RSA SecurID Access Product Release Notes

• The Cloud Authentication Service supports Windows Hello and Android phone as FIDO authenticators.
• Terminology is changing in the Cloud Administration Console and product documentation to address authenticators that are not necessarily devices.
• A new user identifier, Alternate Username, is available as an identity source attribute. Customers with relying parties such as Azure Active Directory can use any attribute, such as UPN, that is suitable for use as the SecurID Access username.
• A new API allows users to securely register their devices within custom help desk and self-service portals. The API generates one-time device registration codes. 

• The Cloud Authentication Service is now a FIDO2 Certified Server. The certification demonstrates compliance with the FIDO specification and ensures compatibility with any FIDO-certified security key.
• A password is now required to protect the Issuer Signing Certificate file (.pfx) when you install the Integrated Windows Authentication (IWA) Connector. RSA recommends that you install the latest version of the Connector (1.6) with the certificate file password.
• The schedule for planned changes to the Cloud Authentication Service IP addresses is posted in the Release Notes.

• Emergency Tokencode is supported for thick RADIUS clients and for Cisco Adaptive Security Appliance (ASA).
• Configuration improvements affect SAML-enabled web applications when the Cloud Authentication Service is the identity provider.
• You are now allowed to customize the default attribute mappings for Active Directory identity sources.
• RSA Link now provides complete documentation describing how to use operators when specifying LDAP attributes in access policies.

• You can now specify FIDO Token as a primary authentication option when configuring service providers.
• You can customize pages used for additional authentication by adding your own logo when you configure RSA SecurID Access My Page.
• The Cloud Administration User Event Log API returns the overall identity confidence score, including threshold and category scores (behavior, location and device) for users.
• RSA SecurID Authenticate 3.1 for iOS allows a user to add up to 10 different accounts (formerly called companies) in the app and contains bug fixes.
• To provide more flexibility when configuring authentication for a service provider, if you select the option to have RSA SecurID Access manage all authentication, you can now select the Determined by Service Provider at Run Time option to specify primary authentication in the RequestedAuthnContext attribute.
• RSA MFA Agent 1.2 for Microsoft Windows works with the Cloud Authentication Service to require users to provide additional authentication to sign into Windows computers, whether they are online or offline.

• Phased update process to occur between October 9-17, 2019.
• Emergency Tokencode available for users who forget or misplace their registered devices. 
• Performance and reliability improvements. 

RSA SecurID Authenticate 3.1 for Android allows an individual user to add up to 10 different accounts (formerly called companies) in the app. Also, this release is qualified with Android 10.

RSA SecurID Authenticate 3.0.4 for iOS is qualified with iOS 13 and resolves NGX-34252, an issue with the Authenticate Tokencode display on iOS 13.

RSA SecurID Authenticate 3.1.1 for Windows contains the following updates:

• To reduce administrative effort and increase usability, if a user’s email address changes in the identity source, the Authenticate app continues to work seamlessly. Users no longer need to re-register their devices.

• Bug fixes.

With this release, RSA SecurID Authenticate for Windows no longer supports Windows Mobile devices.

RSA SecurID Authenticate 3.0.3 contains bug fixes, including NGX-33118. RSA SecurID Authenticate for iOS no longer freezes on the splash screen when receiving notifications.

• Users can register FIDO Tokens in a more secure environment using RSA SecurID Access My Page. My Page allows you to protect FIDO registration with an access policy that you can align with your company’s existing policies. 
• Previously, automatic push notifications were not available when only the access policy was applied for additional authentication (without primary validation). These notifications are now available for this configuration.
• Identity router setup has been simplified for identity routers deployed in the VMware and Hyper-V
  environments.
• The Platform > Identity Routers list page provides more details on the status of each identity router and its dependent services, including the status of clusters, memory usage, CPU usage, and cloud connectivity.
• The identity router supports transparent, explicit, and man-in-the-middle proxy configurations. The identity router informs you if a non-RSA SSL proxy certificate is configured, and allows you to temporarily accept the certificate and proceed while you work with your network IT to whitelist the URL.
• You can view up-to-date identity confidence analytics information by generating a report in the Cloud Administration Console. 

• You can now extend Cloud Authentication Service authentication methods to Windows computers with RSA MFA Agent for Microsoft Windows. RSA MFA Agent 1.1 for Microsoft Windows works with the Cloud Authentication Service to require users to provide additional authentication to sign into Windows computers, whether they are online or offline.
• To improve the user experience, you can now customize My Page in the following ways:
  • Add your own company logo.
  • Create a single sign-on experience for My Page by adding your own Cloud Identity Provider.
• To align with Microsoft Azure Resource Manager deployment model changes, the Cloud Authentication Service and Cloud Administration Console IP addresses will be changing in September 2019. Your deployment must be able to connect to both new and old IP addresses in September 2019.
• RSA recommends clearing the userParameters Attribute checkbox in your identity source configuration. Selecting this attribute occasionally prevents identity source synchronization.

• RSA SecurID Authenticate 3.0.2 for iOS resolves NGX-31886. With this fix, the Authenticate Tokencode will no longer display as zeroes for a small percentage of users who update to this app from version 2.2.
• All Authenticate for iOS users should update to this version. This release requires iOS 11.

RSA SecurID Authenticate 3.0.1 for iOS resolves the following issues:

• NGX-31260- Users who update to the latest app version now receive notifications for the Approve authentication method.
• NGX-31263- Users who update to the latest app version no longer need to re-register their devices with RSA SecurID Access.

• To align with Microsoft Azure Resource Manager deployment model changes, the Cloud Authentication Service and Cloud Administration Console IP addresses will be changing in September 2019. Your deployment must be able to connect to  both new and old IP addresses in September 2019.
• To prevent issues with device registration and adding additional companies, users must update their RSA SecurID Authenticate App before June 15, 2019. 
• Improved reporting of users' identity confidence scores benefits Help Desk Administrators and users.

• You can configure the Cloud Authentication Service to automatically send confirmation email to users when they register or delete devices.
• Pagination makes it easier to manage multiple RADIUS profiles. In the Cloud Administration Console, you can choose to display 10, 20, or 30 profiles associated with a client on the RADIUS Profiles page.

• Identity router replication improvements require simultaneous updates for all clusters.
• Just-in-time synchronization is automatically enabled for all customers who deploy the Cloud Authentication Service after the March 2019 release is available. 
• You can use the Add/Remove High Risk User API to control whether users who are identified as high risk can access protected resources or if these users must authenticate at a higher assurance level than other users.
• You can ensure that each Administration API has permission to access appropriate information in the Cloud Authentication Service by assigning an administrative role to each API key.
• The FIDO Token authentication method is available on more browsers (including mobile browsers) and supports the FIDO 2 authentication standard.
• If the identity router is unable to connect to the Cloud Authentication Service (for example, during setup), you can use the Identity Router Setup Console to enable emergency troubleshooting features.
• You can create custom RADIUS profiles that specify an access policy rule set to identify which users can authenticate through the clients associated with the profile.
• Status indicators for the identity router have been improved and expanded, making it easier for you to troubleshoot problems with identity router services, as well as connectivity problems between identity routers and the Cloud Authentication Service.

• The disaster recovery environment for the Cloud Authentication Service is available for the EMEA and AUS regions.
• You can monitor the current and historical uptime of the Cloud Authentication Service and the Cloud Administration Console on a service status page.
• To receive frequent updates on the Cloud Authentication Service availability, use the Health Check API to integrate with your application monitoring product.
• RSA SecurID Authenticate 2.3.0 for Android and RSA RSA SecurID Authenticate 2.2.0 for iOS support simplifying device registration with Enterprise Mobility Management (EMM) technology that supports the AppConfig Community standards, such as VMWare AirWatch. 
• To align with the Google migration to Firebase Cloud Messaging (FCM), RSA SecurID Authenticate 2.2.0 for Android uses FCM for push notifications. Users must take action by updating to version 2.2.0 or higher of the app by March 31, 2019.

Archive

• (Patch 4) New features in RSA Authentication Manager 8.4 Patch 4 make it easier than ever for you to adopt modern multifactor authentication from RSA with minimal infrastructure updates to your deployment.
• Obtain the Azure virtual appliance from the Azure Marketplace
• Easier access to RSA SecurID-protected resources for multifactor authentication users
• Major platform upgrades to enhance security, including upgrades to FIPS compliance
• Ability to delete a console or virtual host certificate
• Upgrade path from version 8.3

• Amazon Web Services deployment
• Token distribution and management enhancements
• Agent reporting enhancements
• Authentication Manager Bulk Administration (AMBA) utility integrated into Authentication Manager for Enterprise Server license customers.
• Upgrade path from version 8.2 SP1

• Cloud Authentication Service users can access on-premise resources protected by SecurID agents.
• Remotely restore original system settings to an RSA SecurID Appliance 250 hardware appliance
• Numerous additional improvements 
• Upgrade path from version 8.2

Includes support for:

• Upgrade path from version 8.1 SP1 with or without patches. Direct migration from version 6.1 or 7.1 is not supported.
• Ability to create a custom token expiry notification that calculates when tokens must be ordered based on the number of tokens available, the number of tokens that are assigned, and the number of tokens that are expiring within a specified time.
• IPv6 addresses for RADIUS clients.
• Extending the lifetime of a distributed software token that has expired or will expire soon.
• Ability to display a custom logon banner before users log on to the Operations Console, the Security Console, the Self-Service Console, or the appliance operating system with a Secure Shell (SSH) client. 
• “FIPS-inside” by including FIPS-compliant cryptographic library module RSA BSAFE® Crypto-J 6.1 (NIST Certificate # 2058).
• Internal SHA-256 certificates for communication between components, such as primary and replica instances and the web tier. 
• The Transport Layer Security (TLS) 1.2 cryptographic protocol for secure network communications. 
• Integration with RSA Via Access (now the Cloud Authentication Service), a cloud-based authentication service. 
• On the virtual appliance, uploading an Evaluation License during Quick Setup automatically creates 25 temporary software tokens that expire after 6 months.
• The Hyper-V virtual appliance on a Microsoft Windows 2012 host machine and a Microsoft Windows 2012 R2 host machine.
• The Authentication Manager Bulk Administration (AMBA) utility automates administrative operations for large new token deployments or token replacements, and simplifies the bulk administration of users, user groups, tokens, and agents.
• Additional trusted realm support.
• Use of nonstandard email domains.
• List user group membership in reports.
• Qualified on VMware ESXi 5.5 and 6.0.
• OpenLDAP qualified to run as an external identity source.
• Authentication Manager Bulk Administration (AMBA) utility added to the Extras kit.
• A downloadable ISO file provides a method for restoring a hardware appliance.
• Factory Reset is no longer supported.

• Hyper-V virtual appliance support.
• Support for SUSE Linux Enterprise Server (SLES) 11 Service Pack 3 with a fully patched SP 2 kernel.
• Support for Web tiers on Microsoft Windows Server 2012 R2
• When you deploy dynamic seed provisioning, you can choose to distribute a CT-KIP URL and activation code encapsulated in a QR Code.
• Active Directory in Windows Server 2012 R2 has been qualified to run as an external identity source with RSA Authentication Manager 8.1 SP1.
• Security enhancements and fixes.
• Software fixes in the cumulative Patch 5 for version 8.1.
• Additional appliance platform support.
• Version 8.1 SP1 is pre-installed on the Hyper-V virtual appliance.
• Version 8.1 is pre-installed on the VMware virtual appliance and the hardware appliance.

Includes support for:

• Upgrade path from RSA Authentication Manager 8.0 with or without patches.
• A hardware appliance and a virtual appliance.
• Factory reset.
• Ability to upgrade RSA SecurID Appliance 3.0 (SP 4 or later) to RSA Authentication Manager 8.1 on the Dell PowerEdge R210, R210XL, R710, or the R710XL.
• Ability to configure an additional network interface card (NIC).
• Promoting a replica instance while the original primary instance is  and functioning.
• New report templates.
• Unrestricted agent access using an alias.
• Quick Setup Access Code.
• BlackBerry 10.

Test Authentication tool allows an administrator to test authentication on a computer with the Authentication Agent.

Added the following new settings to the GPO template:

Specify Cloud Authentication Service Timeout

Disable Cloud Authentication Service Authentication for Local User

Enable Offline Authentication

Configure the RSA SecurID Access Credential Provider Filter Settings

Adds support for Windows Server 2019, which allows you to select RSA SecurID as the primary authentication method.

Fixed a potential problem with device biometrics authentication.

Includes support for:

Authentication using RSA Authentication Manager and the Cloud Authentication Service 

Reporting

FIPS environment

Data collection used to establish a level of identity confidence for a user.

Coexistence with ADFS Agent Version 1.0.2

Includes support for:

Microsoft AD FS 2016 in Windows Server 2016.

Transport Layer Security (TLS) 1.2 when registering the AD FS Agent with RSA Authentication Manager 8.2.

Security-Enhanced Linux (SELinux) support on Red Hat Enterprise Linux 7.1 or later (64-bit only) with Apache 2.4.x..

Includes support for:

Apache Web Server version 2.2.x and Apache Web Server version 2.4.x on Red Hat Enterprise Linux 6.6 (32-bit and 64-bit) and Red Hat Enterprise Linux 7.1.x (64-bit only).

Event, prefork, and worker mode on Apache Web Server 2.2.x and Apache Web Server 2.4.x.

TCP/IP and IPv6

Includes support for:

Multiple Remote Desktop applications, in addition to Microsoft’s “Remote Desktop Connection”.

Ability to configure the RSA Credential Provider credential tile to use the standard Windows image for Windows 7 and Server 2008.

Supports Windows Server 2016.

Accepts credentials from remote applications such as Citrix® XenApp® and Microsoft Remote Desktop Connection. Users who are not required to authenticate with RSA SecurID do not need to enter credentials twice when using those applications.

Bug fixes.

Includes GPO template files in .admx/.adml format, which is required when importing files to the group policy Central Store.

Bug fixes.

Adds support for Solaris SPARC 11.4 (32-bit and 64-bit) with 64-bit tools

Also supports Solaris SPARC 10.5 (32-bit and 64-bit) or Solaris SPARC 11.2 (32-bit and 64-bit)

In Cloud Authentication Service mode, users can authenticate using the SMS Tokencode and Voice Tokencode authentication methods.

Updated operating system version support:

RHEL 6.10 (32-bit and 64-bit) and RHEL 7.5 (64-bit)

CentOS Linux 7.5 (64-bit)

Oracle Linux 6.10 (64-bit) and Oracle Linux 7.5 (64-bit)

SUSE Linux Enterprise Server 11 SP4 (32-bit and 64-bit), SUSE Linux Enterprise Server 12 SP3 (64-bit), and SUSE Linux Enterprise Server 15 (64-bit)

Solaris SPARC 10.5 (32-bit and 64-bit) with Zones and Solaris SPARC 11.2 (32-bit and 64-bit)

Solaris x86 10.5 Update 11 (32-bit) and Solaris x86 11.2 (32-bit)

AIX 7.1 TL3 (SP5) Power 6 (32-bit and 64-bit) and AIX 7.2 TL1 (SP2) Power 8 (32-bit and 64-bit)

Ability to authenticate to the Cloud Authentication Service (in REST mode) or RSA Authentication Manager (in REST mode or UDP mode).

In REST mode, the PAM agent can send additional information to RSA Authentication Manager for agent reporting.

Version 8.0 includes RSA SecurID Authentication Agent 7.1 for PAM features, such as support for SELinux, support for Exponential Backoff, and an option for a silent, unattended installation.

Support for the following operating systems:

AIX 7.1 TL3 (SP5) Power 6: 32-bit and 64-bit and AIX 7.2 TL1 (SP2) Power 8: 32-bit and 64-bit 

RHEL 6.8: 32-bit and 64-bit, RHEL 7.1: 64-bit and RHEL 7.3 64-bit 

Oracle Linux 6.8 64-bit and Oracle Linux 7.3 64-bit 

Solaris SPARC 10 (32-bit and 64-bit), for which RSA recommends Update 8 or later, Solaris SPARC 10.5 (32-bit and 64-bit) with Zones, Solaris SPARC 11.2 (32-bit and 64-bit), Solaris x86 10.5 Update 11 (32-bit), and Solaris x86 11.2 (32-bit) 

SUSE Enterprise Linux Server version 11 SP3 or later (32-bit and 64-bit) and SUSE Enterprise Linux Server version 12 (64-bit)

Includes support for:

Red Hat Linux 7.3

Oracle Linux 6.8 64-bit and 7.3 64-bit

IBM AIX 7.1 64-bit and 7.2 32-bit and 64-bit

Silent Installation

Includes support for:

SELinux on RHEL

Exponential Backoff

Supports Exponential Backoff.

Supports Citrix StoreFront version 3.12 and 3.13.

The process to configure RSA SecurID authentication in the Citrix Storefront Management Console has been updated for Citrix StoreFront version 3.12 and 3.13.

Ability to register nonstandard URLs that don’t support cookies so that the Web Agent can accept them.

Web Agent logging for applications without local administrator or local system privileges for IIS.

Support for SharePoint Server 2016 on Windows Server 2012 R2 (64-bit) with Internet Information Services 8.5 and Windows Server 2016 (64-bit) with Internet Information Services 10.

Security fixes and other software updates.

Supports Windows Server 2016, Internet Information Services 10, and Outlook Web App on Windows Server 2016 (64-bit only).

Includes support for:

Microsoft Exchange Server 2016 and Microsoft SharePoint Server 2013 SP1 on Windows 2008 R2 SP1 with IIS 7.5.

Back-end SharePoint Web App Servers.

Expanded wildcard support for long-term persistent cookie URLs.

Idle timeout support for persistent cookies.

SharePoint sign out command deletes all session cookies and persistent cookies

Ability to disable the RSA Response Interceptor Module.

Includes support for:

FIPS

New APIs for TCP

Additional Windows and Linux platforms

Direct migration from the SDK 8.1 and SDK 8.5

Backward compatibility

IPv6 

Includes support for:

FIPS 

New Java methods

LINUX and Windows

Direct migration from the SDK 8.1 and 8.5

IPv6 

Includes support for:

IPv6

Backward compatibility

Improved cryptography

New agent-server trust model

Synchronous calls for asynchronous calls

Round-robin load balancing

Includes support for:

IPv6 

Backward compatibility

Improved cryptography

New agent-server trust model

New agent management

Round-robin load balancing

Supports iOS 13 and iPadOS.

New minimum supported version is iOS 10.

Resolves issue SWTIPHONE-292, which prevented users from importing tokens distributed with file-basedprovisioning.

The file jcmandroidfips.raw was added.

The file jcm.jar was removed.

Qualifies OS 10.3.x.

Supports BlackBerry OS version 10.2.0.1155 or later.

Bug fixes.

Includes support for:

Windows Mobile 6.1

Dynamic Seed Provisioning

Fob-style software tokens

Additional customization options

Supports 64-bit Windows and Mac OS operating systems.

Allows 64-bit VPN applications to integrate with the 64-bit SecurID application.

Includes support for:

Additional operating systems

SecurID integration with additional VPN client applications

Additional logon methods with VPN client applications

Device binding enhancements

Additional customization policies

Additional web browser plug-ins

Logging enhancements

Improvements for screen readers

Token provisioning enhancements

New installation options

RSA SecurID 800 authenticator with RSA Smart Card Middleware.

Resolved issues with RSA SecurID 800 authenticator

Changed location for the Device Name and Device Serial Number registry entries.

When the application is installed in the default location on the local hard drive, then launching the application for the first time creates registry entries for the token storage device name and the device serial number.