RSA September 2025 Release Announcements
6 months ago

Critical Notices

The following urgent notices relate to mandatory upgrades and important changes within the RSA environment. Immediate action is required to prevent potential service disruptions.

 

Mandatory Upgrade Required by October 6, 2025

Following Google's decision to stop recognizing Entrust as a trusted Certificate Authority (CA), RSA must transition to an alternative CA beginning the week of October 06, 2025. To ensure continued functionality, you must update or upgrade the necessary on-premises RSA components prior to this date. Failure to complete the required updates may result in significant service disruptions.

For more information on upgrading components, please refer to the latest published advisory: 6 WEEKS LEFT TO COMPLETE UPGRADE WHEN USING RSA CAS AND AVOID SERVICE DISRUPTION

 

Use of Company-Specific URLs Required

As a follow-up to the November 2024 Release Announcement, non-company-specific URLs will soon be removed. Please update the affected service URLs immediately. For more information, see transition guide here: Company-Specific Administrative URLs Update Instructions. Administrators must use their designated company-specific URLs for all access, including API interactions, AM configurations, SCIM configurations, or redirected URLs from identity providers (IdPs). The access through the non-company specific URL is not yet blocked. It will be blocked potentially resulting in a loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com ). To ensure uninterrupted access, administrators should promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as needed. If your Identity Router (IDR) software version is earlier than 12.22.0.0.32, you must upgrade your IDR to 12.22.0.0.32 or later to avoid any disruptions when non-company-specific URLs are deprecated.  

Starting with the June release, a banner warning appears for 24 hours whenever a non-company-specific URL is used for the following:

  • Logging in to the Cloud Administration Console via password or third-party IdP.
  • Accessing the Cloud Administration REST APIs.

In addition, an audit event is logged once per day whenever a non-company-specific URL is used for third-party IdP login and Cloud Administration REST API. You can view this event in the Cloud Administration Console > Platform >  Admin Event Viewer.

 

 

Cloud Access Service Updates

The following subsections outline the new and enhanced features of the Cloud Access Service (CAS).

 

New Export Capability for Event Monitors

You can now export event logs directly from the User Event MonitorSystem Event Monitor, and Admin Event Monitor in the Cloud Administration Console. This enhancement allows you to generate structured CSV reports with just a few clicks, making it easier to analyze activity, support compliance efforts, and streamline audit reporting. 

  • For the Admin and System Event Monitor: navigate to Cloud Administration Console > Platform Admin Event Monitor / System Event Monitor , then click Generate Report.
  • For the User Event Monitor: navigate to Cloud Administration Console > Users >User Event Monitor , then click Generate Report.

 

Simplify User Deprovisioning with Lifecycle Management

You can now enable, disable, or delete user access to applications provisioned through the Cloud Administration Console, giving managers and application owners greater control over access governance. These actions are available in My Page > My Users Access, providing improved visibility and flexibility when managing user permissions. To activate these capabilities, ensure the "Delete Action" is enabled and that the appropriate access control settings are configured through Cloud Administration Console > Application Catalog > Fulfillment. The availability of enable/disable options may vary depending on the selected Fulfillment Configuration Type, and all access changes will be reflected accordingly on My Page.

 

Create and Update Local Users Through the Manage Local User API

You can now use the Manage Local User API to create and update users in the local identity store, enabling automation of user lifecycle management. This enhancement supports seamless integration with existing workflows and ensures that actions align with the Cloud Administration Console permissions. The API is secured with modern OAuth protection, ensuring secure and scalable access for administrative operations.

 

Enforce Managed Browser Access

You can now require users to access Microsoft Edge for Business resources only through managed browsers, ensuring that access is limited to trusted, compliant devices. By leveraging Microsoft Edge device signals, this feature verifies endpoint compliance before granting access to critical applications. This strengthens your Zero Trust security posture by combining identity verification with device trust without complexity. To access this feature, navigate  to Cloud Administration Console > Access Managed Browser. You can then use the "Managed Browser" attribute within an Access Policy to enforce browser-based access controls. To configure the connector, see Microsoft Edge for Business - Device Trust Connector - RSA Ready Implementation Guide.

 

Configurable Periodic User Refresh for Inactive Accounts

You can now configure how often inactive accounts are refreshed from your on-prem directory (LDAP) in CAS. By default, up to 1,000 accounts unused in the past 30 days are refreshed daily. You can lower this threshold to as few as 7 days to better align with your security policies. To configure this feature go to Cloud Administration Console > Users Bulk Maintenance.

 

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:

ProductVersionEOPS DateExtended Support Level 1/Level 2
MFA Agent for Microsoft Windows
2.3October 2025No

 

Subscribe to status.securid.com for the Cloud Access Service Status Updates

For information about all service incidents and scheduled maintenance windows for the Cloud Authentication Service, subscribe to https://status.securid.com.

 

Coming Soon 

The following section outlines the upcoming features planned for the October release.

 

RSA MFA Agent for macOS 2.0 Expands Passwordless Authentication

RSA MFA Agent for macOS 2.0 introduces expanded support for passwordless primary authentication methods and enhanced resiliency features.

New passwordless authentication methods include:

  • Mobile Passkey, using the RSA Authenticator app v4.6+ for iOS or Android (no Bluetooth required)
  • QR Code Authentication
    • Biometric Authentication
    Note:
    • Passwordless authentication methods are included with ID Plus E2 and E3 subscriptions and are available as an add-on for ID Plus E1 subscriptions.

     

    Third-Party Integrations from RSA Ready

    The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.

    • New Integrations for ID Plus
      • Articulate Reach (SCIM)
      • HP Aruba ClearPass (SAML)
      • Microsoft Edge for Business Browser (RSA Device Trust Connector)
      • Rapid7 (SAML)
    • Updated Integrations for ID Plus
      • CyberArk PAM Vault (Radius)
      • CyberArk PAM PVWA (Radius)
    Announcement

    Related Articles

    Trending Articles

    Don't see what you're looking for?