RSA SecurID® Access Release Notes for RSA Authentication Manager 8.2 SP1 and the Cloud Authentication Service

Document created by RSA Information Design and Development on Oct 7, 2016. Last modified by Joyce Cohen on Nov 17, 2017.
Version 30

 

These Release Notes cover all RSA SecurID Access components: RSA Authentication Manager, Cloud Authentication Service, and the RSA SecurID Authenticate apps.

Cumulative patches are available for Authentication Manager. For the most recent update, see: https://community.rsa.com/community/products/securid/authentication-manager-821/downloads.

 

November 2017 (Cloud Authentication Service)

The Cloud Authentication Service includes the following feature and bug fixes.

 

Voice Tokencode

RSA SecurID Access has a new authentication method, Voice Tokencode. When RSA enables this feature, a user
can request RSA SecurID Access to call the user’s phone and provide a six-digit code, which the user enters to
access a protected resource. This method is handy for emergency access, for example, when the user cannot
access a registered device or RSA SecurID Token.


Device Biometrics

In the Cloud Administration Console, the Assurance Levels page (Access > Assurance Levels) has replaced
the Fingerprint option with Device Biometrics. When you select Device Biometrics for an assurance level, users
can select Biometrics as an authentication option and use a fingerprint if they have registered one on their
devices. Other biometric methods will be supported in future releases.


Miscellaneous Upgrades

The November release will also include several miscellaneous infrastructure upgrades and bug fixes.

November 2017 (RSA SecurID Authenticate Apps)

RSA SecurID Authenticate 1.0.4 for Windows contains bug fixes.


All users of this app should update to this version. Users who have installed the app on a PC can update on their own. Users of the app on Windows phones require administrative assistance. An administrator must first delete the users' Windows phones in the Cloud Administration Console, and then the users must complete device registration again.

October 2017 (Cloud Authentication Service)

The Cloud Authentication Service includes the following feature and bug fixes.

Multifactor Authentication to Protect Microsoft Azure Active Directory

You can protect Microsoft Azure Active Directory applications, the Azure Active Directory application portal, and the Azure AD admin console with RSA SecurID Access multifactor authentication. For instructions, see https://community.rsa.com/docs/DOC-81278.

End User Toolkit Update

The End User Toolkit now contains step-by-step instructions for RSA SecurID Authenticate device registration, available in HTML, PDF, and video. See https://community.rsa.com/docs/DOC-75817.

Fixed Issues

The Cloud Authentication Service includes numerous fixes, including the following.

NGX-17664 - After a user successfully authenticates with an RSA SecurID token in New PIN Mode, the message “3006 Device deletion failed” is no longer logged in the User Event Monitor.

NGX-17927 - If the name configured for an application in the Cloud Administration Console contains more than 32 characters, the RSA SecurID Authenticate app no longer truncates the name when prompting users for authentication credentials.

NGX-17960 - On the User Management page, if you highlight all or part of the user’s SMS phone number while updating it, the Save button is now activated after you type the replacement number.

NGX-17964 - If an Android user is trying to authenticate with Fingerprint or Eyeprint Verification to an authentication client or custom client developed with the RSA SecurID Authentication API, RSA SecurID Access no longer sends an actionable notification (Approve/Deny) to the user.

NGX-17986 - When a user reaches the limit for failed authentication attempts using RSA SecurID Authenticate Tokencode, the audit trail now continues to record additional authentication attempts after the method is locked.

NGX-18007 - In an SSO Agent deployment, when configuring an application to use SP-initiated SAML with the HTTP REDIRECT binding, the Choose File button for certificate upload is now disabled to reflect that signed SAML requests are not supported for the redirect binding method.

NGX-18137 - In an SSO Agent deployment, importing metadata from an XML file for a new SAML Direct application created from a template now works properly in Internet Explorer 10 and 11.

NGX-18261 - The +ADD buttons on the Access > Assurance Levels page of the Cloud Administration Console no longer appear inactive in some deployments, and new assurance levels can be added normally.

October 2017 (RSA SecurID Authenticate Apps)

RSA SecurID Authenticate 1.5.4 for Android contains the following updates:

  • Qualified on Android 8.0 (Android O)
  • Bug fixes

September 2017 (Cloud Authentication Service)

The Cloud Authentication Service includes the following new features and enhancements.

Support for Installing Identity Routers as Microsoft Hyper-V® Virtual Machines

RSA SecurID Access supports installing identity routers as Microsoft Hyper-V-based virtual machines. You can use the Cloud Administration Console to download a Microsoft Hyper-V Virtual Hard Disk (VHD) image, which includes all necessary identity router applications.

Download User Reports

You can use the Cloud Administration Console to create a report listing all users who have been synchronized from identity sources to the Cloud Authentication Service and download the report to a .CSV file. The report provides dates for user account creation and update, and information about user devices and authenticators.

Improved Visibility of Authentication Options When Configuring Access Policies

When you select the assurance level for an access policy, the Cloud Administration Console displays the authentication options for the level that you selected and all higher levels. For example, if you select Low, the console displays options from the Low, Medium, and High assurance levels. End users may see options for all levels but are not presented with options they cannot complete.

New Videos for End Users

The RSA SecurID Access End User Toolkit now includes two YouTube videos that you can use to show your users how to authenticate with the Approve and Fingerprint authentication methods.

Fixed Issues

The Cloud Authentication Service includes numerous fixes, including the following.

NGX-17635 - When a user authenticates to an authentication client or a custom client developed with the RSA SecurID Authentication API, the User Event Monitor no longer displays unnecessary "Device registration succeeded" and "Device deletion succeeded" messages.

NGX-17934 - After you modify administrator API settings in the Cloud Administration Console, the publishing status bar no longer displays “Changes Pending” to indicate that the new settings must be published.

NGX-18264 - You can now edit, delete, and export metadata from a configuration for a SAML 2 Generic Direct SP application with an expired certificate. Open the edit page in the Cloud Administration Console and upload a new certificate if necessary.

August 2017 (Cloud Authentication Service)

The Cloud Authentication Service includes the following new features and enhancements:

  • Improved authentication experience during single sign-on
  • RADIUS events sent to Syslog (user authentication, start and stop)
  • RADIUS support for Fingerprint and Eyeprint ID
  • SMS Tokencode authentication method
  • Additional authentication for the Cloud Administration Console
  • Just-in-time synchronization for LDAP user records
  • Configurable security levels for identity router connection ciphers
  • Authenticate app updates
  • Numerous additional improvements

Note:  To take full advantage of new features, make sure you update your identity router. For instructions, see https://community.rsa.com/docs/DOC-54075 on RSA Link.

For the latest product documentation, see the RSA SecurID Access Documentation page at https://community.rsa.com/community/products/securid/securid-access.

Improved Authentication Experience During Single Sign-On

The authentication experience for users trying to access a protected application in an SSO Agent deployment has been improved by displaying more options to complete authentication. Users can select options from the required assurance level and higher assurance levels. For example, if an application has a policy that requires a certain set of users to use the Low assurance level, then those users accessing the application can authenticate using an authentication method defined for the Low, Medium, or High level.

RADIUS Improvements

RADIUS for the Cloud Authentication Service provides the following improvements.

                   
Improvement: RADIUS events (such as user authentication and start and stop events) are sent to Syslog.
Description: The identity router sends RADIUS events to the Syslog server if you enable logging for identity router system events in the Cloud Administration Console.

Improvement: Support for Fingerprint and Eyeprint ID authentication
Description: RADIUS supports the Fingerprint and Eyeprint ID authentication methods. Users with registered compatible mobile devices can use these methods for RADIUS authentication if allowed by the access policy for the RADIUS client.

SMS Tokencode Authentication Method

RSA SecurID Access has a new authentication method, SMS Tokencode. When RSA enables this feature, the Cloud Authentication Service can send a six-digit code to the user's mobile phone in a text message. This method is useful for emergency access, for example, when the user cannot locate the device used to register the Authenticate app. SMS Tokencodes can be sent to phone numbers that are synchronized from LDAP directory servers, or administrators can enter user phone numbers manually. Contact RSA Customer Support for more information.

Additional Authentication for the Cloud Administration Console

You can require additional authentication factors, such as tokencodes or push notifications, to protect the Cloud Administration Console. Passwords are still required. You configure an access policy to set up authentication requirements for the console just as you do for other resources. Use the policy to specify different access requirements for administrators based on identity source attributes and conditional attributes.

Just-in-Time Synchronization for LDAP User Records

Just-in-time synchronization automatically adds or updates user records in the Cloud Authentication Service when users attempt to register a device or access a protected resource. When this feature is enabled, the user records and related attributes in the Cloud Authentication Service stay up-to-date without administrative action. An administrator never needs to add user records through manual or scheduled synchronization. Contact RSA Customer Support to enable just-in-time synchronization.

Configurable Security Levels for Identity Router Connection Ciphers

Security levels determine the cipher requirements for connections between the identity router and other components such as user browsers and load balancers. Using the Cloud Administration Console, you can view cipher requirements for incoming and outgoing connections, and modify the security level for incoming connections.

Authenticate App Updates

RSA SecurID Authenticate 1.5.3 for Android, RSA SecurID Authenticate 1.5.4 for iOS, and RSA SecurID Authenticate 1.0.3 for Windows 10 contain the following updates:

  • (Android only) New minimum Android operating system of version 5.0. With the release of RSA SecurID Authenticate 1.5.3 for Android, earlier versions of the app will no longer be supported, and the app will no longer be available in Google Play for devices that do not meet this new minimum OS requirement. Encourage your end users to upgrade to Android version 5.0 or higher.

  • Improved backup support for communication between the app and RSA SecurID Access.
  • Updated RSA SecurID Access logo.

  • Bug fixes.

Additional Improvements

The Cloud Authentication Service contains the following additional improvements:

  • The Welcome page of the Identity Router VMware Console includes detailed instructions for navigation, selection, and saving configuration changes. When you save your settings, the console displays a progress bar and status messages.
  • In the Cloud Administration Console, service providers are now managed in Authentication Clients > Relying Parties.
  • There is now only one RSA SecurID Access Solution Architecture Workbook. The region-specific information is available within the workbook.

 

   

April 2017 (RSA Authentication Manager)

RSA Authentication Manager 8.2 SP1 includes the following new features and enhancements:

  • Cloud Authentication Service users can access on-premise resources protected by SecurID agents
  • Remotely restore original system settings to an RSA SecurID Appliance 250 hardware appliance
  • Numerous additional improvements described below
  • Documentation changes
  • Upgrade path from version 8.2

Remotely Restore Original System Settings to an RSA SecurID Appliance 250

For disaster recovery on the RSA SecurID Appliance 250 hardware appliance, you can remotely restore the original hardware appliance system image. This release qualifies remotely restoring the version 8.2 SP1 original system image, but any version 8.2 or later system image can be restored. A hardware appliance ISO image is provided on RSA Download Central at https://download.rsasecurity.com.

On an RSA SecurID Appliance 250, you must have configured the integrated Dell Remote Access Controller (iDRAC) or the Intel Remote Management Module (RMM), or else you can only restore the original system image locally. The original system settings can only be restored locally on the RSA SecurID Appliance 130 because this model does not include a port for remote access.

For instructions, see "Hardware Appliance System Image Installation" on RSA Link: https://community.rsa.com/docs/DOC-76910.

Additional Improvements for RSA Authentication Manager

RSA Authentication Manager contains the following additional improvements.

                                   
Improvement: Download and save network settings
Description: On a primary or replica instance, you can download a text file that lists the network settings for that instance. You can save this information, and refer to it if you need to restore the original system image on a hardware appliance or if you need to replace a virtual appliance.

Improvement: RSA RADIUS upgrade
Description: The upgraded RSA RADIUS software uses the Transport Layer Security (TLS) 1.2 cryptographic protocol, instead of SSL 3.0, for RADIUS replication ports, such as port 1813, TCP.

Improvement: Microsoft Active Directory Lightweight Directory Services 2012 R2
Description: Microsoft Active Directory Lightweight Directory Services 2012 R2 (AD LDS) is qualified to run as an external identity source with RSA Authentication Manager. Authentication Manager supports Active Directory Lightweight Directory Services (LDS) servers if the same server does not also have an Active Directory Domain Controller role. If a server has an Active Directory Domain Controller role, select that identity source type when connecting the identity source to Authentication Manager.

Improvement: Workflow provisioning included with Authentication Manager Base or Enterprise license
Description: Workflow Provisioning is now a non-licensed feature and available at no additional cost. This feature automates workflows for distributing authenticators and allows users to perform many provisioning tasks from the Self-Service Console.

Improvement: On-Demand Authentication (ODA) tokencode length
Description: You can choose either 6 or 8 digits as the character length for ODA tokencodes generated by RSA Authentication Manager. The default value is 8. For instructions, see the Help topic “Change the Character Length for On-Demand Authentication Tokencodes.”

Improvement: Transfer ODA data between deployments
Description: The Export Tokens and Users page in the Security Console allows you to specify whether to export ODA data. Users configured for ODA authentication can continue using ODA features when you import the data to another deployment.

RSA Authentication Manager Product Documentation Changes

RSA Authentication Manager 8.2 Service Pack 1 guides and Help systems were updated for this release. For the most recent documentation, see RSA Link at https://community.rsa.com/community/products/securid/authentication-manager-821.

In addition, the documentation includes the following changes.

                               
Guide or Help System: Operations Console Help and Security Console Help

Guide or Help System: Help Desk Administrator’s Guide
Description: Included in the combined Help. The “Help Desk Administrator Reference” Help topic includes links to the most common Help Desk Administrator tasks.

Guide or Help System: SNMP Reference Guide
Description: Available in HTML format on RSA Link instead of in a PDF file.

Guide or Help System: Troubleshooting Guide
Description: Available in HTML format on RSA Link instead of in a PDF file.

Guide or Help System: Administrator's Guide
Description: Shorter and more usable. This guide focuses on the information that is most commonly requested, such as system maintenance, troubleshooting, and replica instance promotion. All of the information that was removed from this guide is included in the Help.

Note:  The Developer’s Guide and the software development kit (SDK) are located in the Extras download kit, rsa-am-extras-8.2.1.0.0.zip, from Download Central at https://download.rsasecurity.com.

Upgrading from RSA Authentication Manager 8.2

RSA Authentication Manager 8.2 can be upgraded to version 8.2 SP1. A direct migration from RSA Authentication Manager 6.1 or RSA Authentication Manager 7.1 is not supported. Instead, do the following:

                       
Deployment: VMware virtual appliance
Upgrade Path:
  • Migrate to RSA Authentication Manager 8.1
  • Upgrade to RSA Authentication Manager 8.1 SP1
  • Upgrade to RSA Authentication Manager 8.2
  • Upgrade to RSA Authentication Manager 8.2 SP1

Deployment: Hyper-V virtual appliance
Upgrade Path:
  • Migrate to RSA Authentication Manager 8.1 SP1
  • Upgrade to RSA Authentication Manager 8.2
  • Upgrade to RSA Authentication Manager 8.2 SP1

Deployment: Hardware appliance
Upgrade Path:
  • Migrate to RSA Authentication Manager 8.1
  • Upgrade to RSA Authentication Manager 8.1 SP1
  • Upgrade to RSA Authentication Manager 8.2
  • Upgrade to RSA Authentication Manager 8.2 SP1

    Note:  Some RSA SecurID Appliance 3.0 hardware appliances can be upgraded and do not require new hardware. For instructions on how to determine if you can upgrade a particular appliance, see the RSA Authentication Manager 7.1 to 8.1 Migration Guide: Upgrading RSA SecurID Appliance 3.0 on Existing Hardware.

RSA Authentication Manager 8.2 SP1 includes the software fixes in the cumulative Patch 3 for version 8.2. Applying version 8.2 SP1 removes any software fixes that are not included in the cumulative Patch 3 for version 8.2. To obtain these fixes, you must apply version 8.2 SP1 patches as they become available.

For the upgrade instructions, see Appendix A, “Upgrading to RSA Authentication Manager 8.2 SP1” in the RSA Authentication Manager 8.2 SP1 Setup and Configuration Guide.

Note:  The upgrade to RSA Authentication Manager 8.2 SP1 is not reversible. If SP1 is not applied successfully, you cannot roll back to version 8.2. Before applying SP1, RSA strongly recommends backing up your deployment in one of the following ways: using the Back Up Now feature in the Operations Console of the primary instance, backing up a hardware appliance with PING, taking a VMware snapshot, or creating a Hyper-V checkpoint.

Fixed Issues for the Cloud Authentication Service (August 2017)

The Cloud Authentication Service includes numerous fixes, including the following.

NGX-17207 - If an identity router is originally configured as part of a non-default cluster, changing settings for that identity router in the Cloud Administration Console no longer resets the cluster back to default when you navigate back to the Basic Information page for the identity router.

NGX-17456 - After you complete an initial setup option, the dashboard now shows the System Summary screen.

NGX-17603 - When you set up an identity router with single sign-on (SSO) disabled, you are no longer required to enter a Portal Hostname.

NGX-17615 - When you connect to the identity router through SSH using the idradmin account, messages regarding the Enterprise Connector no longer appear.

NGX-16883 - This fix applies when an identity source is configured for multiple replica directory servers and each server is assigned to a different cluster. When a user signs in to the application portal, the identity router authenticates the user through the directory servers in the cluster to which the identity router belongs.

NGX-17333 - If a user attempts to access two applications from the application portal on two different browsers using the same mobile authentication method, and the user successfully responds to both mobile notifications, each application can authenticate successfully.

If a user attempts to access two applications from the application portal on the same browser and both applications are protected by the same assurance level, and the user successfully responds to the authentication prompt, only the first tab where the user clicks Continue on the Remember This Browser screen can be opened. The second attempt displays an error message. The user must launch the second application from the application portal again, but is not required to provide additional authentication.

NGX-17660 - If the user selects an authentication method from the list of available options, the selected method reliably persists when clicked, and authentication begins.

NGX-17700 - A user with an Android device with a time delay of two minutes or more can now complete device registration using RSA SecurID Authenticate versions 1.4 through 1.5.1.

Fixed Issues for RSA Authentication Manager (April 2017)

RSA Authentication Manager 8.2 Service Pack 1 (SP1) includes the fixes that were provided in Patches 1 through 3 for RSA Authentication Manager 8.2. For the complete list of the issues that were resolved, see the RSA Authentication Manager 8.2 Patch 3 Readme at https://community.rsa.com/docs/DOC-64632.

Known Issues

For a list of known issues for the Cloud Authentication Service, see Cloud Authentication Service Known Issues.

For a list of known issues for RSA Authentication Manager 8.2 SP1, see RSA Authentication Manager 8.2 Service Pack 1 Known Issues.

 

 

 

 

 
