April 2026 Cloud Access Service Release Notes
3 days ago

Cloud Access Service Updates

The following subsections outline the new and enhanced features of the Cloud Access Service (CAS).

 

Credential Recovery Support for Multi-Credential Authenticators

CAS now supports credential recovery for authenticators that store multiple credential types for a single user on the same device. Examples include OTP and FIDO credentials in the RSA Authenticator app, SecurID OTP and FIDO credentials in the DS100, and HOTP and FIDO credentials in the iShield and Yubikeys. If you use supported combinations of FIDO and OTP authenticators, you can now replace your device through Credential Recovery self-service. This enhancement allows you to recover multiple credentials tied to a single device without manual intervention, reducing help desk dependency and associated administrative costs.

 

Configurable Live Verify Session Time Limit

The Live Verify configuration is now enhanced to allow the session time limit to be set from 5 to 15 minutes, in 1-minute increments, giving users additional time to successfully complete the verification process. The configured time limit applies to sessions initiated from the User Management page and via the API. To configure the time limit, navigate to Cloud Administration Console > My Account > Company Settings > Sessions & Authentication.

 

User-Initiated Unified Logout for My Page SSO Applications (General Availability) 

User-initiated Unified Logout is now supported for My Page SAML and OIDC SSO applications, allowing you to sign out of all active participating Unified Logout application sessions with a single action. CAS centrally manages active sessions, simplifying session management, improving security, and supporting compliance with industry standards.

  • To manage session lifetime for My Page, navigate to Cloud Administration Console > Access > My Page, select the Applications tab, and update the settings in the User Sessions section. The Session Duration setting in this section controls the session duration for all SAML and OIDC SSO applications managed by the My Page SSO Session Manager. In SAML, the session timeout is defined by the SessionNotOnOrAfter attribute. In OIDC, the session timeout is defined by the session_expiry claim in the ID token.
  • To configure Unified Logout for SAML applications, navigate to Cloud Administration Console > Applications > Applications, select the SAML application, and update the SAML Unified Logout Configuration section on the Connection Profile tab.
  • To configure Unified Logout for OIDC applications, navigate to Cloud Administration Console > Applications > Applications, select the OIDC application, and update the Unified Logout Configuration section on the Connection Profile tab.

Note: The My Page session duration centrally controls the session lifetime for both OIDC and SAML applications.

 

Common User Schema Preparation and Attribute Refresh Updates

CAS now automatically performs a Refresh Attributes action on all existing AD and LDAP identity sources to ensure the user schema (list of user attributes) is available in CAS. When creating a new AD or LDAP identity source, CAS attempts to automatically perform a Refresh Attributes action on the User Attributes tab in Cloud Administration Console > Users > Identity Sources, and the action must succeed before the identity source can be saved. If network, credential, or other issues prevent connection to the identity source, you must go to the Identity Source Details tab and resolve the issue.

Note: CAS will transition to a common user schema (a consistent set of user attributes) in a future release. This update prepares for that change by introducing enhancements to how Active Directory on-premises and LDAP identity sources are configured.

 

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:

ProductVersionEOPS DateExtended Support Level 1/Level 2
MFA Agent for Microsoft Windows 
2.3.1/ 2.3.2 
May 2026No
Authenticator for iOS & Android 
4.4 June 2026No
RSA Authentication Manager 
8.7 SP1 
June 2026June 2027/ June 2028 

 

Fixed Issues

The following table lists the fixed issues for this release:

Fixed IssueDescription
NGX-222581Customer requests to CAS for administrative operations (for example, looking up a user or retrieving user devices) were intermittently blocked with a 429 response during periods of high load.
NGX-223465In IDR Audit Logging, when selecting the Output Type as Send to syslog, the Protocol selection is reversed. Selecting TCP applies UDP, and selecting UDP applies TCP
NGX-225890

Resolved an issue where users intermittently encountered "UNKNOWN USER" errors when one directory server was unavailable, even though other directory servers were healthy to serve the request. The identity router (IDR) now correctly continues validation against available directories, and customers need to publish the IDR to apply the fix. 

Known Issue

The following table lists the known issue in this release:

Known IssueDescription
NGX-226702When a network zone includes a trusted or restricted network with a blank CIDR and is used by application access policies evaluated via IDR, access may be incorrectly allowed or blocked respectively. This issue is fixed in the June release. For earlier releases, publishing resolves the issue.