RSA SecurID® Access Release Notes: Cloud Authentication Service and RSA SecurID Authenticate App

Document created by RSA Information Design and Development on Aug 21, 2018. Last modified by Joyce Cohen on Aug 23, 2019.

 

These release notes include product updates and bug fixes:

For additional information, see:

August 2019 - Cloud Authentication Service

The August 2019 release provides the following features and bug fixes.

Your Action Required: September 2019 Cloud Authentication Service IP Address Changes

To align with Microsoft Azure Resource Manager deployment model changes, the Cloud Authentication Service and Cloud Administration Console IP addresses will change on or after September 21, 2019. Your deployment must be able to connect to both new and old IP addresses by that date.

RSA recommends that you start planning with your organization now to make the necessary changes to connect to these new IP addresses. Check your firewall rules to ensure that they allow connections to both the new and old IP addresses. If you do not update your firewall rules, your identity routers will not be able to contact the Cloud Authentication Service and services will be disrupted. For details, see Notice of Upcoming Cloud Authentication Service IP Address Changes.

As part of these changes, the RSA SecurID Authenticate apps will communicate with the Cloud Authentication Service on different IP addresses. Over the next month, your RSA SecurID Authenticate users must update to version 3.x or later of the apps to prevent issues with activities that require contacting the Cloud Authentication Service, such as device registration and adding additional companies.

Generate a Device Registration Code for Users

Help Desk Administrators can use the Cloud Administration Console to generate a one-time numeric device registration code and provide it to users who need to register iOS, Android, and Windows devices with the RSA SecurID Authenticate App. This capability will help your company move closer towards meeting requirements for National Institute of Standards and Technology (NIST) Identity Assurance Level 2. To learn how to use this feature, see Manage Users for the Cloud Authentication Service - Generate a Device Registration Code.

Improved Single Sign-On Option When Adding a Service Provider

To improve usability, when you add a service provider and select RSA SecurID Access to manage all authentication, you can now select a Cloud identity provider to provide the primary authentication. This is useful for providing single sign-on from RSA SecurID Access or third-party portals or links.

Improvements and Additional Configuration Options for My Page

You can now provide single sign-on to RSA SecurID Access My Page when users access My Page through the RSA SecurID Access Application Portal, a third-party portal where My Page is configured, or directly through the My Page URL.

Additionally, to increase flexibility, RSA SecurID Access My Page now contains the following configuration options:

  • Logout URL to redirect users to a specific URL after they sign out of My Page.

  • Error URL to redirect users to a specific URL after they encounter an error.

  • Assertion Consumer Service value for copying into your identity provider configuration settings if you are configuring My Page for single sign-on in an unsolicited response flow (for example, when users access My Page through a third-party portal).

For more information, see Manage RSA SecurID Access My Page.

Additional Deployment Option for RSA SecurID Authenticate for Windows

Generally, users install RSA SecurID Authenticate for Windows from the Microsoft Store. If your users cannot use the Microsoft Store, you can use Deployment Image Servicing and Management (DISM) to deploy the app from a command-line tool. After the app is deployed, users can then complete RSA SecurID Authenticate device registration.

For more information, see Deploying the RSA SecurID Authenticate for Windows App Using DISM.

Send Us Your Feedback

Do you have thoughts on RSA SecurID Access that you want to tell us? Are you finding what you need in the documentation on RSA Link? It is easier than ever to send us your feedback.

We can't wait to hear from you!

Fixed Issues

Fixed Issue | Description
NGX-33217 | Publishing in a cluster with a Global Server Load Balancer (GSLB) resulted in an HTTP status code 503 error for some customers. The documentation has been clarified to explain that if you use GSLBs, configure them to wait for seven minutes before they switch to another cluster. This guidance is now documented in Publishing Changes to the Identity Router and Cloud Authentication Service.

August 14, 2019 - RSA SecurID Authenticate for iOS App

RSA SecurID Authenticate 3.0.3 for iOS contains bug fixes.

Fixed Issue

Fixed Issue | Description
NGX-33118 | RSA SecurID Authenticate for iOS no longer freezes on the splash screen when receiving notifications.

July 2019 - Cloud Authentication Service (Identity Router)

The July 2019 release includes the following features and benefits.

Identity Router Update Schedule and Versions

Identity routers will be updated according to the following schedule.

Date | Description
July 27, 2019 | Updated identity router software is available to all customers.
September 7, 2019 | Default date when identity routers are scheduled to automatically update to the new version unless you postpone the update.
October 12, 2019 | If you postponed the default date, this is the last day when updates can be performed.

The new identity router software versions are:

Deployment Type | Version
On-premises | 2.7.0.0.5
Amazon Cloud | RSA_Identity_Router-2.7.0.0.5

Urgent: Upcoming Cloud Authentication Service IP Address Changes

To align with Microsoft Azure Resource Manager deployment model changes, the Cloud Authentication Service and Cloud Administration Console IP addresses will be changing in September 2019. Your deployment must be able to connect to both new and old IP addresses in September 2019.

RSA recommends that you start planning with your organization now to make the necessary changes to connect to these new IP addresses. Check your firewall rules to ensure that they allow connections to both the new and old IP addresses. If you do not update your firewall rules, your identity routers will not be able to contact the Cloud Authentication Service and services will be disrupted. For details, see Notice of Upcoming Cloud Authentication Service IP Address Changes.

As part of these changes, the RSA SecurID Authenticate apps will communicate with the Cloud Authentication Service on different IP addresses. Over the next few months, your RSA SecurID Authenticate users must update to the latest versions of the apps to prevent issues with activities that require contacting the Cloud Authentication Service, such as device registration and adding additional companies. In the future, RSA will provide a specific date when all users must be on the latest versions of the apps.

My Page Improves Secure Registration for FIDO Tokens

Users can register FIDO Tokens in a more secure environment using RSA SecurID Access My Page. My Page allows you to protect FIDO registration with an access policy that you can align with your company’s existing policies. After you enable My Page registration for FIDO Tokens, the FIDO Token registration process that occurs during user authentication automatically becomes disabled. Users can also use My Page to delete their FIDO Tokens. For more information, see Device Registration.

Automatic Push Notifications for Users Who Access RADIUS-Based Applications

The user experience for accessing RADIUS-based applications has been improved. You can ensure that the Cloud Authentication Service always sends automatic push notifications for Approve or Device Biometrics when your deployment is configured as follows:

  • The RADIUS client is configured to apply an access policy for additional authentication without primary (for example, password) validation.

  • Approve or Device Biometrics is available in the access policy protecting the resource the user is attempting to access.

Previously, automatic push notifications were not available when only the access policy was applied for additional authentication without primary validation. For more information, see RADIUS for the Cloud Authentication Service Overview.

Identity Confidence Analytics Report for Troubleshooting User Authentication Issues

You can view up-to-date identity confidence analytics by generating a report in the Cloud Administration Console. The report, provided in a graphical, easy-to-read format, displays the number of times users attempted to access resources that are protected by access policies that contain the identity confidence attribute. The report can include all users in your company or only individual users within a specified timeframe. This report is particularly useful to Help Desk Administrators when they assist users who, for example, may have to authenticate at a high assurance level because their identity confidence scores are low. For more information, see Condition Attributes for Access Policies - Identity Confidence Analytics Report.

Identity Router Improvements

The following features require you to update your identity router software.

Identity Router Setup Made Easier

Identity router setup has been simplified for identity routers deployed in the VMware and Hyper-V environments. The proxy interface, which is not required for non-SSO deployments, is disabled by default in the Identity Router Setup Console. You can enable it as needed for SSO deployments.

Note:  This enhancement affects only identity routers you deploy in the future. It does not affect identity routers already configured.

For more information, see Identity Router Network Interfaces and Default Ports.

Improved Status Indicators for Identity Routers

You can quickly identify potential problems that might occur when you set up and monitor identity routers using the improved status indicators in the Cloud Administration Console. The Platform > Identity Routers list page provides more details on the status of each identity router and its dependent services, including the status of clusters, memory usage, CPU usage, and cloud connectivity. For more information, see View Identity Router Status in the Cloud Administration Console.

Improved Proxy Management for Identity Routers

More flexible deployment options are available to you for identity routers. Identity routers now support transparent, explicit, and man-in-the-middle proxy configurations. The identity router informs you if a non-RSA SSL proxy certificate is configured, and allows you to temporarily accept the certificate and proceed while you work with your network IT to whitelist the URL. For more information, see Connect the Identity Router to the Cloud Administration Console.

RSA SecurID Authentication API Enhancements

The RSA SecurID Authentication API contains new methodIDs for SMS and Voice Tokencodes to promote consistency with other authentication methods. For more information, see RSA SecurID Authentication API Developer's Guide.

Fixed Issues

Fixed Issue | Description
NGX-33346 | If you have configured My Page to use a Cloud identity provider, users can now use the SAMAccountName attribute as the user ID when registering devices.
NGX-17148 | If an IWA user attempted to access the application portal when the IWA Connector server was down, the user received a connection timeout error rather than a message indicating unsuccessful authentication. To mitigate this, you can provide high availability for IWA authentication by deploying more than one IWA Connector server behind the load balancer. This ensures that SAML IdP requests avoid a single point of failure. For more information, see Integrated Windows Authentication.
NGX-17276 | Previously, the Disabled option on the Basic Information page in the application configuration wizard did not disable applications that were configured to use SAML or HTTP Federation. This issue has been fixed. Beginning in July 2019, all applications that were previously configured as disabled will be unavailable to users, will not appear in the application portal, and will not be available through deep linking.
NGX-29977 | You can now access the Cloud Administration Console using an email address containing a plus sign (+). Previously, this operation failed intermittently.
NGX-32525 | Documentation update clarifies when location is collected from users and administrators.
NGX-31946 | The Cloud Administration Console now displays the correct number of active user sessions. Previously, for some customers who used rich clients, the number of active sessions increased until the identity router was restarted.
NGX-31068 | The publish status is displayed correctly in the Cloud Administration Console after you add and associate a profile for the RADIUS client. Previously, the status was Changes Pending even when no changes were pending.
NGX-30235 | RADIUS profiles now allow multi-valued LDAP attributes to be mapped to the "Class" attribute. Each value of the multi-valued LDAP attribute will create a separate "Class" RADIUS attribute.
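
The NGX-30235 behavior above can be checked on the RADIUS client side by parsing a captured Access-Accept and listing its Class attributes. The following is an added illustration, not RSA code: it uses only the RFC 2865 attribute layout (type 25, one length octet), and the sample group names, the packet, and all function names are constructed for the example.

```python
import struct

ACCESS_ACCEPT = 2        # RADIUS packet code (RFC 2865)
ATTR_REPLY_MESSAGE = 18  # used here only to show that other attributes are skipped
ATTR_CLASS = 25          # RFC 2865 section 5.25
MAX_VALUE_LEN = 253      # the single length octet covers type + length + value


def encode_class_attributes(ldap_values):
    """Encode one Class TLV per LDAP value; values are never joined together."""
    encoded = bytearray()
    for value in ldap_values:
        raw = value.encode("utf-8")
        if not 1 <= len(raw) <= MAX_VALUE_LEN:
            raise ValueError(f"value does not fit in one Class attribute: {value!r}")
        encoded += bytes([ATTR_CLASS, len(raw) + 2]) + raw
    return bytes(encoded)


def build_packet(code, identifier, attributes):
    """Build a RADIUS packet for parsing tests.

    Assumption: the 16-byte authenticator is a zero placeholder, so this
    packet would not pass authenticator validation on a real client.
    """
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return header + b"\x00" * 16 + attributes


def parse_attributes(packet):
    """Return (code, [(type, value), ...]) and reject malformed lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the captured bytes")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute overruns the packet")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, attrs


def class_values(packet):
    """All Class attribute values in the packet, in wire order."""
    _code, attrs = parse_attributes(packet)
    return [v.decode("utf-8", "replace") for t, v in attrs if t == ATTR_CLASS]


def missing_classes(packet, expected_ldap_values):
    """LDAP values that did not arrive as their own Class attribute."""
    seen = set(class_values(packet))
    return [v for v in expected_ldap_values if v not in seen]


# Constructed sample: three values of a multi-valued LDAP attribute.
SAMPLE_MEMBER_OF = [
    "CN=VPN-Users,OU=Groups,DC=example,DC=com",
    "CN=Net-Admins,OU=Groups,DC=example,DC=com",
    "CN=Contractors,OU=Groups,DC=example,DC=com",
]
SAMPLE_PACKET = build_packet(
    ACCESS_ACCEPT,
    7,
    bytes([ATTR_REPLY_MESSAGE, 9]) + b"Welcome"
    + encode_class_attributes(SAMPLE_MEMBER_OF),
)

if __name__ == "__main__":
    for value in class_values(SAMPLE_PACKET):
        print("Class:", value)
    print("missing:", missing_classes(SAMPLE_PACKET, SAMPLE_MEMBER_OF))
```

A client that authorizes on group membership should match each Class value separately; a policy that expects a single delimited string will not match the per-value attributes.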

July 8, 2019 - RSA SecurID Authenticate for Android App

RSA SecurID Authenticate 3.0 for Android contains the following updates:

  • To increase usability, users receive device registration or deletion confirmation emails in the language of the users’ registered devices.

  • To reduce administrative effort and increase usability, if a user’s email address changes in the identity source, the Authenticate apps continue to work seamlessly. Users no longer need to re-register their devices.

  • Bug fixes.

After Android users update to this app version, the first time that they receive a notification, they must tap the notification to open the app, wait for the app to complete the update process, and then complete the authentication (for example, by tapping Approve or using a fingerprint). Users must keep the app open during the update process, which can take up to a few minutes to complete. Subsequent actionable notifications work as expected.

This Android app version is only available to users running Android 6.0 or later. Android 5.0 users must update to 6.0 or later and then update to this app version.

June 2019 - Cloud Authentication Service

Extend Cloud Authentication Service Authentication Methods to Windows Computers with RSA MFA Agent for Microsoft Windows

RSA MFA Agent 1.1 for Microsoft Windows works with the Cloud Authentication Service to require users to provide additional authentication to sign into Windows computers, whether they are online or offline.

The main highlights include:

  • Convenient authentication using Approve or Authenticate Tokencode.

  • Authenticate with the same registered device for both online and offline Windows sign-in.

  • Support for policy-driven identity assurance with conditional trusted network and trusted location attributes.

For documentation and product download, see RSA MFA Agent for Microsoft Windows.

More Options for Customizing My Page

To improve the user experience, you can now customize My Page in the following ways:

Urgent: Upcoming Cloud Authentication Service IP Address Changes

To align with Microsoft Azure Resource Manager deployment model changes, the Cloud Authentication Service and Cloud Administration Console IP addresses will be changing in September 2019. Your deployment must be able to connect to both new and old IP addresses in September 2019.

RSA recommends that you start planning with your organization now to make the necessary changes to connect to these new IP addresses. If you do not update your firewall rules with the new IP addresses, your identity routers will not be able to contact the Cloud Authentication Service and services will be disrupted. For details, see Notice of Upcoming Cloud Authentication Service IP Address Changes.

As part of these changes, the RSA SecurID Authenticate apps will communicate with the Cloud Authentication Service on different IP addresses. Over the next few months, your RSA SecurID Authenticate users must update to the latest versions of the apps to prevent issues with activities that require contacting the Cloud Authentication Service, such as device registration and adding additional companies. In the future, RSA will provide a specific date when all users must be on the latest versions of the apps.

Clear the userParameters Attribute Checkbox in the Identity Source Configuration

If the userParameters attribute is selected for synchronization in your identity source configuration, RSA recommends that you clear the checkbox. Selecting this attribute occasionally prevents identity source synchronization.

Fixed Issues

Issue | Description
NGX-24290 | If a user locks his or her LDAP password, the User Management page for that user now shows a message indicating that the user's password is locked and what time it will unlock.
NGX-31821 | RSA SecurID Authenticate 3.0.1 for iOS no longer displays an incorrect error that the user already has a registered device.
NGX-31158 | The top-level domain part of the protected domain name can now accept up to 33 characters.
NGX-29843 | When you add a RADIUS profile, you can now only map supported attributes.
NGX-29702 | The system now prevents an administrator from accidentally updating an identity router multiple times within a short period of time, which could cause the application portal sign-in to stop working.
NGX-29547 | The Cloud Administration Console and associated documentation were updated to clarify that when adding an application bookmark, you can allow all authenticated users to access the bookmark or select a policy that limits access to a subset of users.

June 10, 2019 - RSA SecurID Authenticate for iOS App

RSA SecurID Authenticate 3.0.2 for iOS resolves NGX-31886. With this fix, the Authenticate Tokencode will no longer display as zeroes for a small percentage of users who update to this app from version 2.2.

All Authenticate for iOS users should update to this version. This release requires iOS 11.

The small percentage of users who have updated to app version 3.0.1 and still experience this issue must do the following:

  1. Delete the device in My Page, or have an administrator delete the user's device in the Cloud Administration Console.
  2. Delete the Authenticate app on the mobile device.
  3. Install the Authenticate app from the App Store.
  4. Re-register the app with RSA SecurID Access.

May 29, 2019 - RSA SecurID Authenticate for iOS App

RSA SecurID Authenticate 3.0.1 for iOS resolves the following issues:

  • NGX-31260 - Users who update to the latest app version now receive notifications for the Approve authentication method.
  • NGX-31263 - Users who update to the latest app version no longer need to re-register their devices with RSA SecurID Access.

This version of the app requires iOS 11.

May 2019 - Cloud Authentication Service

Urgent: Upcoming Cloud Authentication Service IP Address Changes

To align with Microsoft Azure Resource Manager deployment model changes, the Cloud Authentication Service and Cloud Administration Console IP addresses will be changing in August 2019. Your deployment must be able to connect to both new and old IP addresses in August 2019.

RSA recommends that you start planning with your organization now to make the necessary changes to connect to these new IP addresses. If you do not update your firewall rules with the new IP addresses, your identity routers will not be able to contact the Cloud Authentication Service and services will be disrupted. For details, see Notice of Upcoming Cloud Authentication Service IP Address Changes.

RSA SecurID Authenticate App Improvements Require Users to Update Before June 15, 2019

There are new versions for RSA SecurID Authenticate for iOS, Android, and Windows, described below. To prevent issues with device registration and adding additional companies, users must update to these versions or higher before June 15, 2019.

  • RSA SecurID Authenticate 3.0.3 for Windows contains bug fixes.

  • RSA SecurID Authenticate 3.0 for iOS and Android contain the following updates:

    • To increase usability, users receive device registration or deletion confirmation emails in the language of the users’ registered devices.

    • To reduce administrative effort and increase usability, if a user’s email address changes in the identity source, the Authenticate apps continue to work seamlessly. Users no longer need to re-register their devices.

    • Bug fixes.

    After Android users update to this app version, the first time that they receive a notification, they must tap the notification to open the app, wait for the app to complete the update process, and then complete the authentication (for example, by tapping Approve or using a fingerprint). Subsequent actionable notifications work as expected.

    This Android app version is only available to users running Android 6.0 or later. Android 5.0 users must update to 6.0 or later and then update to this app version.

Improved Reporting of Users' Identity Confidence Scores Benefits Help Desk Administrators and Users

The User Event Monitor will report detailed information about users’ identity confidence scores. This information includes the user’s overall identity confidence score and tenant level confidence threshold, as well as the user's separate scores for device confidence, behavior confidence, and location confidence. Help Desk administrators can make use of this information when they assist users who are challenged for additional authentication factors or are unable to access protected resources. For more information, see Condition Attributes for Access Policies - Identity Confidence.

Fixed Issues

Issue | Description
NGX-27407 | Previously, if a user waited too long to complete additional authentication when accessing My Page, a User Session Expired message displayed, and the user had to cut and paste a URL to return to My Page. This problem has been fixed. Now, the user can provide additional authentication and then return to My Page by clicking a button, or the user will be automatically redirected to My Page after 20 seconds of inactivity.
NGX-26573 | Previously, generating a report listing all synchronized users took progressively longer over time. Performance has been significantly improved.
NGX-16693, NGX-17168 | Previously, in the Cloud Administration Console, the dashboard incorrectly displayed the number of active sessions for identity routers. This problem has been fixed and the dashboard now displays the correct number of sessions.
NGX-20399 | Previously, if users' email addresses changed in identity sources, the users had to re-register their devices with the RSA SecurID Authenticate app. Email address changes are now handled seamlessly by the Authenticate app, and users do not need to re-register.

 

April 2019 - Cloud Authentication Service

Send Emails to Users When They Register or Delete Devices

To help increase security, you can configure the Cloud Authentication Service to automatically send confirmation email to users in the following situations:

  • A user completes RSA SecurID Authenticate device registration.

  • A user adds an additional company in the RSA SecurID Authenticate app.

  • A user deletes a company in the RSA SecurID Authenticate app.

  • A user deletes an RSA SecurID Authenticate registered device.

You configure these options in My Account > Company Settings > Device Registration & Deletion Emails. For instructions, see Configure Device Registration and Deletion Emails.

Pagination for RADIUS Profiles in the Cloud Administration Console

Pagination now makes it easier to manage multiple RADIUS profiles. In the Cloud Administration Console, you can choose to display 10, 20, or 30 profiles associated with a client on the RADIUS Profiles page. Expand each profile to see details, dissociate, or delete the profile. Profiles disappear from the list when you dissociate or delete them. For instructions on configuring RADIUS profiles, see Configure a RADIUS Profile for the Cloud Authentication Service.

Upcoming Cloud Authentication Service IP Address Changes

To align with Microsoft Azure Resource Manager deployment model changes, the Cloud Authentication Service and Cloud Administration Console IP addresses will be changing in August 2019. RSA recommends that you start planning with your organization now to make the necessary changes to connect to these new IP addresses. For details, see Notice of Upcoming Cloud Authentication Service IP Address Changes.

Fixed Issues

Issue | Description
NGX-25560 | If you manage the RSA SecurID Authenticate for Android app with an Enterprise Mobility Management (EMM) solution, the Email Logs button now works in the app.
NGX-26628 | Previously, a user who had repeatedly attempted to register the same device unsuccessfully might not be able to register the device at all. This problem has been fixed, and the user can now register the device.
NGX-28022 | Documentation for creating a custom portal has been updated to include the missing information.
NGX-28076, NGX-28338 | Users who previously could not be synchronized due to a case change in an attribute value can now be synchronized correctly.

March 2019 - Cloud Authentication Service (Identity Router)

The March 2019 release includes the following features and bug fixes.

Identity Router Update Versions and Schedule

The latest identity router software versions are:

Deployment Type | Version
On-premises | 2.6.0.0.11
Amazon Cloud | RSA_Identity_Router-2.6.0.0.12

Identity routers will be updated to these versions according to the following schedule.

Date | Description
March 23, 2019 | Updated identity router software is available to all customers.
May 25, 2019 | Default date when identity routers are scheduled to automatically update to the new version unless you postpone the update.
June 22, 2019 | If you postponed the default date, this is the last day when updates can be performed.

Identity Router Replication Improvements Require Simultaneous Updates for All Clusters

RSA SecurID Access has significantly improved the replication of critical data across identity routers for SSO Agent deployments. This critical data includes user profiles (keychains), user sessions, and cookies used for LDAP connections.

To take advantage of this new functionality, you must update all of your identity routers within a cluster at the same time and update all clusters at the same time. Perform simultaneous updates to avoid breaking inter- and intra-cluster keychain replication. After updates are complete, you will not be able to restore backup files created using the previous version. RSA recommends that you create backups immediately after performing the update.

Just-in-Time Synchronization Automatically Enabled for New Customers Beginning March 2019

Just-in-time synchronization is now automatically enabled for all customers who deploy the Cloud Authentication Service after the March 2019 release is available. Before March 2019, you needed to contact RSA Customer Support to enable this feature. Now Super Admins can enable it in the Cloud Administration Console on the My Account > Company Settings > Company Information tab without contacting Customer Support. If you are an existing customer and just-in-time synchronization was enabled prior to March 2019, it remains enabled until you choose to disable it.

Just-in-time synchronization ensures that the identity source in the Cloud Authentication Service is updated every time a user attempts to register a device using the RSA SecurID Authenticate app or access a protected resource using additional authentication after the LDAP password is validated. When this feature is enabled, you never need to add user records through manual or scheduled synchronization. For more information, see Identity Sources for the Cloud Authentication Service.

Identify High Risk Users and Restrict Access to Protected Resources

You can control whether users who are identified as high risk can access protected resources or if these users must authenticate at a higher assurance level than other users. Users might be identified as high risk because their accounts have been compromised, or because a third-party security information and event management (SIEM) solution, such as RSA NetWitness, has found suspicious activity. Use the Add/Remove High Risk User API to identify high risk users within the Cloud Authentication Service. Access policies provide a new condition attribute, High Risk User List, so that you can configure authentication requirements for high risk users. You can also use the Retrieve High Risk User List API to retrieve a list of all users identified as high risk. For more information, see:

If your company deploys RSA NetWitness Respond Version 11.3 or later, use that product instead of the APIs to obtain the same benefits. For instructions, see NetWitness Respond Configuration Guide for Version 11.3.

Control Cloud Access for Cloud Administration REST APIs Using Role Permissions

You can ensure that each Administration API has permission to access appropriate information in the Cloud Authentication Service by assigning an administrative role to each API key. The API uses the key in the request. By default, all Administration API keys generated before March 2019 default to the Help Desk Administrator role. The new Add/Remove High Risk User API and Retrieve High Risk User List API require keys assigned to the Super Admin role. For more information, see Using the Cloud Administration REST APIs.

FIDO Token Authentication Method Available on Multiple Browsers

The FIDO Token authentication method is now available on more browsers (including mobile browsers) and supports the FIDO 2 authentication standard. For a list of supported browsers, see Cloud Authentication Service User Requirements.

Emergency SSH and Debug Logging Helps You Resolve Identity Router Connectivity Issues

If the identity router is unable to connect to the Cloud Authentication Service (for example, during setup), you can use the Identity Router Setup Console to enable these emergency troubleshooting features:

  • Secure Shell (SSH) to access the command line

  • Emergency debug logging

After troubleshooting is completed and the identity router is connected to the Cloud Authentication Service, you can disable these features and use the Cloud Administration Console for future troubleshooting. For more information, see Troubleshoot Identity Router Issues.

Support for Multiple RADIUS Profiles

You can create custom RADIUS profiles that specify an access policy rule set to identify which users can authenticate through the clients associated with the profile. Custom profiles increase flexibility because you can associate multiple profiles with a single client or the same profile with multiple clients. This feature allows you to implement strong, policy-based granular controls (for example, for Active Directory groups) for users and administrators who access RADIUS-based applications. For more information, see Configure a RADIUS Profile for the Cloud Authentication Service.

Enhanced Status Indicators for Identity Routers

Status indicators for the identity router have been improved and expanded, making it easier for you to troubleshoot problems with identity router services, as well as connectivity problems between identity routers and the Cloud Authentication Service. You can view detailed status information for each identity router in the Cloud Administration Console on the Platform > Identity Router page. For more information, see View Identity Router Status in the Cloud Administration Console.

Reminder: Users Must Update Their RSA SecurID Authenticate for Android Apps by March 31, 2019

To align with the Google migration to Firebase Cloud Messaging (FCM), RSA SecurID Authenticate 2.2.0 for Android now uses FCM for push notifications. Users must take action by updating to version 2.2.0 or higher of the app by March 31, 2019.

Fixed Issues

NGX-18781. Previously, after you modified cluster relationships and published the changes, all identity routers in the clusters were restarted and the publish operation did not complete. The restart no longer occurs and publishing completes as expected.

NGX-21183. When you use the Identity Router VM Console to update network settings or recommit changes, static routes that were configured in the Cloud Administration Console are no longer deleted from the identity router.

 

February 2019 - Cloud Authentication Service

The February 2019 release includes the following features and bug fixes.

Note:  The current version of the identity router, v2.5.0.0.5, was not updated in this release.

Disaster Recovery Environment for the EMEA and AUS Regions

The disaster recovery environment for the Cloud Authentication Service is now available for the EMEA and AUS regions. When the Cloud Authentication Service environment becomes unavailable for any reason, your deployment automatically switches to the disaster recovery environment. RSA recommends that you test access to this environment before it is needed to ensure a smooth transition during unexpected downtime. For instructions, see Test Access to Disaster Recovery Environment.

On-Demand Access to Uptime Status of Cloud Services

You can now monitor the current and historical uptime of the Cloud Authentication Service and the Cloud Administration Console on a service status page. This page includes current service availability, recent uptime percentage, and historical uptime percentage. For more information, see Monitor Uptime Status for the Cloud Authentication Service.

Receive Frequent Updates on Cloud Authentication Service Availability with Health Check API

If you want to receive frequent updates on the Cloud Authentication Service availability, you can use the Health Check API to integrate with your application monitoring product. For more information, see RSA SecurID Access Health Check API.

Updated RSA SecurID Authenticate Apps Simplify Device Registration with EMM Technology

RSA SecurID Authenticate 2.3.0 for Android and RSA SecurID Authenticate 2.2.0 for iOS now support simplified device registration through Enterprise Mobility Management (EMM) technology that supports the AppConfig Community standards, such as VMware AirWatch. With this functionality, you can help reduce the costs of device registration in your company by automatically downloading the app to users' devices and optionally configuring the Company ID and Email Address values. For more information, see Deploying the RSA SecurID Authenticate App in EMM Environment.

These app releases also contain bug fixes.

Users Must Update Their RSA SecurID Authenticate for Android App by March 31, 2019

To align with the Google migration to Firebase Cloud Messaging (FCM), RSA SecurID Authenticate 2.2.0 for Android uses FCM for push notifications. Users must take action by updating to version 2.2.0 or higher of the app by March 31, 2019.

Fixed Issues

NGX-21223. If you update the protected domain name after it has been initially configured on the My Account > Company Settings > Company Information page in the Cloud Administration Console, authentication no longer fails when users who access the RSA SecurID Application Portal attempt to open a Microsoft Office 365 application.

February 5, 2019 - RSA SecurID Authenticate Apps

RSA SecurID Authenticate 2.2.1 for Android resolves an issue with app instability on Samsung devices running Android 9 Pie. Samsung users should upgrade to this app version.

January 2019 - Cloud Authentication Service

RSA SecurID Authenticate for Android Now Uses Updated Push Notification Service

To align with the Google migration to Firebase Cloud Messaging (FCM), RSA SecurID Authenticate 2.2.0 for Android now uses FCM for push notifications. Users must take action by updating to version 2.2.0 or higher of the app by March 31, 2019.

New Administration APIs Expand Integration of Help Desk Functions Into Your Existing Tool Framework

RSA SecurID Access added four new Administration APIs to help you expand the integration of Help Desk functions into your existing enterprise service desk tools. These APIs can be used to synchronize a user between an identity source and the Cloud Authentication Service, update a user's Enabled/Disabled status, find a user by searching for a string in the user's email address, and mark an inactive user as pending deletion or remove the marked deletion status. Also, the Retrieve Authentication Audit Logs API now supports filtering authentication audit logs using a specified date range. For more information, see:

Improved Look and Feel of End-User Authentication Experience

To increase usability on mobile browsers, the look and feel of the end-user authentication experience has been improved. One key change is that the checkbox that displayed the contents of fields (for example, a passcode or tokencode field) has been replaced with a visibility toggle. For a list of supported browsers, see Cloud Authentication Service User Requirements.

Ability to Control If Users Can Delete Devices in My Page

To help improve security and increase flexibility, you can now specify whether users can delete their devices in My Page. You configure this option in the Cloud Administration Console in Platform > My Page.

Support for Active Directory 2019

The Cloud Authentication Service now supports Active Directory 2019 as an identity source.

Disaster Recovery Environment Available for US Region

RSA maintains a disaster recovery environment for the Cloud Authentication Service. When the Cloud Authentication Service environment becomes unavailable for any reason, your deployment automatically switches to the disaster recovery environment. The disaster recovery environment is currently available for the US region. RSA recommends that you test access to the disaster recovery environment before it is needed to ensure a smooth transition during unexpected downtime. For instructions, see Test Access to Disaster Recovery Environment.

Fixed Issues

NGX-22022. Previously, when you used the Cloud Administration Console to add a SAML application, on the Connection Profile page, the Identity Provider URL field was not automatically populated if one identity router in the cluster was inactive. Now, if high availability is enabled for the cluster, the Identity Provider URL includes the load balancer name. If high availability is disabled, the URL includes the identity router hostname.

NGX-21728. Previously, some blocks of user data were too large to be successfully synchronized to the Cloud Authentication Service. The service has been modified to accept larger blocks of user data, so this problem no longer occurs.

NGX-21682. RSA SecurID Access has updated the list of country codes it supports for SMS Tokencode and Voice Tokencode authentication.

NGX-21553. Previously, authentication failed after an administrator re-mapped identity source attributes after the initial mapping. This problem has been corrected and mapping changes are now handled as expected.

NGX-21286. Previously, a misleading message indicating successful synchronization appeared in the administration audit logs after an administrator initiated identity source synchronization. The message has been corrected to reflect what actually happened: <Administrator_name> manually initiated synchronization for <identity source>.

NGX-20908. Previously, in certain deployments, after an administrator attempted to delete or edit and save an access policy, a publish operation succeeded to the identity routers but failed to the Cloud Authentication Service. This problem has been fixed.

November 2018 - Cloud Authentication Service

Deploy Identity Routers in the Cloud Using Amazon Web Services

You can now deploy the identity router in the Amazon Web Services (AWS) Elastic Compute Cloud (EC2), thus reducing or eliminating the on-premises footprint of RSA SecurID Access. You have the flexibility to choose a cloud-only or hybrid-cloud deployment. For example, in a hybrid-cloud deployment, the identity router in the AWS cloud can connect to on-premises components such as RSA Authentication Manager or your LDAP directory server. You use an Amazon Machine Image (AMI) that you access with your AWS account to deploy the identity router in the cloud. For more information, see Amazon Web Services Identity Router Deployment Models.

Users Can Delete Registered Devices in My Page

To increase user self-service capabilities and reduce administrative support costs, My Page now allows users to delete their current registered devices. When users get new devices (for example, mobile phones) they can first delete their current devices in My Page and then complete registration on the new devices—all without administrative assistance.

New Administration APIs Available to Integrate Help Desk Functions Into Your Existing Tool Framework

RSA SecurID Access provides new Administration APIs to help you integrate RSA SecurID Access Help Desk functions into your existing enterprise service desk tools. The new APIs support the ability to retrieve user and device details, unlock tokencodes, delete user devices, update SMS Tokencode and Voice Tokencode phone numbers, and retrieve authentication audit logs for specific users. For more information, see Using the Cloud Administration REST APIs.

Improved Documentation for Configuring High Availability Deployments

You will find it easier to configure high availability for different types of deployment using improved documentation on RSA Link. High availability increases the likelihood that an identity router will be available to process authentication requests when one or more identity routers in the same cluster are down. High availability also improves performance by ensuring that requests are distributed evenly among identity routers. For instructions, see Configure High Availability for Cloud Authentication Service Deployments.

Updated RSA SecurID Authenticate Apps

RSA SecurID Authenticate 2.1.0 for iOS and RSA SecurID Authenticate 2.1.0 for Android contain bug fixes.

Fixed Issues

NGX-19853. When you disable a user, the RSA SecurID Authenticate for iOS and Android apps no longer delete the user's company in the app.

NGX-19870. When an automatic Integrated Windows Authentication (IWA) identity provider is configured in your deployment and users try to open the application portal URL in a browser, the portal sign-in page used to appear instead of the portal landing page that lists the applications. This problem has been fixed and now the portal landing page appears.

NGX-20598. Previously, when you attempted to add a location to the Trusted Location page using an address, certain addresses did not appear in the Bing maps suggestion list. Now you can use the Search button to find addresses that do not appear in this list.

October 2018 - Cloud Authentication Service

Easier Direct-to-Cloud Integration for Key Apps

To provide easier direct-to-cloud integration, you can now protect Workday, ServiceNow, and Microsoft Office 365 without needing to use the SSO Agent. For instructions, see the following:

Updated RSA SecurID Authenticate for Android App

RSA SecurID Authenticate 2.0.2 for Android contains bug fixes.

Fixed Issues

NGX-17695. Previously, in some SSO Agent deployments, the publishing status indicator displayed “Changes Pending” when there were no updated settings to be published. This problem no longer occurs.

NGX-19930. The Identity Router Setup Console Network Diagnostics page no longer reports that the identity router failed to connect to two URLs used for software updates. The problem is corrected if you publish after the cloud or identity router upgrade is performed.

October 15, 2018 - RSA SecurID Authenticate Apps

RSA SecurID Authenticate 2.0.1 for iOS is qualified with iOS 12 and contains bug fixes.

September 27, 2018 - RSA SecurID Authenticate Apps

RSA SecurID Authenticate 2.0.1 for Android contains bug fixes.

September 2018 - Cloud Authentication Service

The September 2018 release of the Cloud Authentication Service includes the following features and updates:

My Page - User Portal for Easy Device Registration

To enhance the security of device registration while minimizing user friction, this release introduces RSA SecurID Access My Page, a new web-based portal that uses multifactor authentication and QR or limited one-time-use numeric registration codes to complete device registration. See how this works.

If you are currently using the RSA SecurID Authenticate Device Registration access policy, be aware that the name and purpose of this policy will change in the September release to help control migration to My Page. The policy will be renamed to Device Registration Using Password and will allow you to control who can use password as the registration code. If necessary, update the policy configuration to align with your company needs.

Note that if you want to continue using a password to complete device registration, your users can enter their passwords as the registration code.

Updated RSA SecurID Authenticate Apps for My Page and Android 9 Pie Qualification

RSA SecurID Authenticate 2.0.0 for iOS, RSA SecurID Authenticate 2.0.0 for Android, and RSA SecurID Authenticate 3.0.0 for Windows 10 contain the following updates:

  • Updated device registration flow to work with RSA SecurID Access My Page. To register a device, iOS and Android users scan a QR code or enter a limited one-time-use numeric registration code. Windows 10 users enter a limited one-time-use numeric registration code.

    Users only need to register a device if they are a new user, adding a new company, or switching a device. Existing users do not need to re-register.

  • If you require users to enter a PIN or Device Biometrics to view the Authenticate Tokencode, the process to reset a PIN has changed. iOS users will first be prompted for the device passcode. Android users will first be prompted for device credentials. Windows 10 users must first delete all the companies that protect the Authenticate Tokencode and then re-register those companies.

  • The RSA SecurID Authenticate for Android app is qualified with Android 9 Pie.

  • Bug fixes.

RSA SecurID Access User Event Log API

You can use the User Event Log API to export user audit logs from the Cloud Authentication Service. This feature improves auditing and security monitoring of end-user activity, which is useful for compliance audits, troubleshooting, risk assessment, and security information and event monitoring (SIEM) analysis. For more information, see RSA SecurID Access User Event Log API.

Preconfigured Access Policy with Contextual Risk-Based Analytics

To further assist new customers in getting up and running more quickly, an additional preconfigured access policy has been added to the initial three delivered in August 2018. The fourth policy applies a context-driven criterion that uses the Identity Confidence attribute to determine if additional authentication is required. This fourth preconfigured access policy is only available to Premium edition customers.

Improved Logging for User Synchronization Events

Improved log messages for user synchronization events will make troubleshooting easier when users are automatically re-enabled or disabled in the Cloud Authentication Service, or when users are not found in the directory server during synchronization.

Fixed Issues

NGX-19192. In RADIUS and relying party deployments, the proxy server specified in the Identity Router Setup Console now handles traffic for authentication and product maintenance (such as cluster updates). In an SSO Agent deployment, the proxy server now handles traffic for product maintenance.

NGX-19829. Previously, you were unable to delete an identity source after you had visited the Clusters page. This problem has been fixed.

NGX-19798. In the Cloud Administration Console, the Device Enrollment policy is no longer included in the access policy count displayed on the Dashboard page. The Dashboard count includes your company’s custom access policies and preconfigured access policies.

To see release notes that were published for earlier releases, see Release Notes Archive | Cloud Authentication Service and RSA SecurID Authenticate Apps.

 

 

 

 

 
