These Release Notes cover all RSA SecurID Access components: RSA Authentication Manager, Cloud Authentication Service, and the RSA SecurID Authenticate apps.
September 2017 (Cloud Authentication Service)
The Cloud Authentication Service includes the following new features and enhancements.
Support for Installing Identity Routers as Microsoft Hyper-V® Virtual Machines
RSA SecurID Access supports installing identity routers as Microsoft Hyper-V-based virtual machines. You can use the Cloud Administration Console to download a Microsoft Hyper-V Virtual Hard Disk (VHD) image, which includes all necessary identity router applications.
Download User Reports
You can use the Cloud Administration Console to create a report listing all users who have been synchronized from identity sources to the Cloud Authentication Service and download the report to a .CSV file. The report provides dates for user account creation and update, and information about user devices and authenticators.
Improved Visibility of Authentication Options When Configuring Access Policies
When you select the assurance level for an access policy, the Cloud Administration Console displays the authentication options for the level that you selected and all higher levels. For example, if you select Low, the console displays options from the Low, Medium, and High assurance levels. End users may see options for all levels but are not presented with options they cannot complete.
New Videos for End Users
The RSA SecurID Access End User Toolkit now includes two YouTube videos that you can use to show your users how to authenticate with the Approve and Fingerprint authentication methods.
The Cloud Authentication Service includes numerous fixes, including the following.
NGX-17635 - When a user authenticates to an authentication client or a custom client developed with the RSA SecurID Authentication API, the User Event Monitor no longer displays unnecessary "Device registration succeeded" and "Device deletion succeeded" messages.
NGX-17934 - After you modify administrator API settings in the Cloud Administration Console, the publishing status bar no longer displays “Changes Pending” to indicate that the new settings must be published.
NGX-18264 - You can now edit, delete, and export metadata from a configuration for a SAML 2 Generic Direct SP application with an expired certificate. Open the edit page in the Cloud Administration Console and upload a new certificate if necessary.
August 2017 (Cloud Authentication Service)
The Cloud Authentication Service includes the following new features and enhancements:
- Improved authentication experience during single sign-on
- RADIUS events sent to Syslog (user authentication, start and stop)
- RADIUS support for Fingerprint and Eyeprint ID
- SMS Tokencode authentication method
- Additional authentication for the Cloud Administration Console
- Just-in-time synchronization for LDAP user records
- Configurable security levels for identity router connection ciphers
- Authenticate app updates
- Numerous additional improvements
Note: To take full advantage of new features, make sure you update your identity router. For instructions, see https://community.rsa.com/docs/DOC-54075 on RSA Link.
For the latest product documentation, see the RSA SecurID Access Documentation page at https://community.rsa.com/community/products/securid/securid-access.
Improved Authentication Experience During Single Sign-On
The authentication experience for users trying to access a protected application in an SSO Agent deployment has been improved by displaying more options to complete authentication. Users can select options from the required assurance level and higher assurance levels. For example, if an application has a policy that requires a certain set of users to use the Low assurance level, then those users accessing the application can authenticate using an authentication method defined for the Low, Medium, or High level.
RADIUS for the Cloud Authentication Service provides the following improvements.
| Improvement | Description |
|---|---|
| RADIUS events (such as user authentication and start and stop events) are sent to Syslog. | The identity router sends RADIUS events to the Syslog server if you enable logging for identity router system events in the Cloud Administration Console. |
| Support for Fingerprint and Eyeprint ID authentication | RADIUS supports the Fingerprint and Eyeprint ID authentication methods. Users with registered compatible mobile devices can use these methods for RADIUS authentication if allowed by the access policy for the RADIUS client. |
SMS Tokencode Authentication Method
RSA SecurID Access has a new authentication method, SMS Tokencode. When RSA enables this feature, the Cloud Authentication Service can send a six-digit code to the user's mobile phone in a text message. This method is useful for emergency access, for example, when the user cannot locate the device used to register the Authenticate app. SMS Tokencodes can be sent to phone numbers that are synchronized from LDAP directory servers, or administrators can enter user phone numbers manually. Contact RSA Customer Support for more information.
Additional Authentication for the Cloud Administration Console
You can require additional authentication factors, such as tokencodes or push notifications, to protect the Cloud Administration Console. Passwords are still required. You configure an access policy to set up authentication requirements for the console just as you do for other resources. Use the policy to specify different access requirements for administrators based on identity source attributes and conditional attributes.
Just-in-Time Synchronization for LDAP User Records
Just-in-time synchronization automatically adds or updates user records in the Cloud Authentication Service when users attempt to register a device or access a protected resource. When this feature is enabled, the user records and related attributes in the Cloud Authentication Service stay up-to-date without administrative action. An administrator never needs to add user records through manual or scheduled synchronization. Contact RSA Customer Support to enable just-in-time synchronization.
Configurable Security Levels for Identity Router Connection Ciphers
Security levels determine the cipher requirements for connections between the identity router and other components such as user browsers and load balancers. Using the Cloud Administration Console, you can view cipher requirements for incoming and outgoing connections, and modify the security level for incoming connections.
Authenticate App Updates
RSA SecurID Authenticate 1.5.3 for Android, RSA SecurID Authenticate 1.5.4 for iOS, and RSA SecurID Authenticate 1.0.3 for Windows 10 contain the following updates:
- (Android only) New minimum Android operating system of version 5.0. With the release of RSA SecurID Authenticate 1.5.3 for Android, earlier versions of the app will no longer be supported, and the app will no longer be available in Google Play for devices that do not meet this new minimum OS requirement. Encourage your end users to upgrade to Android version 5.0 or higher.
- Improved backup support for communication between the app and RSA SecurID Access.
- Updated RSA SecurID Access logo.
The Cloud Authentication Service contains the following additional improvements:
- The Welcome page of the Identity Router VMware Console includes detailed instructions for navigation, selection, and saving configuration changes. When you save your settings, the console displays a progress bar and status messages.
- In the Cloud Administration Console, service providers are now managed in Authentication Clients > Relying Parties.
- There is now only one RSA SecurID Access Solution Architecture Workbook. The region-specific information is available within the workbook.
April 2017 (RSA Authentication Manager)
RSA Authentication Manager 8.2 SP1 includes the following new features and enhancements:
- Cloud Authentication Service users can access on-premise resources protected by SecurID agents.
- Remotely restore original system settings to an RSA SecurID Appliance 250 hardware appliance
- Additional improvements
- Documentation changes
- Upgrade path from version 8.2
Remotely Restore Original System Settings to an RSA SecurID Appliance 250
For disaster recovery on the RSA SecurID Appliance 250 hardware appliance, you can remotely restore the original hardware appliance system image. This release qualifies remotely restoring the version 8.2 SP1 original system image, but any version 8.2 or later system image can be restored. A hardware appliance ISO image is provided on RSA Download Central at https://download.rsasecurity.com.
On an RSA SecurID Appliance 250, you must have configured the integrated Dell Remote Access Controller (iDRAC) or the Intel Remote Management Module (RMM), or else you can only restore the original system image locally. The original system settings can only be restored locally on the RSA SecurID Appliance 130 because this model does not include a port for remote access.
For instructions, see "Hardware Appliance System Image Installation" on RSA Link: https://community.rsa.com/docs/DOC-76910.
Additional Improvements for RSA Authentication Manager
RSA Authentication Manager contains the following additional improvements.
| Improvement | Description |
|---|---|
| Download and save network settings | On a primary or replica instance, you can download a text file that lists the network settings for that instance. You can save this information, and refer to it if you need to restore the original system image on a hardware appliance or if you need to replace a virtual appliance. |
| RSA RADIUS upgrade | The upgraded RSA RADIUS software uses the Transport Layer Security (TLS) 1.2 cryptographic protocol, instead of SSL 3.0, for RADIUS replication ports, such as port 1813, TCP. |
| Microsoft Active Directory Lightweight Directory Services 2012 R2 | Microsoft Active Directory Lightweight Directory Services 2012 R2 (AD LDS) is qualified to run as an external identity source with RSA Authentication Manager. Authentication Manager only supports Active Directory Lightweight Directory Services without domain controllers. |
| Workflow provisioning included with Authentication Manager Base or Enterprise license | Workflow Provisioning is now a non-licensed feature and available at no additional cost. This feature automates workflows for distributing authenticators and allows users to perform many provisioning tasks from the Self-Service Console. |
| On-Demand Authentication (ODA) tokencode length | You can choose either 6 or 8 digits as the character length for ODA tokencodes generated by RSA Authentication Manager. The default value is 8. For instructions, see the Help topic “Change the Character Length for On-Demand Authentication Tokencodes.” |
| Transfer ODA data between deployments | The Export Tokens and Users page in the Security Console allows you to specify whether to export ODA data. Users configured for ODA authentication can continue using ODA features when you import the data to another deployment. |
RSA Authentication Manager Product Documentation Changes
RSA Authentication Manager 8.2 Service Pack 1 guides and Help systems were updated for this release. For the most recent documentation, see RSA Link at https://community.rsa.com/community/products/securid/authentication-manager-821.
In addition, the documentation includes the following changes.
| Guide or Help System | Description |
|---|---|
| Operations Console Help and Security Console Help | |
| Help Desk Administrator’s Guide | Included in the combined Help. The “Help Desk Administrator Reference” Help topic includes links to the most common Help Desk Administrator tasks. |
| SNMP Reference Guide | |
| Troubleshooting Guide | Available in HTML format on RSA Link instead of in a PDF file. |
| Administrator's Guide | Shorter and more usable. This guide focuses on the information that is most commonly requested, such as system maintenance, troubleshooting, and replica instance promotion. All of the information that was removed from this guide is included in the Help. |
Note: The Developer’s Guide and the software development kit (SDK) are located in the Extras download kit, rsa-am-extras-188.8.131.52.0.zip, from Download Central at https://download.rsasecurity.com.
Upgrading from RSA Authentication Manager 8.2
RSA Authentication Manager 8.2 can be upgraded to version 8.2 SP1. A direct migration from RSA Authentication Manager 6.1 or RSA Authentication Manager 7.1 is not supported. Instead, do the following:
|VMware virtual appliance|| |
|Hyper-V virtual appliance|| |
|Hardware appliance|| |
RSA Authentication Manager 8.2 SP1 includes the software fixes in the cumulative Patch 3 for version 8.2. Applying version 8.2 SP1 removes any software fixes that are not included in the cumulative Patch 3 for version 8.2. To obtain these fixes, you must apply version 8.2 SP1 patches as they become available.
For the upgrade instructions, see Appendix A, “Upgrading to RSA Authentication Manager 8.2 SP1” in the RSA Authentication Manager 8.2 SP1 Setup and Configuration Guide.
Note: The upgrade to RSA Authentication Manager 8.2 SP1 is not reversible. If SP1 is not applied successfully, you cannot roll back to version 8.2. Before applying SP1, RSA strongly recommends backing up your deployment in one of the following ways: using the Back Up Now feature in the Operations Console of the primary instance, backing up a hardware appliance with PING, taking a VMware snapshot, or creating a Hyper-V checkpoint.
Fixed Issues for the Cloud Authentication Service (August 2017)
The Cloud Authentication Service includes numerous fixes, including the following.
NGX-17207 - If an identity router is originally configured as part of a non-default cluster, changing settings for that identity router in the Cloud Administration Console no longer resets the cluster back to default when you navigate back to the Basic Information page for the identity router.
NGX-17456 - After you complete an initial setup option, the dashboard now shows the System Summary screen.
NGX-17603 - When you set up an identity router with single sign-on (SSO) disabled, you are no longer required to enter a Portal Hostname.
NGX-17615 - When you connect to the identity router through SSH using the idradmin account, messages regarding the Enterprise Connector no longer appear.
NGX-16883 - This fix applies when an identity source is configured for multiple replica directory servers and each server is assigned to a different cluster. When a user signs in to the application portal, the identity router authenticates the user through the directory servers in the cluster to which the identity router belongs.
NGX-17333 - If a user attempts to access two applications from the application portal on two different browsers using the same mobile authentication method, and the user successfully responds to both mobile notifications, each application can authenticate successfully.
If a user attempts to access two applications from the application portal on the same browser and both applications are protected by the same assurance level, and the user successfully responds to the authentication prompt, only the first tab where the user clicks Continue on the Remember This Browser screen can be opened. The second attempt displays an error message. The user must launch the second application from the application portal again, but is not required to provide additional authentication.
NGX-17660 - If the user selects an authentication method from the list of available options, the selected method reliably persists when clicked, and authentication begins.
NGX-17700 - A user with an Android device with a time delay of two minutes or more can now complete device registration using RSA SecurID Authenticate versions 1.4 through 1.5.1.
Fixed Issues for RSA Authentication Manager (April 2017)
RSA Authentication Manager 8.2 Service Pack 1 (SP1) includes the fixes that were provided in Patches 1 through 3 for RSA Authentication Manager 8.2. For the complete list of the issues that were resolved, see the RSA Authentication Manager 8.2 Patch 3 Readme at https://community.rsa.com/docs/DOC-64632.
For a list of known issues for the Cloud Authentication Service, see Cloud Authentication Service Known Issues.
For a list of known issues for RSA Authentication Manager 8.2 SP1, see RSA Authentication Manager 8.2 Service Pack 1 Known Issues.