RSA June 2023 Release Announcements
Originally Published: 2023-06-22

Publish Changes to the Cloud Authentication Service Without a Deployed Identity Router

Deploying on-premises identity routers (IDRs) is now optional. In the Cloud Administration Console, you can now publish your changes, and the settings will be synchronized with the Cloud Authentication Service without a registered IDR.

Reset Your Users’ Passwords

If users do not remember their current password, they can contact their IT administrator for a password reset. In the Cloud Administration Console, you can now generate a reset code and share it with users to enter a one-time password (OTP) and reset their passwords. You can reset a user's password by sending a password reset email to the user's email address. The password reset feature is available for ID Plus E2 and E3 subscriptions.

View Pending Changes Before Publishing

Before publishing your changes, you now have visibility into pending changes made by you and other administrators. In the Cloud Administration Console, you can now view a list of pending changes and their details. You can get an overview of who changed what and when for the last 90 days.

Manage the Entire User Life Cycle Using SCIM APIs

You can now use the SCIM operations to search, create, modify, or delete users in the Unified Directory. The SCIM API allows you to search for users, and you can use the search endpoints to filter the rows in the result.

Set Up Initial Passwords for Users in the Unified Directory

You can now control the settings of the initial user passwords for identity sources in the Unified Directory. When creating a user in the Cloud Administration Console, you can provide an initial password or generate it using the Cloud Authentication Service. You can add users' email addresses, and the Cloud Authentication Service will email initial passwords to them.

RSA My Page Supports Single Sign-On to OpenID Connect (OIDC) Applications

RSA My Page now supports single sign-on (SSO) to OpenID Connect (OIDC) applications. Users can sign in to My Page and access all OIDC applications, with the same authentication and assurance levels, without needing to log in again. Administrators can define the scopes and claims for applications in the Cloud Administration Console. Users can then consent to the permissions requested by an application. The consent form has been enhanced for better usability and user experience.

Changes to OpenID Connect (OIDC) Relying Party Claims

Please note the following changes to claims that can be used when adding an OpenID Connect (OIDC) relying party:

  • Claim names do not allow the following forbidden characters: " (double-quote), \ (backslash), ' (single-quote), and whitespace. Those characters will be removed automatically during the upgrade to the June release.

  • All claims marked as Essential are linked to the scope “openid” and the Essential flag is removed. The scope “openid” provides the same functionality as the Essential flag and is linked to all OIDC relying parties that have at least one Essential claim.

  • Claims with the same name across all OIDC relying parties are synchronized to the one that is edited last. This is required to move the claims into their centralized definitions that the June release is going to introduce. For example, if the claim “a” exists in the OIDC relying party “RP1” and in the OIDC relying party “RP2”, the copy that was edited last is used to synchronize the definition into both relying parties.

  • Claim names have become case-sensitive to match the official OIDC specifications.
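
A pre-upgrade audit of claim definitions against the changes listed above, as an added example that is not RSA code: it reports names that will lose forbidden characters, same-name claims whose definitions differ (with the last-edited copy that will be used), and names that differ only by case. The export shape (name, value, edited) and the sample data are hypothetical, and comparing names after character removal is an assumption about the upgrade order.

```python
from collections import defaultdict

FORBIDDEN = {'"', "\\", "'"}  # whitespace is handled with str.isspace()

# Constructed sample; the export shape (name/value/edited) is hypothetical.
SAMPLE = {
    "RP1": [
        {"name": "a", "value": "mail", "edited": "2023-05-01"},
        {"name": "dept name", "value": "department", "edited": "2023-04-10"},
        {"name": "Role", "value": "memberOf", "edited": "2023-03-02"},
    ],
    "RP2": [
        {"name": "a", "value": "userPrincipalName", "edited": "2023-06-01"},
        {"name": "role", "value": "memberOf", "edited": "2023-03-05"},
    ],
}

def sanitize(name):
    """Drop the characters the release notes list as forbidden in claim names."""
    return "".join(c for c in name if c not in FORBIDDEN and not c.isspace())

def audit(relying_parties):
    """Return the claims affected by each of the announced changes."""
    renamed, by_name = [], defaultdict(list)
    for rp, claims in relying_parties.items():
        for claim in claims:
            clean = sanitize(claim["name"])
            if clean != claim["name"]:
                renamed.append((rp, claim["name"], clean))
            by_name[clean].append((claim["edited"], rp, claim["value"]))
    # Same name with differing definitions: the copy edited last is used everywhere.
    overwritten = {}
    for name, copies in by_name.items():
        if len({value for _, _, value in copies}) > 1:
            _, rp, value = max(copies, key=lambda c: c[0])
            overwritten[name] = (rp, value)
    # Names differing only by case are distinct claims once names are case-sensitive.
    folded = defaultdict(set)
    for name in by_name:
        folded[name.lower()].add(name)
    case_variants = sorted(sorted(v) for v in folded.values() if len(v) > 1)
    return {"renamed": renamed, "overwritten": overwritten, "case_variants": case_variants}

if __name__ == "__main__":
    for finding, detail in audit(SAMPLE).items():
        print(finding, detail)
```

Relying-party applications that read a flagged claim should be checked against the resulting name and definition.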

Removal of Error URL from Single Sign-On Settings When Using a Cloud Identity Provider

When users encounter an error during authentication, they will no longer be navigated to the error URL configured in the My Page settings. Users remain on the RSA authentication pages. In a future release, the optional Error URL field will be removed from the SSO Portal Settings in the Cloud Administration Console.

Removal of a Primary Authentication Option When Configuring a SAML Service Provider

When adding or editing the authentication details of a SAML relying party, the Determined by Service Provider at Run Time option has been removed from the Primary Authentication Method list. This option is no longer available for primary authentication when configuring a service provider.

Authentication Manager 8.7 SP1 Supports VMware ESXi 8.0

Authentication Manager 8.7 SP1 can now be deployed on VMware ESXi 8.0 (VMware vSphere Hypervisor 8.0). For more information on deployment, see RSA Authentication Manager 8.7 SP1 Setup and Configuration Guide.

Upcoming End of Primary Support (EOPS) Details

The following table provides a summary view of the RSA products reaching the end of support within the next six months:

| Product | Version | EOPS Date | Extended Support Level 1 / Level 2 |
|---|---|---|---|
| Authentication Manager (AM) | 8.5 | Jul 2022 | Jul 2023 / No |
| | 8.4 | Dec 2021 | Dec 2022 / Jul 2023 |
| MFA Agent for Microsoft Windows | 2.0.x | Jul 2023 | No |
| MFA Agent for macOS | 1.3.x | Jul 2023 | No |
| Authenticator for iOS | 4.1.5 | Jan 2024 | No |
| | 4.1.0 | | |
| Authenticator for Android | 4.1.6 | Jan 2024 | No |
| | 4.1.0 | | |

New and Updated Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For Implementation Guides, see SecurID Integrations on the RSA Community.

  • Dell EMC Unisphere for PowerMax (new) – support for Authentication Manager using RSA MFA API (REST).

  • Federated Directory (new) – support for the Cloud Authentication Service using SAML.

  • IBM Hardware Management Console (new) – support for Authentication Manager using RADIUS.

  • Salesforce (update) – updated support for the Cloud Authentication Service using SAML.
