RSA SecurID® Access Release Notes: Cloud Authentication Service and RSA SecurID Authenticate App

Document created by RSA Information Design and Development on Aug 21, 2018. Last modified by Joyce Cohen on Mar 25, 2020.
Version 59

These release notes include product updates and bug fixes.

For additional information, see:

  • RSA SecurID Access Product Release Notes, a portal to all release notes for the Cloud Authentication Service, RSA Authentication Manager, authentication agents, and token authenticators.

  • RSA Link, to access all RSA SecurID Access product documentation.

March 2020 - Cloud Authentication Service

Update Your IP Addresses to Connect to the Cloud Authentication Service

RSA SecurID Access is not releasing new features in March 2020. Instead, this is a reminder that you must update your firewall to allow your identity routers and user web browsers to connect to new IP addresses for the Cloud Authentication Service and Cloud Administration Console. These changes are required by our Cloud service provider. To prevent service disruption, your network must be able to connect to both the existing and new IP addresses by the following dates.

Region | New IP Addresses | Date
ANZ | 20.37.53.30, 20.39.99.202 | Completed on March 20, 2020, 14:00 GMT (10:00 EDT)
EMEA | 51.105.164.237, 52.155.160.141 | Friday, April 3, 5:00 PM EDT
US | 52.188.41.46, 52.160.192.135 | Saturday, April 11

These dates and IP addresses are also published here.

It is important to know:

  • During the maintenance window for this upgrade, authentication services will continue, but you may lose audit data and new device registrations. For example, lost data may include browsers that were "remembered" during maintenance and user actions on My Page. Users who register devices during this time must re-register.

  • No configuration changes are required within the Cloud Authentication Service. If your firewall rules limit outgoing IP traffic, then you need to work with your IT team to add or whitelist the new IP addresses. If your firewall rules do not limit outgoing IP traffic, then you do not need to take additional action at this time.

For instructions on checking the status of your Cloud connections, see View Identity Router Status in the Cloud Administration Console. If you use any third-party tools, such as Pingdom, to monitor your deployment, you might want to temporarily disable alerts during the migration.
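
One way to check an exported egress allowlist against the new addresses listed above, as an added example that is not RSA code. The one-entry-per-line export format and the sample entries are constructed assumptions; the existing addresses are not listed on this page, so only the new ones are audited.

```python
import ipaddress

# New Cloud Authentication Service addresses, copied from these release notes.
NEW_IPS = {
    "ANZ": ["20.37.53.30", "20.39.99.202"],
    "EMEA": ["51.105.164.237", "52.155.160.141"],
    "US": ["52.188.41.46", "52.160.192.135"],
}

# Constructed sample export (assumed format): one allowed egress destination
# per line, as a single address, CIDR block or address/netmask pair.
# '#' starts a comment.
SAMPLE_ALLOWLIST = """\
# egress allowlist (constructed sample)
20.37.53.30
20.39.99.200/29
51.105.164.0/24
52.188.41.46/32
52.160.192.0/255.255.255.0
not-an-ip
"""


def parse_allowlist(text):
    """Return (networks, rejected) where rejected holds (line_no, entry)."""
    networks, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=False accepts entries with host bits set, which most
            # firewalls normalise to the containing network.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append((lineno, entry))
    return networks, rejected


def audit(allowlist_text, required=NEW_IPS):
    """Return (missing, rejected): required addresses no rule covers, by region."""
    networks, rejected = parse_allowlist(allowlist_text)
    missing = {}
    for region, addrs in required.items():
        gaps = [
            a for a in addrs
            if not any(ipaddress.ip_address(a) in net for net in networks)
        ]
        if gaps:
            missing[region] = gaps
    return missing, rejected


if __name__ == "__main__":
    missing, rejected = audit(SAMPLE_ALLOWLIST)
    for lineno, entry in rejected:
        print(f"line {lineno}: cannot parse {entry!r}, rule ignored")
    for region, addrs in missing.items():
        print(f"{region}: no egress rule covers {', '.join(addrs)}")
    if not missing:
        print("all new addresses are covered")
```

An entry that cannot be parsed is reported rather than silently skipped, because a mistyped rule is a common reason an address that was "added" is still blocked.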

March 19, 2020 - RSA SecurID Authenticate for Android

RSA SecurID Authenticate 3.3 for Android includes enhanced compliance checks to ensure the device is not rooted before allowing use of the app. The app previously checked for compliance during registration. The app now checks for compliance whenever users open the app (for example, to complete registration or an authentication request) and in interactive notifications for Approve. If the Authenticate app detects that a device is rooted, the app displays a "Device Not Compliant" message and prevents use of the app.

If your users are using rooted devices, instruct your users to unroot their devices, re-install the RSA SecurID Authenticate app (if necessary), and complete registration again with the app.

March 9, 2020 - RSA Security Key Utility

RSA announces the release of RSA Security Key Utility, a Windows utility that you deploy on users' Windows machines to manage user verification for FIDO2-certified security keys. Users can use the utility to manage a PIN for the security key or reset the key.

RSA Security Key Utility works with any FIDO2-certified USB security key. For system requirements, installation instructions, and more, see Using RSA Security Key Utility.

You can provide the following video to your users to demonstrate how to create and reset a PIN using the utility. The video is also available in the user help.

February 2020 - Cloud Authentication Service

Action Recommended for Certain SSO Agent Deployments to Handle Google Chrome 80 Changes

On February 18, 2020, Google will slowly roll out a change to the cookie behavior in Google Chrome version 80 or later. This changed cookie behavior does not affect most RSA SecurID Access users. However, there is a possibility that users who have version 80 and authenticate to the RSA SecurID Access Application Portal might experience step-up authentication failure if the authentication session is longer than two minutes. This does not affect deployments that use RADIUS or relying parties. If this issue affects your users, you might need to take further action. For instructions, see Immediate Action Recommended for Certain SSO Agent Deployments to Handle Google Chrome 80 Changes.

Schedule for Planned Changes to Cloud Authentication Service IP Addresses (March 2020)

To align with changes required by our Cloud service provider, Microsoft Azure, the RSA SecurID Access Cloud Authentication Service and Cloud Administration Console IP addresses will change in March 2020. RSA recommends that you make any necessary firewall changes to allow your identity routers and user browsers to connect to these new IP addresses. To prevent service disruption, your network must be able to connect to both the existing and new IP addresses by the following dates.

Region | New IP Addresses | Date
ANZ | 20.37.53.30, 20.39.99.202 | March 20, 2020
EMEA | 51.105.164.237, 52.155.160.141 | March 20, 2020
US | 52.188.41.46, 52.160.192.135 | March 21, 2020

Note:  No configuration changes are required within the Cloud Authentication Service. If your firewall rules limit outgoing IP traffic, then you need to work with your IT team to add or whitelist the new IP addresses. If your firewall rules do not limit outgoing IP traffic, then you do not need to take additional action at this time.

To test access to the new IP addresses, see Test Access to Cloud Authentication Service.

These dates and IP addresses are also published here.

Support for Windows Hello and Android Phone as FIDO Authenticators

The Cloud Authentication Service supports Windows Hello and Android phone as FIDO authenticators. Users must register these authenticators in My Page and not during first-time authentication to an application. You must enable registration for these authenticators in My Page. For more information, see FIDO Authenticators.

New Terminology for Authenticators and Devices

With the support of the FIDO platform authenticators Windows Hello and Android phone, terminology is changing in the Cloud Administration Console and product documentation to address authenticators that are not necessarily devices.

The following changes have been made in the documentation:

  • Authenticator is the new general term for something that a user authenticates with. As part of this change, device registration has been changed to authenticator registration. For example, "Users must complete authenticator registration to access protected applications."

  • Device will continue to be used in situations specific to the RSA SecurID Authenticate app. For example, "An individual user can use the RSA SecurID Authenticate app on a single registered device."

  • The FIDO terminology has changed for end users in My Page, browser-based authentication prompts, and help. In the past, users selected FIDO Token in My Page or More Options, for example. Now users select security key, Windows Hello, or Android phone, depending on what your organization has instructed them to register and use.

    All FIDO authenticators are still managed by the FIDO Token authentication method in the Cloud Administration Console.

The Cloud Administration Console text will be updated in a future release.

New Identity Source Attribute – Alternate Username

A new user identifier, Alternate Username, is available as an identity source attribute. Customers with relying parties such as Azure Active Directory can use any attribute, such as UPN, that is suitable for use as the SecurID Access username. For configuration instructions, see Add an Identity Source for the Cloud Authentication Service.

Cloud Administration API Retrieves Device Registration Codes

A new API allows users to securely register their devices within custom help desk and self-service portals. The API generates one-time device registration codes. For more information, see Cloud Administration Retrieve Device Registration Code API.

Fixed Issues

Fixed Issue | Description
NGX-38913 | Previously, customers with the RSA SecurID Access Base or Enterprise Edition were unable to use access policies that contained condition attributes that are supported for those editions. This problem has been resolved.
NGX-38902 | Previously, under certain conditions, some users continued to appear on the Users > Management page in the Cloud Administration Console and in synchronized user reports after their identity source had been deleted from the customer's deployment. This problem no longer occurs.

 

February 3, 2020 - RSA SecurID Authenticate for Android App

RSA SecurID Authenticate 3.2 for Android contains bug fixes.

January 2020 - Cloud Authentication Service

FIDO2 Certification for Cloud Authentication Service

The Cloud Authentication Service is now a FIDO2 Certified Server. The certification demonstrates compliance with the FIDO specification and ensures compatibility with any FIDO-certified security key.

As part of this certification, the Cloud Authentication Service checks the integrity of the security key response message during registration. If the response message is modified on its way to the Cloud Authentication Service, the registration is unsuccessful.

Additionally, the Cloud Authentication Service verifies the integrity and authenticity of FIDO-certified security keys listed with the FIDO Alliance Metadata Service (MDS). The Cloud Authentication Service rejects MDS-listed keys if detected as counterfeit or compromised.

Jailbreak Detection for RSA SecurID Authenticate for iOS

RSA SecurID Authenticate 3.2 for iOS contains the following updates:

  • Compliance checks to ensure the device is not jailbroken before allowing use of the app. If the Authenticate app detects that a device is jailbroken, the app displays a "Device Not Compliant" message and prevents use of the app. This message displays when users open the app (for example, to complete device registration or an authentication request) and in interactive notifications for Approve.

    If your users are using jailbroken devices, they will no longer be able to use the app. Instruct your users to restore their devices, and then complete device registration again with the RSA SecurID Authenticate app.

  • Bug fixes.

Security Fix for Integrated Windows Authentication Connector Requires Manual Update

A password is now required to protect the Issuer Signing Certificate file (.pfx) when you install the Integrated Windows Authentication (IWA) Connector. If your company installed the Connector prior to the January 2020 release, RSA recommends that you install the latest version of the Connector (1.6) with the certificate file password. For instructions, see Install the Integrated Windows Authentication Connector.

Schedule for Planned Changes to Cloud Authentication Service IP Addresses (March 2020)

To align with changes required by our Cloud service provider, Microsoft Azure, the RSA SecurID Access Cloud Authentication Service and Cloud Administration Console IP addresses will change in March 2020. RSA recommends that you make any necessary firewall changes to allow your identity routers and user browsers to connect to these new IP addresses. To prevent service disruption, your network must be able to connect to both the existing and new IP addresses by the following dates.

Region | New IP Addresses | Date
ANZ | 20.37.53.30, 20.39.99.202 | March 20, 2020
EMEA | 51.105.164.237, 52.155.160.141 | March 20, 2020
US | 52.188.41.46, 52.160.192.135 | March 21, 2020

Note:  No configuration changes are required within the Cloud Authentication Service. If your firewall rules limit outgoing IP traffic, then you need to work with your IT team to add or whitelist the new IP addresses. If your firewall rules do not limit outgoing IP traffic, then you do not need to take additional action at this time.

To test access to the new IP addresses, see Test Access to Cloud Authentication Service.

These dates and IP addresses are also published here.

Known Issue

Known Issue | Description
NGX-38913 | Problem: Customers with the RSA SecurID Access Base or Enterprise Edition cannot use access policies that contain condition attributes that are supported for those editions. Workaround: If you have the Base or Enterprise Edition, do not use conditional attributes in access policies until after this issue is fixed.

 

November 2019 - Cloud Authentication Service (Identity Router)

The November 2019 release includes the following features and benefits.

Identity Router Update Schedule and Versions

Identity routers will be updated according to the following schedule.

Date | Description
12/4/19 | Updated identity router software is available to all customers.
1/25/2020 | Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually.
2/22/2020 | If you postponed the default date, this is the last day when updates can be performed.

The new identity router software versions are:

Deployment Type | Version
On-premises | 2.8.0.0.5
Amazon Cloud | RSA_Identity_Router 2.8.0.0.6

RADIUS Support for Emergency Tokencode

Emergency Tokencode is supported for thick RADIUS clients and for Cisco Adaptive Security Appliance (ASA). RADIUS users who forget or misplace their registered devices can access protected SaaS and web applications using Emergency Tokencode by selecting it from the list of available authentication options. You can also customize your Cisco ASA to accept Emergency Tokencode.

Note:  If you are planning to use Emergency Tokencode, perform the customization before you update the identity router.

For instructions, see Customize the RSA SecurID Access Web Interface for a Cisco Adaptive Security Appliance.

SAML Configuration Improvements

The following configuration improvements affect SAML-enabled web applications when the Cloud Authentication Service is the identity provider:

  • You can require the identity provider to send AuthnContextClassRef in the SAML response as PasswordProtectedTransport to indicate that the password exchange must use a secure transport method. Currently, AuthnContextClassRef is sent as Password.

  • You can configure multivalued attributes to send each value in a separate attributeValue element. Currently, these values are separated by commas.

For instructions, see Configure Advanced Settings for a SAML Connection.
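
What the two settings change for a service provider that consumes the response, as an added example that is not RSA code: the parser below reads AuthnContextClassRef and accepts multivalued attributes in either encoding. The assertion fragments, the attribute name `groups`, the group values and all function names are constructed; signature validation is assumed to have happened before parsing.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
AC_PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def build_sample(class_ref, values):
    """Build a constructed, unsigned assertion fragment for illustration."""
    vals = "".join(
        f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:AuthnStatement><saml:AuthnContext>"
        f"<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>"
        "</saml:AuthnContext></saml:AuthnStatement>"
        '<saml:AttributeStatement><saml:Attribute Name="groups">'
        f"{vals}</saml:Attribute></saml:AttributeStatement>"
        "</saml:Assertion>"
    )


# Constructed group values. Distinguished names contain commas themselves.
GROUP_DNS = [
    "CN=VPN Users,OU=Groups,DC=example,DC=com",
    "CN=Finance,OU=Groups,DC=example,DC=com",
]
# Current behaviour: Password class, values joined by commas in one element.
LEGACY = build_sample(AC_PASSWORD, [",".join(GROUP_DNS)])
# New options: PasswordProtectedTransport, one AttributeValue per value.
SEPARATE = build_sample(AC_PPT, GROUP_DNS)


def parse_assertion(xml_text, comma_joined=()):
    """Return the authentication context class and attribute values.

    comma_joined names attributes the IdP sends as one comma-separated
    AttributeValue; only those are split, and only when a single element
    is present, so the separate-element encoding passes through untouched.
    """
    # In production, use a hardened parser (for example defusedxml) and
    # verify the XML signature first; both are outside this example.
    root = ET.fromstring(xml_text)
    ref = root.find(".//saml:AuthnContextClassRef", NS)
    attributes = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        name = attr.get("Name")
        values = [
            (v.text or "").strip()
            for v in attr.iterfind("saml:AttributeValue", NS)
        ]
        if name in comma_joined and len(values) == 1:
            values = [p.strip() for p in values[0].split(",") if p.strip()]
        attributes.setdefault(name, []).extend(values)
    context = ref.text.strip() if ref is not None and ref.text else None
    return {"authn_context": context, "attributes": attributes}


def authn_context_ok(parsed, required=AC_PPT):
    """True only when the IdP asserted exactly the required class."""
    return parsed["authn_context"] == required


if __name__ == "__main__":
    for label, doc in (("legacy", LEGACY), ("separate", SEPARATE)):
        parsed = parse_assertion(doc, comma_joined={"groups"})
        print(label, authn_context_ok(parsed), parsed["attributes"]["groups"])
```

With the comma-joined encoding the two constructed DNs come back as eight fragments, so a group check on the full DN fails; with separate attributeValue elements the values arrive intact.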

Customizable Attribute Mappings for Active Directory Identity Sources

You are now allowed to customize the default attribute mappings for Active Directory identity sources. For more information, see Directory Server Attributes Synchronized for Authentication.

Improved Documentation for Access Policies

RSA Link now provides complete documentation describing how to use operators when specifying LDAP attributes in access policies. For more information, see Operators for Using LDAP Attributes in Access Policies.

Fixed Issues

Fixed Issue | Description
NGX-37423 | When the Cloud identity provider was configured for RSA SecurID Access manages all authentication with Password as the primary authentication method, iOS auto-populated the password field with a suggested strong password and forced the user to choose a password. This problem no longer occurs and users are simply prompted to enter the email address and password.
NGX-37397 | Previously, in environments that used the SSO Agent with a load balancer, when the load balancer checked the identity router health status and no alternate Cloud Authentication Service IPs were reachable, the identity router status servlet reported the identity router as unhealthy. As a result, the load balancer stopped sending traffic to the identity router. This problem has been fixed.
NGX-37059 | Previously, when domain certificates that had been uploaded to the Cloud Authentication Service expired, administrators were unable to navigate to other console pages, including the Authentication API Keys. Now, a warning message appears when certificates expire and navigation to other pages is allowed.
NGX-35793 | Approve authentication through the MFA Agent was failing because inactive notifications were being sent to the user's device. This problem has been fixed.
NGX-34903 | In some deployments, users were able to access SAML and Windows O365 applications directly with an expired LDAP password. Now, users are prompted to change their passwords when the option to allow password change is enabled.
NGX-34426 | Previously, a security vulnerability was found in a version of jQuery-ui included in the identity router. The jQuery-ui was upgraded to a newer version to address this vulnerability.
NGX-33608 | The security vulnerability affecting session fixation for the identity router setup console and web portal was fixed.

Known Issues

Known Issue | Description
NGX-16781 | Problem: The identity router does not reliably route traffic to some services when multiple services are hosted by the same network resource. For example, if your DNS server and Active Directory server share the same IP address, the identity router might not route traffic properly to either service. Workaround: Configure DNS, gateways, and other network infrastructure services on dedicated servers that do not host other services for RSA SecurID Access.
NGX-38137 | Problem: Multifactor authentication fails when a company (deployment) has the following configuration settings: (1) The RSA Setup Administrator selected Allow access to Authenticate Tokencode, Approve, Device Biometrics and FIDO Token for the company. (2) The resource is protected by a preconfigured access policy. Authentication fails with the message "No challenge methods found for given policy." Workaround: Use a custom access policy.

 

November 14, 2019 - RSA SecurID Authenticate for Windows 10 App

RSA SecurID Authenticate 3.2 for Windows 10 allows a user to add up to 10 different accounts (formerly called companies) in the app and contains bug fixes.

 

October 2019 - Cloud Authentication Service

The October 2019 release includes the following features and benefits.

Enable Password-Less Authentication Using FIDO2 Tokens When Authenticating to Service Providers

You can now specify FIDO Token as a primary authentication option when configuring service providers. To authenticate with this option, a user must have a FIDO2 token that requires multifactor authentication on the token (such as PIN or biometric), the user must set up the token multifactor authentication, and the user must register the FIDO Token in My Page. For more information, see Cloud Authentication Service User Requirements.

Add Your Own Customized Logos to User Authentication Pages

You will be able to customize pages used for additional authentication by adding your own logo when you configure RSA SecurID Access My Page. For instructions, see Manage RSA SecurID Access My Page.

User Event Log API Provides Details on Users' Identity Confidence Scores

The Cloud Administration User Event Log API will return the overall identity confidence score, including threshold and category scores (behavior, location and device) for users. Previously this information was exposed only in the User Event Monitor. Through the API, you can now export user risk information to any Security Information and Event Management (SIEM) platform for further analysis. For more information, see Cloud Administration User Event Log API.

Full Support for Adding 10 Accounts in RSA SecurID Authenticate App Releases

RSA SecurID Authenticate 3.1 for iOS allows a user to add up to 10 different accounts (formerly called companies) in the app and contains bug fixes. A November release of RSA SecurID Authenticate for Windows will allow a user to add up to 10 different accounts.

RSA is aware of the current iOS 13 issue in which the Touch ID screens do not display when a user is trying to authenticate with Touch ID on some devices. For example, this issue is noticed in the Authenticate app when a user is authenticating with a fingerprint to view the Authenticate Tokencode or to access an application.

Users should update to iOS 13.1.3 to resolve this issue. In the meantime, users can continue to use Touch ID in the Authenticate app by placing their fingers on the Home button when they would usually see the Touch ID screens. Touch ID is working in the background, so placing their fingers on the Home button completes the authentication request.

More Flexibility with New "Determined by Service Provider" Primary Authentication Option When Adding a Service Provider

To provide more flexibility when configuring authentication for a service provider, if you select the option to have RSA SecurID Access manage all authentication, you can now select the Determined by Service Provider at Run Time option to specify primary authentication in the RequestedAuthnContext attribute. For more information, see Add a Service Provider.

Expanded Cloud Authentication Service Authentication Methods and Improved Productivity and Security with RSA MFA Agent for Microsoft Windows

RSA MFA Agent 1.2 for Microsoft Windows works with the Cloud Authentication Service to require users to provide additional authentication to sign into Windows computers, whether they are online or offline.

The main highlights include:

  • Convenient authentication using Approve, Authenticate Tokencode, RSA SecurID Token, Device Biometrics, SMS Tokencode, Voice Tokencode and Emergency Tokencode.

  • Seamless authentication using the same registered authentication device for both online and offline Windows sign-in.

  • Online emergency access to Windows computers when users misplace or lose their authenticators (RSA SecurID Authenticate device or RSA SecurID hardware token).

  • Support for policy-driven identity assurance with conditional trusted network and trusted location attributes.

  • Many features to improve productivity and security during Windows sign-in.

For documentation and product download, see RSA MFA Agent for Microsoft Windows.

Fixed Issues

Fixed Issue | Description
NGX-33732 | Previously, a customer was unable to export a large number of user event logs using the Cloud Administration User Event Log API. This problem has been fixed.
NGX-34352 | Previously, when a new customer used a Firefox or Microsoft Edge browser to sign in to the Cloud Administration Console for the first time, the license did not display correctly. This problem has been fixed.
NGX-36891 | Previously, you were not permitted to save a relying party configuration with an ACS URL of more than 100 characters. The limit has been increased to 4000 characters.

Known Issue

Known Issue | Description
NGX-16781 | Problem: The identity router does not reliably route traffic to some services when multiple services are hosted by the same network resource. For example, if your DNS server and Active Directory server share the same IP address, the identity router might not route traffic properly to either service. Workaround: Configure DNS, gateways, and other network infrastructure services on dedicated servers that do not host other services for RSA SecurID Access.

September 2019 - Cloud Authentication Service

Cloud Authentication Service Phased Update Process

Cloud Authentication Service updates will be rolled out in phases for each region (ANZ, EMEA, US) between October 9-17, 2019. RSA will notify you before your region is updated.

Emergency Access Enhancements

To enhance emergency access capabilities, Emergency Tokencode will be available for users who forget or misplace their registered devices. After you generate the tokencode in the Cloud Administration Console, the user can select Emergency Tokencode during the next authentication. For more information, see Supported Authentication Methods - Emergency Tokencode.

Note:  In the September release, this feature is supported for SaaS and web applications only. Support for RADIUS applications is expected to be available in a future release.

Performance and Reliability Improvements

To help improve performance and reliability, the components responsible for backend communication in the Cloud will be updated.

Planned Update to Cloud Authentication Service IP Address Rescheduled

For more information on this update, see the RSA Link notification.

October 1, 2019 - RSA SecurID Authenticate for Android

RSA SecurID Authenticate 3.1 for Android allows an individual user to add up to 10 different accounts (formerly called companies) in the app. Also, this release is qualified with Android 10.

September 18, 2019 - RSA SecurID Authenticate for iOS

RSA SecurID Authenticate 3.0.4 for iOS is qualified with iOS 13 and resolves NGX-34252, an issue with the Authenticate Tokencode display on iOS 13.

September 5, 2019 - RSA SecurID Authenticate for Windows 10

RSA SecurID Authenticate 3.1.1 for Windows contains the following updates:

  • To reduce administrative effort and increase usability, if a user’s email address changes in the identity source, the Authenticate app continues to work seamlessly. Users no longer need to re-register their devices.

  • Bug fixes.

With this release, RSA SecurID Authenticate for Windows no longer supports Windows Mobile devices.

August 2019 - Cloud Authentication Service

The August 2019 release provides the following features and bug fixes.

Generate a Device Registration Code for Users

Help Desk Administrators can use the Cloud Administration Console to generate a one-time numeric device registration code and provide it to users who need to register iOS, Android, and Windows devices with the RSA SecurID Authenticate App. This capability will help your company move closer towards meeting requirements for National Institute of Standards and Technology (NIST) Identity Assurance Level 2. To learn how to use this feature, see Manage Users for the Cloud Authentication Service - Generate a Device Registration Code.

Improved Single Sign-On Option When Adding a Service Provider

To improve usability, when you add a service provider and select RSA SecurID Access to manage all authentication, you can now select a Cloud identity provider to provide the primary authentication. This is useful for providing single sign-on from RSA SecurID Access or third-party portals or links.

Improvements and Additional Configuration Options for My Page

You can now provide single sign-on to RSA SecurID Access My Page when users access My Page through the RSA SecurID Access Application Portal, a third-party portal where My Page is configured, or directly through the My Page URL.

Additionally, to increase flexibility, RSA SecurID Access My Page now contains the following configuration options:

  • Logout URL to redirect users to a specific URL after they sign out of My Page.

  • Error URL to redirect users to a specific URL after they encounter an error.

  • Assertion Consumer Service value for copying into your identity provider configuration settings if you are configuring My Page for single sign-on in an unsolicited response flow (for example, when users access My Page through a third-party portal).

For more information, see Manage RSA SecurID Access My Page.

Additional Deployment Option for RSA SecurID Authenticate for Windows

Generally, users install RSA SecurID Authenticate for Windows from the Microsoft Store. If your users cannot use the Microsoft Store, you can use Deployment Image Servicing and Management (DISM) to deploy the app from a command-line tool. After the app is deployed, users can then complete RSA SecurID Authenticate device registration.

For more information, see Deploying the RSA SecurID Authenticate for Windows App Using DISM.

Send Us Your Feedback

Do you have thoughts on RSA SecurID Access that you want to tell us? Are you finding what you need in the documentation on RSA Link? It is easier than ever to send us your feedback.

We can't wait to hear from you!

Fixed Issues

Fixed Issue | Description
NGX-33217 | Publishing in a cluster with a Global Server Load Balancer (GSLB) resulted in a HTTP status code 503 error for some customers. The documentation has been clarified to explain that if you use GSLBs, configure them to wait for seven minutes before they switch to another cluster. This guidance is now documented in Publishing Changes to the Identity Router and Cloud Authentication Service.

August 14, 2019 - RSA SecurID Authenticate for iOS App

RSA SecurID Authenticate 3.0.3 for iOS contains bug fixes.

Fixed Issue

Fixed Issue | Description
NGX-33118 | RSA SecurID Authenticate for iOS no longer freezes on the splash screen when receiving notifications.

July 2019 - Cloud Authentication Service (Identity Router)

The July 2019 release includes the following features and benefits.

Identity Router Update Schedule and Versions

Identity routers will be updated according to the following schedule.

Date | Description
July 27, 2019 | Updated identity router software is available to all customers.
September 7, 2019 | Default date when identity routers are scheduled to automatically update to the new version unless you postpone the update.
October 12, 2019 | If you postponed the default date, this is the last day when updates can be performed.

The new identity router software versions are:

Deployment Type | Version
On-premises | 2.7.0.0.5
Amazon Cloud | RSA_Identity_Router-2.7.0.0.5

My Page Improves Secure Registration for FIDO Tokens

Users can register FIDO Tokens in a more secure environment using RSA SecurID Access My Page. My Page allows you to protect FIDO registration with an access policy that you can align with your company’s existing policies. After you enable My Page registration for FIDO Tokens, the FIDO Token registration process that occurs during user authentication automatically becomes disabled. Users can also use My Page to delete their FIDO Tokens. For more information, see Device Registration.

Automatic Push Notifications for Users Who Access RADIUS-Based Applications

The user experience for accessing RADIUS-based applications has been improved. You can ensure that the Cloud Authentication Service always sends automatic push notifications for Approve or Device Biometrics when your deployment is configured as follows:

  • The RADIUS client is configured to apply an access policy for additional authentication without primary (for example, password) validation.

  • Approve or Device Biometrics is available in the access policy protecting the resource the user is attempting to access.

Previously, automatic push notifications were not available when only the access policy was applied for additional authentication without primary validation. For more information, see RADIUS for the Cloud Authentication Service Overview.

Identity Confidence Analytics Report for Troubleshooting User Authentication Issues

You can view up-to-date identity confidence analytics by generating a report in the Cloud Administration Console. The report, provided in a graphical, easy-to-read format, displays the number of times users attempted to access resources that are protected by access policies that contain the identity confidence attribute. The report can include all users in your company or only individual users within a specified timeframe. This report is particularly useful to Help Desk Administrators when they assist users who, for example, may have to authenticate at a high assurance level because their identity confidence scores are low. For more information, see Condition Attributes for Access Policies - Identity Confidence Analytics Report.

Identity Router Improvements

The following features require you to update your identity router software.

Identity Router Setup Made Easier

Identity router setup has been simplified for identity routers deployed in the VMware and Hyper-V environments. The proxy interface, which is not required for non-SSO deployments, is disabled by default in the Identity Router Setup Console. You can enable it as needed for SSO deployments.

Note:  This enhancement affects only identity routers you deploy in the future. It does not affect identity routers already configured.

For more information, see Identity Router Network Interfaces and Default Ports.

Improved Status Indicators for Identity Routers

You can quickly identify potential problems that might occur when you set up and monitor identity routers using the improved status indicators in the Cloud Administration Console. The Platform > Identity Routers list page provides more details on the status of each identity router and its dependent services, including the status of clusters, memory usage, CPU usage, and cloud connectivity. For more information, see View Identity Router Status in the Cloud Administration Console.

Improved Proxy Management for Identity Routers

More flexible deployment options are available to you for identity routers. Identity routers now support transparent, explicit, and man-in-the-middle proxy configurations. The identity router informs you if a non-RSA SSL proxy certificate is configured, and allows you to temporarily accept the certificate and proceed while you work with your network IT to whitelist the URL. For more information, see Connect the Identity Router to the Cloud Administration Console.

RSA SecurID Authentication API Enhancements

The RSA SecurID Authentication API contains new methodIDs for SMS and Voice Tokencodes to promote consistency with other authentication methods. For more information, see RSA SecurID Authentication API Developer's Guide.

Fixed Issues

| Fixed Issue | Description |
| --- | --- |
| NGX-33346 | If you have configured My Page to use a Cloud identity provider, users can now use the SAMAccountName attribute as the user ID when registering devices. |
| NGX-17148 | If an IWA user attempted to access the application portal when IWA connector server was down, the user received a connection timeout error rather than a message indicating unsuccessful authentication. To mitigate this, you can provide high availability for IWA authentication by deploying more than one IWA Connector server behind the load balancer. This ensures that SAML IdP requests avoid a single point of failure. For more information, see Integrated Windows Authentication. |
| NGX-17276 | Previously, the Disabled option on the Basic Information page in the application configuration wizard did not disable applications that were configured to use SAML or HTTP Federation. This issue has been fixed. Beginning in July 2019, all applications that were previously configured as disabled will be unavailable to users and will not appear in the application portal and will not be available through deep linking. |
| NGX-29977 | You can now access the Cloud Administration Console using an email address containing a plus sign (+). Previously, this operation failed intermittently. |
| NGX-32525 | Documentation update clarifies when location is collected from users and administrators. |
| NGX-31946 | The Cloud Administration Console now displays the correct number of active user sessions. Previously, for some customers who used rich clients, the number of active sessions increased until the identity router was restarted. |
| NGX-31068 | The publish status is displayed correctly in the Cloud Administration Console after you add and associate a profile for the RADIUS client. Previously, the status was Changes Pending even when no changes were pending. |
| NGX-30235 | RADIUS profiles now allow multi-valued LDAP attributes to be mapped to the "Class" attribute. Each value of the multi-valued LDAP attribute will create a separate "Class" RADIUS attribute. |

July 8, 2019 - RSA SecurID Authenticate for Android App

RSA SecurID Authenticate 3.0 for Android contains the following updates:

  • To increase usability, users receive device registration or deletion confirmation emails in the language of the users’ registered devices.

  • To reduce administrative effort and increase usability, if a user’s email address changes in the identity source, the Authenticate apps continue to work seamlessly. Users no longer need to re-register their devices.

  • Bug fixes.

After Android users update to this app version, the first time that they receive a notification, they must tap the notification to open the app, wait for the app to complete the update process, and then complete the authentication (for example, by tapping Approve or using a fingerprint). Users must keep the app open during the update process, which can take up to a few minutes to complete. Subsequent actionable notifications work as expected.

This Android app version is only available to users running Android 6.0 or later. Android 5.0 users must update to 6.0 or later and then update to this app version.

June 2019 - Cloud Authentication Service

Extend Cloud Authentication Service Authentication Methods to Windows Computers with RSA MFA Agent for Microsoft Windows

RSA MFA Agent 1.1 for Microsoft Windows works with the Cloud Authentication Service to require users to provide additional authentication to sign into Windows computers, whether they are online or offline.

The main highlights include:

  • Convenient authentication using Approve or Authenticate Tokencode.

  • Authenticate with the same registered device for both online and offline Windows sign-in.

  • Support for policy-driven identity assurance with conditional trusted network and trusted location attributes.

For documentation and product download, see RSA MFA Agent for Microsoft Windows.

More Options for Customizing My Page

To improve the user experience, you can now customize My Page in the following ways:

Clear the userParameters Attribute Checkbox in the Identity Source Configuration

If the userParameters attribute is selected for synchronization in your identity source configuration, RSA recommends that you clear the checkbox. Selecting this attribute occasionally prevents identity source synchronization.

Fixed Issues

| Issue | Description |
| --- | --- |
| NGX-24290 | If a user locks his or her LDAP password, the User Management page for that user now shows a message indicating that the user's password is locked and what time it will unlock. |
| NGX-31821 | RSA SecurID Authenticate 3.0.1 for iOS no longer displays an incorrect error stating that the user already has a registered device. |
| NGX-31158 | The top-level domain part of the protected domain name can now accept up to 33 characters. |
| NGX-29843 | When you add a RADIUS profile, you can now only map supported attributes. |
| NGX-29702 | The system now prevents an administrator from accidentally updating an identity router multiple times within a short period of time, which could cause the application portal sign-in to stop working. |
| NGX-29547 | The Cloud Administration Console and associated documentation were updated to clarify that when adding an application bookmark, you can allow all authenticated users to access the bookmark or select a policy that limits access to a subset of users. |

June 10, 2019 - RSA SecurID Authenticate for iOS App

RSA SecurID Authenticate 3.0.2 for iOS resolves NGX-31886. With this fix, the Authenticate Tokencode will no longer display as zeroes for a small percentage of users who update to this app from version 2.2.

All Authenticate for iOS users should update to this version. This release requires iOS 11.

The small percentage of users who have updated to app version 3.0.1 and still experience this issue must do the following:

  1. Delete the device in My Page, or have an administrator delete the user's device in the Cloud Administration Console.
  2. Delete the Authenticate app on the mobile device.
  3. Install the Authenticate app from the App Store.
  4. Re-register the app with RSA SecurID Access.

May 29, 2019 - RSA SecurID Authenticate for iOS App

RSA SecurID Authenticate 3.0.1 for iOS resolves the following issues:

  • NGX-31260 - Users who update to the latest app version now receive notifications for the Approve authentication method.
  • NGX-31263 - Users who update to the latest app version no longer need to re-register their devices with RSA SecurID Access.

This version of the app requires iOS 11.

May 2019 - Cloud Authentication Service

RSA SecurID Authenticate App Improvements Require Users to Update Before June 15, 2019

There are new versions for RSA SecurID Authenticate for iOS, Android, and Windows, described below. To prevent issues with device registration and adding additional companies, users must update to these versions or higher before June 15, 2019.

  • RSA SecurID Authenticate 3.0.3 for Windows contains bug fixes.

  • RSA SecurID Authenticate 3.0 for iOS and Android contain the following updates:

    • To increase usability, users receive device registration or deletion confirmation emails in the language of the users’ registered devices.

    • To reduce administrative effort and increase usability, if a user’s email address changes in the identity source, the Authenticate apps continue to work seamlessly. Users no longer need to re-register their devices.

    • Bug fixes.

    After Android users update to this app version, the first time that they receive a notification, they must tap the notification to open the app, wait for the app to complete the update process, and then complete the authentication (for example, by tapping Approve or using a fingerprint). Subsequent actionable notifications work as expected.

    This Android app version is only available to users running Android 6.0 or later. Android 5.0 users must update to 6.0 or later and then update to this app version.

Improved Reporting of Users' Identity Confidence Scores Benefits Help Desk Administrators and Users

The User Event Monitor will report detailed information about users’ identity confidence scores. This information includes the user’s overall identity confidence score and tenant level confidence threshold, as well as the user's separate scores for device confidence, behavior confidence, and location confidence. Help Desk administrators can make use of this information when they assist users who are challenged for additional authentication factors or are unable to access protected resources. For more information, see Condition Attributes for Access Policies - Identity Confidence.

Fixed Issues

| Issue | Description |
| --- | --- |
| NGX-27407 | Previously, if a user waited too long to complete additional authentication when accessing My Page, a User Session Expired message displayed, and the user had to cut and paste a URL to return to My Page. This problem has been fixed. Now, the user can provide additional authentication and then return to My Page by clicking a button, or the user will be automatically redirected to My Page after 20 seconds of inactivity. |
| NGX-26573 | Previously, generating a report listing all synchronized users took progressively longer over time. Performance has been significantly improved. |
| NGX-16693, NGX-17168 | Previously, in the Cloud Administration Console, the dashboard incorrectly displayed the number of active sessions for identity routers. This problem has been fixed and the dashboard now displays the correct number of sessions. |
| NGX-20399 | Previously, if users' email addresses changed in identity sources, the users had to re-register their devices with the RSA SecurID Authenticate app. Email address changes are now handled seamlessly by the Authenticate app, and users do not need to re-register. |

 

April 2019 - Cloud Authentication Service

Send Emails to Users When They Register or Delete Devices

To help increase security, you can configure the Cloud Authentication Service to automatically send confirmation email to users in the following situations:

  • A user completes RSA SecurID Authenticate device registration.

  • A user adds an additional company in the RSA SecurID Authenticate app.

  • A user deletes a company in the RSA SecurID Authenticate app.

  • A user deletes an RSA SecurID Authenticate registered device.

You configure these options in My Account > Company Settings > Device Registration & Deletion Emails. For instructions, see Configure Device Registration and Deletion Emails.

Pagination for RADIUS Profiles in the Cloud Administration Console

Pagination now makes it easier to manage multiple RADIUS profiles. In the Cloud Administration Console, you can choose to display 10, 20, or 30 profiles associated with a client on the RADIUS Profiles page. Expand each profile to see details, dissociate, or delete the profile. Profiles disappear from the list when you dissociate or delete them. For instructions on configuring RADIUS profiles, see Configure a RADIUS Profile for the Cloud Authentication Service.

Fixed Issues

| Issue | Description |
| --- | --- |
| NGX-25560 | If you manage the RSA SecurID Authenticate for Android app with an Enterprise Mobility Management (EMM) solution, the Email Logs button now works in the app. |
| NGX-26628 | Previously, a user who had repeatedly attempted to register the same device unsuccessfully might not be able to register the device at all. This problem has been fixed, and the user can now register the device. |
| NGX-28022 | Documentation for creating a custom portal has been updated to include the missing information. |
| NGX-28076, NGX-28338 | Users who previously could not be synchronized due to a case change in an attribute value can now be synchronized correctly. |

To see release notes that were published for earlier releases, see Release Notes Archive | Cloud Authentication Service and RSA SecurID Authenticate Apps.

 

 

 

 

 
