Release Notes Archive - Cloud Authentication Service and RSA SecurID Authenticate Apps

Document created by RSA Information Design and Development Employee on Jan 3, 2019
Last modified by RSA Information Design and Development Employee on Nov 17, 2020
Version 23

This document contains release notes for releases prior to December 2019. For the most current release notes, see RSA SecurID Access Release Notes: Cloud Authentication Service and RSA SecurID Authenticate App.

November 2019 - Cloud Authentication Service (Identity Router)

The November 2019 release includes the following features and benefits.

Identity Router Update Schedule and Versions

Identity routers will be updated according to the following schedule.

                       
Date | Description
12/4/19 | Updated identity router software is available to all customers.
1/25/2020 | Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually.
2/22/2020 | If you postponed the default date, this is the last day when updates can be performed.

The new identity router software versions are:

                   
Deployment Type | Version
On-premises | 2.8.0.0.5
Amazon Cloud | RSA_Identity_Router 2.8.0.0.6

RADIUS Support for Emergency Tokencode

Emergency Tokencode is supported for thick RADIUS clients and for Cisco Adaptive Security Appliance (ASA). RADIUS users who forget or misplace their registered devices can access protected SaaS and web applications using Emergency Tokencode by selecting it from the list of available authentication options. You can also customize your Cisco ASA to accept Emergency Tokencode.

Note:  If you are planning to use Emergency Tokencode, perform the customization before you update the identity router.

For instructions, see Customize the RSA SecurID Access Web Interface for a Cisco Adaptive Security Appliance.

SAML Configuration Improvements

The following configuration improvements affect SAML-enabled web applications when the Cloud Authentication Service is the identity provider:

  • You can require the identity provider to send AuthnContextClassRef in the SAML response as PasswordProtectedTransport to indicate that the password exchange must use a secure transport method. Currently, AuthnContextClassRef is sent as Password.

  • You can configure multivalued attributes to send each value in a separate attributeValue element. Currently, these values are separated by commas.

For instructions, see Configure Advanced Settings for a SAML Connection.
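
Added example (not RSA code): a service-provider-side check in Python showing what the two settings above change in the assertion and why separate AttributeValue elements matter for group checks. The sample assertions, the attribute name groups and the group DNs are constructed; signature and condition validation are assumed to have been done already by the SAML library.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
AC_PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed sample data (not taken from any real deployment).
VPN = "CN=VPN Users,OU=Groups,DC=example,DC=com"
ADMINS = "CN=Admins,OU=Groups,DC=example,DC=com"


def sample_assertion(class_ref, group_values):
    """Build a minimal, unsigned assertion fragment for the demo."""
    values = "".join(
        f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in group_values
    )
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
        "<saml:AuthnStatement><saml:AuthnContext>"
        f"<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>"
        "</saml:AuthnContext></saml:AuthnStatement>"
        "<saml:AttributeStatement>"
        f'<saml:Attribute Name="groups">{values}</saml:Attribute>'
        "</saml:AttributeStatement></saml:Assertion>"
    )


# Old behaviour: Password class, multivalued attribute joined with commas.
LEGACY = sample_assertion(AC_PASSWORD, [",".join([VPN, ADMINS])])
# New options enabled: PasswordProtectedTransport, one element per value.
CURRENT = sample_assertion(AC_PPT, [VPN, ADMINS])


def parse_assertion(xml_text):
    """Return (AuthnContextClassRef, {attribute name: [values]})."""
    root = ET.fromstring(xml_text)
    ref = root.find(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS
    )
    attrs = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [
            (v.text or "").strip()
            for v in attr.findall("saml:AttributeValue", NS)
        ]
    class_ref = (ref.text or "").strip() if ref is not None else None
    return class_ref, attrs


def naive_comma_split(value):
    """What a consumer of the comma-joined form is tempted to do."""
    return value.split(",")


def evaluate(xml_text, required_group, required_class=AC_PPT):
    """Check the authentication context and an exact group membership."""
    class_ref, attrs = parse_assertion(xml_text)
    findings = []
    if class_ref != required_class:
        findings.append(
            f"AuthnContextClassRef is {class_ref!r}, expected {required_class!r}"
        )
    groups = attrs.get("groups", [])
    # Heuristic: one value containing commas cannot be told apart from
    # several values joined together, so flag it instead of guessing.
    if len(groups) == 1 and "," in groups[0]:
        findings.append(
            "groups has one AttributeValue containing commas: cannot tell "
            "a single DN from several joined values"
        )
    # Exact match per element; no substring or comma-split matching on DNs.
    member = required_group in groups
    return {"class_ref": class_ref, "groups": groups,
            "member": member, "findings": findings}


if __name__ == "__main__":
    for label, xml_text in (("legacy", LEGACY), ("current", CURRENT)):
        result = evaluate(xml_text, VPN)
        print(label, "member:", result["member"])
        for finding in result["findings"]:
            print("  finding:", finding)
    joined = parse_assertion(LEGACY)[1]["groups"][0]
    print("naive split of joined value:", naive_comma_split(joined))
```

Splitting the joined value on commas yields DN fragments rather than the two group names, which is why the per-element form is the safer input for authorization decisions.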

Customizable Attribute Mappings for Active Directory Identity Sources

You can now customize the default attribute mappings for Active Directory identity sources. For more information, see Directory Server Attributes Synchronized for Authentication.

Improved Documentation for Access Policies

RSA Link now provides complete documentation describing how to use operators when specifying LDAP attributes in access policies. For more information, see Operators for Using LDAP Attributes in Access Policies.

Fixed Issues

                                       
Fixed Issue | Description
NGX-37423 | When the Cloud identity provider was configured for RSA SecurID Access manages all authentication with Password as the primary authentication method, iOS auto-populated the password field with a suggested strong password and forced the user to choose a password. This problem no longer occurs and users are simply prompted to enter the email address and password.
NGX-37397 | Previously, in environments that used the SSO Agent with a load balancer, when the load balancer checked the identity router health status and no alternate Cloud Authentication Service IPs were reachable, the identity router status servlet reported the identity router as unhealthy. As a result, the load balancer stopped sending traffic to the identity router. This problem has been fixed.
NGX-37059 | Previously, when domain certificates that had been uploaded to the Cloud Authentication Service expired, administrators were unable to navigate to other console pages, including the Authentication API Keys. Now, a warning message appears when certificates expire and navigation to other pages is allowed.
NGX-35793 | Approve authentication through the MFA Agent was failing because inactive notifications were being sent to the user's device. This problem has been fixed.
NGX-34903 | In some deployments, users were able to access SAML and Windows O365 applications directly with an expired LDAP password. Now, users are prompted to change their passwords when the option to allow password change is enabled.
NGX-34426 | Previously, a security vulnerability was found in a version of jQuery-ui included in the identity router. The jQuery-ui was upgraded to a newer version to address this vulnerability.
NGX-33608 | The security vulnerability affecting session fixation for the identity router setup console and web portal was fixed.

Known Issues

                   
Known Issue | Description
NGX-16781 | Problem: The identity router does not reliably route traffic to some services when multiple services are hosted by the same network resource. For example, if your DNS server and Active Directory server share the same IP address, the identity router might not route traffic properly to either service.

Workaround: Configure DNS, gateways, and other network infrastructure services on dedicated servers that do not host other services for RSA SecurID Access.

NGX-38137 | Problem: Multifactor authentication fails when a company (deployment) has the following configuration settings:

  • The RSA Setup Administrator selected Allow access to Authenticate Tokencode, Approve, Device Biometrics and FIDO Token for the company.

  • The resource is protected by a preconfigured access policy.

Authentication fails with the message "No challenge methods found for given policy."

Workaround: Use a custom access policy.

November 14, 2019 - RSA SecurID Authenticate for Windows 10 App

RSA SecurID Authenticate 3.2 for Windows 10 allows a user to add up to 10 different accounts (formerly called companies) in the app and contains bug fixes.

October 2019 - Cloud Authentication Service

The October 2019 release includes the following features and benefits.

Enable Password-Less Authentication Using FIDO2 Tokens When Authenticating to Service Providers

You can now specify FIDO Token as a primary authentication option when configuring service providers. To authenticate with this option, a user must have a FIDO2 token that requires multifactor authentication on the token (such as PIN or biometric), the user must set up the token multifactor authentication, and the user must register the FIDO Token in My Page. For more information, see Cloud Authentication Service User Requirements.

Add Your Own Customized Logos to User Authentication Pages

You will be able to customize pages used for additional authentication by adding your own logo when you configure RSA SecurID Access My Page. For instructions, see Manage RSA SecurID Access My Page.

User Event Log API Provides Details on Users' Identity Confidence Scores

The Cloud Administration User Event Log API will return the overall identity confidence score, including threshold and category scores (behavior, location and device) for users. Previously this information was exposed only in the User Event Monitor. Through the API, you can now export user risk information to any Security Information and Event Management (SIEM) platform for further analysis. For more information, see Cloud Administration User Event Log API.

Full Support for Adding 10 Accounts in RSA SecurID Authenticate App Releases

RSA SecurID Authenticate 3.1 for iOS allows a user to add up to 10 different accounts (formerly called companies) in the app and contains bug fixes. A November release of RSA SecurID Authenticate for Windows will allow a user to add up to 10 different accounts.

RSA is aware of the current iOS 13 issue in which the Touch ID screens do not display when a user is trying to authenticate with Touch ID on some devices. For example, this issue is noticed in the Authenticate app when a user is authenticating with a fingerprint to view the Authenticate Tokencode or to access an application.

Users should update to iOS 13.1.3 to resolve this issue. In the meantime, users can continue to use Touch ID in the Authenticate app by placing their fingers on the Home button when they would usually see the Touch ID screens. Touch ID is working in the background, so placing their fingers on the Home button completes the authentication request.

More Flexibility with New "Determined by Service Provider" Primary Authentication Option When Adding a Service Provider

To provide more flexibility when configuring authentication for a service provider, if you select the option to have RSA SecurID Access manage all authentication, you can now select the Determined by Service Provider at Run Time option to specify primary authentication in the RequestedAuthnContext attribute. For more information, see Add a Service Provider.

Expanded Cloud Authentication Service Authentication Methods and Improved Productivity and Security with RSA MFA Agent for Microsoft Windows

RSA MFA Agent 1.2 for Microsoft Windows works with the Cloud Authentication Service to require users to provide additional authentication to sign into Windows computers, whether they are online or offline.

The main highlights include:

  • Convenient authentication using Approve, Authenticate Tokencode, RSA SecurID Token, Device Biometrics, SMS Tokencode, Voice Tokencode and Emergency Tokencode.

  • Seamless authentication using the same registered authentication device for both online and offline Windows sign-in.

  • Online emergency access to Windows computers when users misplace or lose their authenticators (RSA SecurID Authenticate device or RSA SecurID hardware token).

  • Support for policy-driven identity assurance with conditional trusted network and trusted location attributes.

  • Many features to improve productivity and security during Windows sign-in.

For documentation and product download, see RSA MFA Agent for Microsoft Windows.

Fixed Issues

                       
Fixed Issue | Description
NGX-33732 | Previously, a customer was unable to export a large number of user event logs using the Cloud Administration User Event Log API. This problem has been fixed.
NGX-34352 | Previously, when a new customer used a Firefox or Microsoft Edge browser to sign in to the Cloud Administration Console for the first time, the license did not display correctly. This problem has been fixed.
NGX-36891 | Previously, you were not permitted to save a relying party configuration with an ACS URL of more than 100 characters. The limit has been increased to 4000 characters.

Known Issue

               
Known Issue | Description
NGX-16781 | Problem: The identity router does not reliably route traffic to some services when multiple services are hosted by the same network resource. For example, if your DNS server and Active Directory server share the same IP address, the identity router might not route traffic properly to either service.

Workaround: Configure DNS, gateways, and other network infrastructure services on dedicated servers that do not host other services for RSA SecurID Access.

September 2019 - Cloud Authentication Service

Cloud Authentication Service Phased Update Process

Cloud Authentication Service updates will be rolled out in phases for each region (ANZ, EMEA, US) between October 9-17, 2019. RSA will notify you before your region is updated.

Emergency Access Enhancements

To enhance emergency access capabilities, Emergency Tokencode will be available for users who forget or misplace their registered devices. After you generate the tokencode in the Cloud Administration Console, the user can select Emergency Tokencode during the next authentication. For more information, see Supported Authentication Methods - Emergency Tokencode.

Note:  In the September release, this feature is supported for SaaS and web applications only. Support for RADIUS applications is expected to be available in a future release.

Performance and Reliability Improvements

To help improve performance and reliability, the components responsible for backend communication in the Cloud will be updated.

Planned Update to Cloud Authentication Service IP Address Rescheduled

For more information on this update, see the RSA Link notification.

October 1, 2019 - RSA SecurID Authenticate for Android

RSA SecurID Authenticate 3.1 for Android allows an individual user to add up to 10 different accounts (formerly called companies) in the app. Also, this release is qualified with Android 10.

September 18, 2019 - RSA SecurID Authenticate for iOS

RSA SecurID Authenticate 3.0.4 for iOS is qualified with iOS 13 and resolves NGX-34252, an issue with the Authenticate Tokencode display on iOS 13.

September 5, 2019 - RSA SecurID Authenticate for Windows 10

RSA SecurID Authenticate 3.1.1 for Windows contains the following updates:

  • To reduce administrative effort and increase usability, if a user’s email address changes in the identity source, the Authenticate app continues to work seamlessly. Users no longer need to re-register their devices.

  • Bug fixes.

With this release, RSA SecurID Authenticate for Windows no longer supports Windows Mobile devices.

August 2019 - Cloud Authentication Service

The August 2019 release provides the following features and bug fixes.

Generate a Device Registration Code for Users

Help Desk Administrators can use the Cloud Administration Console to generate a one-time numeric device registration code and provide it to users who need to register iOS, Android, and Windows devices with the RSA SecurID Authenticate App. This capability will help your company move closer towards meeting requirements for National Institute of Standards and Technology (NIST) Identity Assurance Level 2. To learn how to use this feature, see Manage Users for the Cloud Authentication Service - Generate a Device Registration Code.

Improved Single Sign-On Option When Adding a Service Provider

To improve usability, when you add a service provider and select RSA SecurID Access to manage all authentication, you can now select a Cloud identity provider to provide the primary authentication. This is useful for providing single sign-on from RSA SecurID Access or third-party portals or links.

Improvements and Additional Configuration Options for My Page

You can now provide single sign-on to RSA SecurID Access My Page when users access My Page through the RSA SecurID Access Application Portal, a third-party portal where My Page is configured, or directly through the My Page URL.

Additionally, to increase flexibility, RSA SecurID Access My Page now contains the following configuration options:

  • Logout URL to redirect users to a specific URL after they sign out of My Page.

  • Error URL to redirect users to a specific URL after they encounter an error.

  • Assertion Consumer Service value for copying into your identity provider configuration settings if you are configuring My Page for single sign-on in an unsolicited response flow (for example, when users access My Page through a third-party portal).

For more information, see Manage RSA SecurID Access My Page.

Additional Deployment Option for RSA SecurID Authenticate for Windows

Generally, users install RSA SecurID Authenticate for Windows from the Microsoft Store. If your users cannot use the Microsoft Store, you can use Deployment Image Servicing and Management (DISM) to deploy the app from a command-line tool. After the app is deployed, users can then complete RSA SecurID Authenticate device registration.

For more information, see Deploying the RSA SecurID Authenticate for Windows App Using DISM.

Send Us Your Feedback

Do you have thoughts on RSA SecurID Access that you want to tell us? Are you finding what you need in the documentation on RSA Link? It is easier than ever to send us your feedback.

We can't wait to hear from you!

Fixed Issues

               
Fixed Issue | Description
NGX-33217 | Publishing in a cluster with a Global Server Load Balancer (GSLB) resulted in a HTTP status code 503 error for some customers. The documentation has been clarified to explain that if you use GSLBs, configure them to wait for seven minutes before they switch to another cluster. This guidance is now documented in Publishing Changes to the Identity Router and Cloud Authentication Service.

August 14, 2019 - RSA SecurID Authenticate for iOS App

RSA SecurID Authenticate 3.0.3 for iOS contains bug fixes.

Fixed Issue

               
Fixed Issue | Description
NGX-33118 | RSA SecurID Authenticate for iOS no longer freezes on the splash screen when receiving notifications.

July 2019 - Cloud Authentication Service (Identity Router)

The July 2019 release includes the following features and benefits.

Identity Router Update Schedule and Versions

Identity routers will be updated according to the following schedule.

                       
Date | Description
July 27, 2019 | Updated identity router software is available to all customers.
September 7, 2019 | Default date when identity routers are scheduled to automatically update to the new version unless you postpone the update.
October 12, 2019 | If you postponed the default date, this is the last day when updates can be performed.

The new identity router software versions are:

                   
Deployment Type | Version
On-premises | 2.7.0.0.5
Amazon Cloud | RSA_Identity_Router-2.7.0.0.5

My Page Improves Secure Registration for FIDO Tokens

Users can register FIDO Tokens in a more secure environment using RSA SecurID Access My Page. My Page allows you to protect FIDO registration with an access policy that you can align with your company’s existing policies. After you enable My Page registration for FIDO Tokens, the FIDO Token registration process that occurs during user authentication automatically becomes disabled. Users can also use My Page to delete their FIDO Tokens. For more information, see Device Registration.

Automatic Push Notifications for Users Who Access RADIUS-Based Applications

The user experience for accessing RADIUS-based applications has been improved. You can ensure that the Cloud Authentication Service always sends automatic push notifications for Approve or Device Biometrics when your deployment is configured as follows:

  • The RADIUS client is configured to apply an access policy for additional authentication without primary (for example, password) validation.

  • Approve or Device Biometrics is available in the access policy protecting the resource the user is attempting to access.

Previously, automatic push notifications were not available when only the access policy was applied for additional authentication without primary validation. For more information, see RADIUS for the Cloud Authentication Service Overview.

Identity Confidence Analytics Report for Troubleshooting User Authentication Issues

You can view up-to-date identity confidence analytics by generating a report in the Cloud Administration Console. The report, provided in a graphical, easy-to-read format, displays the number of times users attempted to access resources that are protected by access policies that contain the identity confidence attribute. The report can include all users in your company or only individual users within a specified timeframe. This report is particularly useful to Help Desk Administrators when they assist users who, for example, may have to authenticate at a high assurance level because their identity confidence scores are low. For more information, see Condition Attributes for Access Policies - Identity Confidence Analytics Report.

Identity Router Improvements

The following features require you to update your identity router software.

Identity Router Setup Made Easier

Identity router setup has been simplified for identity routers deployed in the VMware and Hyper-V environments. The proxy interface, which is not required for non-SSO deployments, is disabled by default in the Identity Router Setup Console. You can enable it as needed for SSO deployments.

Note:  This enhancement affects only identity routers you deploy in the future. It does not affect identity routers already configured.

For more information, see Identity Router Network Interfaces and Default Ports.

Improved Status Indicators for Identity Routers

You can quickly identify potential problems that might occur when you set up and monitor identity routers using the improved status indicators in the Cloud Administration Console. The Platform > Identity Routers list page provides more details on the status of each identity router and its dependent services, including the status of clusters, memory usage, CPU usage, and cloud connectivity. For more information, see View Identity Router Status in the Cloud Administration Console.

Improved Proxy Management for Identity Routers

More flexible deployment options are available to you for identity routers. Identity routers now support transparent, explicit, and man-in-the-middle proxy configurations. The identity router informs you if a non-RSA SSL proxy certificate is configured, and allows you to temporarily accept the certificate and proceed while you work with your network IT to whitelist the URL. For more information, see Connect the Identity Router to the Cloud Administration Console.

RSA SecurID Authentication API Enhancements

The RSA SecurID Authentication API contains new methodIDs for SMS and Voice Tokencodes to promote consistency with other authentication methods. For more information, see RSA SecurID Authentication API Developer's Guide.

Fixed Issues

                                           
Fixed Issue | Description
NGX-33346 | If you have configured My Page to use a Cloud identity provider, users can now use the SAMAccountName attribute as the user ID when registering devices.
NGX-17148 | If an IWA user attempted to access the application portal when the IWA connector server was down, the user received a connection timeout error rather than a message indicating unsuccessful authentication. To mitigate this, you can provide high availability for IWA authentication by deploying more than one IWA Connector server behind the load balancer. This ensures that SAML IdP requests avoid a single point of failure. For more information, see Integrated Windows Authentication.
NGX-17276 | Previously, the Disabled option on the Basic Information page in the application configuration wizard did not disable applications that were configured to use SAML or HTTP Federation. This issue has been fixed. Beginning in July 2019, all applications that were previously configured as disabled will be unavailable to users and will not appear in the application portal and will not be available through deep linking.
NGX-29977 | You can now access the Cloud Administration Console using an email address containing a plus sign (+). Previously, this operation failed intermittently.
NGX-32525 | Documentation update clarifies when location is collected from users and administrators.
NGX-31946 | The Cloud Administration Console now displays the correct number of active user sessions. Previously, for some customers who used rich clients, the number of active sessions increased until the identity router was restarted.
NGX-31068 | The publish status is displayed correctly in the Cloud Administration Console after you add and associate a profile for the RADIUS client. Previously, the status was Changes Pending even when no changes were pending.
NGX-30235 | RADIUS profiles now allow multi-valued LDAP attributes to be mapped to the "Class" attribute. Each value of the multi-valued LDAP attribute will create a separate "Class" RADIUS attribute.

July 8, 2019 - RSA SecurID Authenticate for Android App

RSA SecurID Authenticate 3.0 for Android contains the following updates:

  • To increase usability, users receive device registration or deletion confirmation emails in the language of the users’ registered devices.

  • To reduce administrative effort and increase usability, if a user’s email address changes in the identity source, the Authenticate apps continue to work seamlessly. Users no longer need to re-register their devices.

  • Bug fixes.

After Android users update to this app version, the first time that they receive a notification, they must tap the notification to open the app, wait for the app to complete the update process, and then complete the authentication (for example, by tapping Approve or using a fingerprint). Users must keep the app open during the update process, which can take up to a few minutes to complete. Subsequent actionable notifications work as expected.

This Android app version is only available to users running Android 6.0 or later. Android 5.0 users must update to 6.0 or later and then update to this app version.

To see release notes for earlier releases, see Release Notes Archive | Cloud Authentication Service and RSA SecurID Authenticate Apps.

June 2019 - Cloud Authentication Service

Extend Cloud Authentication Service Authentication Methods to Windows Computers with RSA MFA Agent for Microsoft Windows

RSA MFA Agent 1.1 for Microsoft Windows works with the Cloud Authentication Service to require users to provide additional authentication to sign into Windows computers, whether they are online or offline.

The main highlights include:

  • Convenient authentication using Approve or Authenticate Tokencode.

  • Authenticate with the same registered device for both online and offline Windows sign-in.

  • Support for policy-driven identity assurance with conditional trusted network and trusted location attributes.

For documentation and product download, see RSA MFA Agent for Microsoft Windows.

More Options for Customizing My Page

To improve the user experience, you can now customize My Page in the following ways:

Clear the userParameters Attribute Checkbox in the Identity Source Configuration

If the userParameters attribute is selected for synchronization in your identity source configuration, RSA recommends that you clear the checkbox. Selecting this attribute occasionally prevents identity source synchronization.

Fixed Issues

                                   
Issue | Description
NGX-24290 | If a user locks his or her LDAP password, the User Management page for that user now shows a message indicating that the user's password is locked and what time it will unlock.
NGX-31821 | RSA SecurID Authenticate 3.0.1 for iOS no longer displays an incorrect error that the user already has a registered device.
NGX-31158 | The top-level domain part of the protected domain name can now accept up to 33 characters.
NGX-29843 | When you add a RADIUS profile, you can now only map supported attributes.
NGX-29702 | The system now prevents an administrator from accidentally updating an identity router multiple times within a short period of time, which could cause the application portal sign-in to stop working.
NGX-29547 | The Cloud Administration Console and associated documentation were updated to clarify that when adding an application bookmark, you can allow all authenticated users to access the bookmark or select a policy that limits access to a subset of users.

June 10, 2019 - RSA SecurID Authenticate for iOS App

RSA SecurID Authenticate 3.0.2 for iOS resolves NGX-31886. With this fix, the Authenticate Tokencode will no longer display as zeroes for a small percentage of users who update to this app from version 2.2.

All Authenticate for iOS users should update to this version. This release requires iOS 11.

The small percentage of users who have updated to app version 3.0.1 and still experience this issue must do the following:

  1. Delete the device in My Page, or have an administrator delete the user's device in the Cloud Administration Console.
  2. Delete the Authenticate app on the mobile device.
  3. Install the Authenticate app from the App Store.
  4. Re-register the app with RSA SecurID Access.

May 29, 2019 - RSA SecurID Authenticate for iOS App

RSA SecurID Authenticate 3.0.1 for iOS resolves the following issues:

  • NGX-31260 - Users who update to the latest app version now receive notifications for the Approve authentication method.
  • NGX-31263 - Users who update to the latest app version no longer need to re-register their devices with RSA SecurID Access.

This version of the app requires iOS 11.

May 2019 - Cloud Authentication Service

RSA SecurID Authenticate App Improvements Require Users to Update Before June 15, 2019

There are new versions for RSA SecurID Authenticate for iOS, Android, and Windows, described below. To prevent issues with device registration and adding additional companies, users must update to these versions or higher before June 15, 2019.

  • RSA SecurID Authenticate 3.0.3 for Windows contains bug fixes.

  • RSA SecurID Authenticate 3.0 for iOS and Android contains the following updates:

    • To increase usability, users receive device registration or deletion confirmation emails in the language of the users’ registered devices.

    • To reduce administrative effort and increase usability, if a user’s email address changes in the identity source, the Authenticate apps continue to work seamlessly. Users no longer need to re-register their devices.

    • Bug fixes.

    After Android users update to this app version, the first time that they receive a notification, they must tap the notification to open the app, wait for the app to complete the update process, and then complete the authentication (for example, by tapping Approve or using a fingerprint). Subsequent actionable notifications work as expected.

    This Android app version is only available to users running Android 6.0 or later. Android 5.0 users must update to 6.0 or later and then update to this app version.

Improved Reporting of Users' Identity Confidence Scores Benefits Help Desk Administrators and Users

The User Event Monitor will report detailed information about users’ identity confidence scores. This information includes the user’s overall identity confidence score and tenant level confidence threshold, as well as the user's separate scores for device confidence, behavior confidence, and location confidence. Help Desk administrators can make use of this information when they assist users who are challenged for additional authentication factors or are unable to access protected resources. For more information, see Condition Attributes for Access Policies - Identity Confidence.

Fixed Issues

                           
Issue | Description
NGX-27407 | Previously, if a user waited too long to complete additional authentication when accessing My Page, a User Session Expired message displayed, and the user had to cut and paste a URL to return to My Page. This problem has been fixed. Now, the user can provide additional authentication and then return to My Page by clicking a button, or the user will be automatically redirected to My Page after 20 seconds of inactivity.
NGX-26573 | Previously, generating a report listing all synchronized users took progressively longer over time. Performance has been significantly improved.
NGX-16693, NGX-17168 | Previously, in the Cloud Administration Console, the dashboard incorrectly displayed the number of active sessions for identity routers. This problem has been fixed and the dashboard now displays the correct number of sessions.
NGX-20399 | Previously, if users' email addresses changed in identity sources, the users had to re-register their devices with the RSA SecurID Authenticate app. Email address changes are now handled seamlessly by the Authenticate app, and users do not need to re-register.

April 2019 - Cloud Authentication Service

Send Emails to Users When They Register or Delete Devices

To help increase security, you can configure the Cloud Authentication Service to automatically send confirmation email to users in the following situations:

  • A user completes RSA SecurID Authenticate device registration.

  • A user adds an additional company in the RSA SecurID Authenticate app.

  • A user deletes a company in the RSA SecurID Authenticate app.

  • A user deletes an RSA SecurID Authenticate registered device.

You configure these options in My Account > Company Settings > Device Registration & Deletion Emails. For instructions, see Configure Device Registration and Deletion Emails.

Pagination for RADIUS Profiles in the Cloud Administration Console

Pagination now makes it easier to manage multiple RADIUS profiles. In the Cloud Administration Console, you can choose to display 10, 20, or 30 profiles associated with a client on the RADIUS Profiles page. Expand each profile to see details, dissociate, or delete the profile. Profiles disappear from the list when you dissociate or delete them. For instructions on configuring RADIUS profiles, see Configure a RADIUS Profile for the Cloud Authentication Service.

Fixed Issues

                           
NGX-25560. If you manage the RSA SecurID Authenticate for Android app with an Enterprise Mobility Management (EMM) solution, the Email Logs button now works in the app.

NGX-26628. Previously, a user who had repeatedly attempted to register the same device unsuccessfully might not be able to register the device at all. This problem has been fixed - the user can now register the device.

NGX-28022. Documentation for creating a custom portal has been updated to include the missing information.

NGX-28076, NGX-28338. Users who previously could not be synchronized due to a case change in an attribute value can now be synchronized correctly.

March 2019 - Cloud Authentication Service (Identity Router)

The March 2019 release includes the following features and bug fixes.

Identity Router Update Versions and Schedule

The latest identity router software versions are:

                   
  • On-premises: 2.6.0.0.11

  • Amazon Cloud: RSA_Identity_Router-2.6.0.0.12

Identity routers will be updated to these versions according to the following schedule.

                       
  • March 23, 2019: Updated identity router software is available to all customers.

  • May 25, 2019: Default date when identity routers are scheduled to automatically update to the new version unless you postpone the update.

  • June 22, 2019: If you postponed the default date, this is the last day when updates can be performed.

Identity Router Replication Improvements Require Simultaneous Updates for All Clusters

RSA SecurID Access has significantly improved the replication of critical data across identity routers for SSO Agent deployments. This critical data includes user profiles (keychains), user sessions, and cookies used for LDAP connections.

To take advantage of this new functionality, you must update all of your identity routers within a cluster at the same time and update all clusters at the same time. Perform simultaneous updates to avoid breaking inter- and intra-cluster keychain replication. After updates are complete, you will not be able to restore backup files created using the previous version. RSA recommends that you create backups immediately after performing the update.

Just-in-Time Synchronization Automatically Enabled for New Customers Beginning March 2019

Just-in-time synchronization is now automatically enabled for all customers who deploy the Cloud Authentication Service after the March 2019 release is available. Before March 2019, you needed to contact RSA Customer Support to enable this feature. Now Super Admins can enable it in the Cloud Administration Console on the My Account > Company Settings > Company Information tab without contacting Customer Support. If you are an existing customer and just-in-time synchronization was enabled prior to March 2019, it remains enabled until you choose to disable it.

Just-in-time synchronization ensures that the identity source in the Cloud Authentication Service is updated every time a user attempts to register a device using the RSA SecurID Authenticate app or access a protected resource using additional authentication after the LDAP password is validated. When this feature is enabled, you never need to add user records through manual or scheduled synchronization. For more information, see Identity Sources for the Cloud Authentication Service.

Identify High Risk Users and Restrict Access to Protected Resources

You can control whether users who are identified as high risk can access protected resources or if these users must authenticate at a higher assurance level than other users. Users might be identified as high risk because their accounts have been compromised, or because a third-party security information and event management (SIEM) solution, such as RSA NetWitness, has found suspicious activity. Use the Add/Remove High Risk User API to identify high risk users within the Cloud Authentication Service. Access policies provide a new condition attribute, High Risk User List, so that you can configure authentication requirements for high risk users. You can also use the Retrieve High Risk User List API to retrieve a list of all users identified as high risk. For more information, see:

If your company deploys RSA NetWitness Respond Version 11.3 or later, use that product instead of the APIs to obtain the same benefits. For instructions, see NetWitness Respond Configuration Guide for Version 11.3.

Control Cloud Access for Cloud Administration REST APIs Using Role Permissions

You can ensure that each Administration API has permission to access appropriate information in the Cloud Authentication Service by assigning an administrative role to each API key. The API uses the key in the request. All Administration API keys generated before March 2019 default to the Help Desk Administrator role. The new Add/Remove High Risk User API and Retrieve High Risk User List API require keys assigned to the Super Admin role. For more information, see Using the Cloud Administration REST APIs.

FIDO Token Authentication Method Available on Multiple Browsers

The FIDO Token authentication method is now available on more browsers (including mobile browsers) and supports the FIDO 2 authentication standard. For a list of supported browsers, see Cloud Authentication Service User Requirements.

Emergency SSH and Debug Logging Helps You Resolve Identity Router Connectivity Issues

If the identity router is unable to connect to the Cloud Authentication Service (for example, during setup), you can use the Identity Router Setup Console to enable these emergency troubleshooting features:

  • Secure Shell (SSH) to access the command line

  • Emergency debug logging

After troubleshooting is completed and the identity router is connected to the Cloud Authentication Service, you can disable these features and use the Cloud Administration Console for future troubleshooting. For more information, see Troubleshoot Identity Router Issues.

Support for Multiple RADIUS Profiles

You can create custom RADIUS profiles that specify an access policy rule set to identify which users can authenticate through the clients associated with the profile. Custom profiles increase flexibility because you can associate multiple profiles with a single client or the same profile with multiple clients. This feature allows you to implement strong, policy-based granular controls (for example, for Active Directory groups) for users and administrators who access RADIUS-based applications. For more information, see Configure a RADIUS Profile for the Cloud Authentication Service.

Enhanced Status Indicators for Identity Routers

Status indicators for the identity router have been improved and expanded, making it easier for you to troubleshoot problems with identity router services, as well as connectivity problems between identity routers and the Cloud Authentication Service. You can view detailed status information for each identity router in the Cloud Administration Console on the Platform > Identity Router page. For more information, see View Identity Router Status in the Cloud Administration Console.

Reminder: Users Must Update Their RSA SecurID Authenticate for Android Apps by March 31, 2019

To align with the Google migration to Firebase Cloud Messaging (FCM), RSA SecurID Authenticate 2.2.0 for Android now uses FCM for push notifications. Users must take action by updating to version 2.2.0 or higher of the app by March 31, 2019.

Fixed Issues

NGX-18781. Previously, after you modified cluster relationships and published the changes, all identity routers in the clusters were restarted and the publish operation did not complete. The restart no longer occurs and publishing completes as expected.

NGX-21183. When you use the Identity Router VM Console to update network settings or recommit changes, static routes that were configured in the Cloud Administration Console are no longer deleted from the identity router.

February 2019 - Cloud Authentication Service

The February 2019 release includes the following features and bug fixes.

Note:  The current version of the identity router, v2.5.0.0.5, was not updated in this release.

Disaster Recovery Environment for the EMEA and AUS Regions

The disaster recovery environment for the Cloud Authentication Service is now available for the EMEA and AUS regions. When the Cloud Authentication Service environment becomes unavailable for any reason, your deployment automatically switches to the disaster recovery environment. RSA recommends that you test access to this environment before it is needed to ensure a smooth transition during unexpected downtime. For instructions, see Test Access to Disaster Recovery Environment.

On-Demand Access to Uptime Status of Cloud Services

You can now monitor the current and historical uptime of the Cloud Authentication Service and the Cloud Administration Console on a service status page. This page includes current service availability, recent uptime percentage, and historical uptime percentage. For more information, see Monitor Uptime Status for the Cloud Authentication Service.

Receive Frequent Updates on Cloud Authentication Service Availability with Health Check API

If you want to receive frequent updates on the Cloud Authentication Service availability, you can use the Health Check API to integrate with your application monitoring product. For more information, see RSA SecurID Access Health Check API.

Updated RSA SecurID Authenticate Apps Simplify Device Registration with EMM Technology

RSA SecurID Authenticate 2.3.0 for Android and RSA SecurID Authenticate 2.2.0 for iOS now support simplifying device registration with Enterprise Mobility Management (EMM) technology that supports the AppConfig Community standards, such as VMware AirWatch. With this functionality, you can help reduce the costs of device registration in your company by automatically downloading the app to users' devices and optionally configuring the Company ID and Email Address values. For more information, see Deploying the RSA SecurID Authenticate App in EMM Environment.

These app releases also contain bug fixes.

Users Must Update Their RSA SecurID Authenticate for Android App by March 31, 2019

To align with the Google migration to Firebase Cloud Messaging (FCM), RSA SecurID Authenticate 2.2.0 for Android uses FCM for push notifications. Users must take action by updating to version 2.2.0 or higher of the app by March 31, 2019.

Fixed Issues

NGX-21223. If you update the protected domain name after it has been initially configured on the My Account > Company Settings > Company Information page in the Cloud Administration Console, authentication no longer fails when users who access the RSA SecurID Application Portal attempt to open a Microsoft Office 365 application.

February 5, 2019 - RSA SecurID Authenticate Apps

RSA SecurID Authenticate 2.2.1 for Android resolves an issue with app instability on Samsung devices running Android 9 Pie. Samsung users should upgrade to this app version.

January 2019 - Cloud Authentication Service

RSA SecurID Authenticate for Android Now Uses Updated Push Notification Service

To align with the Google migration to Firebase Cloud Messaging (FCM), RSA SecurID Authenticate 2.2.0 for Android now uses FCM for push notifications. Users must take action by updating to version 2.2.0 or higher of the app by March 31, 2019.

New Administration APIs Expand Integration of Help Desk Functions Into Your Existing Tool Framework

RSA SecurID Access added four new Administration APIs to help you expand the integration of Help Desk functions into your existing enterprise service desk tools. These APIs can be used to synchronize a user between an identity source and the Cloud Authentication Service, update a user's Enabled/Disabled status, find a user by searching for a string in the user's email address, and mark an inactive user as pending deletion or remove the marked deletion status. Also, the Retrieve Authentication Audit Logs API now supports filtering authentication audit logs using a specified date range. For more information, see:

Improved Look and Feel of End-User Authentication Experience

To increase usability on mobile browsers, the look and feel of the end-user authentication experience has been improved. One key change is that the checkbox that displayed the contents of fields (for example, a passcode or tokencode field) has been replaced with a visibility toggle. For a list of supported browsers, see Cloud Authentication Service User Requirements.

Ability to Control If Users Can Delete Devices in My Page

To help improve security and increase flexibility, you can now specify whether users can delete their devices in My Page. You configure this option in the Cloud Administration Console in Platform > My Page.

Support for Active Directory 2019

The Cloud Authentication Service now supports Active Directory 2019 as an identity source.

Disaster Recovery Environment Available for US Region

RSA maintains a disaster recovery environment for the Cloud Authentication Service. When the Cloud Authentication Service environment becomes unavailable for any reason, your deployment automatically switches to the disaster recovery environment. The disaster recovery environment is currently available for the US region. RSA recommends that you test access to the disaster recovery environment before it is needed to ensure a smooth transition during unexpected downtime. For instructions, see Test Access to Disaster Recovery Environment.

Fixed Issues

NGX-22022. Previously, when you used the Cloud Administration Console to add a SAML application, on the Connection Profile page, the Identity Provider URL field was not automatically populated if one identity router in the cluster was inactive. Now, if high availability is enabled for the cluster, the Identity Provider URL includes the load balancer name. If high availability is disabled, the URL includes the identity router hostname.

NGX-21728. Previously, some blocks of user data were too large to be successfully synchronized to the Cloud Authentication Service. The service has been modified to accept larger blocks of user data, so this problem no longer occurs.

NGX-21682. RSA SecurID Access has updated the list of country codes it supports for SMS Tokencode and Voice Tokencode authentication.

NGX-21553. Previously, authentication failed after an administrator re-mapped identity source attributes after the initial mapping. This problem has been corrected and mapping changes are now handled as expected.

NGX-21286. Previously, a misleading message indicating successful synchronization appeared in the administration audit logs after an administrator initiated identity source synchronization. The message has been corrected to reflect what actually happened: <Administrator_name> manually initiated synchronization for <identity source>.

NGX-20908. Previously, in certain deployments, after an administrator attempted to delete or edit and save an access policy, a publish operation succeeded to the identity routers but failed to the Cloud Authentication Service. This problem has been fixed.

November 2018 - Cloud Authentication Service

Deploy Identity Routers in the Cloud Using Amazon Web Services

You can now deploy the identity router in the Amazon Web Services (AWS) Elastic Compute Cloud (EC2), thus reducing or eliminating the on-premises footprint of RSA SecurID Access. You have the flexibility to choose a cloud-only or hybrid-cloud deployment. For example, in a hybrid-cloud deployment, the identity router in the AWS cloud can connect to on-premises components such as RSA Authentication Manager or your LDAP directory server. You use an Amazon Machine Image (AMI) that you access with your AWS account to deploy the identity router in the cloud. For more information, see Amazon Web Services Identity Router Deployment Models.

Users Can Delete Registered Devices in My Page

To increase user self-service capabilities and reduce administrative support costs, My Page now allows users to delete their current registered devices. When users get new devices (for example, mobile phones) they can first delete their current devices in My Page and then complete registration on the new devices—all without administrative assistance.

New Administration APIs Available to Integrate Help Desk Functions Into Your Existing Tool Framework

RSA SecurID Access provides new Administration APIs to help you integrate RSA SecurID Access Help Desk functions into your existing enterprise service desk tools. The new APIs support the ability to retrieve user and device details, unlock tokencodes, delete user devices, update SMS Tokencode and Voice Tokencode phone numbers, and retrieve authentication audit logs for specific users. For more information, see Using the Cloud Administration REST APIs.

Improved Documentation for Configuring High Availability Deployments

You will find it easier to configure high availability for different types of deployment using improved documentation on RSA Link. High availability increases the likelihood that an identity router will be available to process authentication requests when one or more identity routers in the same cluster are down. High availability also improves performance by ensuring that requests are distributed evenly among identity routers. For instructions, see Configure High Availability for Cloud Authentication Service Deployments.

Updated RSA SecurID Authenticate Apps

RSA SecurID Authenticate 2.1.0 for iOS and RSA SecurID Authenticate 2.1.0 for Android contain bug fixes.

Fixed Issues

NGX-19853. When you disable a user, the RSA SecurID Authenticate for iOS and Android apps no longer delete the user's company in the app.

NGX-19870. When an automatic Integrated Windows Authentication (IWA) identity provider is configured in your deployment and users try to open the application portal URL in a browser, the portal sign-in page used to appear instead of the portal landing page that lists the applications. This problem has been fixed and now the portal landing page appears.

NGX-20598. Previously, when you attempted to add a location to the Trusted Location page using an address, certain addresses did not appear in the Bing maps suggestion list. Now you can use the Search button to find addresses that do not appear in this list.

October 2018 - Cloud Authentication Service

Easier Direct-to-Cloud Integration for Key Apps

To provide easier direct-to-cloud integration, you can now protect Workday, ServiceNow, and Microsoft Office 365 without needing to use the SSO Agent. For instructions, see the following:

Updated RSA SecurID Authenticate for Android App

RSA SecurID Authenticate 2.0.2 for Android contains bug fixes.

Fixed Issues

NGX-17695. Previously, in some SSO Agent deployments, the publishing status indicator displayed “Changes Pending” when there were no updated settings to be published. This problem no longer occurs.

NGX-19930. The Identity Router Setup Console Network Diagnostics page no longer reports that the identity router failed to connect to two URLs used for software updates. The problem is corrected if you publish after the cloud or identity router upgrade is performed.

October 15, 2018 - RSA SecurID Authenticate Apps

RSA SecurID Authenticate 2.0.1 for iOS is qualified with iOS 12 and contains bug fixes.

September 27, 2018 - RSA SecurID Authenticate Apps

RSA SecurID Authenticate 2.0.1 for Android contains bug fixes.

September 2018 - Cloud Authentication Service

The September 2018 release of the Cloud Authentication Service includes the following features and updates:

My Page - User Portal for Easy Device Registration

To enhance the security of device registration while minimizing user friction, this release introduces RSA SecurID Access My Page, a new web-based portal that uses multifactor authentication and QR or limited one-time-use numeric registration codes to complete device registration. See how this works.

If you are currently using the RSA SecurID Authenticate Device Registration access policy, be aware that the name and purpose of this policy will change in the September release to help control migration to My Page. The policy will be renamed to Device Registration Using Password and will allow you to control who can use password as the registration code. If necessary, update the policy configuration to align with your company needs.

Note that if you want to continue using a password to complete device registration, your users can enter their passwords as the registration code.

Updated RSA SecurID Authenticate Apps for My Page and Android 9 Pie Qualification

RSA SecurID Authenticate 2.0.0 for iOS, RSA SecurID Authenticate 2.0.0 for Android, and RSA SecurID Authenticate 3.0.0 for Windows 10 contain the following updates:

  • Updated device registration flow to work with RSA SecurID Access My Page. To register a device, iOS and Android users scan a QR code or enter a limited one-time-use numeric registration code. Windows 10 users enter a limited one-time-use numeric registration code.

    Users only need to register a device if they are a new user, adding a new company, or switching a device. Existing users do not need to re-register.

  • If you require users to enter a PIN or Device Biometrics to view the Authenticate Tokencode, the process to reset a PIN has changed. iOS users will first be prompted for the device passcode. Android users will first be prompted for device credentials. Windows 10 users must first delete all the companies that protect the Authenticate Tokencode and then re-register those companies.

  • The RSA SecurID Authenticate for Android app is qualified with Android 9 Pie.

  • Bug fixes.

RSA SecurID Access User Event Log API

You can use the User Event Log API to export user audit logs from the Cloud Authentication Service. This feature improves auditing and security monitoring of end-user activity, which is useful for compliance audits, troubleshooting, risk assessment, and security information and event monitoring (SIEM) analysis. For more information, see RSA SecurID Access User Event Log API.

Preconfigured Access Policy with Contextual Risk-Based Analytics

To further assist new customers in getting up and running more quickly, an additional preconfigured access policy has been added to the initial three delivered in August 2018. The fourth policy applies a context-driven criterion that uses the Identity Confidence attribute to determine if additional authentication is required. This fourth preconfigured access policy is only available to Premium edition customers.

Improved Logging for User Synchronization Events

Improved log messages for user synchronization events will make troubleshooting easier when users are automatically re-enabled or disabled in the Cloud Authentication Service, or when users are not found in the directory server during synchronization.

Fixed Issues

NGX-19192. In RADIUS and relying party deployments, the proxy server specified in the Identity Router Setup Console now handles traffic for authentication and product maintenance (such as cluster updates). In an SSO Agent deployment, the proxy server now handles traffic for product maintenance.

NGX-19829. Previously, you were unable to delete an identity source after you had visited the Clusters page. This problem has been fixed.

NGX-19798. In the Cloud Administration Console, the Device Enrollment policy is no longer included in the access policy count displayed on the Dashboard page. The Dashboard count includes your company’s custom access policies and preconfigured access policies.

August 29, 2018 - RSA SecurID Authenticate Apps

RSA SecurID Authenticate 1.8.0 for iOS and RSA SecurID Authenticate 1.6.3 for Android contain bug fixes. For more information, see Critical Updates for RSA SecurID Access Components Used with the Cloud Authentication Service.

Users who need to complete device registration (for example, new users, users adding a new company in the app, or users switching devices) must update to these app versions before completing device registration.

Users who have already completed device registration are not required to update to these app versions. However, RSA recommends that users always use the latest version of the apps, so they have the latest fixes, features, and enhancements.

August 2018 - Cloud Authentication Service

Critical Update for Identity Routers

The August 2018 release includes a critical fix for your identity router, which will be released Saturday, August 18, 2018. This critical update requires that you update your identity router software on or before August 29, 2018 to ensure continued connectivity to the service. For more information, click here.

What's New in This Release

This release also includes the following features and bug fixes:

  • New customers can get up and running more quickly using three preconfigured access policies that they can either use as is, or clone and customize. These customers do not need to create new access policies. For more information, click here.

  • You can generate and download a user report that displays your users’ Enabled and Disabled status. This information improves visibility into your user population. For instructions, click here.

  • When you configure strong authentication to access the Cloud Administration Console, RSA SecurID Access prevents you from unintentionally locking yourself out by evaluating the access policy and verifying if it allows you to access the console. For example, the policy might exclude you based on identity source or contextual conditions. If you are excluded for any reason, you will be prevented from configuring this feature until you modify the policy or select a different policy. For configuration instructions, click here.

  • This release offers an optional sneak peek into a new direction that we are taking for RSA SecurID Authenticate device registration, including multifactor authentication and QR codes. If you want to try this new registration process, contact your RSA sales representative for more information.

  • The Cloud Authentication Service is now hosted on Microsoft Azure Australia Central, a protected-level Azure instance within the Canberra Data Centre. This new hosting option enables compliance with Australian and New Zealand Privacy Legislation. The data centers are designed for Australian government and critical infrastructure sectors.

Fixed Issues

NGX-19516. Previously, if a user was synchronized to the Cloud Authentication Service, deleted from a directory server, and then re-added using the same DN, the user could not be resynchronized to the Cloud Authentication Service. Now you can successfully resynchronize such users.

NGX-19643. Previously, when the Load Balancer DNS Name was not within the Protected Domain Name configured on the My Account > Company Settings page of the Cloud Administration Console, multiple identical event log messages were generated when a user attempted to sign out of the application portal. Now the Cloud Administration Console verifies whether the Load Balancer DNS Name is within the Protected Domain Name, fixing the issue.

NGX-19737. Previously, under certain circumstances, users who entered their LDAP credentials correctly to access Microsoft Office 365 through a desktop client, and then expected to be prompted for additional authentication, instead encountered a script error that prevented them from authenticating. This problem has been fixed.

July 2018 - Cloud Authentication Service

The Cloud Authentication Service includes the following features and bug fixes.

Disabled Users Automatically Changed to Pending Deletion

By default, the Cloud Authentication Service will automatically change the status of all Disabled users to Pending Deletion after the users have been disabled for 90 days, or the number of days you configure. Automatic bulk user deletion benefits your deployment by preventing inefficiencies that result from processing large numbers of disabled users.

Note:   It is important to know that this feature takes effect immediately after the cloud upgrade goes live on July 21. At that time, the status of all users who have been Disabled for at least 90 days will automatically change to Pending Deletion, and these users will be automatically purged from the Cloud Authentication Service seven days after the upgrade. Purging removes all information and devices associated with the user from the Cloud Authentication Service. It does not remove users from the directory server. If any users were automatically marked Pending Deletion and you want to prevent them from being purged after seven days, click here for instructions.

Cloud Authentication Service Automatically Disables Users Missing From Directory Server

The Cloud Authentication Service now recognizes when previously synchronized users are either no longer present in the directory server or are excluded from the User Search Filter scope and disables these users in the Cloud Authentication Service during identity source synchronization. This feature ensures that users who may have been terminated from your organization can no longer authenticate. When automatic bulk user deletion is enabled, these users will automatically be changed to Pending Deletion after 90 days (or the number of days you configure), and then purged seven days after Pending Deletion.

Streamlined Authentication for RADIUS Users

The Cloud Authentication Service provides new features to deliver an optimized experience with reduced friction to RADIUS users:

Push Notifications Sent Automatically to RADIUS Users without User Selection

You can configure RADIUS clients to send push notifications for Approve and Device Biometrics without forcing users to select an authentication method by entering a number, when one of these is the user's default method. Users who do not respond to the automatic notification within a configured timeframe can select any method provided from the assurance level in the access policy. The timeout does not apply if this feature is disabled and the user manually selects a method.

LDAP Password Not Required During Authentication When Managed by the RADIUS Client

Some use cases require users to authenticate with LDAP passwords, but then RSA SecurID Access requires the same passwords a second time, before prompting for additional authentication. You can simplify authentication by configuring the RADIUS client to manage the primary authentication and the Cloud Authentication Service to only perform additional authentication, as determined by the access policy. When you enable this feature for a RADIUS client, users enter their passwords only once. See how this works.

Note:   When this feature is enabled, either the RADIUS client must require password authentication, or the access policy must require all users to perform additional authentication. If you do not enforce either password or additional authentication, unauthorized users can gain access.

For complete information on RADIUS features, see RADIUS for the Cloud Authentication Service Overview.

Retries Supported During RADIUS Authentication

If users enter a tokencode incorrectly or if a method times out before the user completes authentication, the user can choose to retry the same method. Previously, the method disappeared from the list of choices.

RSA SecurID Access Log Events API

To ensure audit log compliance with industry standards, the Cloud Authentication Service now supports a REST API to retrieve Administration logs from the service. For the complete list of events, click here.

The RSA SecurID Access Log Events API Software Development Kit (SDK) contains a REST client command line tool that generates an Administration API access token and exports logs using the generated access token. To download the SDK, click here.

HTTPS Strict Transport Security (HSTS) for Standard and Custom Web Application Portals

HSTS forces compatible browsers to interact with the application portal and web applications using only the HTTPS protocol, which helps to protect these interactions against threats such as protocol downgrade attacks and cookie hijacking. It is enabled by default for standard and custom portals, but can be disabled on the Access > Portal Settings page of the Cloud Administration Console.

Updated Definitions for Identity Router Security Levels

The latest identity router version updates the encryption ciphers supported by the Medium and Low security levels for incoming connections, and adds the High security level, which allows only the most secure ciphers and encryption options.

Improved Visibility of NTP Service Synchronization

To assist with troubleshooting system issues, you can view NTP service synchronization status in two locations:

  • Identity Router Setup Console in Diagnostics > View Network Diagnostics

  • Identity Router Status Servlet in System Services

Improved Troubleshooting During Identity Router Setup

To more quickly identify network connection issues, when you connect an identity router to the Cloud Administration Console, the Identity Router Setup Console checks for connections to the Cloud Administration Console and Cloud Authentication Service that are required for authentication and product maintenance. If the identity router cannot connect to these URLs, the connection process is not successful and the Identity Router Setup Console lists the URLs to which it cannot connect.

Improved Look and Feel of RSA SecurID Authenticate Apps

RSA SecurID Authenticate 1.7.0 for iOS and RSA SecurID Authenticate 1.6.1 for Android contain the following updates:

  • Improved look and feel of the Approve authentication option

  • Bug fixes

Fixed Issues

NGX-15746. Previously, when you changed the IP address of the identity router management or proxy interface using the VMware Console, the address intermittently failed to update. This problem has been fixed.

NGX-17649. Previously, when you signed into the Cloud Administration Console, the publish status sometimes displayed a success message even if the last publish operation had failed. Now, when you sign in to the console, the publish status message is always accurate.

NGX-18622. When one or more identity providers are configured for automatic authentication on the Authentication Sources page of the Cloud Administration Console and a user cancels the first automatic identity provider authentication prompt that appears when attempting to access the application portal, the user is not automatically prompted to authenticate again during the same session. This is expected behavior.

NGX-18737. You no longer need to enter a value in the Portal Hostname field when adding an identity router to the Cloud Administration Console in order to set up an identity router.

NGX-18807. If you enter an invalid static route in the Identity Router Setup Console, a message indicates the static route is invalid.

NGX-19024. Previously, a time format mismatch caused failed connections and time and date errors when integrating the Cloud Authentication Service with RSA Authentication Manager if the Authentication Manager instance was deployed in certain time zones. This problem has been fixed.

NGX-19183. Communication issues that previously occurred between the identity routers due to DNS intermittency, connectivity, and timeout errors have been fixed.

NGX-19357. The identity source settings in the Cloud Administration Console and in the documentation have been updated to indicate more clearly that you must click the User Attributes tab and select the Synchronize the selected policy attributes with the Cloud Authentication Service checkbox. This setting ensures that user attributes are synchronized, which is required for additional authentication to succeed.

NGX-19497. Previously, when a user’s userPrincipalName (UPN) had a different suffix (@<domain>) than the user-joined domain, the user's IWA sign-in failed. This problem has been fixed.

NGX-19537. You can now reuse identity source names that were previously used for identity sources that have been deleted.

June 2018 - Cloud Authentication Service

The Cloud Authentication Service includes the following features and bug fixes.

Microsoft AD FS Agents Provide Cloud-Based, Multifactor Authentication

The RSA Authentication Agent for Microsoft AD FS now supports cloud-based multifactor authentication methods such as Device Biometrics and push notifications by connecting your AD FS server and the Cloud Authentication Service.

Simplified Access Policy Wizard for Authentication Conditions

To improve ease of use, the Access Policy wizard has been simplified to reduce the number of steps necessary to configure authentication conditions.

Additional Condition Attributes for RSA SecurID Authenticate Device Registration Policy

To provide more control over which users can complete RSA SecurID Authenticate device registration, you can now use the Authentication Source, IP Address, and Trusted Network condition attributes in the RSA SecurID Authenticate Device Registration policy. For example, you might allow only users from certain IP addresses to complete device registration.

New System Event Monitor Improves Visibility

The System Event Monitor provides visibility into system-generated and managed events to aid in troubleshooting. You can filter the results according to Event Code, timeframe, and event type.

Restore Users Who Are Pending Deletion

You can use a bulk operation to undelete users who are Pending Deletion and restore them to their previous Disabled state. Disabled users can be re-enabled by the administrator or during synchronization. Undeleting prevents the users from being automatically purged from the Cloud Authentication Service. For example, this is useful if you deleted too many users from the Cloud and you want to restore those users.

RSA SecurID Authentication API Enhancements

The RSA SecurID Authentication API contains the following enhancements:

  • Initialize request supports specifying an assurance level outside of an access policy.

  • The keepAttempt parameter in the Initialize request applies to both completed and canceled authentication attempts.

  • The removeAttemptId parameter has been added to the Cancel request. The parameter requests to remove the authentication attempt ID as a part of this call.

Fixed Issues

NGX-19557. You can use the Delete Now button on the Users > Management page to immediately remove a user from the Cloud Authentication Service. This function is intended for emergency situations. For example, suppose you are trying to synchronize a record that has the same email address as a slightly different record for the same user that already exists in the Cloud Authentication Service. The user record fails to synchronize and the user cannot authenticate. You must delete the existing record from the Cloud Authentication Service and resynchronize in order to recreate the user record correctly so the user can complete authentication.

NGX-19521. Adding an identity router and saving a static DNS entry without an associated alias value no longer causes identity router registration to fail.

NGX-19074. Previously, under certain circumstances, you were unable to save an identity source after deleting one of the directory servers. This has now been fixed.

May 2018 - Cloud Authentication Service

The Cloud Authentication Service includes the following features and bug fixes.

Approve Authentication Method Available with Device Unlock

You can now require users to unlock their devices before completing authentication using the Approve method. When this feature is enabled, users receive a notification on their registered devices, tap Approve, and are prompted to unlock their devices before authentication is completed.

Before enabling this option, instruct your users to update to the latest version of the RSA SecurID Authenticate app:

  • Android: 1.6.0

  • iOS: 1.6.0

  • Windows: 2.1.0

When this feature is enabled, after users update the app, the first time that they try to use Approve they must open the app, pull down to get the notification, and Approve from within the app. After the first use, Approve will work normally. Older app versions do not display a push notification and users must always open the app and pull down to respond to an Approve request.

Protected RSA SecurID Authenticate Device Registration

To help increase the security of end-user device registration, you can now use an access policy to control which users are allowed to complete device registration. You might want to use this access policy to allow only a subset of your users (for example, your Sales organization) to use the Authenticate app for additional authentication. When you enable the RSA SecurID Authenticate Device Registration policy you can specify identity source user attributes to define the target population for device registration. To learn more about this feature, click here.

Improved Management for User Deletion

You now have increased control when deleting a user from the Cloud Authentication Service. First, you mark the disabled user for deletion, which changes the user's account status to Pending Deletion. You can still view the user's detail information in the Cloud Authentication Service and synchronize a user who is Pending Deletion. After seven days, the user is automatically deleted from the Cloud Authentication Service. The user cannot register a device or authenticate to the Cloud Authentication Service while pending deletion or after deletion has taken place. Deletion removes all information and devices associated with the user from the Cloud Authentication Service.

You can also undelete a user who is pending deletion, which changes the user’s status from Pending Deletion to Disabled.

For instructions on deleting and undeleting users, click here.

LDAPv3 Account Status Now Synchronized with the Cloud Authentication Service

Users who have been disabled or expired in an LDAPv3 directory server are automatically disabled in the Cloud Authentication Service after manual, scheduled, or just-in-time synchronization. Disabled users cannot authenticate through the Cloud Authentication Service or register devices. You must manually map attributes for account status synchronization to happen. To learn more about identity source synchronization, click here and here.

Note:  Make sure all LDAPv3 users who need to use the Cloud Authentication Service are active and enabled in the LDAPv3 directory server.

Additional Enhancements to User Account Synchronization

User account status in the Cloud Authentication Service is now more closely tied to the user account status in the Active Directory and LDAPv3 directory servers. The following enhancements were implemented:

  • Users who are disabled in any directory server and who do not have existing records in the Cloud Authentication Service are not added to the Cloud Authentication Service during synchronization.

  • Users who were re-enabled in the directory server or who are no longer expired, but are pending deletion in the Cloud Authentication Service, become re-enabled in the Cloud Authentication Service after synchronization.

Users who were manually disabled in the Cloud Authentication Service remain disabled and are not overridden during synchronization.
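The synchronization and deletion rules stated in these notes (directory status mirrored to the cloud, manual disablement preserved, Pending Deletion followed by a seven-day purge, and the automatic bulk deletion after 90 days described in a later release on this page) can be modeled to see how long a departed user's record survives. The following Python model is an added example, not RSA code: the names `CloudUser` and `synchronize`, evaluating time-based transitions at synchronization time, and counting the 90 days from the date of disablement are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

ENABLED, DISABLED, PENDING_DELETION = "Enabled", "Disabled", "Pending Deletion"
PURGE_AFTER = timedelta(days=7)  # purge seven days after Pending Deletion


@dataclass(frozen=True)
class CloudUser:
    status: str
    since: date                      # date the current status was set
    manually_disabled: bool = False  # disabled by an administrator in the console


def can_authenticate(user: Optional[CloudUser]) -> bool:
    """Disabled, Pending Deletion and purged users cannot authenticate."""
    return user is not None and user.status == ENABLED


def synchronize(cloud: Dict[str, CloudUser],
                directory: Dict[str, bool],
                today: date,
                bulk_delete_after_days: Optional[int] = 90) -> Dict[str, CloudUser]:
    """Apply the documented rules and return the new cloud user table.

    directory maps a user name to True (active) or False (disabled or
    expired); an absent name means the user is missing from the directory
    server or outside the User Search Filter scope. Pass
    bulk_delete_after_days=None to model bulk deletion being turned off.
    """
    result: Dict[str, CloudUser] = {}
    for name in sorted(set(cloud) | set(directory)):
        user = cloud.get(name)
        active = directory.get(name)  # None means missing or out of scope

        # Pending Deletion records are purged after seven days.
        if (user is not None and user.status == PENDING_DELETION
                and today - user.since >= PURGE_AFTER):
            user = None

        if user is None:
            # Only active directory users get a new cloud record; disabled
            # users without an existing record are not added.
            if active:
                result[name] = CloudUser(ENABLED, today)
            continue

        if user.status == DISABLED and user.manually_disabled:
            result[name] = user  # manual disablement is not overridden
        elif active:
            # Re-enabled in the directory: Disabled and Pending Deletion
            # users become enabled again.
            result[name] = user if user.status == ENABLED else CloudUser(ENABLED, today)
        elif user.status == ENABLED:
            # Disabled, expired or missing in the directory.
            result[name] = CloudUser(DISABLED, today)
        elif (active is None and user.status == DISABLED
              and bulk_delete_after_days is not None
              and today - user.since >= timedelta(days=bulk_delete_after_days)):
            # Automatic bulk deletion of users missing from the directory.
            result[name] = CloudUser(PENDING_DELETION, today)
        else:
            result[name] = user
    return result


def demo() -> List[Dict[str, str]]:
    """Run three synchronizations over constructed sample data."""
    d0 = date(2020, 1, 1)
    cloud = {
        "alice": CloudUser(ENABLED, d0),
        "bob": CloudUser(ENABLED, d0),                           # leaves the directory
        "carol": CloudUser(DISABLED, d0, manually_disabled=True),
        "dave": CloudUser(PENDING_DELETION, d0),                 # re-enabled in directory
    }
    directory = {"alice": True, "carol": True, "dave": True,
                 "erin": False,   # disabled, no cloud record
                 "frank": True}   # new active user
    timeline = []
    for offset in (3, 93, 100):
        cloud = synchronize(cloud, directory, d0 + timedelta(days=offset))
        timeline.append({name: user.status for name, user in cloud.items()})
    return timeline


if __name__ == "__main__":
    for step in demo():
        print(step)
```

In this model a user removed from the directory loses the ability to authenticate at the first synchronization after removal, while the record itself persists for the configured retention period plus seven days.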

Simplified Planning and Setup Content

To help streamline the initial setup of your production deployment, the planning and setup content has been reorganized and simplified. The updated Planning Guide focuses on understanding the Cloud Authentication Service at a high level. Quick Setup Guides, available for each deployment type, walk you through both planning and setup. The guides are available here:

With these changes, the Solution Architecture Workbook and Setup and Configuration Guide are no longer available.

Additional Improvements

  • For custom security requirements, you can now specify the minimum PIN length if you require PIN or Device Biometrics to view the Authenticate Tokencode. The default PIN length is four. If users have registered the RSA SecurID Authenticate app with multiple companies, the PIN applies to the RSA SecurID Authenticate Tokencodes for all companies, and the minimum PIN length is the longest minimum PIN length of these companies.

  • To simplify user rollout, users can now complete RSA SecurID Authenticate device registration on devices that do not allow push notifications for the app. However, RSA recommends enabling or allowing push notifications for the RSA SecurID Authenticate options like Approve or Biometrics. This feature is useful in certain environments which have locked down push notifications, but want to use the RSA SecurID Authenticate Tokencode.

RSA SecurID Authenticate App iOS Upgrade

The RSA SecurID Authenticate for iOS app now requires iOS version 10.0 as the minimum operating system. Encourage your end users to upgrade to iOS version 10.0 or higher so they can continue using the app and take advantage of the latest improvements and bug fixes.

Incorrect Publish Status Message After the May Cloud Authentication Service Upgrade

After the Cloud Authentication Service is upgraded, the Changes Pending message appears in the Publish Status bar even if no changes are waiting to be published. You can safely ignore this message and it will disappear after your next publish operation.

Fixed Issues

NGX-19012. The User Event Monitor now reports errors for unsuccessful authentication attempts to SSO Agent applications when the identity router time and the Cloud Authentication Service time are out of sync.

NGX-19088. In the Cloud Administration Console, when you click My Account > Administrators to edit an administrator, in the API Configuration section, the examples provided for the IP Address and Netmask fields are now accurate and the fields are marked as required.

NGX-19066. Identity routers that are updated in debug mode no longer remain in the Updating phase.

NGX-19072. iOS and Windows users can now complete RSA SecurID Authenticate device registration if the Authenticate app or their devices do not receive push notifications.

NGX-19102. In the Cloud Administration Console, clearing the Enable the Identity Router REST API checkbox on the My Account > Administrators page correctly disables the API for an administrator.

NGX-19175. Unintentional audit logging changes are no longer saved to the Cloud Administration Console when Portal Settings are saved.

NGX-19176. RSA Support can now be enabled if a backup is added but not saved.

NGX-19177. Multiple audit log entries are no longer saved to the Cloud Administration Console if the backup schedule is changed and RSA Support is enabled.

NGX-19350. The Approve authentication method was failing intermittently to send notifications to Android mobile devices, resulting in failed authentications. This problem no longer occurs.

NGX-19397 and NGX-19431. Previously, when you edited and saved some existing SAML direct templates, extra attribute rows were created. This problem no longer occurs.

NGX-19494. If you are synchronizing identities from Active Directory Global Catalog, RSA recommends that you include accountExpires in the Partial Attribute Set to ensure that user accounts in the Cloud Authentication Service are enabled or disabled to match the directory server after synchronization. You no longer need to include the accountExpires attribute in the Partial Attribute Set to successfully synchronize the Cloud Authentication Service to an Active Directory Global Catalog.

April 2018 - Cloud Authentication Service

The Cloud Authentication Service includes the following features and bug fixes.

Active Directory Account Status Now Synchronized with the Cloud Authentication Service

Users who have been disabled or expired in Active Directory are automatically disabled in the Cloud Authentication Service after manual, scheduled, or just-in-time synchronization. Disabled users cannot authenticate through the Cloud Authentication Service or register devices.

The next time you perform a publish operation and synchronize your Active Directory identity sources following the Cloud Authentication Service update on April 21, the Cloud Authentication Service will disable any cloud users whose accounts are already disabled or expired in Active Directory. This capability is not configurable. Support for LDAPv3 directory servers is expected in the near future.

Users who are disabled in Active Directory and who do not have existing records in the Cloud Authentication Service are not added to the Cloud Authentication Service during synchronization.

Note:  Make sure all Active Directory users who need to use the Cloud Authentication Service are active and enabled in Active Directory.

Administrators Can Override User Account Status in the Cloud Authentication Service

You can use the Cloud Administration Console to manually enable and disable users. This feature applies to users from Active Directory and LDAPv3 directory servers. For information about user disablement and identity source synchronization, click here.

Enhanced Authentication Options Available in RSA SecurID Authenticate 2.0.1 for Windows

RSA SecurID Authenticate 2.0.1 for Windows adds support for the Approve and Biometrics options. As part of leveraging native biometric authentication capabilities, the Biometrics option supports any Windows Hello sign-in option.

Also, if you require additional authentication before viewing the Authenticate Tokencode, the tokencode can now be protected with an app-specific PIN, instead of Windows Hello. When a user tries to view the tokencode, the app prompts the user to create this PIN.

Users should update to this version when it is released.

SSO Agent Web Server User Traffic Uses Only https://

The Cloud Administration Console now ensures that all SSO Agent web server configurations use https:// for traffic between users and identity routers. You can no longer configure http:// for user traffic. You can still configure web servers to connect to backend application web servers over https:// or http:// as necessary. Also, the console has been improved to clarify steps for the SSO Agent web server configuration.

Identity Router Update Available

A new identity router update is now available with the following improvements:

  • Improved handling for environments with unreliable time synchronization.

  • Improved handling of out-of-memory conditions in cluster replication.

If you are using the SSO Agent, RSA recommends that you apply this update to your identity routers. If you have updated your identity routers after February 2018, your identity routers do not display OUT_OF_DATE, but you can update the cluster now using these instructions. If you do not take any action, these improvements are not applied to your identity routers until your next scheduled update.

Fixed Issues

NGX-17578. In the Cloud Administration Console, the Forgot Password popup has been improved to specify that the administrator must enter the same email address that belongs to Username.

NGX-18600. Single sign-on no longer fails if you accidentally add a leading or trailing space to an access policy name.

NGX-18889. The IWA connector uses the global catalog to search for users in the Active Directory forest and can now find a user based on the user's domain, even when multiple user records have the same sAMAccountName in the forest.

NGX-19037. When you search for a user by entering the user’s exact email address, the user, if found, appears at the top of the list.

NGX-19079. In the Cloud Administration Console, on the My Applications page, you are no longer prevented from editing an application if you added a SAML application before adding an identity source.

March 2018 - Cloud Authentication Service

RSA SecurID Authenticate 1.5.6 for iOS and RSA SecurID Authenticate 1.5.8 for Android contain the following updates:

  • To ensure that your users have a consistent and familiar experience and to leverage the native biometric authentication capabilities of mobile devices, Eyeprint ID has been removed from the apps. Eyeprint biometric data stored within the apps on these devices is removed. As a reminder, RSA does not store any biometric data in the Cloud Authentication Service.

    If Eyeprint ID is an authentication option in your assurance levels, remove it. If users are prompted to use Eyeprint ID, the apps present a message instructing the users to select a different option in the browser or VPN.

  • As part of this change, Face ID is now officially supported as an option for the Device Biometrics authentication method, along with Touch ID and Android fingerprint.

  • Bug fixes.

February 28, 2018 - RSA SecurID Authenticate Apps

RSA SecurID Authenticate 1.5.7 for Android includes bug fixes.

February 23, 2018 - Identity Router Update Available

If you downloaded the identity router template or applied the identity router update between February 10, 2018 and today, certain browsers, including Chrome and Internet Explorer on Windows, might reject the self-signed certificate presented by the Identity Router Setup Console. This issue prevents you from accessing the Setup Console.

This issue does not affect you if you did not update your identity routers using the February 10 release. When you do update your identity routers, the fix for this issue will be included in the update.

If you encounter this issue, you can fix it by performing the following actions:

  • If you downloaded the virtual machine image on or after February 10 but have not yet deployed or registered it, you must download and use the latest image. For instructions, click here.
  • If you updated and registered your identity router on or after February 10 but did not upload your own certificate, you must perform the update again, as described here. The identity router does not show OUT_OF_DATE status, but you must still update it with the latest patch to resolve this issue.

February 2018 - Cloud Authentication Service

The Cloud Authentication Service includes the following features and bug fixes.

Note:   RSA strongly recommends that you deploy this update on identity routers in your test environment and become familiar with all changes before updating identity routers in your production environment. For questions or to report issues, contact RSA Customer Support.

Enhanced Authentication Method Availability

SMS Tokencode and Voice Tokencode are now available as authentication methods in RADIUS and SSO Agent deployments. You must update your cluster to allow this capability.

FIDO Tokens are now available as an authentication method in relying party deployments. In SSO Agent deployments, you must update your cluster to continue using FIDO Tokens, and existing FIDO Token users will need to re-register their FIDO Tokens.

Additional Authentication Screens Presented in SSO Agent Deployments

The Cloud Authentication Service now presents the browser-based additional authentication screens to users in both SSO Agent and relying party deployments. In the past, the identity router presented these screens to SSO Agent deployment users, although the Cloud Authentication Service verified the users. As a result of this, users' default authentication preferences are reset. After the reset, authentication behaves the same as in the previous release, described here: https://community.rsa.com/docs/DOC-75855. Also, if you have restrictive internet access policies, you must ensure that users are allowed to access your company's authentication service domain. To view your authentication service domain, click Platform > Identity Routers > Edit (to the right of an identity router) > Registration.

Improved Cluster Mapping for Authentication Requests

Identity routers now send authentication requests only to the directory servers that are assigned to the cluster for that identity router. You do not need to perform additional configuration to make this happen.

Support for IP Address-Based Conditions in Access Policies for Office 365 STS Apps

The identity router can access client IP addresses from header information provided by Microsoft for Office 365 ActiveSync and Outlook clients that use legacy authentication. You can use conditions in access policies to configure access and authentication requirements based on these client IP addresses. For more information, see the Microsoft Office 365 STS - RSA SecurID Access WS-Federation Implementation Guide on RSA Link.

RSA SecurID Authenticate App Releases

RSA SecurID Authenticate 1.5.5 for iOS and RSA SecurID Authenticate 1.5.6 for Android include increased reliability of push notifications from the Cloud Authentication Service and bug fixes.

Cloud Administration Console Improvements

The Cloud Administration Console was enhanced to improve reliability and failover. Additional improvements include:

  • The console sign-in page has been modified to improve usability.
  • The dashboard page provides monthly usage information for SMS Tokencode and Voice Tokencode.
  • On the Users > Management page, a Super Admin or Help Desk Admin can click a refresh button to synchronize an individual user from an identity source.

Terminology Update

In the user authentication interface for RADIUS, relying parties, and SSO Agent, the term Fingerprint has been replaced with Device Biometric. Device Biometric includes Fingerprint and Face ID.

Fixed Issues

NGX-17834. When a user authenticates to an HFED application and RSA SecurID Access does not receive a response from the application, RSA SecurID Access displays an appropriate timeout error.

NGX-17855. If you test the identity source connection, click Refresh Attributes on the User Attributes page, save changes, publish, and synchronize, you no longer see a failed synchronization message if the LDAP directory server is running and SSL certificates are invalid. Instead, a message instructs you to check the SSL configuration and certificates.

NGX-17883. If the IP address of a RADIUS client device is translated using Network Address Translation (NAT) before connecting to the identity router RADIUS server, the server responds and no longer times out prematurely.

NGX-17928. If RSA Authentication Manager is connected to the Cloud Authentication Service but cannot be reached by the identity router, and a user attempts RADIUS authentication using an RSA SecurID Token or an invalid RSA Authenticate Tokencode, the User Event Monitor now displays an appropriate timeout message.

NGX-18434. When you deploy a custom portal and add a trusted header application to proxy the web traffic between users and the custom portal web server, the web servers created using HTTPS or Both (HTTP/HTTPS) now function correctly.

NGX-18518. Authentications from the identity router to HTTP Federation applications that were configured for HTTPS or BOTH and were incorrectly sent over HTTP are now configured and sent correctly.

NGX-18642. The initial publish to identity routers no longer fails after the Cloud Authentication Service has been upgraded.

November 2017 - Cloud Authentication Service

The Cloud Authentication Service includes the following feature and bug fixes.

Voice Tokencode

RSA SecurID Access has a new authentication method, Voice Tokencode. When RSA enables this feature, a user can request RSA SecurID Access to call the user’s phone and provide a six-digit code, which the user enters to access a protected resource. This method is handy for emergency access, for example, when the user cannot access a registered device or RSA SecurID Token.

Device Biometrics

In the Cloud Administration Console, the Assurance Levels page (Access > Assurance Levels) has replaced the Fingerprint option with Device Biometrics. When you select Device Biometrics for an assurance level, users can select Biometrics as an authentication option and use fingerprint if they registered fingerprint on their devices. Other biometric methods will be supported in future releases.

Miscellaneous Upgrades

The November release will also include several miscellaneous infrastructure upgrades and bug fixes.

November 2017 - RSA SecurID Authenticate Apps

RSA SecurID Authenticate 1.0.4 for Windows contains bug fixes.

All users of this app should update to this version. Users who have installed the app on a PC can update on their own. Users of the app on Windows phones require administrative assistance. An administrator must first delete the users' Windows phones in the Cloud Administration Console, and then the users must complete device registration again.

October 2017 - Cloud Authentication Service

The Cloud Authentication Service includes the following feature and bug fixes.

Multifactor Authentication to Protect Microsoft Azure Active Directory

You can protect Microsoft Azure Active Directory applications, the Azure Active Directory application portal, and the Azure AD admin console with RSA SecurID Access multifactor authentication. For instructions, see https://community.rsa.com/docs/DOC-81278.

End User Toolkit Update

The End User Toolkit now contains step-by-step instructions for RSA SecurID Authenticate device registration, available in HTML, PDF, and video. See https://community.rsa.com/docs/DOC-75817.

Fixed Issues

The Cloud Authentication Service includes numerous fixes, including the following.

NGX-17664 - After a user successfully authenticates with an RSA SecurID token in New PIN Mode, the message “3006 Device deletion failed” is no longer logged in the User Event Monitor.

NGX-17927 - If the name configured for an application in the Cloud Administration Console contains more than 32 characters, the RSA SecurID Authenticate app no longer truncates the name when prompting users for authentication credentials.

NGX-17960 - On the User Management page, if you highlight all or part of the user’s SMS phone number while updating it, the Save button is now activated after you type the replacement number.

NGX-17964 - If an Android user is trying to authenticate with Fingerprint or Eyeprint Verification to an authentication client or custom client developed with the RSA SecurID Authentication API, RSA SecurID Access no longer sends an actionable notification (Approve/Deny) to the user.

NGX-17986 - When a user reaches the limit for failed authentication attempts using RSA SecurID Authenticate Tokencode, the audit trail now continues to record additional authentication attempts after the method is locked.

NGX-18007 - In an SSO Agent deployment, when configuring an application to use SP-initiated SAML with the HTTP REDIRECT binding, the Choose File button for certificate upload is now disabled to reflect that signed SAML requests are not supported for the redirect binding method.

NGX-18137 - In an SSO Agent deployment, importing metadata from an XML file for a new SAML Direct application created from a template now works properly in Internet Explorer 10 and 11.

NGX-18261 - The +ADD buttons on the Access > Assurance Levels page of the Cloud Administration Console no longer appear inactive in some deployments, and new assurance levels can be added normally.

October 2017 - RSA SecurID Authenticate Apps

RSA SecurID Authenticate 1.5.4 for Android contains the following updates:

  • Qualified on Android 8.0 (Android O)
  • Bug fixes

September 2017 - Cloud Authentication Service

The Cloud Authentication Service includes the following new features and enhancements.

Support for Installing Identity Routers as Microsoft Hyper-V Virtual Machines

RSA SecurID Access supports installing identity routers as Microsoft Hyper-V-based virtual machines. You can use the Cloud Administration Console to download a Microsoft Hyper-V Virtual Hard Disk (VHD) image, which includes all necessary identity router applications.

Download User Reports

You can use the Cloud Administration Console to create a report listing all users who have been synchronized from identity sources to the Cloud Authentication Service and download the report to a .CSV file. The report provides dates for user account creation and update, and information about user devices and authenticators.

Improved Visibility of Authentication Options When Configuring Access Policies

When you select the assurance level for an access policy, the Cloud Administration Console displays the authentication options for the level that you selected and all higher levels. For example, if you select Low, the console displays options from the Low, Medium, and High assurance levels. End users may see options for all levels but are not presented with options they cannot complete.

New Videos for End Users

The RSA SecurID Access End User Toolkit now includes two YouTube videos that you can use to show your users how to authenticate with the Approve and Fingerprint authentication methods.

Fixed Issues

The Cloud Authentication Service includes numerous fixes, including the following.

NGX-17635 - When a user authenticates to an authentication client or a custom client developed with the RSA SecurID Authentication API, the User Event Monitor no longer displays unnecessary "Device registration succeeded" and "Device deletion succeeded" messages.

NGX-17934 - After you modify administrator API settings in the Cloud Administration Console, the publishing status bar no longer displays “Changes Pending” to indicate that the new settings must be published.

NGX-18264 - You can now edit, delete, and export metadata from a configuration for a SAML 2 Generic Direct SP application with an expired certificate. Open the edit page in the Cloud Administration Console and upload a new certificate if necessary.

August 2017 - Cloud Authentication Service

The Cloud Authentication Service includes the following new features and enhancements:

  • Improved authentication experience during single sign-on
  • RADIUS events sent to Syslog (user authentication, start and stop)
  • RADIUS support for Fingerprint and Eyeprint ID
  • SMS Tokencode authentication method
  • Additional authentication for the Cloud Administration Console
  • Just-in-time synchronization for LDAP user records
  • Configurable security levels for identity router connection ciphers
  • Authenticate app updates
  • Numerous additional improvements

Note:  To take full advantage of new features, make sure you update your identity router. For instructions, see https://community.rsa.com/docs/DOC-54075 on RSA Link.

For the latest product documentation, see the RSA SecurID Access Documentation page at https://community.rsa.com/community/products/securid/securid-access.

Improved Authentication Experience During Single Sign-On

The authentication experience for users trying to access a protected application in an SSO Agent deployment has been improved by displaying more options to complete authentication. Users can select options from the required assurance level and higher assurance levels. For example, if an application has a policy that requires a certain set of users to use the Low assurance level, then those users accessing the application can authenticate using an authentication method defined for the Low, Medium, or High level.

RADIUS Improvements

RADIUS for the Cloud Authentication Service provides the following improvements.

                   
| Improvement | Description |
|---|---|
| RADIUS events (such as user authentication and start and stop events) are sent to Syslog. | The identity router sends RADIUS events to the Syslog server if you enable logging for identity router system events in the Cloud Administration Console. |
| Support for Fingerprint and Eyeprint ID authentication | RADIUS supports the Fingerprint and Eyeprint ID authentication methods. Users with registered compatible mobile devices can use these methods for RADIUS authentication if allowed by the access policy for the RADIUS client. |

SMS Tokencode Authentication Method

RSA SecurID Access has a new authentication method, SMS Tokencode. When RSA enables this feature, the Cloud Authentication Service can send a six-digit code to the user's mobile phone in a text message. This method is useful for emergency access, for example, when the user cannot locate the device used to register the Authenticate app. SMS Tokencodes can be sent to phone numbers that are synchronized from LDAP directory servers, or administrators can enter user phone numbers manually. Contact RSA Customer Support for more information.

Additional Authentication for the Cloud Administration Console

You can require additional authentication factors, such as tokencodes or push notifications, to protect the Cloud Administration Console. Passwords are still required. You configure an access policy to set up authentication requirements for the console just as you do for other resources. Use the policy to specify different access requirements for administrators based on identity source attributes and conditional attributes.

Just-in-Time Synchronization for LDAP User Records

Just-in-time synchronization automatically adds or updates user records in the Cloud Authentication Service when users attempt to register a device or access a protected resource. When this feature is enabled, the user records and related attributes in the Cloud Authentication Service stay up-to-date without administrative action. An administrator never needs to add user records through manual or scheduled synchronization. Contact RSA Customer Support to enable just-in-time synchronization.

Configurable Security Levels for Identity Router Connection Ciphers

Security levels determine the cipher requirements for connections between the identity router and other components such as user browsers and load balancers. Using the Cloud Administration Console, you can view cipher requirements for incoming and outgoing connections, and modify the security level for incoming connections.

Authenticate App Updates

RSA SecurID Authenticate 1.5.3 for Android, RSA SecurID Authenticate 1.5.4 for iOS, and RSA SecurID Authenticate 1.0.3 for Windows 10 contain the following updates:

  • (Android only) New minimum Android operating system of version 5.0. With the release of RSA SecurID Authenticate 1.5.3 for Android, earlier versions of the app will no longer be supported, and the app will no longer be available in Google Play for devices that do not meet this new minimum OS requirement. Encourage your end users to upgrade to Android version 5.0 or higher.
  • Improved backup support for communication between the app and RSA SecurID Access.
  • Updated RSA SecurID Access logo.
  • Bug fixes.

Additional Improvements

The Cloud Authentication Service contains the following additional improvements:

  • The Welcome page of the Identity Router VMware Console includes detailed instructions for navigation, selection, and saving configuration changes. When you save your settings, the console displays a progress bar and status messages.
  • In the Cloud Administration Console, service providers are now managed in Authentication Clients > Relying Parties.
  • There is now only one RSA SecurID Access Solution Architecture Workbook. The region-specific information is available within the workbook.

Fixed Issues

The Cloud Authentication Service includes numerous fixes, including the following.

NGX-17207 - If an identity router is originally configured as part of a non-default cluster, changing settings for that identity router in the Cloud Administration Console no longer resets the cluster back to default when you navigate back to the Basic Information page for the identity router.

NGX-17456 - After you complete an initial setup option, the dashboard now shows the System Summary screen.

NGX-17603 - When you set up an identity router with single sign-on (SSO) disabled, you are no longer required to enter a Portal Hostname.

NGX-17615 - When you connect to the identity router through SSH using the idradmin account, messages regarding the Enterprise Connector no longer appear.

NGX-16883 - This fix applies when an identity source is configured for multiple replica directory servers and each server is assigned to a different cluster. When a user signs in to the application portal, the identity router authenticates the user through the directory servers in the cluster to which the identity router belongs.

NGX-17333 - If a user attempts to access two applications from the application portal on two different browsers using the same mobile authentication method, and the user successfully responds to both mobile notifications, each application can authenticate successfully.

If a user attempts to access two applications from the application portal on the same browser and both applications are protected by the same assurance level, and the user successfully responds to the authentication prompt, only the first tab where the user clicks Continue on the Remember This Browser screen can be opened. The second attempt displays an error message. The user must launch the second application from the application portal again, but is not required to provide additional authentication.

NGX-17660 - If the user selects an authentication method from the list of available options, the selected method reliably persists when clicked, and authentication begins.

NGX-17700 - A user with an Android device with a time delay of two minutes or more can now complete device registration using RSA SecurID Authenticate versions 1.4 through 1.5.1.

 

 

 
