Cloud Authentication Service Updates
The following sections provide information on the new and enhanced features of the Cloud Authentication Service (CAS).
Access Policy 2.0 Support for SAML Relying Parties
Access Policy 2.0 offers a comprehensive solution for authentication configuration, allowing administrators to define both primary and additional authentication methods within a single policy. In alignment with the process available for Single Sign-On (SSO) applications and RSA My Page, administrators can now use Access Policy 2.0 for SAML Relying Party apps with primary and additional authentication options managed by the Cloud Authentication Service (CAS).
In addition, when configuring or editing existing SAML Relying Party apps that are currently utilizing Access Policy 1.0, administrators can click the Generate a new 2.0 policy for me button on the Access > My Page > My Authenticators page to automatically generate a new 2.0 access policy for primary authentication.
New User Verification Method for My Page Enrollment
In the Cloud Administration Console, a new user verification method is now available. Administrators can use the “Password + Email Enrollment Code” method for the My Page Enrollment Policy. Administrators can configure the Enrollment Settings, specifying the attribute for the source of the email address and the validity duration of the code. Then, administrators need to update the My Page Enrollment Policy with the new verification method. Subsequently, users can initiate the self-enrollment process through RSA My Page, using their password along with the provided validation code.
Additionally, administrators can unlock Enrollment Codes for users from the Users > Management page if their codes were locked.
Introducing FIDO's Latest Terminology and Icons
RSA application screens now incorporate the latest terms and icons from the FIDO Alliance, streamlining the identification of FIDO credentials. These enhancements include using the term "FIDO Passkey" to identify all types of FIDO credentials and introducing new FIDO icons to represent a FIDO Passkey.
Mobile Lock Enhancements
When the Mobile Lock feature is enabled for the first time, it now uses a threat policy called "Default Monitoring", where enabled threats are not classified as "Critical". As a result, detected threats are then only reported in the Mobile Lock Console without blocking authentication for end-users. This allows organizations to enable Mobile Lock with the primary objective of assessing threats present within the users' mobile devices while not impacting users. Subsequently, organizations can make informed decisions about which threats should be considered critical enough to warrant blocking authentication.
Another threat policy named "Default Active" is also available as part of the initial Mobile Lock configuration. Enabling this threat policy instead of the current "Default Monitoring" will result in blocking authentication for a predefined set of critical threats.
Additionally, administrators can now configure Single Sign-On (SSO) for their Mobile Lock Console. For detailed instructions and further information, please refer to How to enable the SSO Configuration menu in the RSA Mobile Lock Console.
Enhanced Access and Configuration for Identity Verification Providers
In the Cloud Administration Console, administrators can now directly access the new Identity Verification Providers page from the Users menu, provided that they have the Identity Verification Provider license enabled. Administrators no longer need to navigate through Users > Identity Providers to add a User Verification Identity Provider. Instead, on the Identity Verification Providers page, administrators can add new connectors, making the management of Identity Verification Providers more efficient and much smoother.
Furthermore, the Attribute Mappings tab has been moved from the OIDC Settings page to the Identity Verification Providers page. The relocated Attribute Mappings tab retains its original functionality, allowing administrators to create, edit, and delete mappings as required. This relocation enhances efficiency in configuration management, providing a more intuitive experience for administrators.
Integrations with Microsoft Entra ID External Authentication Methods
Microsoft announced its plan to transition the External Authentication Methods (EAM) framework to Public Preview in May 2024. With the EAM framework entering Public Preview, administrators can anticipate greater flexibility and security when integrating external authentication methods with Microsoft services. Therefore, RSA now offers support for integrations with external authentication methods. Furthermore, in the Cloud Administration Console, "Microsoft Azure Active Directory" within the Relying Party Catalog has been renamed to "Microsoft Entra ID" in alignment with Microsoft terminology.
Enhanced Visibility and Navigation in the Cloud Administration Console
In the Cloud Administration Console, vertical scrolling previously caused administrators to lose sight of the page context and action buttons. To enhance user experience, an update has been made to keep the main header and side navigation tabs fixed, ensuring continuous visibility of the context. This enhancement enables administrators to access action buttons and view side navigation tabs without losing sight of the page content, resulting in a smoother user experience and improved accessibility to essential functions within the Cloud Administration Console.
Introducing "Need Help" Link for Failed OTP Step-Up Authentication
During web authentication, if a user encounters a failed one-time password (OTP) step-up authentication attempt, a "Need Help" link will appear on the authentication screen. This link provides guidance for users to use the appropriate method based on their registered OTP authenticators and configured assurance levels.
In the Cloud Administration Console, administrators can enable this hint text option from My Account > Company Settings > Sessions & Authentication.
Coming Next Month: RSA Authenticator V4.4 for iOS and Android
RSA Authenticator app V4.4 for iOS and Android is set for release next month with the following main new features:
- Enhanced security: Biometric Pushed Notification now supports Code Matching.
- Passkey support: The app can now be registered and used as a FIDO device-bound passkey.
Upcoming End of Primary Support (EOPS) Details
The following table provides details of the RSA products reaching the end of support within the next six months:
| Product | Version | EOPS Date | Extended Support Level 1/Level 2 |
|---|---|---|---|
| Authenticator for Windows | 6.1.2 | November 2024 | No |
| | 6.1.1 | August 2024 | No |
| RSA Authentication Manager | 8.6 | August 2024 | August 2025/August 2026 |
| SDK for iOS and Android | 3.1 | June 2024 | No |
| | 2.5 (iOS) 2.8 (Android) | | |
| Authentication Agent for Microsoft Windows | 7.4.x | June 2024 | No |
| MFA Agent for Microsoft Windows | 2.1.x | June 2024 | No |
| Authentication Agent for PAM | 8.1.x | November 2024 | No |
| Authenticator App for iOS and Android | 4.2 | June 2024 | No |
Identity Router Update Schedule and Versions
This release includes miscellaneous identity router improvements. Identity routers will be updated according to the following schedule. Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.
| Date | Description |
|---|---|
| AU: 6/25/2024; EU/IN/JP: 6/27/2024; NA: 6/28/2024; GOV: 6/28/2024; CA/SG: 6/28/2024 | Updated identity router software is available to all customers. |
| Default: Saturday 10/05/2024 | Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually. |
| Last: Sunday 10/27/2024 | If you postponed the default date, this is the last day when updates can be performed. |
The new identity router software versions are:
| Identity Router Deployment Type | Version |
|---|---|
| On-premises | 12.21.0.0 |
| Amazon Cloud | RSA_Identity_Router 12.21.0.0 |
Third-Party Integrations from RSA Ready
The following integrations are recently completed or certified by RSA through the RSA Ready Technology Partner Program. Implementation Guides will be coming soon. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.
- BeyondTrust Privilege Remote Access (new) – new SAML support for the Cloud Authentication Service.
- GitLab (update) – updated SAML support for the Cloud Authentication Service.
- Microsoft Entra ID (update) – updated SAML support for the Cloud Authentication Service.
- Mulesoft Anypoint Platform (update) – updated SAML support for the Cloud Authentication Service.
- Netskope Security Cloud (new) – new SAML support for the Cloud Authentication Service.
- PingFederate (update) – new OIDC support for the Cloud Authentication Service.
- SAP Concur (update) – updated SAML support for the Cloud Authentication Service.
- Salesforce Tableau (update) – updated SAML support for the Cloud Authentication Service.
- SolarWinds Observability (new) – new SAML support for the Cloud Authentication Service.
- Zendesk for Sales (new) – new SAML support for the Cloud Authentication Service.