RSA SecurID® Access Release Notes for RSA Authentication Manager and the Cloud Authentication Service

Document created by RSA Information Design and Development on Oct 7, 2016. Last modified by RSA Information Design and Development on May 18, 2018.
Version 43

These Release Notes cover all RSA SecurID Access components: RSA Authentication Manager, Cloud Authentication Service, and the RSA SecurID Authenticate apps.

Cumulative patches are available for Authentication Manager. For the most recent update, see: https://community.rsa.com/community/products/securid/authentication-manager-83/downloads.

May 2018 (Cloud Authentication Service)

The Cloud Authentication Service includes the following features and bug fixes.

Approve Authentication Method Available with Device Unlock

You can now require users to unlock their devices before completing authentication using the Approve method. When this feature is enabled, users receive a notification on their registered devices, tap Approve, and are prompted to unlock their devices before authentication is completed.

Before enabling this option, instruct your users to update to the latest version of the RSA SecurID Authenticate app:

  • Android: 1.6.0
  • iOS: 1.6.0
  • Windows: 2.1.0

When this feature is enabled, after users update the app, the first time that they try to use Approve they must open the app, pull down to get the notification, and Approve from within the app. After the first use, Approve will work normally. Older app versions do not display a push notification and users must always open the app and pull down to respond to an Approve request.

Protected RSA SecurID Authenticate Device Registration

To help increase the security of end-user device registration, you can now use an access policy to control which users are allowed to complete device registration. You might want to use this access policy to allow only a subset of your users (for example, your Sales organization) to use the Authenticate app for additional authentication. When you enable the RSA SecurID Authenticate Device Registration policy you can specify identity source user attributes to define the target population for device registration. To learn more about this feature, click here.

Improved Management for User Deletion

You now have increased control when deleting a user from the Cloud Authentication Service. First, you mark the disabled user for deletion, which changes the user's account status to Pending Deletion. You can still view the user's detail information in the Cloud Authentication Service and synchronize a user who is Pending Deletion. After seven days, the user is automatically deleted from the Cloud Authentication Service. The user cannot register a device or authenticate to the Cloud Authentication Service while pending deletion or after deletion has taken place. Deletion removes all information and devices associated with the user from the Cloud Authentication Service.

You can also undelete a user who is pending deletion, which changes the user’s status from Pending Deletion to Disabled.

For instructions on deleting and undeleting users, click here.

LDAPv3 Account Status Now Synchronized with the Cloud Authentication Service

Users who have been disabled or expired in an LDAPv3 directory server are automatically disabled in the Cloud Authentication Service after manual, scheduled, or just-in-time synchronization. Disabled users cannot authenticate through the Cloud Authentication Service or register devices. You must manually map attributes for account status synchronization to happen. To learn more about identity source synchronization, click here and here.

Note:  Make sure all LDAPv3 users who need to use the Cloud Authentication Service are active and enabled in the LDAPv3 directory server.

Additional Enhancements to User Account Synchronization

User account status in the Cloud Authentication Service is now more closely tied to the user account status in the Active Directory and LDAPv3 directory servers. The following enhancements were implemented:

  • Users who are disabled in any directory server and who do not have existing records in the Cloud Authentication Service are not added to the Cloud Authentication Service during synchronization.
  • Users who were re-enabled in the directory server or who are no longer expired, but are pending deletion in the Cloud Authentication Service, become re-enabled in the Cloud Authentication Service after synchronization.

Users who were manually disabled in the Cloud Authentication Service remain disabled and are not overridden during synchronization.
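
The synchronization rules above can be checked against a directory export before you synchronize. The following Python sketch is an added example, not RSA code: it models only the rules stated in these release notes for Active Directory entries. The function names, the sample data, and the "Enabled" and "Disabled (manual)" status labels are hypothetical, and the reading of userAccountControl and accountExpires follows standard Active Directory semantics rather than anything in these notes.

```python
"""Predict Cloud Authentication Service user status after a directory sync.

Added example: models the rules stated in these release notes, not RSA code.
"""
from datetime import datetime, timedelta, timezone

# Standard Active Directory semantics (not taken from the release notes).
ACCOUNTDISABLE = 0x0002                     # userAccountControl flag bit
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}     # accountExpires sentinel values
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# "Disabled" and "Pending Deletion" appear in the notes; "Enabled" and
# "Disabled (manual)" are hypothetical labels used only by this model.
ENABLED = "Enabled"
DISABLED = "Disabled"
MANUAL = "Disabled (manual)"
PENDING = "Pending Deletion"


def filetime_to_datetime(filetime):
    """Convert 100-nanosecond intervals since 1601-01-01 UTC to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def directory_state(entry, now):
    """Return 'disabled', 'expired' or 'active' for one directory entry."""
    if int(entry["userAccountControl"]) & ACCOUNTDISABLE:
        return "disabled"
    expires = int(entry.get("accountExpires", "0"))
    if expires in NEVER_EXPIRES:
        return "active"
    try:
        expired = filetime_to_datetime(expires) <= now
    except OverflowError:
        # Value lies beyond the representable date range: not expired yet.
        expired = False
    return "expired" if expired else "active"


def predict_status(entry, cloud_status, now):
    """Return the expected cloud status after sync, or None if not added."""
    active = directory_state(entry, now) == "active"
    if cloud_status is None:
        # No cloud record: users who are disabled in the directory are not
        # added. Treating expired users the same way is an assumption.
        return ENABLED if active else None
    if cloud_status == MANUAL:
        # A manual disable in the cloud is not overridden by synchronization.
        return MANUAL
    if cloud_status == PENDING:
        # Re-enabled or no-longer-expired users leave Pending Deletion.
        return ENABLED if active else PENDING
    return ENABLED if active else DISABLED


def audit(entries, cloud, now):
    """Map each user to (directory state, status before, status after)."""
    report = {}
    for name, entry in entries.items():
        before = cloud.get(name)
        report[name] = (directory_state(entry, now), before,
                        predict_status(entry, before, now))
    return report


# Constructed sample data. Attribute values are strings, as LDAP returns them.
SAMPLE_NOW = datetime(2018, 5, 18, tzinfo=timezone.utc)
SAMPLE_DIRECTORY = {
    "alice": {"userAccountControl": "512",
              "accountExpires": "9223372036854775807"},
    "bob": {"userAccountControl": "514", "accountExpires": "0"},
    # 131592384000000000 is 2018-01-01 00:00:00 UTC.
    "carol": {"userAccountControl": "512",
              "accountExpires": "131592384000000000"},
    "dave": {"userAccountControl": "512", "accountExpires": "0"},
    # 135379296000000000 is 2030-01-01 00:00:00 UTC.
    "erin": {"userAccountControl": "512",
             "accountExpires": "135379296000000000"},
    "frank": {"userAccountControl": "514", "accountExpires": "0"},
}
SAMPLE_CLOUD = {"alice": ENABLED, "bob": ENABLED, "carol": ENABLED,
                "dave": PENDING, "erin": MANUAL}   # frank has no record

if __name__ == "__main__":
    results = audit(SAMPLE_DIRECTORY, SAMPLE_CLOUD, SAMPLE_NOW)
    for user, (state, before, after) in results.items():
        print(f"{user:6} directory={state:8} cloud: {before} -> {after}")
```

Users whose predicted status changes to Disabled, or who are not added at all, are the ones to review in the directory server before the next synchronization.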

Simplified Planning and Setup Content

To help streamline the initial setup of your production deployment, the planning and setup content has been reorganized and simplified. The updated Planning Guide focuses on understanding the Cloud Authentication Service at a high level. Quick Setup Guides, available for each deployment type, walk you through both planning and setup. The guides are available here:

With these changes, the Solution Architecture Workbook and Setup and Configuration Guide are no longer available.

Additional Improvements

  • For custom security requirements, you can now specify the minimum PIN length if you require PIN or Device Biometrics to view the Authenticate Tokencode. The default PIN length is four. If users have registered the RSA SecurID Authenticate app with multiple companies, the PIN applies to the RSA SecurID Authenticate Tokencodes for all companies, and the minimum PIN length is the longest minimum PIN length of these companies.
  • To simplify user rollout, users can now complete RSA SecurID Authenticate device registration on devices that do not allow push notifications for the app. However, RSA recommends enabling or allowing push notifications for RSA SecurID Authenticate options like Approve or Biometrics. This feature is useful in environments that have locked down push notifications but want to use the RSA SecurID Authenticate Tokencode.

RSA SecurID Authenticate App iOS Upgrade

The RSA SecurID Authenticate for iOS app now requires a minimum iOS operating system version of 10.0. Encourage your end users to upgrade to iOS version 10.0 or higher so they can continue using the app and take advantage of the latest improvements and bug fixes.

Incorrect Publish Status Message After the May Cloud Authentication Service Upgrade

After the Cloud Authentication Service is upgraded, the Changes Pending message appears in the Publish Status bar even if no changes are waiting to be published. You can safely ignore this message and it will disappear after your next publish operation.

Fixed Issues

NGX-19012. The User Event Monitor now reports errors for unsuccessful authentication attempts to SSO Agent applications when the identity router time and the Cloud Authentication Service time are out of sync.

NGX-19088. In the Cloud Administration Console, when you click My Account > Administrators to edit an administrator, in the API Configuration section, the examples provided for the IP Address and Netmask fields are now accurate and the fields are marked as required.

NGX-19066. Identity routers that are updated in debug mode no longer remain in the Updating phase.

NGX-19072. iOS and Windows users can now complete RSA SecurID Authenticate device registration if the Authenticate app or their devices do not receive push notifications.

NGX-19102. In the Cloud Administration Console, clearing the Enable the Identity Router REST API checkbox on the My Account > Administrators page correctly disables the API for an administrator.

NGX-19175. Unintentional audit logging changes are no longer saved to the Cloud Administration Console when Portal Settings are saved.

NGX-19176. RSA Support can now be enabled if a backup is added but not saved.

NGX-19177. Multiple audit log entries are no longer saved to the Cloud Administration Console if the backup schedule is changed and RSA Support is enabled.

NGX-19350. The Approve authentication method was failing intermittently to send notifications to Android mobile devices, resulting in failed authentications. This problem no longer occurs.

NGX-19397 and NGX-19431. Previously, when you edited and saved some existing SAML direct templates, extra attribute rows were created. This problem no longer occurs.

NGX-19494. If you are synchronizing identities from Active Directory Global Catalog, RSA recommends that you include accountExpires in the Partial Attribute Set to ensure that user accounts in the Cloud Authentication Service are enabled or disabled to match the directory server after synchronization. You no longer need to include the accountExpires attribute in the Partial Attribute Set to successfully synchronize the Cloud Authentication Service to an Active Directory Global Catalog.

April 2018 (Cloud Authentication Service)

The Cloud Authentication Service includes the following features and bug fixes.

Active Directory Account Status Now Synchronized with the Cloud Authentication Service

Users who have been disabled or expired in Active Directory are automatically disabled in the Cloud Authentication Service after manual, scheduled, or just-in-time synchronization. Disabled users cannot authenticate through the Cloud Authentication Service or register devices.

The next time you perform a publish operation and synchronize your Active Directory identity sources following the Cloud Authentication Service update on April 21, the Cloud Authentication Service will disable any cloud users whose accounts are already disabled or expired in Active Directory. This capability is not configurable. Support for LDAPv3 directory servers is expected in the near future.

Users who are disabled in Active Directory and who do not have existing records in the Cloud Authentication Service are not added to the Cloud Authentication Service during synchronization.

Note:  Make sure all Active Directory users who need to use the Cloud Authentication Service are active and enabled in Active Directory.

Administrators Can Override User Account Status in the Cloud Authentication Service

You can use the Cloud Administration Console to manually enable and disable users. This feature applies to users from Active Directory and LDAPv3 directory servers. For information about user disablement and identity source synchronization, click here.

Enhanced Authentication Options Available in RSA SecurID Authenticate 2.0.1 for Windows

RSA SecurID Authenticate 2.0.1 for Windows adds support for the Approve and Biometrics options. As part of leveraging native biometric authentication capabilities, the Biometrics option supports any Windows Hello sign-in option.

Also, if you require additional authentication before viewing the Authenticate Tokencode, the tokencode can now be protected with an app-specific PIN, instead of Windows Hello. When a user tries to view the tokencode, the app prompts the user to create this PIN.

Users should update to this version when it is released.

SSO Agent Web Server User Traffic Uses Only https://

The Cloud Administration Console now ensures that all SSO Agent web server configurations use https:// for traffic between users and identity routers. You can no longer configure http:// for user traffic. You can still configure web servers to connect to backend application web servers over https:// or http:// as necessary. Also, the console has been improved to clarify steps for the SSO Agent web server configuration.

Identity Router Update Available

A new identity router update is now available with the following improvements:

  • Improved handling for environments with unreliable time synchronization.
  • Improved handling of out-of-memory conditions in cluster replication.

If you are using the SSO Agent, RSA recommends that you apply this update to your identity routers. If you have updated your identity routers after February 2018, your identity routers do not display OUT_OF_DATE, but you can update the cluster now using these instructions. If you do not take any action, these improvements are not applied to your identity routers until your next scheduled update.

Fixed Issues

NGX-17578. In the Cloud Administration Console, the Forgot Password popup has been improved to specify that the administrator must enter the same email address that belongs to Username.

NGX-18600. Single sign-on no longer fails if you accidentally add a leading or trailing space to an access policy name.

NGX-18889. IWA connector uses global catalog to search for users in the Active Directory forest and can now find a user based on the user's domain, even when multiple user records have the same sAMAccountName in the forest.

NGX-19037. When you search for a user by entering the user’s exact email address, the user, if found, appears at the top of the list.

NGX-19079. In the Cloud Administration Console, on the My Applications page, you are no longer prevented from editing an application if you added a SAML application before adding an identity source.

March 2018 (RSA SecurID Authenticate Apps)

RSA SecurID Authenticate 1.5.6 for iOS and RSA SecurID Authenticate 1.5.8 for Android contain the following updates:

  • To ensure that your users have a consistent and familiar experience and to leverage the native biometric authentication capabilities of mobile devices, Eyeprint ID has been removed from the apps. Eyeprint biometric data stored within the apps on these devices is removed. As a reminder, RSA does not store any biometric data in the Cloud Authentication Service.

    If Eyeprint ID is an authentication option in your assurance levels, remove it. If users are prompted to use Eyeprint ID, the apps present a message instructing the users to select a different option in the browser or VPN.

  • As part of this change, Face ID is now officially supported as an option for the Device Biometrics authentication method, along with Touch ID and Android fingerprint.

  • Bug fixes.

February 28, 2018 (RSA SecurID Authenticate Apps)

RSA SecurID Authenticate 1.5.7 for Android includes bug fixes.

February 23, 2018 Identity Router Update Available

If you downloaded the identity router template or applied the identity router update between February 10, 2018 and today, certain browsers, including Chrome and Internet Explorer on Windows, might reject the self-signed certificate presented by the Identity Router Setup Console. This issue prevents you from accessing the Setup Console.

This issue does not affect you if you did not update your identity routers using the February 10 release. When you do update your identity routers, the fix for this issue will be included in the update.

If you encounter this issue, you can fix it by performing the following actions:

  • If you downloaded the virtual machine image on or after February 10 but have not yet deployed or registered it, you must download and use the latest image. For instructions, click here.
  • If you updated and registered your identity router on or after February 10 but did not upload your own certificate, you must perform the update again, as described here. The identity router does not show OUT_OF_DATE status, but you must still update it with the latest patch to resolve this issue.

February 2018 (RSA Authentication Manager 8.3)

RSA Authentication Manager 8.3 includes the following new features and enhancements:
  • Amazon Web Services (AWS) deployment
  • Token distribution and management enhancements
  • Agent reporting enhancements
  • Authentication Manager Bulk Administration (AMBA) utility integrated into RSA Authentication Manager for Enterprise Server license customers
  • Upgrade path from RSA Authentication Manager 8.2 Service Pack 1 (SP1)

For the latest product documentation, see "RSA SecurID Access Product Documentation" on RSA Link at https://community.rsa.com/docs/DOC-60094.

Amazon Web Services Deployment

This release adds support for an Amazon Web Services (AWS) virtual appliance. The AWS virtual appliance is deployed on AWS or AWS GovCloud (US) with an Amazon Machine Image (AMI) file that RSA provides. You must have created a Virtual Private Cloud (VPC) with a private subnet on AWS.

A mixed deployment with Cloud and on-premise appliances is supported. For example, you can deploy a primary instance on AWS and replica instances on your local network.

Token Distribution and Management Enhancements

RSA Authentication Manager 8.3 includes token distribution and management enhancements that were suggested by our customers:

  • Time-saving enhancements to the User Dashboard allow Help Desk administrators to more efficiently manage tokens:
    • The User Profile section on the User Dashboard displays the last authentication time and date for the selected user.
    • The Assigned SecurID Tokens section of the User Dashboard displays the last logon time and date for each assigned token.
    • The Quick Search field on the User Dashboard and the Security Console Home page allow you to search by token serial number. If the token is already assigned, the user dashboard is displayed for the user. If the token is not assigned, the SecurID Tokens View page displays.
  • You can prevent the system from assigning tokens that are expiring soon. When tokens are automatically assigned or used as replacement tokens, the system only selects unassigned tokens that have more than the configured number of days remaining. This enhancement applies when a user requests a new or replacement token in the Self-Service Console and when an administrator assigns the next available token.

Agent Reporting Enhancements

Two new report templates allow you to generate reports with information on the authentication agents in your Authentication Manager deployment:

  • The List All Authentication Agent Records report provides information on the authentication agents that have been added to Authentication Manager. For example, you can view the user groups and security domains assigned to each agent, how many times each authentication agent is installed in your deployment, and whether each agent is enabled or disabled.
  • The List All Installed Agents report provides details for all of the installed authentication agents in your deployment that have a corresponding record in Authentication Manager. For each installed authentication agent, this report displays the version number and platform, the hostname and IP address that was last used, the time and date of the last authentication, the security domain, and the name of the corresponding authentication agent record in Authentication Manager. Some newer authentication agents provide a unique Software Identifier for each installed agent. An agent might have one record in Authentication Manager, but the agent can be installed on multiple machines with a unique identifier for each installation.

RSA Authentication Manager Bulk Administration (AMBA) Utility Included with RSA Authentication Manager

Enterprise Edition and Premium Edition license customers receive the ability to use the RSA Authentication Manager Bulk Administration (AMBA) utility. AMBA is no longer offered as an add-on option to the Base Server license. Existing AMBA customers with a Base Server license can continue to use AMBA after upgrading to version 8.3.

AMBA is installed by Quick Setup, instead of being included as a separate installation from the Extras download kit. The sample templates are located in the /opt/rsa/am/utils/resources/amba_template_files directory.

Additional Improvements

RSA Authentication Manager contains the following additional improvements.

                                   
Improvement | Description

Support for Red Hat Enterprise Linux 7.4 Server (64-bit) on the web tier.

Version 8.2 SP1 Patch 3 or later adds support for installing the web tier on Red Hat Enterprise Linux 7.4 Server (64-bit).

You can install the web tier on the following Linux operating systems:

  • Red Hat Enterprise Linux 5 Server (64-bit)
  • Red Hat Enterprise Linux 5 Server (64-bit)
  • Red Hat Enterprise Linux 7.4 Server (64-bit)

The following Windows operating systems are also supported:

  • Windows Server 2008 R2 (64-bit)
  • Windows Server 2012 (64-bit)
  • Windows Server 2012 R2 (64-bit)

Apply administrative roles to specific lower-level security domains.

When you add or edit administrative roles in your deployment, you can assign the administrative role to specific security domains. By default, selecting a security domain automatically includes the subdomains. You can change this behavior, and only assign administrative roles to the security domains that you select.

Ability to hide menu items in the Security Console from administrators (except for Super Admins).

Instead of restricting access to menu items through administrative roles and security domains, you can hide menu items. For instructions, see the Help topic "Hide Security Console Menu Items from Administrators."

Generate a text-based report that lists all current configuration and policy settings for Authentication Manager.

You can analyze the CSV or XML report with third-party tools to monitor your Authentication Manager configuration over time.

For instructions on generating the report, see the Help topic "Generate a Text-Based Report of the Current Configuration Settings."

Certificate signing requests can include more than one fully qualified domain name (FQDN) and an encryption key size that you select.

To replace a console certificate or an RSA virtual host certificate, you must generate a certificate signing request (CSR) and submit it to a third-party certificate authority (CA).

Version 8.3 provides two new fields for these requests:

  • Subject Alternate Name. The Subject Alternate Name (SAN) allows you to protect multiple fully qualified domain names (FQDNs) with a single certificate. You can enter one or more FQDNs as comma-separated values, for example, authservices.corp.com,authexample.com. The default value is the FQDN used by the Authentication Manager administrative consoles.
  • Key Size. The default encryption key size is 2048.

For instructions, see the Help topics "Generate a Certificate Signing Request Using the Operations Console" and "Generate a Certificate Signing Request for the Web Tier."

Updated the Help system format used for the RSA Token Management Snap-in.

The Token Management Snap-In Help system has been updated to the same HTML5 format used in the Operations Console and Security Console Help.

After upgrading to RSA Authentication Manager 8.3, you must re-install the Token Management Snap-In to use the new Help system. For instructions, see Appendix E, "Installing the RSA Authentication Manager Token Management Snap-In" in the RSA Authentication Manager 8.3 Setup and Configuration Guide.

Note:  The Developer’s Guide and the software development kit (SDK) are located in the Extras download kit, rsa-am-extras-8.3.0.0.zip, from Download Central at https://download.rsasecurity.com.

Upgrading from RSA Authentication Manager 8.2 Service Pack 1

RSA Authentication Manager 8.2 Service Pack 1 (SP1) can be upgraded to version 8.3. A direct upgrade from earlier releases is not supported. Instead, do the following:

                           
Deployment | Upgrade Path

Amazon Web Services (AWS) virtual appliance

Version 8.3 introduces the AWS virtual appliance with support for a mixed deployment of Cloud and on-premises appliances. To upgrade an existing deployment:

  • From earlier releases, upgrade to RSA Authentication Manager 8.2
  • Upgrade to RSA Authentication Manager 8.2 SP1
  • Upgrade to RSA Authentication Manager 8.3
  • Deploy new version 8.3 replica instances in AWS, and delete your existing replica instances.
  • To move your primary instance into AWS, promote a replica instance, and delete your existing primary instance.

VMware virtual appliance

  • From earlier releases, upgrade to RSA Authentication Manager 8.2
  • Upgrade to RSA Authentication Manager 8.2 SP1
  • Upgrade to RSA Authentication Manager 8.3

Hyper-V virtual appliance

  • From earlier releases, upgrade to RSA Authentication Manager 8.2
  • Upgrade to RSA Authentication Manager 8.2 SP1
  • Upgrade to RSA Authentication Manager 8.3

Hardware appliance

  • From earlier releases, upgrade to RSA Authentication Manager 8.2
  • Upgrade to RSA Authentication Manager 8.2 SP1
  • Upgrade to RSA Authentication Manager 8.3

Note:  Some RSA SecurID Appliance 3.0 hardware appliances can be upgraded and do not require new hardware. For instructions on how to determine if you can upgrade a particular appliance, see the RSA Authentication Manager 7.1 to 8.1 Migration Guide: Upgrading RSA SecurID Appliance 3.0 on Existing Hardware.

RSA Authentication Manager 8.3 includes the software fixes in the cumulative Patch 5 for version 8.2 SP1 and additional Patch 6 and Patch 7 fixes that are listed in "Fixed Issues." Most Patch 6 and Patch 7 fixes are not included in version 8.3. Patch 8 is not included in version 8.3. Applying version 8.3 removes any software fixes that are not included in the cumulative Patch 5 for version 8.2 SP1 or listed in "Fixed Issues." To obtain these fixes, you must apply version 8.3 patches as they become available.

For the upgrade instructions, see Appendix A, “Upgrading to RSA Authentication Manager 8.3” in the RSA Authentication Manager 8.3 Setup and Configuration Guide. Upgrading to the latest version of Authentication Manager maintains existing trusted realm relationships with Authentication Manager 8.0 or later deployments.

Note:  The upgrade to RSA Authentication Manager 8.3 is not reversible. If version 8.3 is not applied successfully, you cannot roll back to version 8.2 SP1. Before applying version 8.3, RSA strongly recommends backing up your deployment in one of the following ways: using the Back Up Now feature in the Operations Console of the primary instance, backing up a hardware appliance with PING, taking a VMware snapshot, or creating a Hyper-V checkpoint.

Fixed Issues

RSA Authentication Manager 8.3 includes the fixes that were provided in Patches 1 through 5 for RSA Authentication Manager 8.2 Service Pack 1 (SP1). For the complete list of resolved issues, see the RSA Authentication Manager 8.2 SP1 Patch 5 Readme at https://community.rsa.com/docs/DOC-82988.

This release also includes the following fixes from RSA Authentication Manager 8.2 SP1 Patch 6 and Patch 7:

                                           
| Version 8.2 SP1 Tracking Number | Version 8.3 Tracking Number | Description |
|---|---|---|
| AM-31484 | AM-31613 | X-Frame-Options, X-Content-Type, and X-XSS-Protection header options for some parts of the Self-Service Console were either missing or incorrect. |
| AM-31285 | AM-31612 | HTTP Strict-Transport-Security headers were not included in responses sent between the web tier and the curl command-line interface tool. |
| AM-31427 | AM-31615 | Input fields on the Dashboard page of the Security Console were vulnerable to Cross-Site Scripting (XSS) attacks. |
| AM-31403 | AM-31614 | Administrators lacked an option to manually transfer the dump file from a primary instance to a replica instance to facilitate replica synchronization in environments where network latency and packet transmission problems interfered with the automated transfer process. Contact RSA Customer Support if you need to perform a manual dump file transfer. |
| AM-31236 | AM-31640 | Special characters in reports caused problems when the reports were exported in CSV format and viewed using Microsoft Excel. |
| AM-31585 | AM-31643 | A serious security issue existed in the Security Console. |

RSA Authentication Manager 8.3 Patch 1 will include the additional fixes in the cumulative Patches 6 and 7. For the complete list of resolved issues, see the RSA Authentication Manager 8.2 SP1 Patch 7 Readme at https://community.rsa.com/docs/DOC-85529.

In addition, the following issue was resolved:

AM-31499. The Token Management Snap-In Help system was not working. To resolve the issue, the Help is updated to the same HTML5 format used in the Operations Console and Security Console Help.

After upgrading to RSA Authentication Manager 8.3, you must re-install the Token Management Snap-In to use the new Help system. For instructions, see Appendix E, "Installing the RSA Authentication Manager Token Management Snap-In" in the RSA Authentication Manager 8.3 Setup and Configuration Guide.

Known Issues

For a list of known issues for RSA Authentication Manager 8.3, see RSA Authentication Manager 8.3 Known Issues.

February 2018 (Cloud Authentication Service)

The Cloud Authentication Service includes the following features and bug fixes.

Note:   RSA strongly recommends that you deploy this update on identity routers in your test environment and become familiar with all changes before updating identity routers in your production environment. For questions or to report issues, contact RSA Customer Support.

Enhanced Authentication Method Availability

SMS Tokencode and Voice Tokencode are now available as authentication methods in RADIUS and SSO Agent deployments. You must update your cluster to allow this capability.

FIDO Tokens are now available as an authentication method in relying party deployments. In SSO Agent deployments, you must update your cluster to continue using FIDO Tokens, and existing FIDO Token users will need to re-register their FIDO Tokens.

Additional Authentication Screens Presented in SSO Agent Deployments

The Cloud Authentication Service now presents the browser-based additional authentication screens to users in both SSO Agent and relying party deployments. In the past, the identity router presented these screens to SSO Agent deployment users, although the Cloud Authentication Service verified the users. As a result of this, users' default authentication preferences are reset. After the reset, authentication behaves the same as in the previous release, described here: https://community.rsa.com/docs/DOC-75855. Also, if you have restrictive internet access policies, you must ensure that users are allowed to access your company's authentication service domain. To view your authentication service domain, click Platform > Identity Routers > Edit (to the right of an identity router) > Registration.

Improved Cluster Mapping for Authentication Requests

Identity routers now send authentication requests only to the directory servers that are assigned to the cluster for that identity router. You do not need to perform additional configuration to make this happen.

Support for IP Address-Based Conditions in Access Policies for Office 365 STS Apps

The identity router can access client IP addresses from header information provided by Microsoft for Office 365 ActiveSync and Outlook clients that use legacy authentication. You can use conditions in access policies to configure access and authentication requirements based on these client IP addresses. For more information, see the Microsoft Office 365 STS - RSA SecurID Access WS-Federation Implementation Guide on RSA Link.

RSA SecurID Authenticate App Releases

RSA SecurID Authenticate 1.5.5 for iOS and RSA SecurID Authenticate 1.5.6 for Android include increased reliability of push notifications from the Cloud Authentication Service and bug fixes.

Cloud Administration Console Improvements

The Cloud Administration Console was enhanced to improve reliability and failover. Additional improvements include:

  • The console sign-in page has been modified to improve usability.
  • The dashboard page provides monthly usage information for SMS Tokencode and Voice Tokencode.
  • On the Users > Management page, a Super Admin or Help Desk Admin can click a refresh button to synchronize an individual user from an identity source.

Terminology Update

In the user authentication interface for RADIUS, relying parties, and SSO Agent, the term Fingerprint has been replaced with Device Biometric. Device Biometric includes Fingerprint and Face ID.

Fixed Issues

NGX-17834. When a user authenticates to an HFED application and RSA SecurID Access does not receive a response from the application, RSA SecurID Access displays an appropriate timeout error.

NGX-17855. If you test the identity source connection, click Refresh Attributes on the User Attributes page, save changes, publish, and synchronize, you no longer see a failed synchronization message if the LDAP directory server is running and SSL certificates are invalid. Instead, a message instructs you to check the SSL configuration and certificates.

NGX-17883. If the IP address of a RADIUS client device is translated using Network Address Translation (NAT) before connecting to the identity router RADIUS server, the server responds and no longer times out prematurely.

NGX-17928. If RSA Authentication Manager is connected to the Cloud Authentication Service but cannot be reached by the identity router, and a user attempts RADIUS authentication using an RSA SecurID Token or an invalid RSA Authenticate Tokencode, the User Event Monitor now displays an appropriate timeout message.

NGX-18434. When you deploy a custom portal and add a trusted header application to proxy the web traffic between users and the custom portal web server, the web servers created using HTTPS or Both (HTTP/HTTPS) now function correctly.

NGX-18518. Authentications from the identity router to HTTP Federation applications that were configured for HTTPS or BOTH and were incorrectly sent over HTTP are now configured and sent correctly.

NGX-18642. The initial publish to identity routers no longer fails after the Cloud Authentication Service has been upgraded.

Known Issues

For a list of known issues for the Cloud Authentication Service, see Cloud Authentication Service Known Issues.

November 2017 (Cloud Authentication Service)

The Cloud Authentication Service includes the following feature and bug fixes.

Voice Tokencode

RSA SecurID Access has a new authentication method, Voice Tokencode. When RSA enables this feature, a user can request RSA SecurID Access to call the user’s phone and provide a six-digit code, which the user enters to access a protected resource. This method is handy for emergency access, for example, when the user cannot access a registered device or RSA SecurID Token.

Device Biometrics

In the Cloud Administration Console, the Assurance Levels page (Access > Assurance Levels) has replaced the Fingerprint option with Device Biometrics. When you select Device Biometrics for an assurance level, users can select Biometrics as an authentication option and use fingerprint if they registered fingerprint on their devices. Other biometric methods will be supported in future releases.

Miscellaneous Upgrades

The November release will also include several miscellaneous infrastructure upgrades and bug fixes.

November 2017 (RSA SecurID Authenticate Apps)

RSA SecurID Authenticate 1.0.4 for Windows contains bug fixes.

All users of this app should update to this version. Users who have installed the app on a PC can update on their own. Users of the app on Windows phones require administrative assistance. An administrator must first delete the users' Windows phones in the Cloud Administration Console, and then the users must complete device registration again.

October 2017 (Cloud Authentication Service)

The Cloud Authentication Service includes the following feature and bug fixes.

Multifactor Authentication to Protect Microsoft Azure Active Directory

You can protect Microsoft Azure Active Directory applications, the Azure Active Directory application portal, and the Azure AD admin console with RSA SecurID Access multifactor authentication. For instructions, see https://community.rsa.com/docs/DOC-81278.

End User Toolkit Update

The End User Toolkit now contains step-by-step instructions for RSA SecurID Authenticate device registration, available in HTML, PDF, and video. See https://community.rsa.com/docs/DOC-75817.

Fixed Issues

The Cloud Authentication Service includes numerous fixes, including the following.

NGX-17664 - After a user successfully authenticates with an RSA SecurID token in New PIN Mode, the message “3006 Device deletion failed” is no longer logged in the User Event Monitor.

NGX-17927 - If the name configured for an application in the Cloud Administration Console contains more than 32 characters, the RSA SecurID Authenticate app no longer truncates the name when prompting users for authentication credentials.

NGX-17960 - On the User Management page, if you highlight all or part of the user’s SMS phone number while updating it, the Save button is now activated after you type the replacement number.

NGX-17964 - If an Android user is trying to authenticate with Fingerprint or Eyeprint Verification to an authentication client or custom client developed with the RSA SecurID Authentication API, RSA SecurID Access no longer sends an actionable notification (Approve/Deny) to the user.

NGX-17986 - When a user reaches the limit for failed authentication attempts using RSA SecurID Authenticate Tokencode, the audit trail now continues to record additional authentication attempts after the method is locked.

NGX-18007 - In an SSO Agent deployment, when configuring an application to use SP-initiated SAML with the HTTP REDIRECT binding, the Choose File button for certificate upload is now disabled to reflect that signed SAML requests are not supported for the redirect binding method.

NGX-18137 - In an SSO Agent deployment, importing metadata from an XML file for a new SAML Direct application created from a template now works properly in Internet Explorer 10 and 11.

NGX-18261 - The +ADD buttons on the Access > Assurance Levels page of the Cloud Administration Console no longer appear inactive in some deployments, and new assurance levels can be added normally.

October 2017 (RSA SecurID Authenticate Apps)

RSA SecurID Authenticate 1.5.4 for Android contains the following updates:

  • Qualified on Android 8.0 (Android O)
  • Bug fixes

September 2017 (Cloud Authentication Service)

The Cloud Authentication Service includes the following new features and enhancements.

Support for Installing Identity Routers as Microsoft Hyper-V® Virtual Machines

RSA SecurID Access supports installing identity routers as Microsoft Hyper-V-based virtual machines. You can use the Cloud Administration Console to download a Microsoft Hyper-V Virtual Hard Disk (VHD) image, which includes all necessary identity router applications.

Download User Reports

You can use the Cloud Administration Console to create a report listing all users who have been synchronized from identity sources to the Cloud Authentication Service and download the report to a .CSV file. The report provides dates for user account creation and update, and information about user devices and authenticators.

Improved Visibility of Authentication Options When Configuring Access Policies

When you select the assurance level for an access policy, the Cloud Administration Console displays the authentication options for the level that you selected and all higher levels. For example, if you select Low, the console displays options from the Low, Medium, and High assurance levels. End users may see options for all levels but are not presented with options they cannot complete.

New Videos for End Users

The RSA SecurID Access End User Toolkit now includes two YouTube videos that you can use to show your users how to authenticate with the Approve and Fingerprint authentication methods.

Fixed Issues

The Cloud Authentication Service includes numerous fixes, including the following.

NGX-17635 - When a user authenticates to an authentication client or a custom client developed with the RSA SecurID Authentication API, the User Event Monitor no longer displays unnecessary "Device registration succeeded" and "Device deletion succeeded" messages.

NGX-17934 - After you modify administrator API settings in the Cloud Administration Console, the publishing status bar no longer displays “Changes Pending” to indicate that the new settings must be published.

NGX-18264 - You can now edit, delete, and export metadata from a configuration for a SAML 2 Generic Direct SP application with an expired certificate. Open the edit page in the Cloud Administration Console and upload a new certificate if necessary.

August 2017 (Cloud Authentication Service)

The Cloud Authentication Service includes the following new features and enhancements:

  • Improved authentication experience during single sign-on
  • RADIUS events sent to Syslog (user authentication, start and stop)
  • RADIUS support for Fingerprint and Eyeprint ID
  • SMS Tokencode authentication method
  • Additional authentication for the Cloud Administration Console
  • Just-in-time synchronization for LDAP user records
  • Configurable security levels for identity router connection ciphers
  • Authenticate app updates
  • Numerous additional improvements

Note:  To take full advantage of new features, make sure you update your identity router. For instructions, see https://community.rsa.com/docs/DOC-54075 on RSA Link.

For the latest product documentation, see the RSA SecurID Access Documentation page at https://community.rsa.com/community/products/securid/securid-access.

Improved Authentication Experience During Single Sign-On

The authentication experience for users trying to access a protected application in an SSO Agent deployment has been improved by displaying more options to complete authentication. Users can select options from the required assurance level and higher assurance levels. For example, if an application has a policy that requires a certain set of users to use the Low assurance level, then those users accessing the application can authenticate using an authentication method defined for the Low, Medium, or High level.

RADIUS Improvements

RADIUS for the Cloud Authentication Service provides the following improvements.

                   
| Improvement | Description |
| --- | --- |
| RADIUS events (such as user authentication and start and stop events) are sent to Syslog. | The identity router sends RADIUS events to the Syslog server if you enable logging for identity router system events in the Cloud Administration Console. |
| Support for Fingerprint and Eyeprint ID authentication | RADIUS supports the Fingerprint and Eyeprint ID authentication methods. Users with registered compatible mobile devices can use these methods for RADIUS authentication if allowed by the access policy for the RADIUS client. |

SMS Tokencode Authentication Method

RSA SecurID Access has a new authentication method, SMS Tokencode. When RSA enables this feature, the Cloud Authentication Service can send a six-digit code to the user's mobile phone in a text message. This method is useful for emergency access, for example, when the user cannot locate the device used to register the Authenticate app. SMS Tokencodes can be sent to phone numbers that are synchronized from LDAP directory servers, or administrators can enter user phone numbers manually. Contact RSA Customer Support for more information.

Additional Authentication for the Cloud Administration Console

You can require additional authentication factors, such as tokencodes or push notifications, to protect the Cloud Administration Console. Passwords are still required. You configure an access policy to set up authentication requirements for the console just as you do for other resources. Use the policy to specify different access requirements for administrators based on identity source attributes and conditional attributes.

Just-in-Time Synchronization for LDAP User Records

Just-in-time synchronization automatically adds or updates user records in the Cloud Authentication Service when users attempt to register a device or access a protected resource. When this feature is enabled, the user records and related attributes in the Cloud Authentication Service stay up-to-date without administrative action. An administrator never needs to add user records through manual or scheduled synchronization. Contact RSA Customer Support to enable just-in-time synchronization.

Configurable Security Levels for Identity Router Connection Ciphers

Security levels determine the cipher requirements for connections between the identity router and other components such as user browsers and load balancers. Using the Cloud Administration Console, you can view cipher requirements for incoming and outgoing connections, and modify the security level for incoming connections.

Authenticate App Updates

RSA SecurID Authenticate 1.5.3 for Android, RSA SecurID Authenticate 1.5.4 for iOS, and RSA SecurID Authenticate 1.0.3 for Windows 10 contain the following updates:

  • (Android only) New minimum Android operating system of version 5.0. With the release of RSA SecurID Authenticate 1.5.3 for Android, earlier versions of the app will no longer be supported, and the app will no longer be available in Google Play for devices that do not meet this new minimum OS requirement. Encourage your end users to upgrade to Android version 5.0 or higher.
  • Improved backup support for communication between the app and RSA SecurID Access.
  • Updated RSA SecurID Access logo.
  • Bug fixes.

Additional Improvements

The Cloud Authentication Service contains the following additional improvements:

  • The Welcome page of the Identity Router VMware Console includes detailed instructions for navigation, selection, and saving configuration changes. When you save your settings, the console displays a progress bar and status messages.
  • In the Cloud Administration Console, service providers are now managed in Authentication Clients > Relying Parties.
  • There is now only one RSA SecurID Access Solution Architecture Workbook. The region-specific information is available within the workbook.

Fixed Issues

The Cloud Authentication Service includes numerous fixes, including the following.

NGX-17207 - If an identity router is originally configured as part of a non-default cluster, changing settings for that identity router in the Cloud Administration Console no longer resets the cluster back to default when you navigate back to the Basic Information page for the identity router.

NGX-17456 - After you complete an initial setup option, the dashboard now shows the System Summary screen.

NGX-17603 - When you set up an identity router with single sign-on (SSO) disabled, you are no longer required to enter a Portal Hostname.

NGX-17615 - When you connect to the identity router through SSH using the idradmin account, messages regarding the Enterprise Connector no longer appear.

NGX-16883 - This fix applies when an identity source is configured for multiple replica directory servers and each server is assigned to a different cluster. When a user signs in to the application portal, the identity router authenticates the user through the directory servers in the cluster to which the identity router belongs.

NGX-17333 - If a user attempts to access two applications from the application portal on two different browsers using the same mobile authentication method, and the user successfully responds to both mobile notifications, each application can authenticate successfully.

If a user attempts to access two applications from the application portal on the same browser and both applications are protected by the same assurance level, and the user successfully responds to the authentication prompt, only the first tab where the user clicks Continue on the Remember This Browser screen can be opened. The second attempt displays an error message. The user must launch the second application from the application portal again, but is not required to provide additional authentication.

NGX-17660 - If the user selects an authentication method from the list of available options, the selected method reliably persists when clicked, and authentication begins.

NGX-17700 - A user with an Android device with a time delay of two minutes or more can now complete device registration using RSA SecurID Authenticate versions 1.4 through 1.5.1.

   

April 2017 (RSA Authentication Manager 8.2 Service Pack 1)

RSA Authentication Manager 8.2 SP1 includes the following new features and enhancements:

  • Cloud Authentication Service users can access on-premise resources protected by SecurID agents.
  • Remotely restore original system settings to an RSA SecurID Appliance 250 hardware appliance.
  • Numerous additional improvements described below.
  • Documentation changes.
  • Upgrade path from version 8.2.

Remotely Restore Original System Settings to an RSA SecurID Appliance 250

For disaster recovery on the RSA SecurID Appliance 250 hardware appliance, you can remotely restore the original hardware appliance system image. This release qualifies remotely restoring the version 8.2 SP1 original system image, but any version 8.2 or later system image can be restored. A hardware appliance ISO image is provided on RSA Download Central at https://download.rsasecurity.com.

On an RSA SecurID Appliance 250, you must have configured the integrated Dell Remote Access Controller (iDRAC) or the Intel Remote Management Module (RMM), or else you can only restore the original system image locally. The original system settings can only be restored locally on the RSA SecurID Appliance 130 because this model does not include a port for remote access.

For instructions, see "Hardware Appliance System Image Installation" on RSA Link: https://community.rsa.com/docs/DOC-76910.

Additional Improvements for RSA Authentication Manager

RSA Authentication Manager contains the following additional improvements.

                                   
| Improvement | Description |
| --- | --- |
| Download and save network settings | On a primary or replica instance, you can download a text file that lists the network settings for that instance. You can save this information, and refer to it if you need to restore the original system image on a hardware appliance or if you need to replace a virtual appliance. |
| RSA RADIUS upgrade | The upgraded RSA RADIUS software uses the Transport Layer Security (TLS) 1.2 cryptographic protocol, instead of SSL 3.0, for RADIUS replication ports, such as port 1813, TCP. |
| Microsoft Active Directory Lightweight Directory Services 2012 R2 | Microsoft Active Directory Lightweight Directory Services 2012 R2 (AD LDS) is qualified to run as an external identity source with RSA Authentication Manager. Authentication Manager supports Active Directory Lightweight Directory Services (LDS) servers if the same server does not also have an Active Directory Domain Controller role. If a server has an Active Directory Domain Controller role, select that identity source type when connecting the identity source to Authentication Manager. |
| Workflow provisioning included with Authentication Manager Base or Enterprise license | Workflow Provisioning is now a non-licensed feature and available at no additional cost. This feature automates workflows for distributing authenticators and allows users to perform many provisioning tasks from the Self-Service Console. |
| On-Demand Authentication (ODA) tokencode length | You can choose either 6 or 8 digits as the character length for ODA tokencodes generated by RSA Authentication Manager. The default value is 8. For instructions, see the Help topic “Change the Character Length for On-Demand Authentication Tokencodes.” |
| Transfer ODA data between deployments | The Export Tokens and Users page in the Security Console allows you to specify whether to export ODA data. Users configured for ODA authentication can continue using ODA features when you import the data to another deployment. |

RSA Authentication Manager Product Documentation Changes

RSA Authentication Manager 8.2 Service Pack 1 guides and Help systems were updated for this release. For the most recent documentation, see RSA Link at https://community.rsa.com/community/products/securid/authentication-manager-821.

In addition, the documentation includes the following changes.

                               
| Guide or Help System | Description |
| --- | --- |
| Operations Console Help and Security Console Help | Combined into one Help system. The Help is available in both consoles and on RSA Link at https://community.rsa.com/docs/DOC-77519. |
| Help Desk Administrator’s Guide | Included in the combined Help. The “Help Desk Administrator Reference” Help topic includes links to the most common Help Desk Administrator tasks. |
| SNMP Reference Guide | Available in HTML format on RSA Link instead of in a PDF file. |
| Troubleshooting Guide | Available in HTML format on RSA Link instead of in a PDF file. |
| Administrator's Guide | Shorter and more usable. This guide focuses on the information that is most commonly requested, such as system maintenance, troubleshooting, and replica instance promotion. All of the information that was removed from this guide is included in the Help. |

Note: The Developer’s Guide and the software development kit (SDK) are located in the Extras download kit, rsa-am-extras-8.2.1.0.0.zip, from Download Central at https://download.rsasecurity.com.

Upgrading from RSA Authentication Manager 8.2

RSA Authentication Manager 8.2 can be upgraded to version 8.2 SP1. A direct migration from RSA Authentication Manager 6.1 or RSA Authentication Manager 7.1 is not supported. Instead, do the following:

Upgrade path by deployment:

VMware virtual appliance

  • Migrate to RSA Authentication Manager 8.1
  • Upgrade to RSA Authentication Manager 8.1 SP1
  • Upgrade to RSA Authentication Manager 8.2
  • Upgrade to RSA Authentication Manager 8.2 SP1

Hyper-V virtual appliance

  • Migrate to RSA Authentication Manager 8.1 SP1
  • Upgrade to RSA Authentication Manager 8.2
  • Upgrade to RSA Authentication Manager 8.2 SP1

Hardware appliance

  • Migrate to RSA Authentication Manager 8.1
  • Upgrade to RSA Authentication Manager 8.1 SP1
  • Upgrade to RSA Authentication Manager 8.2
  • Upgrade to RSA Authentication Manager 8.2 SP1

Note: Some RSA SecurID Appliance 3.0 hardware appliances can be upgraded and do not require new hardware. For instructions on how to determine if you can upgrade a particular appliance, see the RSA Authentication Manager 7.1 to 8.1 Migration Guide: Upgrading RSA SecurID Appliance 3.0 on Existing Hardware.

RSA Authentication Manager 8.2 SP1 includes the software fixes in the cumulative Patch 3 for version 8.2. Applying version 8.2 SP1 removes any software fixes that are not included in the cumulative Patch 3 for version 8.2. To obtain these fixes, you must apply version 8.2 SP1 patches as they become available.

For the upgrade instructions, see Appendix A, “Upgrading to RSA Authentication Manager 8.2 SP1” in the RSA Authentication Manager 8.2 SP1 Setup and Configuration Guide.

Note: The upgrade to RSA Authentication Manager 8.2 SP1 is not reversible. If SP1 is not applied successfully, you cannot roll back to version 8.2. Before applying SP1, RSA strongly recommends backing up your deployment in one of the following ways: using the Back Up Now feature in the Operations Console of the primary instance, backing up a hardware appliance with PING, taking a VMware snapshot, or creating a Hyper-V checkpoint.

Fixed Issues

RSA Authentication Manager 8.2 Service Pack 1 (SP1) includes the fixes that were provided in Patches 1 through 3 for RSA Authentication Manager 8.2. For the complete list of the issues that were resolved, see the RSA Authentication Manager 8.2 Patch 3 Readme at https://community.rsa.com/docs/DOC-64632.

Known Issues

For a list of known issues for RSA Authentication Manager 8.2 SP1, see RSA Authentication Manager 8.2 Service Pack 1 Known Issues.

     

     
