecureAuth IdP v9.1.x appliance.
