RSA SecurID® Access Release Notes: Cloud Authentication Service and RSA SecurID Authenticate App

Document created by RSA Information Design and Development Employee on Aug 21, 2018. Last modified by RSA Information Design and Development Employee on Sep 15, 2020.
Version 77

These release notes include product updates and bug fixes.

For additional information, see:

  • RSA SecurID Access Product Release Notes, a portal to all release notes for the Cloud Authentication Service, RSA Authentication Manager, authentication agents, and token authenticators.

  • RSA Link, to access all RSA SecurID Access product documentation.

September 2020 - Cloud Authentication Service

Actions Required for Upcoming Identity Router and RSA SecurID Authenticate App Security Improvements

To strengthen the overall security of RSA SecurID Access, RSA is rolling out significant improvements that affect all identity routers and the RSA SecurID Authenticate app (iOS and Android). See this advisory for information on these improvements. To ensure uninterrupted service and avoid downtime, you must perform the following actions.

                            
After RSA migrates database data to FIPS-supported algorithms, the Cloud Administration Console will display a Changes Pending message. Please ignore this message as a publish is not required. This status will disappear after your next regular publish. No customer action needed. EMEA and ANZ regions: 8/29/2020. US region: 9/12/2020.

You must upgrade RSA SecurID Authenticate 2.x for Android or iOS to the latest version by October 12, 2020. See this advisory for details.

Begin Action: Immediately
End Action: October 12, 2020

You must update all identity routers to the August release before the next identity router upgrade date (October 31, 2020):

  • For on-premises identity routers, apply version 2.10.0.0.5 or higher
  • For the Amazon Cloud, apply RSA_Identity_Router 2.10.0.0.6 or higher

After October 31, RSA SecurID Access will enforce TLS 1.2 for all connections. Versions of TLS earlier than 1.2 will no longer work.

To ensure uninterrupted connectivity, make sure your identity routers are running the latest software version (12.10.0.8) prior to October 31. For instructions, see Update Identity Router Software for a Cluster.

If you are using a proxy server, you must ensure it also supports TLS 1.2 and later.

Begin Action: Follow your normal upgrade schedule.
End Action: October 31, 2020

Note:  A new identity router that takes advantage of hardened security and the latest operating system patches using SLES version 12 SP5 is coming in November. Watch future notifications for details.

Multiple Service Provider Connections Allow Flexible Access Policy Assignment

RSA improved integration options for customers with SAML-based applications who cannot use the SAML Authentication Context attribute to assign an access policy based on a condition such as the user group and/or resource being accessed. These customers now have increased flexibility when assigning policies by configuring multiple service provider (SP) connections, each with its own unique identifier. For more information, see Add a Service Provider.

Authenticate to Cloud Administration Console Through Third-Party Identity Provider

Customer administrators can now securely log in to the Cloud Administration Console through federation by extending their identity provider (IdP). Administrators who are using a common access card (CAC) and personal identity verification (PIV) can continue to use the Federal IdP infrastructure to perform a federated login to the Cloud Administration Console. For instructions, see Configure Session and Authentication Method Settings.

Fixed Issues

                       
Fixed Issue | Description
NGX-50739 | Previously, resetting an Active Directory password from the custom application portal using the resetpw API did not enforce the Active Directory password policy. This problem has been fixed.
NGX-50457 | The Cloud Administration User Event API produced incorrect output. In the row showing which authentication method was used to access an application, the Application column showed the type of device used to complete the authentication method rather than the actual application being accessed. This problem has been fixed and this column no longer shows the device type.
NGX-50062 | In the Cloud Administration Console, a customer was unable to successfully Publish Changes. Instead, the request continued to load and change to Publish Pending. This problem was traced to a misconfiguration issue. For instructions to prevent this problem from occurring, see Add an Identity Source for the Cloud Authentication Service.

August 2020 - Cloud Authentication Service (Identity Router)

Identity Router Update Schedule and Versions

This release includes miscellaneous identity router improvements. Identity routers will be updated according to the following schedule. Note that starting in August 2020, identity router updates will be released independently from Cloud Authentication Service updates.

                       
Date | Description
8/25/2020 | Updated identity router software is available to all customers.
9/26/2020 (EMEA, ANZ); 10/3/2020 (US) | Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually.
10/31/2020 | If you postponed the default date, this is the last day when updates can be performed.

The new identity router software versions are:

                   
Deployment Type | Version
On-premises | 2.10.0.0.5
Amazon Cloud | RSA_Identity_Router 2.10.0.0.6

Android and iOS Users Must Upgrade RSA SecurID Authenticate 2.x App to the Latest Version by October 12, 2020

RSA is continually enhancing RSA SecurID Access by adding new features and keeping up-to-date with security best practices. To keep up with these changes, users with RSA SecurID Authenticate 2.x for Android or iOS must upgrade to the latest version available in the Apple App and Google Play stores by October 12, 2020. After this date, 2.x users will not be able to authenticate. RSA strongly recommends that you upgrade users as soon as possible to avoid any interruptions or downtime. For more information, see this advisory.

Integrate FIDO Authentication Using Cloud Administration API

The RSA Cloud Administration APIs now include support for FIDO. Customers and RSA Ready technology partners can enable their commercial and custom applications to enroll FIDO Tokens leveraging these APIs in addition to using RSA SecurID Access for FIDO-based authentication. For more information, see Cloud Administration FIDO Authenticator API.

Modernized RSA SecurID Access Application Portal

RSA has redesigned the RSA SecurID Access Application Portal with the same modern look-and-feel that users already see in the web authentication and My Page screens. Improvements include an updated visual design, accessibility improvements and improved ability to display custom customer logos.

Delete RSA Authentication Manager Connection Information

If your Cloud Authentication Service deployment was integrated with RSA Authentication Manager and it allows users with RSA SecurID Tokens to access cloud-protected resources, you can now delete unused connections. Deleting prevents you from receiving unnecessary logging errors.

Note:  Use this feature only after you have updated the identity router software to version 2.10.0.0.5.

For more information, see Delete the Connection Between the Cloud Authentication Service and RSA Authentication Manager.

Fixed Issues

                                       
Fixed Issue | Description
NGX-50436 | In the Cloud Administration Console, informational text and online Help for High Availability Tokencode were corrected.
NGX-48685 | An identity router configured with one network interface was unable to connect to RSA Authentication Manager after reboot unless an administrator clicked Update IDR Setup Configuration on the Identity Router Setup page. This problem has been fixed.
NGX-48520 | In the Cloud Administration Console, the Last Used On field was removed from the User Management page because it did not apply to mobile devices.
NGX-47885 | The browser autocomplete feature is no longer enabled for text fields on the RSA SecurID Access Application Portal and the Identity Router Setup Console.
NGX-46349 | Previously, disabling Identity Confidence Collection in the Cloud Administration Console on the My Account > Company Settings > Company Information page broke access policies that used the Trusted Network conditional policy attribute and were used by applications configured for single sign-on (SSO). This problem has been fixed.
NGX-44842 | In the Cloud Administration Console, the user interface design and Help text have been improved to make it easier to configure user attributes when you add an identity source.
NGX-44332 | The identity router can now communicate with its software update repositories over TLSv1.2.

RSA SecurID Authenticate 3.3 App for Windows

RSA SecurID Authenticate 3.3 app contains modifications that are required for future app releases. To ensure that Windows users with earlier versions have the latest product improvements, these users must upgrade the app to version 3.3 to avoid re-registration.

July 2020 - RSA MFA Agent 2.0 for Microsoft Windows

RSA MFA Agent 2.0 for Microsoft Windows leverages the Cloud Authentication Service and RSA Authentication Manager 8.5 to provide strong multifactor authentication to users signing into Windows, both online and offline. The MFA Agent provides multiple authentication options for users, along with features that improve user productivity and security during Windows sign-in. This update contains many new features, including:

  • Authentication to both Cloud Authentication Service and RSA Authentication Manager 8.5. You can choose from the supported multifactor authentication options based upon your business needs.

  • Offline authentication available for both RSA Authentication Manager and Cloud Authentication Service users.

  • REST-based agent that addresses security and compliance needs with strong crypto algorithms.

  • Enhanced load balancing and failover with additional administrative controls and new options for customizing the user sign-in experience.

For complete information on new features, see RSA MFA Agent 2.0 for Microsoft Windows Release Notes.

RSA also offers an MFA Agent for macOS. For complete documentation, see RSA MFA Agent 1.0 for macOS.

July 2020 - RSA SecurID Authenticate App for Android

RSA SecurID Authenticate 3.6 for Android app now supports face recognition. Devices must meet the Android security specifications and have a strong rating to allow use of Biometric authentication (face recognition and fingerprint) within the Authenticate app. For example, the Pixel 4 device supports strong facial recognition technology. See https://source.android.com/security/biometric/measure for more information. Users should check with their device vendors to confirm if their devices are compatible.

This release also contains miscellaneous bug fixes and improvements.

July 2020 - Cloud Authentication Service

New API Provides License and Usage Information

RSA is providing a new API to help you integrate your existing tools and gain visibility into your company’s license and usage information, which is important for planning and budgeting your future license upgrades. The Cloud Administration Retrieve License Usage API allows administrators to access the number of MFA licenses used, the number of users with third-party FIDO authenticators, and the total number of SMS and Voice Tokencodes sent for the current month. You can use this data for external trending analysis. For more information, see Cloud Administration Retrieve License Usage API.

Fixed Issues

                       
Fixed Issue | Description
NGX-48522 | Under certain circumstances, users who authenticated through a relying party had to press the tab key twice in order to move the cursor to the password field. This problem has been fixed.
NGX-47434 | The documentation has been updated to indicate that users who sign in to My Page are automatically synchronized to the Cloud Authentication Service. For details, see Just-in-Time Synchronization.
NGX-44932 | Previously, there was no way to delete a certificate chain from the Company Settings > Company Information page. Now you can click Delete to delete the certificate chain.

June 29, 2020 - RSA SecurID Authenticate App for iOS and Android

RSA SecurID Authenticate 3.5 app for iOS and Android contains miscellaneous fixes and improvements. On Android devices, this update is qualified with Android OS 6.x and later.

Authenticate Key Technical Preview

The app includes Authenticate Key, a FIDO-based authenticator that can be used for primary and additional authentication. This is a Technical Preview feature that is disabled by default. If you are interested in enabling this feature, contact RSA.

Fixed Issues

                       
Fixed Issue | Description
NGX-40499 | The copyright for the Authenticate app has been updated to 2020.
NGX-40276 | Removing PIN protection from the iOS app in a registered device with multiple PIN protected accounts no longer causes other PIN-protected accounts to re-lock immediately after authentication.
NGX-44181 | An Android device that had not been jailbroken incorrectly displayed a noncompliance message. This problem has been fixed.

Known Issue

               
Known Issue | Description
NGX-48898 | Problem: When users install the iOS app, a message indicates that Bluetooth must be turned on to use Authenticate Key. Workaround: Users who do not plan to use Authenticate Key should ignore this message.

June 2020 - Cloud Authentication Service

The June 2020 release includes the following features and benefits.

More Value for Enterprise and Premium Editions with YubiKey for RSA SecurID Access

Customers with RSA SecurID Access Enterprise or Premium Edition can now use YubiKey for RSA SecurID Access and other third-party FIDO authenticators without purchasing additional licenses. Previously, these customers had to purchase a separate MFA license for each user to use these authenticators. FIDO authenticators provide a positive user experience and help prevent man-in-the-middle and phishing attacks for FIDO-enabled authentication use cases.

RSA SecurID Authentication API Supports FIDO/FIDO2

The RSA SecurID Authentication API now supports FIDO/FIDO2 for authentication. Along with other RSA-supported MFA options, customers and RSA Ready technology partners can enable commercial and custom applications to use RSA SecurID Access for FIDO authentication. For more information, see RSA SecurID Authentication API Developer's Guide.

Easy Access to License and Usage Information

Customers can now easily access their current Cloud Authentication Service license and usage information in the Cloud Administration Console for compliance and operational needs. For more information, see Cloud Administration Console Dashboard.

Fixed Issues

                       
Fixed Issue | Description
NGX-47287 | Certain client applications (for example, MS Office applications) that used older JavaScript engines displayed a script error during authentication. This issue has been resolved.
NGX-45622 | When entering Authenticate Tokencode during authentication, RADIUS client users who enter a space after four digits (as displayed in the RSA SecurID Authenticate app) are now able to successfully authenticate.
NGX-44853 | The documentation now explains that when you upload a company logo to My Page, that logo can also be used for the relying party sign-in page and on additional authentication screens presented to users. See Adding a Custom Logo to Your Cloud Authentication Service Deployment.

May 2020 - Cloud Authentication Service

The May 2020 release includes the following features and benefits.

Allow Emergency Tokencode to replace FIDO when FIDO is used for Primary Authentication

Users can use Emergency Tokencode to sign in when they misplace or lose their FIDO authenticator. Emergency Tokencode allows them to access SaaS and web applications that are protected using FIDO as a primary authentication method. For more information, see FIDO.

Securing the Password Reset Process for Administrators

Securely resetting Cloud Administration Console passwords is even better. Now, password resets must be completed within two hours of requesting the password reset link.

Fixed Issues

                       
Fixed Issue | Description
NGX-45653 | Previously, the User Event Monitor email autocomplete did not show events for users with apostrophes in their email addresses, forcing users to enter the full email address with apostrophes in the filter box in order to see events. This problem has been fixed.
NGX-45485 | When just-in-time synchronization was enabled, users who attempted to authenticate during an automatic or manual identity source synchronization might become disabled when they should have remained enabled. This problem no longer occurs.
NGX-22987 | Microsoft Azure Active Directory provided the email address instead of the UPN in authentication requests for guest users. This problem has been fixed. Now the Cloud Authentication Service takes the user identity from the email address if the UPN is omitted.

Known Issue

               
Known Issue | Description
NGX-45622 | Problem: When entering Authenticate Tokencode during authentication, RADIUS client users who enter a space after four digits (as displayed in the RSA SecurID Authenticate app) are unable to successfully authenticate. Workaround: Do not enter the space during authentication.

 

April 2020 - Cloud Authentication Service (Identity Router)

The April 2020 release includes the following features and benefits.

Identity Router Update Schedule and Versions

Identity routers will be updated according to the following schedule.

                       
Date | Description
April 28, 2020 | Updated identity router software is available to all customers.
July 11, 2020 (ANZ); July 25, 2020 (EMEA, US) | Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually.
August 15, 2020 | If you postponed the default date, this is the last day when updates can be performed.

The new identity router software versions are:

                   
Deployment Type | Version
On-premises | 2.9.0.0.4
Amazon Cloud | RSA_Identity_Router 2.9.0.0

Enterprise Edition Supports Additional Conditional Access Policy Attributes

Most access policy attributes that were previously available only to customers with Premium Edition are now available to all customers with Enterprise Edition. This feature provides Enterprise customers with greater flexibility in defining conditional access policies. For example, you can enforce different authentication requirements for trusted and untrusted locations. For the list of available attributes, see RSA SecurID Access Editions.

Support for Threat-Aware Authentication Extended in Cloud Administration API

RSA SecurID Access Threat Aware Authentication now supports additional customer scenarios in the Cloud Administration of High-Risk User API version 2. You can now manage high-risk users based on Primary Username and Alternate Username. See Cloud Administration Retrieve High-Risk User List API Version 2.

Note:  Primary Username temporarily still appears as SecurID Username in the Cloud Administration Console.

Data Collection for Identity Confidence and Location Can Be Disabled from the Cloud Administration Console

Data collection for identity confidence and location can now be disabled and re-enabled from the Cloud Administration Console. For more information, see Configure Company Information and Certificates and Condition Attributes for Access Policies.

Action Required If Identity Confidence Data Collection is Already Disabled for Your Deployment

If you previously disabled identity confidence data collection on the identity router with the assistance of RSA Customer Support, you must now use the Cloud Administration Console to disable this function. After you update your identity router software to the 2.9.0.0.4 version, data collection will be automatically enabled. To disable data collection, open the Cloud Administration Console and click My Account > Company Settings. In the Identity Confidence Collection field, click Disabled.

Editable Preconfigured Access Policies

All of the preconfigured access policies provided with RSA SecurID Access can now be edited for immediate customization. See Preconfigured Access Policies.

Delete a User Immediately Using New Cloud Administration API

Use the Cloud Administration Delete User Now API to delete a single disabled user from the Cloud Authentication Service and immediately remove all information and devices associated with the user. See Cloud Administration Delete User Now API.

Permissions List Available for RSA SecurID Authenticate and RSA SecurID Software Token Apps

You can download a list of all permissions associated with using the RSA SecurID Authenticate and RSA SecurID Software Token apps. Use this document to inform your users which permissions are optional and which are required. See RSA SecurID Authenticate and RSA SecurID Software Token App Permissions.

Additional Improvements

The April 2020 release contains the following additional improvements and changes:

  • Six new videos demonstrate how to configure the Cloud Authentication Service. See Cloud Authentication Service Videos.

  • All references to FIDO Token have been changed to FIDO in the documentation and user interface.

Fixed Issues

                                               
Fixed Issue | Description
NGX-41625 | Google will slowly roll out a change to the cookie behavior in Google Chrome version 80 or later. This changed cookie behavior does not affect most RSA SecurID Access users. However, there is a possibility that users who have version 80 and authenticate to the RSA SecurID Access Application Portal might experience step-up authentication failure if the authentication session is longer than two minutes. This problem has been fixed. For more information, see https://community.rsa.com/docs/DOC-110956.
NGX-43410 | Publishing configuration changes sometimes failed if the identity router was processing a RADIUS authentication request during the publish. This problem no longer occurs. RSA recommends publishing during off-peak hours when there is less authentication traffic.
NGX-42825 | A customer's identity router registration failed at the final step "Checking for connection for authentication and product maintenance." This problem has been fixed.
NGX-42179 | On the identity router, some HTTP pages included unnecessary technical information. This problem no longer occurs.
NGX-41473 | Email notifications configured in the Cloud Administration Console were being sent from an RSA account on behalf of email domains that are unconfigured for this account. As a result, the notifications were blocked by SPAM filters. This problem has been fixed. The From email address has been changed to noreply@securid.com.
NGX-41467 | When using change password functionality with a custom portal, the customer now receives the response in JSON format.
NGX-16781 | Identity router problems occurred when the same resource was configured for multiple services. For example, if the DNS server was also the gateway, or if the DNS server and identity source used the same IP address. This problem has been fixed.
NGX-36432 | The Identity Router Setup Console was incorrectly loaded in certain rare situations when unable to resolve the host name within the specified time. This problem has been fixed.
NGX-39900, NGX-41634, NGX-39859, NGX-39846, NGX-39088, NGX-39077, NGX-39081 | Miscellaneous security vulnerabilities were fixed.

April 27, 2020 - RSA Security Key Utility Improvements

The RSA Security Key Utility version 1.1 has been updated to include:

  • Performance improvements.

  • User interface localized in Chinese, Portuguese, Japanese, French, Spanish, and German.

  • Documentation updates.

For downloads, see RSA Security Key Utility. For upgrade instructions, see Using RSA Security Key Utility.

March 2020 - Cloud Authentication Service

Update Your IP Addresses to Connect to the Cloud Authentication Service

RSA SecurID Access is not releasing new features in March 2020. Instead, this is a reminder that you must update your firewall to allow your identity routers and user web browsers to connect to new IP addresses for the Cloud Authentication Service and Cloud Administration Console. These changes are required by our Cloud service provider. To prevent service disruption, your network must be able to connect to both the existing and new IP addresses by the following dates.

                           
Region | New IP Addresses | Date
ANZ | 20.37.53.30, 20.39.99.202 | Completed on March 20, 2020
EMEA | 51.105.164.237, 52.155.160.141 | Friday, April 3, 5:00 PM EDT
US | 52.188.41.46, 52.160.192.135 | Saturday, April 11

These dates and IP addresses are also published here.

It is important to know:

  • During the maintenance window for this upgrade, authentication services will continue, but you may lose audit data and new device registrations. For example, lost data may include browsers that were "remembered" during maintenance and user actions on My Page. Users who register devices during this time must re-register.

  • No configuration changes are required within the Cloud Authentication Service. If your firewall rules limit outgoing IP traffic, then you need to work with your IT team to add or whitelist the new IP addresses. If your firewall rules do not limit outgoing IP traffic, then you do not need to take additional action at this time.

For instructions on checking the status of your Cloud connections, see View Identity Router Status in the Cloud Administration Console. If you use any third-party tools, such as Pingdom, to monitor your deployment, you might want to temporarily disable alerts during the migration.

March 19, 2020 - RSA SecurID Authenticate for Android

RSA SecurID Authenticate 3.3 for Android includes enhanced compliance checks to ensure the device is not rooted before allowing use of the app. The app previously checked for compliance during registration. The app now checks for compliance whenever users open the app (for example, to complete registration or an authentication request) and in interactive notifications for Approve. If the Authenticate app detects that a device is rooted, the app displays a "Device Not Compliant" message and prevents use of the app.

If your users are using rooted devices, instruct your users to unroot their devices, re-install the RSA SecurID Authenticate app (if necessary), and complete registration again with the app.

March 9, 2020 - RSA Security Key Utility

RSA announces the release of RSA Security Key Utility, a Windows utility that you deploy on users' Windows machines to manage user verification for FIDO2-certified security keys. Users can use the utility to manage a PIN for the security key or reset the key.

RSA Security Key Utility works with any FIDO2-certified USB security key. For system requirements, installation instructions, and more, see Using RSA Security Key Utility.

You can provide the following video to your users to demonstrate how to create and reset a PIN using the utility. The video is also available in the user help.

February 2020 - Cloud Authentication Service

Action Recommended for Certain SSO Agent Deployments to Handle Google Chrome 80 Changes

On February 18, 2020, Google will slowly roll out a change to the cookie behavior in Google Chrome version 80 or later. This changed cookie behavior does not affect most RSA SecurID Access users. However, there is a possibility that users who have version 80 and authenticate to the RSA SecurID Access Application Portal might experience step-up authentication failure if the authentication session is longer than two minutes. This does not affect deployments that use RADIUS or relying parties. If this issue affects your users, you might need to take further action. For instructions, see Immediate Action Recommended for Certain SSO Agent Deployments to Handle Google Chrome 80 Changes.

Schedule for Planned Changes to Cloud Authentication Service IP Addresses (March 2020)

To align with changes required by our Cloud service provider, Microsoft Azure, the RSA SecurID Access Cloud Authentication Service and Cloud Administration Console IP addresses will change in March 2020. RSA recommends that you make any necessary firewall changes to allow your identity routers and user browsers to connect to these new IP addresses. To prevent service disruption, your network must be able to connect to both the existing and new IP addresses by the following dates.

                            
Region | New IP Addresses | Date
ANZ | 20.37.53.30, 20.39.99.202 | March 20, 2020
EMEA | 51.105.164.237, 52.155.160.141 | March 20, 2020
US | 52.188.41.46, 52.160.192.135 | March 21, 2020

Note:  No configuration changes are required within the Cloud Authentication Service. If your firewall rules limit outgoing IP traffic, then you need to work with your IT team to add or whitelist the new IP addresses. If your firewall rules do not limit outgoing IP traffic, then you do not need to take additional action at this time.

To test access to the new IP addresses, see Test Access to Cloud Authentication Service.

These dates and IP addresses are also published here.
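
The check below is an added example, not part of RSA's release notes or tooling. It audits an exported list of outbound firewall rules against the new IP addresses listed in the February and March 2020 notices and reports, per region, which addresses no allow rule covers yet. The rule-export layout and TCP port 443 are assumptions made for illustration.

```python
import ipaddress
import socket

# New Cloud Authentication Service addresses, copied from the tables in these notes.
NEW_IPS = {
    "ANZ": ["20.37.53.30", "20.39.99.202"],
    "EMEA": ["51.105.164.237", "52.155.160.141"],
    "US": ["52.188.41.46", "52.160.192.135"],
}

# Constructed sample of an egress rule export. The "action direction proto dest port"
# layout is a hypothetical format for this example, not any firewall's real syntax.
SAMPLE_RULES = """\
# outbound rules for the identity router subnet
allow out tcp 20.37.53.0/24 443
allow out tcp 51.105.164.237 443
allow out tcp 52.155.160.141 80
deny  out tcp 52.188.41.46 443
allow in  tcp 52.160.192.135 443
allow out udp 52.160.192.135 443
"""


def parse_allowed(rules_text, port=443):
    """Return the networks that outbound TCP traffic to `port` may reach.

    Only explicit allow rules are collected. Rule order and deny precedence
    are not modelled, so treat the result as a lower bound on what is missing.
    """
    networks = []
    for line in rules_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) != 5:
            continue  # blank line, comment, or a rule shape this sketch ignores
        action, direction, proto, dest, rule_port = fields
        if (action, direction, proto) != ("allow", "out", "tcp"):
            continue
        if rule_port not in ("any", str(port)):
            continue
        if dest == "any":
            dest = "0.0.0.0/0"
        networks.append(ipaddress.ip_network(dest, strict=False))
    return networks


def missing_by_region(rules_text, port=443):
    """Map each region to the new addresses that no allow rule covers."""
    allowed = parse_allowed(rules_text, port)
    gaps = {}
    for region, addresses in NEW_IPS.items():
        missing = [
            ip for ip in addresses
            if not any(ipaddress.ip_address(ip) in net for net in allowed)
        ]
        if missing:
            gaps[region] = missing
    return gaps


def can_connect(ip, port=443, timeout=5.0):
    """Live follow-up check: True if a TCP connection to ip:port succeeds."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for region, addresses in missing_by_region(SAMPLE_RULES).items():
        print(f"{region}: no allow rule covers {', '.join(addresses)}")
```

Run the rule audit first, then call can_connect from the identity router's network segment to confirm that the path actually works end to end.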

Support for Windows Hello and Android Phone as FIDO Authenticators

The Cloud Authentication Service supports Windows Hello and Android phone as FIDO authenticators. Users must register these authenticators in My Page and not during first-time authentication to an application. You must enable registration for these authenticators in My Page. For more information, see FIDO Authenticators.

New Terminology for Authenticators and Devices

With the support of the FIDO platform authenticators Windows Hello and Android phone, terminology is changing in the Cloud Administration Console and product documentation to address authenticators that are not necessarily devices.

The following changes have been made in the documentation:

  • Authenticator is the new general term for something that a user authenticates with. As part of this change, device registration has been changed to authenticator registration. For example, "Users must complete authenticator registration to access protected applications."

  • Device will continue to be used in situations specific to the RSA SecurID Authenticate app. For example, "An individual user can use the RSA SecurID Authenticate app on a single registered device."

  • The FIDO terminology has changed for end users in My Page, browser-based authentication prompts, and help. In the past, users selected FIDO Token in My Page or More Options, for example. Now users select security key, Windows Hello, or Android phone, depending on what your organization has instructed them to register and use.

    All FIDO authenticators are still managed by the FIDO Token authentication method in the Cloud Administration Console.

The Cloud Administration Console text will be updated in a future release.

New Identity Source Attribute – Alternate Username

A new user identifier, Alternate Username, is available as an identity source attribute. Customers with relying parties such as Azure Active Directory can use any attribute, such as UPN, that is suitable for use as the SecurID Access username. For configuration instructions, see Add an Identity Source for the Cloud Authentication Service.

Cloud Administration API Retrieves Device Registration Codes

A new API allows users to securely register their devices within custom help desk and self-service portals. The API generates one-time device registration codes. For more information, see Cloud Administration Retrieve Device Registration Code API.

Fixed Issues

                   
| Fixed Issue | Description |
| --- | --- |
| NGX-38913 | Previously, customers with the RSA SecurID Access Base or Enterprise Edition were unable to use access policies that contained condition attributes that are supported for those editions. This problem has been resolved. |
| NGX-38902 | Previously, under certain conditions, some users continued to appear on the Users > Management page in the Cloud Administration Console and in synchronized user reports after their identity source had been deleted from the customer's deployment. This problem no longer occurs. |

 

February 3, 2020 - RSA SecurID Authenticate for Android App

RSA SecurID Authenticate 3.2 for Android contains bug fixes.

January 2020 - Cloud Authentication Service

FIDO2 Certification for Cloud Authentication Service

The Cloud Authentication Service is now a FIDO2 Certified Server. The certification demonstrates compliance with the FIDO specification and ensures compatibility with any FIDO-certified security key.

As part of this certification, the Cloud Authentication Service checks the integrity of the security key response message during registration. If the response message is modified on its way to the Cloud Authentication Service, the registration is unsuccessful.

Additionally, the Cloud Authentication Service verifies the integrity and authenticity of FIDO-certified security keys listed with the FIDO Alliance Metadata Service (MDS). The Cloud Authentication Service rejects MDS-listed keys if they are detected as counterfeit or compromised.

Jailbreak Detection for RSA SecurID Authenticate for iOS

RSA SecurID Authenticate 3.2 for iOS contains the following updates:

  • Compliance checks to ensure the device is not jailbroken before allowing use of the app. If the Authenticate app detects that a device is jailbroken, the app displays a "Device Not Compliant" message and prevents use of the app. This message displays when users open the app (for example, to complete device registration or an authentication request) and in interactive notifications for Approve.

    If your users are using jailbroken devices, they will no longer be able to use the app. Instruct your users to restore their devices, and then complete device registration again with the RSA SecurID Authenticate app.

  • Bug fixes.

Security Fix for Integrated Windows Authentication Connector Requires Manual Update

A password is now required to protect the Issuer Signing Certificate file (.pfx) when you install the Integrated Windows Authentication (IWA) Connector. If your company installed the Connector prior to the January 2020 release, RSA recommends that you install the latest version of the Connector (1.6) with the certificate file password. For instructions, see Install the Integrated Windows Authentication Connector.

Schedule for Planned Changes to Cloud Authentication Service IP Addresses (March 2020)

To align with changes required by our Cloud service provider, Microsoft Azure, the RSA SecurID Access Cloud Authentication Service and Cloud Administration Console IP addresses will change in March 2020. RSA recommends that you make any necessary firewall changes to allow your identity routers and user browsers to connect to these new IP addresses. To prevent service disruption, your network must be able to connect to both the existing and new IP addresses by the following dates.

                            
| Region | New IP Addresses | Date |
| --- | --- | --- |
| ANZ | 20.37.53.30, 20.39.99.202 | March 20, 2020 |
| EMEA | 51.105.164.237, 52.155.160.141 | March 20, 2020 |
| US | 52.188.41.46, 52.160.192.135 | March 21, 2020 |

Note:  No configuration changes are required within the Cloud Authentication Service. If your firewall rules limit outgoing IP traffic, then you need to work with your IT team to add or whitelist the new IP addresses. If your firewall rules do not limit outgoing IP traffic, then you do not need to take additional action at this time.

To test access to the new IP addresses, see Test Access to Cloud Authentication Service.

These dates and IP addresses are also published here.

Known Issue

               
| Known Issue | Description |
| --- | --- |
| NGX-38913 | Problem: Customers with the RSA SecurID Access Base or Enterprise Edition cannot use access policies that contain condition attributes that are supported for those editions. Workaround: If you have the Base or Enterprise Edition, do not use conditional attributes in access policies until after this issue is fixed. |

 

November 2019 - Cloud Authentication Service (Identity Router)

The November 2019 release includes the following features and benefits.

Identity Router Update Schedule and Versions

Identity routers will be updated according to the following schedule.

                       
| Date | Description |
| --- | --- |
| 12/4/19 | Updated identity router software is available to all customers. |
| 1/25/2020 | Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually. |
| 2/22/2020 | If you postponed the default date, this is the last day when updates can be performed. |

The new identity router software versions are:

                   
| Deployment Type | Version |
| --- | --- |
| On-premises | 2.8.0.0.5 |
| Amazon Cloud | RSA_Identity_Router 2.8.0.0.6 |

RADIUS Support for Emergency Tokencode

Emergency Tokencode is supported for thick RADIUS clients and for Cisco Adaptive Security Appliance (ASA). RADIUS users who forget or misplace their registered devices can access protected SaaS and web applications using Emergency Tokencode by selecting it from the list of available authentication options. You can also customize your Cisco ASA to accept Emergency Tokencode.

Note:  If you are planning to use Emergency Tokencode, perform the customization before you update the identity router.

For instructions, see Customize the RSA SecurID Access Web Interface for a Cisco Adaptive Security Appliance.

SAML Configuration Improvements

The following configuration improvements affect SAML-enabled web applications when the Cloud Authentication Service is the identity provider:

  • You can require the identity provider to send AuthnContextClassRef in the SAML response as PasswordProtectedTransport to indicate that the password exchange must use a secure transport method. Currently, AuthnContextClassRef is sent as Password.

  • You can configure multivalued attributes to send each value in a separate attributeValue element. Currently, these values are separated by commas.

For instructions, see Configure Advanced Settings for a SAML Connection.
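The following added example (not RSA's code) shows how these two settings look to a service provider that parses the assertion. The assertions, the memberOf attribute name and the group DNs are constructed, and the example assumes the comma-separated form arrives in a single AttributeValue element.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Constructed group DNs: LDAP distinguished names contain commas themselves.
GROUPS = ["CN=VPN Users,OU=Groups,DC=example,DC=com",
          "CN=Admins,OU=Groups,DC=example,DC=com"]

def _assertion(class_ref, attr_values):
    """Build a minimal, unsigned sample assertion (constructed for this example)."""
    values = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>"
                     for v in attr_values)
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
        "<saml:AuthnStatement><saml:AuthnContext>"
        f"<saml:AuthnContextClassRef>{AC}{class_ref}</saml:AuthnContextClassRef>"
        "</saml:AuthnContext></saml:AuthnStatement>"
        '<saml:AttributeStatement><saml:Attribute Name="memberOf">'
        f"{values}</saml:Attribute></saml:AttributeStatement></saml:Assertion>"
    )

# Behaviour described as current: class ref Password, values joined by commas.
LEGACY = _assertion("Password", [",".join(GROUPS)])
# Both improvements enabled: PasswordProtectedTransport, one element per value.
IMPROVED = _assertion("PasswordProtectedTransport", GROUPS)

def read_assertion(xml_text, split_commas=False):
    """Return (AuthnContextClassRef, {attribute name: [values]}).

    Signature validation is omitted here; a real service provider verifies
    the assertion signature before trusting any of these fields.
    """
    root = ET.fromstring(xml_text)
    class_ref = root.findtext(".//saml:AuthnContextClassRef", namespaces=NS)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        if split_commas:
            # Naive recovery of multiple values from the comma-joined form.
            values = [part for v in values for part in v.split(",")]
        attrs[attr.get("Name")] = values
    return class_ref, attrs

def meets_policy(class_ref, required=AC + "PasswordProtectedTransport"):
    """Exact-match check a service provider might apply to the class ref."""
    return class_ref == required

if __name__ == "__main__":
    for name, doc in (("legacy", LEGACY), ("improved", IMPROVED)):
        ref, attrs = read_assertion(doc, split_commas=(name == "legacy"))
        print(name, meets_policy(ref), attrs["memberOf"])
```

With the comma-joined form, splitting on commas breaks each DN into its components, so group-based authorization on the service provider side cannot recover the original two values; separate AttributeValue elements remove that ambiguity.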

Customizable Attribute Mappings for Active Directory Identity Sources

You can now customize the default attribute mappings for Active Directory identity sources. For more information, see Directory Server Attributes Synchronized for Authentication.

Improved Documentation for Access Policies

RSA Link now provides complete documentation describing how to use operators when specifying LDAP attributes in access policies. For more information, see Operators for Using LDAP Attributes in Access Policies.

Fixed Issues

                                       
| Fixed Issue | Description |
| --- | --- |
| NGX-37423 | When the Cloud identity provider was configured for RSA SecurID Access manages all authentication with Password as the primary authentication method, iOS auto-populated the password field with a suggested strong password and forced the user to choose a password. This problem no longer occurs and users are simply prompted to enter the email address and password. |
| NGX-37397 | Previously, in environments that used the SSO Agent with a load balancer, when the load balancer checked the identity router health status and no alternate Cloud Authentication Service IPs were reachable, the identity router status servlet reported the identity router as unhealthy. As a result, the load balancer stopped sending traffic to the identity router. This problem has been fixed. |
| NGX-37059 | Previously, when domain certificates that had been uploaded to the Cloud Authentication Service expired, administrators were unable to navigate to other console pages, including the Authentication API Keys. Now, a warning message appears when certificates expire and navigation to other pages is allowed. |
| NGX-35793 | Approve authentication through the MFA Agent was failing because inactive notifications were being sent to the user's device. This problem has been fixed. |
| NGX-34903 | In some deployments, users were able to access SAML and Windows O365 applications directly with an expired LDAP password. Now, users are prompted to change their passwords when the option to allow password change is enabled. |
| NGX-34426 | Previously, a security vulnerability was found in a version of jQuery-ui included in the identity router. The jQuery-ui was upgraded to a newer version to address this vulnerability. |
| NGX-33608 | The security vulnerability affecting session fixation for the identity router setup console and web portal was fixed. |

Known Issues

                   
| Known Issue | Description |
| --- | --- |
| NGX-16781 | Problem: The identity router does not reliably route traffic to some services when multiple services are hosted by the same network resource. For example, if your DNS server and Active Directory server share the same IP address, the identity router might not route traffic properly to either service. Workaround: Configure DNS, gateways, and other network infrastructure services on dedicated servers that do not host other services for RSA SecurID Access. |
| NGX-38137 | Problem: Multifactor authentication fails when a company (deployment) has the following configuration settings: (1) The RSA Setup Administrator selected Allow access to Authenticate Tokencode, Approve, Device Biometrics and FIDO Token for the company. (2) The resource is protected by a preconfigured access policy. Authentication fails with the message "No challenge methods found for given policy." Workaround: Use a custom access policy. |

 

November 14, 2019 - RSA SecurID Authenticate for Windows 10 App

RSA SecurID Authenticate 3.2 for Windows 10 allows a user to add up to 10 different accounts (formerly called companies) in the app and contains bug fixes.

 

October 2019 - Cloud Authentication Service

The October 2019 release includes the following features and benefits.

Enable Password-Less Authentication Using FIDO2 Tokens When Authenticating to Service Providers

You can now specify FIDO Token as a primary authentication option when configuring service providers. To authenticate with this option, a user must have a FIDO2 token that requires multifactor authentication on the token (such as PIN or biometric), the user must set up the token multifactor authentication, and the user must register the FIDO Token in My Page. For more information, see Cloud Authentication Service User Requirements.

Add Your Own Customized Logos to User Authentication Pages

You will be able to customize pages used for additional authentication by adding your own logo when you configure RSA SecurID Access My Page. For instructions, see Manage RSA SecurID Access My Page.

User Event Log API Provides Details on Users' Identity Confidence Scores

The Cloud Administration User Event Log API will return the overall identity confidence score, including threshold and category scores (behavior, location and device) for users. Previously this information was exposed only in the User Event Monitor. Through the API, you can now export user risk information to any Security Information and Event Management (SIEM) platform for further analysis. For more information, see Cloud Administration User Event Log API.

Full Support for Adding 10 Accounts in RSA SecurID Authenticate App Releases

RSA SecurID Authenticate 3.1 for iOS allows a user to add up to 10 different accounts (formerly called companies) in the app and contains bug fixes. A November release of RSA SecurID Authenticate for Windows will allow a user to add up to 10 different accounts.

RSA is aware of the current iOS 13 issue in which the Touch ID screens do not display when a user is trying to authenticate with Touch ID on some devices. For example, this issue is noticed in the Authenticate app when a user is authenticating with a fingerprint to view the Authenticate Tokencode or to access an application.

Users should update to iOS 13.1.3 to resolve this issue. In the meantime, users can continue to use Touch ID in the Authenticate app by placing their fingers on the Home button when they would usually see the Touch ID screens. Touch ID is working in the background, so placing their fingers on the Home button completes the authentication request.

More Flexibility with New "Determined by Service Provider" Primary Authentication Option When Adding a Service Provider

To provide more flexibility when configuring authentication for a service provider, if you select the option to have RSA SecurID Access manage all authentication, you can now select the Determined by Service Provider at Run Time option to specify primary authentication in the RequestedAuthnContext attribute. For more information, see Add a Service Provider.

Expanded Cloud Authentication Service Authentication Methods and Improved Productivity and Security with RSA MFA Agent for Microsoft Windows

RSA MFA Agent 1.2 for Microsoft Windows works with the Cloud Authentication Service to require users to provide additional authentication to sign into Windows computers, whether they are online or offline.

The main highlights include:

  • Convenient authentication using Approve, Authenticate Tokencode, RSA SecurID Token, Device Biometrics, SMS Tokencode, Voice Tokencode and Emergency Tokencode.

  • Seamless authentication using the same registered authentication device for both online and offline Windows sign-in.

  • Online emergency access to Windows computers when users misplace or lose their authenticators (RSA SecurID Authenticate device or RSA SecurID hardware token).

  • Support for policy-driven identity assurance with conditional trusted network and trusted location attributes.

  • Many features to improve productivity and security during Windows sign-in.

For documentation and product download, see RSA MFA Agent for Microsoft Windows.

Fixed Issues

                       
| Fixed Issue | Description |
| --- | --- |
| NGX-33732 | Previously, a customer was unable to export a large number of user event logs using the Cloud Administration User Event Log API. This problem has been fixed. |
| NGX-34352 | Previously, when a new customer used a Firefox or Microsoft Edge browser to sign in to the Cloud Administration Console for the first time, the license did not display correctly. This problem has been fixed. |
| NGX-36891 | Previously, you were not permitted to save a relying party configuration with an ACS URL of more than 100 characters. The limit has been increased to 4000 characters. |

Known Issue

               
| Known Issue | Description |
| --- | --- |
| NGX-16781 | Problem: The identity router does not reliably route traffic to some services when multiple services are hosted by the same network resource. For example, if your DNS server and Active Directory server share the same IP address, the identity router might not route traffic properly to either service. Workaround: Configure DNS, gateways, and other network infrastructure services on dedicated servers that do not host other services for RSA SecurID Access. |

September 2019 - Cloud Authentication Service

Cloud Authentication Service Phased Update Process

Cloud Authentication Service updates will be rolled out in phases for each region (ANZ, EMEA, US) between October 9-17, 2019. RSA will notify you before your region is updated.

Emergency Access Enhancements

To enhance emergency access capabilities, Emergency Tokencode will be available for users who forget or misplace their registered devices. After you generate the tokencode in the Cloud Administration Console, the user can select Emergency Tokencode during the next authentication. For more information, see Supported Authentication Methods - Emergency Tokencode.

Note:  In the September release, this feature is supported for SaaS and web applications only. Support for RADIUS applications is expected to be available in a future release.

Performance and Reliability Improvements

To help improve performance and reliability, the components responsible for backend communication in the Cloud will be updated.

Planned Update to Cloud Authentication Service IP Address Rescheduled

For more information on this update, see the RSA Link notification.

October 1, 2019 - RSA SecurID Authenticate for Android

RSA SecurID Authenticate 3.1 for Android allows an individual user to add up to 10 different accounts (formerly called companies) in the app. Also, this release is qualified with Android 10.

For release notes prior to October 2019, see Release Notes Archive - Cloud Authentication Service and RSA SecurID Authenticate Apps.

 

 

 
