Release Notes Archive | Cloud Authentication Service and RSA SecurID Authenticate Apps

Document created by RSA Information Design and Development on Jan 3, 2019Last modified by RSA Information Design and Development on Apr 19, 2019
Version 7Show Document
  • View in full screen mode

This document contains release notes for releases prior to March 2018. For the most current release notes, see RSA SecurID® Access Release Notes: Cloud Authentication Service and RSA SecurID Authenticate App.

March 2018 - Cloud Authentication Service

RSA SecurID Authenticate 1.5.6 for iOS and RSA SecurID Authenticate 1.5.8 for Android contain the following updates:

  • To ensure that your users have a consistent and familiar experience and to leverage the native biometric authentication capabilities of mobile devices, Eyeprint ID has been removed from the apps. Eyeprint biometric data stored within the apps on these devices is removed. As a reminder, RSA does not store any biometric data in the Cloud Authentication Service.

    If Eyeprint ID is an authentication option in your assurance levels, remove it. If users are prompted to use Eyeprint ID, the apps present a message instructing the users to select a different option in the browser or VPN.

  • As part of this change, Face ID is now officially supported as an option for the Device Biometrics authentication method, along with Touch ID and Android fingerprint.

  • Bug fixes.

February 28, 2018 - RSA SecurID Authenticate Apps

RSA SecurID Authenticate 1.5.7 for Android includes bug fixes.

February 23, 2018 - Identity Router Update Available

If you downloaded the identity router template or applied the identity router update between February 10, 2018 and today, certain browsers, including Chrome and Internet Explorer on Windows, might reject the self-signed certificate presented by the Identity Router Setup Console. This issue prevents you from accessing the Setup Console.

This issue does not affect you if you did not update your identity routers using the February 10 release. When you do update your identity routers, the fix for this issue will be included in the update.

If you encounter this issue, you can fix it by performing the following actions:

  • If you downloaded the virtual machine image on or after February 10 but have not yet deployed or registered it, you must download and use the latest the image. For instructions, click here.
  • If you updated and registered your identity router on or after February 10 but did not upload your own certificate, you must perform the update again, as described here. The identity router does not show OUT_OF_DATE status, but you must still update it with the latest patch to resolve this issue.

February 2018 - Cloud Authentication Service

The Cloud Authentication Service includes the following features and bug fixes.

Note:   RSA strongly recommends that you deploy this update on identity routers in your test environment and become familiar with all changes before updating identity routers in your production environment. For questions or to report issues, contact RSA Customer Support.

Enhanced Authentication Method Availability

SMS Tokencode and Voice Tokencode are now available as authentication methods in RADIUS and SSO Agent deployments. You must update your cluster to allow this capability.

FIDO Tokens are now available as an authentication method in relying party deployments. In SSO Agent deployments, you must update your cluster to continue using FIDO Tokens, and existing FIDO Token users will need to re-register their FIDO Tokens.

Additional Authentication Screens Presented in SSO Agent Deployments

The Cloud Authentication Service now presents the browser-based additional authentication screens to users in both SSO Agent and relying party deployments. In the past, the identity router presented these screens to SSO Agent deployment users, although the Cloud Authentication Service verified the users. As a result of this, users' default authentication preferences are reset. After the reset, authentication behaves the same as in the previous release, described here: Also, if you have restrictive internet access policies, you must ensure that users are allowed to access your company's authentication service domain. To view your authentication service domain, click Platform > Identity Routers > Edit (to the right of an identity router) > Registration.

Improved Cluster Mapping for Authentication Requests

Identity routers now send authentication requests only to the directory servers that are assigned to the cluster for that identity router. You do not need to perform additional configuration to make this happen.

Support for IP Address-Based Conditions in Access Policies for Office 365 STS Apps

The identity router can access client IP addresses from header information provided by Microsoft for Office 365 ActiveSync and Outlook clients that use legacy authentication. You can use conditions in access policies to configure access and authentication requirements based on these client IP addresses. For more information, see the Microsoft Office 365 STS - RSA SecurID Access WS-Federation Implementation Guide on RSA Link.

RSA SecurID Authenticate App Releases

RSA SecurID Authenticate 1.5.5 for iOS and RSA SecurID Authenticate 1.5.6 for Android include increased reliability of push notifications from the Cloud Authentication Service and bug fixes.

Cloud Administration Console Improvements

The Cloud Administration Console was enhanced to improve reliability and failover. Additional improvements include:

  • The console sign-in page has been modified to improve usability.
  • The dashboard page provides monthly usage information for SMS Tokencode and Voice Tokencode.
  • On the Users > Management page, a Super Admin or Help Desk Admin can click a refresh button to synchronize an individual user from an identity source.

Terminology Update

In the user authentication interface for RADIUS, relying parties, and SSO Agent, the term Fingerprint has been replaced with Device Biometric. Device Biometric includes Fingerprint and Face ID.

Fixed Issues

NGX-17834. When a user authenticates to an HFED application and RSA SecurID Access does not receive a response from the application, RSA SecurID Access displays an appropriate timeout error.

NGX-17855. If you test the identity source connection, click Refresh Attributes on the User Attributes page, save changes, publish, and synchronize, you no longer see a failed synchronization message if the LDAP directory server is running and SSL certificates are invalid. Instead, a message instructs you to check the SSL configuration and certificates.

NGX-17883. If the IP address of a RADIUS client device is translated using Network Address Translation (NAT) before connecting to the identity router RADIUS server, the server responds and no longer times out prematurely.

NGX-17928. If RSA Authentication Manager is connected to the Cloud Authentication Service but cannot be reached by the identity router, and a user attempts RADIUS authentication using an RSA SecurID Token or an invalid RSA Authenticate Tokencode, the User Event Monitor now displays an appropriate timeout message.

NGX-18434. When you deploy a custom portal and add a trusted header application to proxy the web traffic between users and the custom portal web server, the web servers created using HTTPS or Both (HTTP/HTTPS) now function correctly.

NGX-18518. Authentications from the identity router to HTTP Federation applications that were configured for HTTPS or BOTH and were incorrectly sent over HTTP are now configured and sent correctly.

NGX-18642. The initial publish to identity routers no longer fails after the Cloud Authentication Service has been upgraded.

November 2017 - Cloud Authentication Service

The Cloud Authentication Service includes the following feature and bug fixes.

Voice Tokencode

RSA SecurID Access has a new authentication method, Voice Tokencode. When RSA enables this feature, a user can request RSA SecurID Access to call the user’s phone and provide a six-digit code, which the user enters to access a protected resource. This method is handy for emergency access, for example, when the user cannot access a registered device or RSA SecurID Token.

Device Biometrics

In the Cloud Administration Console, the Assurance Levels page (Access > Assurance Levels) has replaced the Fingerprint option with Device Biometrics. When you select Device Biometrics for an assurance level, users can select Biometrics as an authentication option and use fingerprint if they registered fingerprint on their devices. Other biometric methods will be supported in future releases.

Miscellaneous Upgrades

The November release will also include several miscellaneous infrastructure upgrades and bug fixes.

November 2017 - RSA SecurID Authenticate Apps

RSA SecurID Authenticate 1.0.4 for Windows contains bug fixes.

All users of this app should update to this version. Users who have installed the app on a PC can update on their own. Users of the app on Windows phones require administrative assistance. An administrator must first delete the users' Windows phones in the Cloud Administration Console, and then the users must complete device registration again.

October 2017 - Cloud Authentication Service

The Cloud Authentication Service includes the following feature and bug fixes.

Multifactor Authentication to Protect Microsoft Azure Active Directory

You can protect Microsoft Azure Active Directory applications, the Azure Active Directory application portal, and the Azure AD admin console with RSA SecurID Access multifactor authentication. For instructions, see

End User Toolkit Update

The End User Toolkit now contains step-by-step instructions for RSA SecurID Authenticate device registration, available in HTML, PDF, and video. See

Fixed Issues

The Cloud Authentication Service includes numerous fixes, including the following.

NGX-17664 - After a user successfully authenticates with an RSA SecurID token in New PIN Mode, the message “3006 Device deletion failed” is no longer logged in the User Event Monitor.

NGX-17927 - If the name configured for an application in the Cloud Administration Console contains more than 32 characters, the RSA SecurID Authenticate app no longer truncates the name when prompting users for authentication credentials.

NGX-17960 - On the User Management page, if you highlight all or part of the user’s SMS phone number while updating it, the Save button is now activated after you type the replacement number.

NGX- 17964 - If an Android user is trying to authenticate with Fingerprint or Eyeprint Verification to an authentication client or custom client developed with the RSA SecurID Authentication API, RSA SecurID Access no longer sends an actionable notification (Approve/Deny) to the user.

NGX-17986 - When a user reaches the limit for failed authentication attempts using RSA SecurID Authenticate Tokencode, the audit trail now continues to record additional authentication attempts after the method is locked.

NGX-18007 - In an SSO Agent deployment, when configuring an application to use SP-initiated SAML with the HTTP REDIRECT binding, the Choose File button for certificate upload is now disabled to reflect that signed SAML requests are not supported for the redirect binding method.

NGX-18137 - In an SSO Agent deployment, importing metadata from an XML file for a new SAML Direct application created from a template now works properly in Internet Explorer 10 and 11.

NGX-18261 - The +ADD buttons on the Access > Assurance Levels page of the Cloud Administration Console no longer appear inactive in some deployments, and new assurance levels can be added normally.

October 2017 - RSA SecurID Authenticate Apps

RSA SecurID Authenticate 1.5.4 for Android contains the following updates:

  • Qualified on Android 8.0 (Android O)
  • Bug fixes

September 2017 - Cloud Authentication Service

The Cloud Authentication Service includes the following new features and enhancements.

Support for Installing Identity Routers as Microsoft Hyper-V® Virtual Machines

RSA SecurID Access supports installing identity routers as Microsoft Hyper-V-based virtual machines. You can use the Cloud Administration Console to download a Microsoft Hyper-V Virtual Hard Disk (VHD) image, which includes all necessary identity router applications.

Download User Reports

You can use the Cloud Administration Console to create a report listing all users who have been synchronized from identity sources to the Cloud Authentication Service and download the report to a .CSV file. The report provides dates for user account creation and update, and information about user devices and authenticators.

Improved Visibility of Authentication Options When Configuring Access Policies

When you select the assurance level for an access policy, the Cloud Administration Console displays the authentication options for the level that you selected and all higher levels. For example, if you select Low, the console displays options from the Low, Medium, and High assurance levels. End users may see options for all levels but are not presented with options they cannot complete.

New Videos for End Users

The RSA SecurID Access End User Toolkit now includes two YouTube videos that you can use to show your users how to authenticate with the Approve and Fingerprint authentication methods.

Fixed Issues

The Cloud Authentication Service includes numerous fixes, including the following.

NGX-17635 - When a user authenticates to an authentication client or a custom client developed with the RSA SecurID Authentication API, the User Event Monitor no longer displays unnecessary "Device registration succeeded" and "Device deletion succeeded" messages.

NGX-17934 - After you modify administrator API settings in the Cloud Administration Console, the publishing status bar no longer displays “Changes Pending” to indicate that the new settings must be published.

NGX-18264 - You can now edit, delete, and export metadata from a configuration for a SAML 2 Generic Direct SP application with an expired certificate. Open the edit page in the Cloud Administration Console and upload a new certificate if necessary.

August 2017 - Cloud Authentication Service

The Cloud Authentication Service includes the following new features and enhancements:

  • Improved authentication experience during single sign-on
  • RADIUS events sent to Syslog (user authentication, start and stop)
  • RADIUS support for Fingerprint and Eyeprint ID
  • SMS Tokencode authentication method
  • Additional authentication for the Cloud Administration Console
  • Just-in-time synchronization for LDAP user records
  • Configurable security levels for identity router connection ciphers
  • Authenticate app updates
  • Numerous additional improvements

Note:  To take full advantage of new features, make sure you update your identity router. For instructions, see on RSA Link.

For the latest product documentation, see the RSA SecurID Access Documentation page at

Improved Authentication Experience During Single Sign-On

The authentication experience for users trying to access a protected application in an SSO Agent deployment has been improved by displaying more options to complete authentication. Users can select options from the required assurance level and higher assurance levels. For example, if an application has a policy that requires a certain set of users to use the Low assurance level, then those users accessing the application can authenticate using an authentication method defined for the Low, Medium, or High level.

RADIUS Improvements

RADIUS for the Cloud Authentication Service provides the following improvements.

RADIUS events (such as user authentication and start and stop events) are sent to Syslog.The identity router sends RADIUS events to the Syslog server if you enable logging for identity router system events in the Cloud Administration Console.
Support for Fingerprint and Eyeprint ID authenticationRADIUS supports the Fingerprint and Eyeprint ID authentication methods. Users with registered compatible mobile devices can use these methods for RADIUS authentication if allowed by the access policy for the RADIUS client.

SMS Tokencode Authentication Method

RSA SecurID Access has a new authentication method, SMS Tokencode. When RSA enables this feature, the Cloud Authentication Service can send a six-digit code to the user's mobile phone in a text message. This method is useful for emergency access, for example, when the user cannot locate the device used to register the Authenticate app. SMS Tokencodes can be sent to phone numbers that are synchronized from LDAP directory servers, or administrators can enter user phone numbers manually. Contact RSA Customer Support for more information.

Additional Authentication for the Cloud Administration Console

You can require additional authentication factors, such as tokencodes or push notifications, to protect the Cloud Administration Console. Passwords are still required. You configure an access policy to set up authentication requirements for the console just as you do for other resources. Use the policy to specify different access requirements for administrators based on identity source attributes and conditional attributes.

Just-in-Time Synchronization for LDAP User Records

Just-in-time synchronization automatically adds or updates user records in the Cloud Authentication Service when users attempt to register a device or access a protected resource. When this feature is enabled, the user records and related attributes in the Cloud Authentication Service stay up-to-date without administrative action. An administrator never needs to add user records through manual or scheduled synchronization. Contact RSA Customer Support to enable just-in-time synchronization.

Configurable Security Levels for Identity Router Connection Ciphers

Security levels determine the cipher requirements for connections between the identity router and other components such as user browsers and load balancers. Using the Cloud Administration Console, you can view cipher requirements for incoming and outgoing connections, and modify the security level for incoming connections.

Authenticate App Updates

RSA SecurID Authenticate 1.5.3 for Android, RSA SecurID Authenticate 1.5.4 for iOS, and RSA SecurID Authenticate 1.0.3 for Windows 10 contain the following updates:

  • (Android only) New minimum Android operating system of version 5.0. With the release of RSA SecurID Authenticate 1.5.3 for Android, earlier versions of the app will no longer be supported, and the app will no longer be available in Google Play for devices that do not meet this new minimum OS requirement. Encourage your end users to upgrade to Android version 5.0 or higher.

  • Improved backup support for communication between the app and RSA SecurID Access.
  • Updated RSA SecurID Access logo.

  • Bug fixes.

Additional Improvements

The Cloud Authentication Service contains the following additional improvements:

  • The Welcome page of the Identity Router VMware Console includes detailed instructions for navigation, selection, and saving configuration changes. When you save your settings, the console displays a progress bar and status messages.
  • In the Cloud Administration Console, service providers are now managed in Authentication Clients > Relying Parties.
  • There is now only one RSA SecurID Access Solution Architecture Workbook. The region-specific information is available within the workbook.

Fixed Issues

The Cloud Authentication Service includes numerous fixes, including the following.

NGX-17207 - If an identity router is originally configured as part of a non-default cluster, changing settings for that identity router in the Cloud Administration Console no longer resets the cluster back to default when you navigated back to the Basic Information page for the identity router.

NGX-17456 - After you complete an initial setup option, the dashboard now shows the System Summary screen.

NGX-17603 - When you set up an identity router with single sign-on (SSO) disabled, you are no longer required to enter a Portal Hostname.

NGX-17615 - When you connect to the identity router through SSH using the idradmin account, messages regarding the Enterprise Connector no longer appear.

NGX-16883 - This fix applies when an identity source is configured for multiple replica directory servers and each server is assigned to a different cluster. When a user signs in to the application portal, the identity router authenticates the user through the directory servers in the cluster to which the identity router belongs.

NGX-17333 - If a user attempts to access two applications from the application portal on two different browsers using the same mobile authentication method, and the user successfully responds to both mobile notifications, each application can authenticate successfully.

If a user attempts to access two applications from the application portal on the same browser and both applications are protected by the same assurance level, and the user successfully responds to the authentication prompt, only the first tab where the user clicks Continue on the Remember This Browser screen can be opened. The second attempt displays an error message. The user must launch the second application from the application portal again, but is not required to provide additional authentication.

NGX-17660 - If the user selects an authentication method from the list of available options, the selected method reliably persists when clicked, and authentication begins.

NGX-17700 - A user with an Android device with a time delay of two minutes or more can now complete device registration using RSA SecurID Authenticate versions 1.4 through 1.5.1.



You are here
Release Notes Archive | Cloud Authentication Service and RSA SecurID Authenticate Apps