February 2026 - Cloud Access Service 

Cloud Access Service Updates

The following subsections outline the new and enhanced features of the Cloud Access Service (CAS).

Expanded HOTP Hardware Authenticator Support

Support for HOTP hardware authenticators now includes devices seeded with SHA-256 or SHA-512, in addition to SHA-1. This enhancement increases compatibility with a wider range of authenticator models, including Thales SafeNet eToken PASS, SafeNet OTP 111, and SafeNet OTP 112. It also provides greater flexibility when selecting and deploying hardware authentication options while maintaining a secure, seamless sign-in experience.

RSA Cloud Access Service Now Supports FIDO Discoverable Credentials

Improved Identity Router (IDR) Connectivity with MFA/ REST Agent

The TCP agent in IDR is replaced with an MFA/REST agent, moving to a standardized REST/MFA architecture. This transition simplifies support, logging, metrics, and troubleshooting, while making upgrades and agent replacement easier. Standardizing the communication protocol across components also improves consistency, resulting in a more reliable and maintainable deployment experience. To apply this update, navigate to the Cloud Administration Console > Platform > Authentication Manager, then click Configure Connection.

Note: This migration is available if you have an existing TCP connection and the Identity Router (IDR) is upgraded to 12.24.0.0.10.

Coming Soon - (March Release)

RSA MFA Agent for UNIX 9.1 (Formerly RSA MFA Agent for PAM)

The RSA MFA Agent for PAM is now renamed RSA MFA Agent for UNIX to align with the naming conventions used across other RSA agents, such as RSA MFA Agent for Windows and RSA MFA Agent for macOS. This update improves consistency across platforms, making it easier to identify, deploy, and manage RSA MFA agents in various operating system environments.

The RSA MFA Agent for UNIX 9.1 includes the following features (Linux OS only):

• A consistent, secure, and simplified passwordless sign-in experience using one-time passwords (OTP) and emergency access codes.
• Passwordless authentication using mobile passkeys and biometric push notifications through the RSA Authenticator app for iOS and Android, in combination with the RSA MFA Agent for UNIX.
• Support for TLS 1.3 when connecting to CAS, providing faster connections and stronger protection against modern security threats.
• Code matching mode support for both Approve and Biometric push notifications, enhancing the verification process and reducing the risk of unauthorized access.

RSA MFA Agent 2.5 for Windows

• Native offline QR code–based passwordless authentication will enable users to authenticate without network connectivity or OTP entry.
  •  This requires RSA Authenticator 4.7 for iOS and Android.
• Support for Passwordless authentication methods in Authentication Manager (AM)/CAS Hybrid mode.
  • This requires RSA Authentication Manager 8.9. 
• Configurable proximity check will strengthen passwordless authentication by adding an extra layer of security, ensuring access is granted only when the authenticator is activated near the device.
  • This requires RSA Authenticator 4.7 for iOS and Android.
• The RSA MFA Agent for Windows now supports TLS 1.3 when communicating with RSA CAS or RSA Authentication Manager, enhancing overall security.
• Users can sign in securely without passwords by using one-time password (OTP) both online and offline, streamlining the authentication experience.

RSA Authenticator 4.7 for iOS and Android

• Redesigned notification experience providing users with more consistent and clearer presentation of information.
• Improved security by requiring biometric or device password authentication when registering new Cloud credentials. 
  • This only applies to Cloud credentials, not to AM-based credentials. For further details, see Coming Soon: RSA Authenticator 4.7 for iOS and Android.
• Proximity detection and offline QR code authentication support for passwordless methods with new versions of RSA Agents, such as RSA MFA Agent 2.5 for Windows.
• Location information in notifications.

Updates to FIDO and U2F Authentication Support

As part of the ongoing process to strengthen and simplify FIDO support, RSA is making the following changes:

• Users can no longer register new FIDO Universal 2nd Factor (U2F) authenticators. Existing U2F authenticators will continue to be supported for step-up authentication. 
  •  U2F authenticators cannot be used for passwordless authentication.
• Online FIDO2 registration during login is no longer supported. FIDO2 Authenticators can now only be registered though My Page.

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:

Fixed Issues

The following table lists the fixed issues for this release:

January 2026 - Cloud Access Service 

Cloud Access Service Updates

The following subsections outline the new and enhanced features of the Cloud Access Service (CAS).

Support for Signing Both SAML Response and Assertion in CAS

CAS now supports signing both the entire SAML response and the assertion within the response, enabling integration with protected resources that require dual-signature SAML validation. To enable this capability for My Page SSO or a relying party application, add a new application or edit an existing application in the Cloud Administration Console. In the SAML Response Protection section, select IdP signs entire SAML response and assertion within response.

FIDO Registration API Transaction ID Support

The FIDO Registration API now includes a Transaction ID, which is also captured in the corresponding user audit events. This enhancement improves visibility and traceability of FIDO registration activities. To view the Transaction ID in user audit logs, go to Cloud Administration Console > Users > User Event Monitor.

Identity Router REST API Configuration Network Zone Enhancements

You can now configure the Identity Router REST API in CAS with updated network zone settings, giving you more flexibility, consistency, and future-ready policy and configuration management. To select a network zone, go to Cloud Administration Console > My Account > Administrators, click Add an Administrator, and select a Network Zone in the API Configuration section.

Network Zone Support in Policies

You can now configure policies using network zone, replacing the legacy Trusted Network attribute to provide enhanced security and greater control. This update streamlines policy management and future-proofs access controls by enabling seamless migration and deprecation of outdated attributes. To set the Network Zone attribute, go to the Cloud Administration Console, create a new policy or edit an existing one, and in the Rule Sets section, choose Network Zone attribute from the Authentication Condition list. 

RADIUS Clients Report Now on RADIUS Page

The RADIUS Clients Report is now available on the RADIUS page, providing you with improved visibility into configured RADIUS clients and simplifying monitoring and management. To download the CSV report, go to Cloud Administration Console > Authentication Clients > RADIUS.

Identity Router (IDR) 12.24.0.0.10 Now Available

The IDR 12.24.0.0.10 release is now available. We recommend that all customers upgrade to this version.

Note: The Identity Router appliance runtime has been upgraded from Java 8 to Java 11 to align with current long-term support standards and enhance security. 

Identity Router Update Schedule and Versions

Identity routers will be updated according to the following schedule. Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.

Coming Soon 

RSA Authenticator 4.7 for iOS and Android (January-February)

• Redesigned notification experience providing users with more consistent and clearer presentation of information.
• Improved security by requiring biometric or device password authentication when registering new Cloud credentials.
  • This only applies to Cloud credentials, not to Authentication Manager (AM)-based credentials. For further details, see : https://community.rsa.com/s/article/Coming-Soon-RSA-Authenticator-4-7-for-iOS-and-Android.
• FIPS 140-3 certified cryptographic modules
• Proximity detection and offline QR code authentication support for passwordless methods with forthcoming versions of RSA Agents.

RSA Authentication Manager V8.9 (January)

• Administrator SDK qualified with JDK 11 and JDK 17
• BSAFE 7 upgrade (FIPS 140-3 certified)
• RSA Agent passwordless authentication methods support when deployed in AM /CAS hybrid mode

RSA MFA Agent V2.1 for macOS (January)

• Passwordless authentication methods are supported in AM/CAS hybrid mode through the RSA MFA Agent for macOS, enabling seamless passwordless authentication across hybrid deployments. 
  • This requires RSA Authenticator V4.7 for iOS and Android.
• Support for FIDO2 security keys is now available.
  • Users can now use FIDO2 security keys for passwordless authentication.

RSA MFA Agent V2.5 for Windows (February)

• Native offline QR code–based passwordless authentication will enable users to authenticate without network connectivity or OTP entry; this will require RSA Authenticator v4.7 for iOS and Android.
• Passwordless authentication methods will be supported in AM/CAS Hybrid Mode via the RSA MFA Agent for Windows, enabling seamless passwordless authentication across hybrid deployments.
  • This will require RSA Authentication Manager 8.9.
• Configurable proximity checks will strengthen passwordless authentication by adding an extra layer of security, ensuring access is granted only when the authenticator is activated near the device.
  • This will require RSA Authenticator v4.7 for iOS and Android.

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:

Fixed Issue

The following table lists the fixed issue for this release: 

Known Issue

The following table lists the known issue in this release:

December 2025 - Cloud Access Service

Cloud Access Service Updates

The following subsections outline the new and enhanced features of the Cloud Access Service (CAS).

Improved Search in User Management

The User Management page in the Cloud Administration Console now includes enhanced search capabilities. You can search for users by first name, last name, or a combination of both, even when the user’s email address does not contain personally identifiable information (PII). You can also search using Mobile Lock ID for greater flexibility. These improvements provide a more efficient and accurate search experience, making it easier to find and manage user accounts across the system. To access the User Management page, go to Cloud Administration Console > Users > Management.

Enhanced User Interface for Bulk User Maintenance

The Bulk User Maintenance page now features a modern, more intuitive interface that provides a faster, more responsive, and consistent administrative experience.. This update streamlines navigation, improves usability, and ensures smoother interactions across all bulk user operations, enabling you to manage large user sets more efficiently and with greater confidence. To access the Bulk User Maintenance page, go to Cloud Administration Console > Users > Bulk User Maintenance.

Enhanced Role Management in My Page Access Control

The Access Control screen in My Page is enhanced to give application owners and managers greater control over role assignments. Application owners and managers can now use the Access Control tab in My Page to manage role assignments more effectively, enabling more efficient management of user access and ensuring that role assignments remain accurate and up to date. To access the Modify User Role screen, go to My Page > Access Control.

Governance & Lifecycle Connection to CAS

Governance & Lifecycle Connection to CAS is now available with an easy, wizard-based setup that streamlines configuration and enhances information sharing to strengthen your identity posture management. The Cloud Administration Console now includes a Governance & Lifecycle page under the Platform menu, providing the Registration Code and Registration URL to integrate with CAS.

New FIDO Management API Client Type

The API Client now includes a new FIDO Management API client type in the Client Type dropdown, enabling more flexible, service-driven authenticator enrollment workflows. The FIDO Management API assumes the caller has already validated the user, allowing you to register a user’s authenticator without requiring an active end-user session. This capability supports call-center and bulk issuance flows, automated enrollment processes, and help-desk–initiated actions. With this enhancement, you can trigger authenticator enrollments directly from your help desk or automation tools, streamline onboarding and recovery, and maintain user productivity during incidents or migrations. In the Cloud Administration Console, you can add the "FIDO Management API" client type via Platform > API Access Management > Add API Client.

Coming Soon - Deprecation of TCP Connection Between CAS and AM

RSA announces the upcoming deprecation of the TCP Agent connection between CAS and AM. If your environment is configured to connect to AM through Cloud Administration Console > Platform > Authentication Manager > Connection to Authentication Manager, you will need to update your configuration after the upcoming IDR release. This integration will transition to the Authentication Manager REST Agent, replacing the existing TCP Agent connection. At this time, no immediate action is required. Detailed instructions and timelines will be shared prior to the deprecation to guide you through the transition and ensure uninterrupted connectivity between CAS and AM.

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:

Fixed Issue

The following table lists the fixed issue for this release: 

Known Issue

The following table lists the known issue in this release:

November 2025 - Cloud Access Service

Critical Notices

The following urgent notices relate to mandatory upgrades and important changes within the RSA environment. Immediate action is required to prevent potential service disruptions.

Use of Company-Specific URLs Required

As a follow-up to the November 2024 Release Announcement, non-company-specific URLs will soon be removed. Update the affected service URLs immediately. For more information, see the Company-Specific Administrative URLs Update Instructions. Administrators must use their designated company-specific URLs for all access, including API interactions, Authentication Manager (AM) configurations, SCIM configurations, or redirected URLs from identity providers (IdPs). Access through non-company specific URLs is not yet blocked, however, when it is blocked, it can potentially result in loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com ). To ensure uninterrupted access, administrators should promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as needed. If your Identity Router (IDR) software version is earlier than 12.22.0.0.32, you must upgrade your IDR to 12.22.0.0.32 or later to avoid any disruptions when non-company-specific URLs are deprecated.  

Starting with the June release, a banner warning appears for 24 hours whenever a non-company-specific URL is used for the following:

• Logging in to the Cloud Administration Console via password or third-party IdP.
• Accessing the Cloud Administration REST APIs.

In addition, an audit event is logged once per day whenever a non-company-specific URL is used for third-party IdP login and Cloud Administration REST API. You can view this event from the Cloud Administration Console in Platform > Admin Event Viewer.

Identity Router (IDR) 12.23.0.0.11 Now Available

The IDR 12.23.0.0.11 release is now available. We recommend that all customers upgrade to this version.

This release includes the following updates:

• Fixed an issue affecting the IDR SSH login feature, which is used by RSA Support for troubleshooting purposes.

Note: This issue did not impact the core functionality of the IDR.

• Fixed multiple security vulnerabilities.

Customers can wait for the scheduled upgrade or choose to upgrade at their own discretion.

Identity Router Update Schedule

Identity routers will be updated according to the following schedule. Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.

Coming Soon - Deprecation of TCP Connection Between Cloud Access Service (CAS) and AM

RSA announces the upcoming deprecation of the TCP Agent connection between CAS and AM. If your environment is configured to connect to AM through Cloud Administration Console > Platform > Authentication Manager > Connection to Authentication Manager, an update will be required after the upcoming IDR release. This integration will transition to the Authentication Manager REST Agent, replacing the existing TCP Agent connection. At this time, no immediate action is required. Detailed instructions and timelines will be shared prior to the deprecation to guide you through the transition and ensure uninterrupted connectivity between CAS and AM.

Cloud Access Service Updates

My Page UI Now Supports Arabic RTL

The My Page user interface has been enhanced to improve usability and accessibility for Arabic-speaking users. Arabic content now displays from right to left (RTL), ensuring a more natural and intuitive reading experience. This enhancement provides a localized interface aligned with Arabic language standards, resulting in a smoother and more consistent user experience.

Export Admin Users Report via Cloud Administration Console or API

You can now export a comprehensive report of all administrative users directly from the Cloud Administration Console or retrieve it programmatically through the REST API. This report includes Admin Names, Admin Emails, Role, Status, Created At, Updated At, and last Login Time. This enhancement enables organizations to prove access, validate least privilege, and maintain continuous compliance evidence without relying on screenshots or manual exports.
To download the CSV report, go to Cloud Administration Console > My Account > Administrators > Admin Users Reports. You can also download this report through Cloud Administration Console > Users > Reports > Admin Users. 

Enhanced All Users Report

The All Users report is now enhanced to include the exact Last Successful Authentication Date and the Last Successful Authentication Method for every user. This update provides greater accuracy and visibility into user activity, helping you identify dormant accounts and maintain audit-ready reporting. To download the CSV report, go to Cloud Administration Console > Users > Reports > All Users. 

Enhanced Visibility with New RADIUS Clients Report

The RADIUS Clients report is introduced in the Cloud Access Service to provide deeper visibility into RADIUS client configurations and authentication activity. This report enables you to audit, optimize, and troubleshoot RADIUS integrations by consolidating detailed client information, including IP Address, Type, Authentication Configuration, Last Modified Date, and additional data fields. This enhancement improves operational efficiency, strengthens compliance reporting, and simplifies authentication management across environments. To download the CSV report, go to Cloud Administration Console > Users > Reports > Radius Clients. 

Enhanced Passkey Support Across Domains

The FIDO authentication is now enhanced by enabling multiple custom FIDO Relying Party (RP) IDs per account. A passkey registered on one approved domain can now be used to sign in across other authorized domains, delivering a seamless and secure multi-domain experience while preserving FIDO’s domain binding and privacy protections (FIDO Related Origins). To add one or more domains, go to Cloud Administration Console > Access > FIDO Authentication > FIDO Relying Party Domain(s).

Default Network Zone Configuration

A default option for network zones is now introduced, allowing you to designate any network zone as the default. The default network zone automatically applies to all APIs, AM, SCIM, and IDR configurations that either do not specify a network zone or rely on the default setting. You can change or select a different default network zone at any time, and updates will only affect configurations that use the default zone. You can now set any network zone as the default in the Cloud Administration Console.

Note: A System Default Zone is automatically created to allow all IP addresses. Once a network zone is set as the default, it cannot be deleted unless another network zone is designated as the default.

Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.

• New Integrations for ID Plus

• Apple iOS Native VPN (RADIUS)
• BeyondTrust Password Safe (SAML)
• Broadcom Symantec PAM (SAML)
• FireMon Policy Manager (SAML)

• Updated Integrations for ID Plus

• AuthenTrend ATKey (FIDO)
• CyberArk PAM plug-in (AM)
• HPe Aruba ClearPass (RADIUS)
• Prove SMS Gateway (AM)

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:

Fixed Issues

The following table lists the fixed issues for this release: 

Known Issue

The following table lists the known issue in this release:

October 2025 - Cloud Access Service

Critical Notices

The following urgent notices relate to mandatory upgrades and important changes within the RSA environment. Immediate action is required to prevent potential service disruptions.

Mandatory Upgrade Required by October 6, 2025

Following Google's decision to stop recognizing Entrust as a trusted Certificate Authority (CA), RSA must transition to an alternative CA beginning the week of October 06, 2025. To ensure continued functionality, you must update or upgrade the necessary on-premises RSA components prior to this date. Failure to complete the required updates may result in significant service disruptions.

For more information on upgrading components, please refer to the latest published advisory: REMINDER: 1 WEEK LEFT TO COMPLETE UPGRADE WHEN USING RSA CAS AND AVOID SERVICE DISRUPTION. 

Use of Company-Specific URLs Required

As a follow-up to the November 2024 Release Announcement, non-company-specific URLs will soon be removed. Please update the affected service URLs immediately. For more information, see transition guide here: Company-Specific Administrative URLs Update Instructions. Administrators must use their designated company-specific URLs for all access, including API interactions, AM configurations, SCIM configurations, or redirected URLs from identity providers (IdPs). The access through the non-company specific URL is not yet blocked. It will be blocked potentially resulting in a loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com ). To ensure uninterrupted access, administrators should promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as needed. If your Identity Router (IDR) software version is earlier than 12.22.0.0.32, you must upgrade your IDR to 12.22.0.0.32 or later to avoid any disruptions when non-company-specific URLs are deprecated.  

Starting with the June release, a banner warning appears for 24 hours whenever a non-company-specific URL is used for the following:

• Logging in to the Cloud Administration Console via password or third-party IdP.
• Accessing the Cloud Administration REST APIs.

In addition, an audit event is logged once per day whenever a non-company-specific URL is used for third-party IdP login and Cloud Administration REST API. You can view this event in the Cloud Administration Console > Platform >  Admin Event Viewer.

Identity Router (IDR) 12.23.0.0.11 Now Available

The IDR 12.23.0.0.11 release is now available. We recommend that all customers upgrade to this version.

This release includes:

• Fixed the issue affecting the IDR SSH login feature, which is used by RSA Support for troubleshooting purposes.

Note: This issue did not impact the core functionality of the Identity Router (IDR).

• Fixed multiple security vulnerabilities.

Customers can wait for the scheduled upgrade or choose to upgrade on their own discretion.

Identity Router Update Schedule and Versions

Identity routers will be updated according to the following schedule. Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.

Cloud Access Service Updates

Updated Subprocessor List

The list of subprocessors used by RSA has been updated to reflect the latest changes. For more information, see RSA Subprocessor Information. 

New Column in Hardware OTP Credential Information Report: Last Successful Authentication

The Hardware OTP Credential Information report now includes a new column, Last Successful Authentication. This column shows the last time a hardware OTP credential is used for authentication. The update helps you track credential usage, strengthen security by identifying inactive credentials, and simplify audit readiness.
To generate the report, go to Users > Reports > Hardware OTP Credential Information > Generate.

New Controls for Online Emergency Access Code Duration Settings

Super Administrators can now manage Online Emergency Access Code duration settings at the account level. Super Administrators can allow administrators to override these settings or lock them to prevent changes. These controls give Super Administrators greater flexibility, strengthen security, and ensure consistent policy enforcement across your organization.
To configure this feature, go to Cloud Administration Console > My Account > Company Settings > Sessions & Authentication > Emergency Access Codes.
If Lock Online Emergency Access Code settings is disabled, administrators can manage online Emergency Access Code duration in the Cloud Administration Console > Users > Management > Emergency Access Code.

Enhanced Network Zone Configuration for Identity Router (IDR) Clusters

We have enhanced network zone management so you not only have the option to apply restricted networks from the IDR Network Zone across all IDRs, but you can also configure network zones for individual IDR clusters. This enhancement gives you more granular control, improves security, and provides greater flexibility so you can choose the approach that best fits your needs.
To access this feature, navigate to Cloud Administration Console > Platform > Clusters, then edit an existing cluster or add a new one, and go to the Network Zones section.

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:

Fixed Issue

The following table lists the fixed issue for this release: 

September 2025 - Cloud Access Service

Critical Notices

The following urgent notices relate to mandatory upgrades and important changes within the RSA environment. Immediate action is required to prevent potential service disruptions.

Mandatory Upgrade Required by October 6, 2025

Following Google's decision to stop recognizing Entrust as a trusted Certificate Authority (CA), RSA must transition to an alternative CA beginning the week of October 06, 2025. To ensure continued functionality, you must update or upgrade the necessary on-premises RSA components prior to this date. Failure to complete the required updates may result in significant service disruptions.

For more information on upgrading components, please refer to the latest published advisory: 6 WEEKS LEFT TO COMPLETE UPGRADE WHEN USING RSA CAS AND AVOID SERVICE DISRUPTION. 

Use of Company-Specific URLs Required

As a follow-up to the November 2024 Release Announcement, non-company-specific URLs will soon be removed. Please update the affected service URLs immediately. For more information, see transition guide here: Company-Specific Administrative URLs Update Instructions. Administrators must use their designated company-specific URLs for all access, including API interactions, AM configurations, SCIM configurations, or redirected URLs from identity providers (IdPs). The access through the non-company specific URL is not yet blocked. It will be blocked potentially resulting in a loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com ). To ensure uninterrupted access, administrators should promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as needed. If your Identity Router (IDR) software version is earlier than 12.22.0.0.32, you must upgrade your IDR to 12.22.0.0.32 or later to avoid any disruptions when non-company-specific URLs are deprecated.  

Starting with the June release, a banner warning appears for 24 hours whenever a non-company-specific URL is used for the following:

• Logging in to the Cloud Administration Console via password or third-party IdP.
• Accessing the Cloud Administration REST APIs.

In addition, an audit event is logged once per day whenever a non-company-specific URL is used for third-party IdP login and Cloud Administration REST API. You can view this event in the Cloud Administration Console > Platform >  Admin Event Viewer.

Cloud Access Service Updates

The following subsections outline the new and enhanced features of the Cloud Access Service (CAS).

New Export Capability for Event Monitors

You can now export event logs directly from the User Event Monitor, System Event Monitor, and Admin Event Monitor in the Cloud Administration Console. This enhancement allows you to generate structured CSV reports with just a few clicks, making it easier to analyze activity, support compliance efforts, and streamline audit reporting. 

• For the Admin and System Event Monitor: navigate to Cloud Administration Console > Platform > Admin Event Monitor / System Event Monitor , then click Generate Report.
• For the User Event Monitor: navigate to Cloud Administration Console > Users >User Event Monitor , then click Generate Report.

Simplify User Deprovisioning with Lifecycle Management

You can now enable, disable, or delete user access to applications provisioned through the Cloud Administration Console, giving managers and application owners greater control over access governance. These actions are available in My Page > My Users Access, providing improved visibility and flexibility when managing user permissions. To activate these capabilities, ensure the "Delete Action" is enabled and that the appropriate access control settings are configured through Cloud Administration Console > Application Catalog > Fulfillment. The availability of enable/disable options may vary depending on the selected Fulfillment Configuration Type, and all access changes will be reflected accordingly on My Page.

Create and Update Local Users Through the Manage Local User API

You can now use the Manage Local User API to create and update users in the local identity store, enabling automation of user lifecycle management. This enhancement supports seamless integration with existing workflows and ensures that actions align with the Cloud Administration Console permissions. The API is secured with modern OAuth protection, ensuring secure and scalable access for administrative operations.

Enforce Managed Browser Access

You can now require users to access Microsoft Edge for Business resources only through managed browsers, ensuring that access is limited to trusted, compliant devices. By leveraging Microsoft Edge device signals, this feature verifies endpoint compliance before granting access to critical applications. This strengthens your Zero Trust security posture by combining identity verification with device trust without complexity. To access this feature, navigate  to Cloud Administration Console > Access > Managed Browser. You can then use the "Managed Browser" attribute within an Access Policy to enforce browser-based access controls. To configure the connector, see 

Configurable Periodic User Refresh for Inactive Accounts

You can now configure how often inactive accounts are refreshed from your on-prem directory (LDAP) in CAS. By default, up to 1,000 accounts unused in the past 30 days are refreshed daily. You can lower this threshold to as few as 7 days to better align with your security policies. To configure this feature go to Cloud Administration Console > Users > Bulk Maintenance.

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:

Coming Soon 

The following section outlines the upcoming features planned for the October release.

RSA MFA Agent for macOS 2.0 Expands Passwordless Authentication

RSA MFA Agent for macOS 2.0 introduces expanded support for passwordless primary authentication methods and enhanced resiliency features.

New passwordless authentication methods include:

• Mobile Passkey, using the RSA Authenticator app v4.6+ for iOS or Android (no Bluetooth required)
• QR Code Authentication
• Biometric Authentication

• Passwordless authentication methods are included with ID Plus E2 and E3 subscriptions and are available as an add-on for ID Plus E1 subscriptions.

Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.

• New Integrations for ID Plus

• • Articulate Reach (SCIM)
  • HP Aruba ClearPass (SAML)
  • Microsoft Edge for Business Browser (RSA Device Trust Connector)
  • Rapid7 (SAML)

• Updated Integrations for ID Plus

• • CyberArk PAM Vault (Radius)
  • CyberArk PAM PVWA (Radius)

Fixed Issues

The following table lists the fixed issues for this release: 

August 2025 - Cloud Access Service

Critical Notices

The following urgent notices relate to mandatory upgrades and important changes within the RSA environment. Immediate action is required to prevent potential service disruptions.

Mandatory Upgrade Required by October 6, 2025

Following Google's decision to stop recognizing Entrust as a trusted Certificate Authority (CA), RSA must transition to an alternative CA beginning the week of October 06, 2025. To ensure continued functionality, you must update or upgrade the necessary on-premises RSA components prior to this date. Failure to complete the required updates may result in significant service disruptions.

Refer to the following advisories for details on upgrading the components:

• RSA Authentication Manager (AM) and RSA Authenticator for iOS and Android
• RSA Prime
• RSA Agents

Infinispan Upgrade in Identity Router (IDR) 12.23.0.0.X Requires Cluster-Wide Version Consistency

Note: This upgrade affects proxied applications on the IDR SSO Portal that store your credentials. 

The upcoming Identity Router (IDR) 12.23.0.0.X release, as outlined in the Identity Router Update Schedule and Versions table, includes a critical Infinispan upgrade. During the upgrade process, if IDRs within a cluster are running different versions, they will continue to serve requests; however, keychain synchronization may be temporarily impacted. These functions will automatically resume once all IDRs in the cluster have been upgraded to the same version. Before performing an in-place upgrade, RSA strongly recommends creating a snapshot of the virtual machine for VMware and Hyper-V-based routers, or of the storage volume for AWS-based routers to ensure recovery options are available if needed. 

Notes: 

• All IDRs in a cluster must run the same version to prevent replication disruptions.

• If you plan to add a new IDR using the 12.23.0.0.X template while other IDRs in the cluster are still on 12.22.0.0.X, you must first upgrade all existing IDRs to version 12.23.0.0.X before introducing the new node.

• Backup files created with earlier versions will not be restorable after upgrading to 12.23.0.0.X.

• RSA strongly recommends creating new backups immediately after completing the upgrade.

• Keychain replication does not apply to Embedded IDRs, as they do not support the IDR SSO Portal. Therefore, this update does not apply to AM Embedded IDRs.

• Backups apply specifically to the HTTP Federation (Fed) application in the IDR SSO Portal.

This action is essential to maintain cluster stability, ensure successful replication, and avoid potential service issues.

Identity Router Update Schedule and Versions

Use of Company-Specific URLs Required

As a follow-up to the November 2024 Release Announcement, non-company-specific URLs will soon be removed. Please update the affected service URLs immediately. For more information, see transition guide here: Company-Specific Administrative URLs Update Instructions. Administrators must use their designated company-specific URLs for all access, including API interactions, AM configurations, SCIM configurations, or redirected URLs from identity providers (IdPs).The access through the non-company specific URL is not yet blocked. It will be blocked potentially resulting in a loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com ). To ensure uninterrupted access, administrators should promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as needed. If your Identity Router (IDR) software version is earlier than 12.22.0.0.32, you must upgrade your IDR to 12.22.0.0.32 or later to avoid any disruptions when non-company-specific URLs are deprecated.  

Starting with the June release, a banner warning appears for 24 hours whenever a non-company-specific URL is used for the following:

• Log in to the Admin Console via password or third-party IDP.
• Access the Admin REST APIs.

In addition, an audit event is logged once per day whenever a non-company-specific URL is used for third-party IDP login and Admin API access. You can view this event in the Admin Event Viewer.

Cloud Access Service Updates

The following subsections outline the new and enhanced features of the Cloud Access Service (CAS).

Improved Support for SAML Certificate Rotation

You can now load up to two SAML signing certificates per application in CAS, ensuring seamless transitions when certificates expire. CAS automatically switches to the other certificate, maintaining secure and uninterrupted access for your applications. Managing certificates is now easier through the Cloud Administration Console, where you can view, import, and update them. This feature is available for both My Page SSO and Relying Party applications. 

• To use this feature for an SSO application, navigate to Cloud Administration Console > Applications > Application Catalog / My Applications, select a SAML application, and on the Connection Profile page, upload certificate from the  Message Protection section.
• To use this feature for a Relying Party application, navigate to Cloud Administration Console > Authentication Clients > Relying Parties, select an application, and on the Connection Profile page, upload certificate from the  Message Protection section.

Copy SAML Metadata URL

You can now copy the SAML metadata URL directly from your configured applications, making it faster to share metadata with services that require a direct URL instead of uploading files. This enhancement simplifies your SAML setup process and saves time. This feature is available for both My Page SSO and Relying Party applications. 

• To access this feature for an SSO application, go to Cloud Administration Console > Applications > My Applications, select a configured SAML SSO application, and from the dropdown, select Copy Metadata URL.
• To access this feature for a Relying Party application, navigate to Cloud Administration Console > Authentication Clients > Relying Parties, select a configured SAML Relying Party application, and from the dropdown, select Copy Metadata URL.

RSA SecurID Access Admin REST API 2.8.0 Now Available

RSA SecurID Access Admin REST API version 2.8.0 is now available with the updates on OAuth API access support. You can download the updated API package from the ID Plus Admin REST API Download page.

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:

Fixed Issue

The following table lists the fixed issue for this release: 

July 2025 - Cloud Access Service

Cloud Access Service Updates

The following subsections outline the new and enhanced features of the Cloud Access Service (CAS).

Terminology Update: Cloud Authentication Service Renamed to Cloud Access Service

The "Cloud Authentication Service" has been renamed to "Cloud Access Service". This terminology change reflects the platform's expanded capabilities and aligns with upcoming improvements. You may still see both names in the product interface and documentation as we gradually roll out this update.

Improved TransactionID with Timeout MFA Event for Step-Up Authentication

The TransactionID feature has been updated to include a Timeout MFA event for step-up authentication scenarios. If a user completes primary authentication but then closes the browser or abandons the process before finishing step-up authentication, a Timeout MFA event is triggered. This event is logged after the configured timeout period (15 minutes by default), helping to reduce open-ended authentication threads in the logs and enhancing visibility into incomplete authentication attempts. You can find the new Timeout MFA event in the Cloud Administration Console under Users > User Event Monitor.

Controlling Certificate-Based Authentication in Windows Agent

The Certificate Authority (CA) service now supports certificate-based authentication (CBA) for Windows MFA Agents integrated with Microsoft Entra ID, giving you greater control and visibility over certificate lifecycle management. With this enhancement, you can view and revoke certificates issued by the the CA service from the Cloud Administration Console. In Users > Management, search for a user, and then you will find the Agent Passwordless Login Certificates section to revoke certificates associated with that user.

Activity ID for Improved Traceability

The audit logging capability has been enhanced with the Activity ID, allowing you to group user actions within a session for improved traceability and streamlined log analysis. This update supports more effective security auditing, faster troubleshooting, and better visibility into user activity patterns. You can view the Activity ID column in the Cloud Administration Console under Users > User Event Monitor, and it is also available via the public API.

Client Type Support for OAuth Configuration

The Cloud Administration Console now supports specifying client types when configuring OAuth clients. This enhancement helps administrators tailor OAuth configurations to meet specific application needs and security requirements. You can access this feature by navigating to Platform > API Access Management, making it easier to create and manage OAuth clients with precision.

User Recording Connection Method Toggle in HTTP Federation Proxy Application

The Use Recording connection method is no longer available for HTTP Federation (HFED) Proxy application configuration. Customers who previously configured the HFED Proxy application using this connection method will experience no disruption and existing workflows will continue to function as expected. However, the Use Recording connection method will no longer be available for the new application added using HFED Proxy in the Cloud Administration Console under Applications > Application Catalog > Create From Template > HTTP Federation Proxy > Connection Method tab.

Coming Soon (July Release) 

The following section outlines the upcoming features planned for the July release.

RSA Authentication Manager 8.8 Support for Nutanix AHV

We are excited to announce that RSA Authentication Manager 8.8 will soon offer compatibility with the Nutanix AHV. This enhancement underscores our ongoing commitment to providing seamless, scalable solutions for hybrid and cloud-based environments.

RSA MFA Agent for Windows 2.4 Adds Expanded Passwordless Authentication Support

RSA MFA Agent for Windows 2.4 introduces expanded support for passwordless primary authentication methods across both Local Active Directory and Microsoft Entra ID deployments.

• Passwordless authentication methods now include:

• • FIDO Authentication, in two forms:
    • FIDO Security Key (already supported in previous version of MFA Agent for Windows, but only with Local AD Deployment)
    • Mobile Passkey (Requires RSA Authenticator V4.6 for iOS and Android, released in July 2025)
  • QR Code Authentication
  • Biometric Authentication.

To enable passwordless authentication on machines protected by the RSA MFA Agent for Windows and integrated with Microsoft Entra ID, a certificate must be deployed to the endpoint. To streamline this process, RSA introduces an automated certificate provisioning mechanism that simplifies setup and ensures secure deployment. Additionally, to provide more granular control, two new authentication methods are available for configuration within Assurance Levels, enabling the use of the following passwordless authentication methods:

• • Agent QR Code
  • Agent Device Biometric

• Passwordless authentication methods are included with ID Plus E2 and E3 subscriptions and are available as an add-on for ID Plus E1 subscriptions.
• Passwordless authentication will be added in future releases to other RSA MFA Agents.

RSA Authenticator 4.6 for iOS and Android

The following sections highlight the new features planned for the July release of RSA Authenticator 4.6: 

Streamlined Credential Registration in RSA Authenticator App 

Users can now register both CAS credentials and passkeys (FIDO credentials) through a single, simplified action, reducing the number of steps required. This improves usability and accelerates secure onboarding.

Enhanced Mobile Lock Notifications in RSA Authenticator App 

When a critical threat is detected, users will now receive notifications containing detailed information about the threat. This empowers users to resolve certain issues independently and enables them to provide clearer, more actionable information when engaging with their IT Help Desk, improving response time and support efficiency. 

In-App Upgrade Notification in RSA Authenticator App 

Users will now receive an in-app notification when a newer version is available for download. This helps ensure users stay up to date with the latest features, performance improvements, and security updates.

Expanded Credential Support in RSA Authenticator App 

Users can now manage up to 30 RSA credentials, including both Authentication Manager (AM) and CAS credentials. This enhancement is designed for powered users who need access to multiple services, providing greater flexibility and convenience. The user interface has also been updated to simplify navigation and improve the management experience for a larger number of credentials, including passkeys. 

Important Notice: Use of Company-Specific URLs Required

As a follow-up to the November 2024 Release Announcement, non-company-specific URLs will soon be removed. Please update the affected service URLs immediately. For more information, see transition guide here: Company-Specific Administrative URLs Update Instructions. Administrators must use their designated company-specific URLs for all access, including API interactions, AM configurations, SCIM configurations, or redirected URLs from identity providers (IdPs).The access through the non-company specific URL is not yet blocked. It will be blocked potentially resulting in a loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com )". To ensure uninterrupted access, administrators should promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as needed. If your Identity Router (IDR) software version is earlier than 12.22.0.0.32, you must upgrade your IDR to 12.22.0.0.32 or later to avoid any disruptions when non-company-specific URLs are deprecated.  

Operating System (OS) Update for Embedded Identity Router

RSA released an updated Identity Router (IDR) version 12.22.x with the SLES 15 SP6 operating system (OS) image in November 2024, available for both standalone and embedded deployments. However, embedded Identity Routers used with Authentication Manager are not eligible for an in-place upgrade to SLES 15 SP6.

Deployments of IDR version 12.21.x or earlier, which are based on SLES 12 SP5, will continue to receive software package updates. However, be aware that support for SLES 12 SP5-based IDRs will be phased out in the soon. New deployments of embedded IDR version 12.22.x or later will use the latest SLES 15 SP6-based image.

If you are using IDR on SLES 12 SP5, or if your IDR version is v12.21.x or earlier, you must update the IDR to the latest version as soon as possible. Use the new image available from the Cloud Administration Console to perform the update.

To view IDR version and operating system information, see View Identity Router Status in the Cloud Administration Console.

RSA strongly recommends that customers using Embedded IDRs migrate to SLES 15 SP6 based images. To do so, perform the following steps:

1. Remove the Embedded IDR from the Authentication Manager appliance. Refer to Remove the Embedded Identity Router from RSA Authentication Manager. 
2. Download and install the new IDR. Refer to step 3: Deploy the Embedded Identity Router section in the Quick Setup - Connect RSA Authentication Manager to the Cloud Access Service with an Embedded Identity Router article.

Note: In step 1, regenerate the Registration Code from the existing IDR record. You do not need to create a new identity router record.

3. Register the new IDR with the existing record in the Cloud Administration Console. Refer to steps 3 to 9 of Step 3: Deploy the Embedded Identity Router section in the Quick Setup - Connect RSA Authentication Manager to the Cloud Access Service with an Embedded Identity Router article.
4. In the Cloud Administration Console, click Publish Changes.

After the migration, verify that the new IDR is working as expected by checking the status in the Cloud Administration Console. Refer to View Identity Router Status.

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:

Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.

• New Integrations for ID Plus

• • Articulate Reach 360 (SAML)
  • Jamf Connect (OIDC)

• Updated Integrations for ID Plus

• • ADP Federated SSO (SAML)
  • Microsoft GitHub (SAML)
  • Okta SSO (SAML)
  • SAP NetWeaver (SAML)

Fixed Issues

The following table lists the issues that are fixed for this release: