Release Notes Archive - Cloud Authentication Service and Authenticators (July 2025 - January 2025)
a year ago

July 2025 - Cloud Access Service

Cloud Access Service Updates

The following subsections outline the new and enhanced features of the Cloud Access Service (CAS).

 

Terminology Update: Cloud Authentication Service Renamed to Cloud Access Service

The "Cloud Authentication Service" has been renamed to "Cloud Access Service". This terminology change reflects the platform's expanded capabilities and aligns with upcoming improvements. You may still see both names in the product interface and documentation as we gradually roll out this update.

 

Improved TransactionID with Timeout MFA Event for Step-Up Authentication

The TransactionID feature has been updated to include a Timeout MFA event for step-up authentication scenarios. If a user completes primary authentication but then closes the browser or abandons the process before finishing step-up authentication, a Timeout MFA event is triggered. This event is logged after the configured timeout period (15 minutes by default), helping to reduce open-ended authentication threads in the logs and enhancing visibility into incomplete authentication attempts. You can find the new Timeout MFA event in the Cloud Administration Console under Users User Event Monitor.

 

Controlling Certificate-Based Authentication in Windows Agent

The Certificate Authority (CA) service now supports certificate-based authentication (CBA) for Windows MFA Agents integrated with Microsoft Entra ID, giving you greater control and visibility over certificate lifecycle management. With this enhancement, you can view and revoke certificates issued by the the CA service from the Cloud Administration Console. In Users Management, search for a user, and then you will find the Agent Passwordless Login Certificates section to revoke certificates associated with that user.

 

Activity ID for Improved Traceability

The audit logging capability has been enhanced with the Activity ID, allowing you to group user actions within a session for improved traceability and streamlined log analysis. This update supports more effective security auditing, faster troubleshooting, and better visibility into user activity patterns. You can view the Activity ID column in the Cloud Administration Console under Users User Event Monitor, and it is also available via the public API.

 

Client Type Support for OAuth Configuration

The Cloud Administration Console now supports specifying client types when configuring OAuth clients. This enhancement helps administrators tailor OAuth configurations to meet specific application needs and security requirements. You can access this feature by navigating to Platform > API Access Management, making it easier to create and manage OAuth clients with precision.

 

User Recording Connection Method Toggle in HTTP Federation Proxy Application

The Use Recording connection method is no longer available for HTTP Federation (HFED) Proxy application configuration. Customers who previously configured the HFED Proxy application using this connection method will experience no disruption and existing workflows will continue to function as expected. However, the Use Recording connection method will no longer be available for the new application added using HFED Proxy in the Cloud Administration Console under Applications Application Catalog Create From Template > HTTP Federation Proxy > Connection Method tab.

      

Coming Soon (July Release) 

The following section outlines the upcoming features planned for the July release.

 

RSA Authentication Manager 8.8 Support for Nutanix AHV

We are excited to announce that RSA Authentication Manager 8.8 will soon offer compatibility with the Nutanix AHV. This enhancement underscores our ongoing commitment to providing seamless, scalable solutions for hybrid and cloud-based environments.

 

RSA MFA Agent for Windows 2.4 Adds Expanded Passwordless Authentication Support

RSA MFA Agent for Windows 2.4 introduces expanded support for passwordless primary authentication methods across both Local Active Directory and Microsoft Entra ID deployments.

  • Passwordless authentication methods now include:
    • FIDO Authentication, in two forms:
      • FIDO Security Key (already supported in previous version of MFA Agent for Windows, but only with Local AD Deployment)
      • Mobile Passkey (Requires RSA Authenticator V4.6 for iOS and Android, released in July 2025)
    • QR Code Authentication
    • Biometric Authentication.

To enable passwordless authentication on machines protected by the RSA MFA Agent for Windows and integrated with Microsoft Entra ID, a certificate must be deployed to the endpoint. To streamline this process, RSA introduces an automated certificate provisioning mechanism that simplifies setup and ensures secure deployment. Additionally, to provide more granular control, two new authentication methods are available for configuration within Assurance Levels, enabling the use of the following passwordless authentication methods:

    • Agent QR Code
    • Agent Device Biometric
Notes:
  • Passwordless authentication methods are included with ID Plus E2 and E3 subscriptions and are available as an add-on for ID Plus E1 subscriptions.
  • Passwordless authentication will be added in future releases to other RSA MFA Agents.

 

RSA Authenticator 4.6 for iOS and Android

The following sections highlight the new features planned for the July release of RSA Authenticator 4.6: 


Streamlined Credential Registration in RSA Authenticator App 

Users can now register both CAS credentials and passkeys (FIDO credentials) through a single, simplified action, reducing the number of steps required. This improves usability and accelerates secure onboarding.

Enhanced Mobile Lock Notifications in RSA Authenticator App 

When a critical threat is detected, users will now receive notifications containing detailed information about the threat. This empowers users to resolve certain issues independently and enables them to provide clearer, more actionable information when engaging with their IT Help Desk, improving response time and support efficiency. 

 

In-App Upgrade Notification in RSA Authenticator App 

Users will now receive an in-app notification when a newer version is available for download. This helps ensure users stay up to date with the latest features, performance improvements, and security updates.

 

Expanded Credential Support in RSA Authenticator App 

Users can now manage up to 30 RSA credentials, including both Authentication Manager (AM) and CAS credentials. This enhancement is designed for powered users who need access to multiple services, providing greater flexibility and convenience. The user interface has also been updated to simplify navigation and improve the management experience for a larger number of credentials, including passkeys. 

 

Important Notice: Use of Company-Specific URLs Required

As a follow-up to the November 2024 Release Announcement, non-company-specific URLs will soon be removed. Please update the affected service URLs immediately. For more information, see transition guide here: Company-Specific Administrative URLs Update Instructions. Administrators must use their designated company-specific URLs for all access, including API interactions, AM configurations, SCIM configurations, or redirected URLs from identity providers (IdPs).The access through the non-company specific URL is not yet blocked. It will be blocked potentially resulting in a loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com )". To ensure uninterrupted access, administrators should promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as needed. If your Identity Router (IDR) software version is earlier than 12.22.0.0.32, you must upgrade your IDR to 12.22.0.0.32 or later to avoid any disruptions when non-company-specific URLs are deprecated.  

 

Operating System (OS) Update for Embedded Identity Router

RSA released an updated Identity Router (IDR) version 12.22.x with the SLES 15 SP6 operating system (OS) image in November 2024, available for both standalone and embedded deployments. However, embedded Identity Routers used with Authentication Manager are not eligible for an in-place upgrade to SLES 15 SP6.

Deployments of IDR version 12.21.x or earlier, which are based on SLES 12 SP5, will continue to receive software package updates. However, be aware that support for SLES 12 SP5-based IDRs will be phased out in the soon. New deployments of embedded IDR version 12.22.x or later will use the latest SLES 15 SP6-based image.

If you are using IDR on SLES 12 SP5, or if your IDR version is v12.21.x or earlier, you must update the IDR to the latest version as soon as possible. Use the new image available from the Cloud Administration Console to perform the update.

To view IDR version and operating system information, see View Identity Router Status in the Cloud Administration Console.

RSA strongly recommends that customers using Embedded IDRs migrate to SLES 15 SP6 based images. To do so, perform the following steps:

  1. Remove the Embedded IDR from the Authentication Manager appliance. Refer to Remove the Embedded Identity Router from RSA Authentication Manager. 
  2. Download and install the new IDR. Refer to step 3: Deploy the Embedded Identity Router section in the Quick Setup - Connect RSA Authentication Manager to the Cloud Access Service with an Embedded Identity Router article.

Note: In step 1, regenerate the Registration Code from the existing IDR record. You do not need to create a new identity router record.

  1. Register the new IDR with the existing record in the Cloud Administration Console. Refer to steps 3 to 9 of Step 3: Deploy the Embedded Identity Router section in the Quick Setup - Connect RSA Authentication Manager to the Cloud Access Service with an Embedded Identity Router article.
  2. In the Cloud Administration Console, click Publish Changes.

After the migration, verify that the new IDR is working as expected by checking the status in the Cloud Administration Console. Refer to View Identity Router Status.

 

 

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:

ProductVersionEOPS DateExtended Support Level 1/Level 2
MFA Agent for Microsoft Windows
2.3October 2025No

Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.

  • New Integrations for ID Plus
    • Articulate Reach 360 (SAML)
    • Jamf Connect (OIDC)
  • Updated Integrations for ID Plus
    • ADP Federated SSO (SAML)
    • Microsoft GitHub (SAML)
    • Okta SSO (SAML)
    • SAP NetWeaver (SAML)

Fixed Issues

The following table lists the issues that are fixed for this release: 
 

Fixed IssueDescription
NGX-196053Scheduled SFTP backups fail because the Password field is overwritten with the "Number of Backups to Keep for Selected Cluster" value after publishing the configuration.
NGX-194848Fulfillment failed due to invalid "Content-Type" Header in Articulate Reach 360 SCIM Integration. 
NGX-193935Administrators attempted to sign in to their respective tenants but encountered the error message: "Authentication failed. No more than three (3) active sessions per Admin are allowed."
NGX-193309FIDO authentication was not available as a step-up method during My Page login. 

June 2025 - Cloud Authentication Service

Cloud Authentication Service Updates

The following subsections outline the new and enhanced features of the Cloud Authentication Service (CAS).

Emergency Access Codes Now Support One-Time Use

Emergency Access Code (EAC) functionality is now enhanced with support for single-use expiration. This improvement reduces exposure and helps minimize the risk of unauthorized access during critical support scenarios. With the new setting, EACs expire immediately after a single use, an upgrade from the previous minimum expiration period of one day. Help Desk Administrators can configure one-time use EACs in the Cloud Administration Console under Users > Management, while Super Administrators can define the default tenant wide behavior via Company Settings > Sessions & Authentication > Emergency Access Codes.

 

Enhanced Control: Restrict RSA Authenticator App Usage According to Operating System 

Administrators can now restrict the use of the RSA Authenticator app according to operating system, to help organization enforce internal compliance policies. This feature is available in the Cloud Administration Console under Access My Page My Authenticators Configuration.

 

Improved Access Visibility for Managers and Application Owners

Managers and Application Owners can now easily view their team members and the applications they have access to via the new My Users Access tab, located under My Page My Users Access. This enhancement improves transparency and simplifies access oversight, helping organizations ensure users have appropriate access levels while supporting stronger governance and compliance practices.

 

Improved Password Spray Attack Detection and Notification Visibility

Password Spray Attack detection now includes the tenant name and URL in email notifications sent to Client Administrators. Additionally, filtering has been enhanced to event code search in Cloud Administration Console > Users > User Event Monitor, making it easier to identify and investigate suspicious activity. These updates enhance visibility into potential threats, streamline incident response, and strengthen your organization’s ability to detect and mitigate password based attacks. Super Administrators can configure notification settings by navigating to Cloud Administration Console > My Account > Company Settings > Email Notifications > Anomaly Detection (Password Spraying).

 

 

Important Notice: Use of Company-Specific URLs Required

As a follow-up to the November 2024 Release Announcement, non-company-specific URLs will soon be removed. Please update the affected service URLs immediately. For more information, see transition guide here: Company-Specific Administrative URLs Update Instructions. Administrators must use their designated company-specific URLs for all access, including API interactions, AM configurations, SCIM configurations, or redirected URLs from identity providers (IdPs).The access through the non-company specific URL is not yet blocked. It will be blocked potentially resulting in a loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com )". To ensure uninterrupted access, administrators should promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as needed. If your Identity Router (IDR) software version is earlier than 12.22.0.0.32, you must upgrade your IDR to 12.22.0.0.32 or later to avoid any disruptions when non-company-specific URLs are deprecated.  

 

RSA Authentication Agents 8.0.x for IIS and Apache No Longer Available for Download

As announced in RSA Authentication Agent for Microsoft IIS and Apache EOPS advisory, RSA Authentication Agents 8.0.x for IIS and Apache are no longer available to download. Support for RSA Authentication Agents 8.0.x for IIS and Apache will continue till March 2026.

 

Coming Soon (July Release) 

The following section outlines the upcoming features planned for the July release. 

 

Upcoming Identity Router Update Requirement

  • IDRs running versions 12.21.x or 12.22.x (earlier than 12.22.0.0.32) are automatically upgraded. However, IDRs on versions prior to 12.21.x are excluded from this automatic upgrade, as they are no longer supported and require manual intervention.
  • For customers currently on version 12.21.x, this upgrade also includes an operating system update. Please refer to the Upgrade Guide for detailed steps and prerequisites.
  • The upcoming automatic upgrade for IDR follows a different process from standard upgrades. You will not have the option to reschedule or select an alternate upgrade date. To apply the update earlier than the scheduled rollout, you can manually upgrade the IDR at any time. Ensure upgrading the IDR at any time before July 12, 2025.

 

RSA Authenticator V4.6 for iOS and Android


Streamlined Credential Registration in RSA Authenticator App 

Users can now register both CAS credentials and passkeys (FIDO credentials) through a single, simplified action, reducing the number of steps required. This improves usability and accelerates secure onboarding.

Enhanced Mobile Lock Notifications in RSA Authenticator App 

When a critical threat is detected, users will now receive notifications containing detailed information about the threat. This empowers users to resolve certain issues independently and enables them to provide clearer, more actionable information when engaging with their IT Help Desk, improving response time and support efficiency. 

 

In-App Upgrade Notification in RSA Authenticator App 

Users will now receive an in-app notification when a newer version is available for download. This helps ensure users stay up to date with the latest features, performance improvements, and security updates.

 

Expanded Credential Support in RSA Authenticator App 

Users can now manage up to 30 RSA credentials, including both Authentication Manager (AM) and CAS credentials. This enhancement is designed for powered users who need access to multiple services, providing greater flexibility and convenience. The user interface has also been updated to simplify navigation and improve the management experience for a larger number of credentials, including passkeys. 

 

Expanded Passwordless Authentication Methods in RSA MFA Agent for Windows

The upcoming RSA MFA Agent for Windows v2.4, targeted for release in the July/August 2025 timeframe, introduces expanded support for passwordless authentication across both Local Active Directory and Microsoft Entra ID deployments. This includes: 

  • FIDO Security Key (now extended to Entra ID; previously supported only with Local AD)

  • Mobile Passkey, used with RSA Authenticator app v4.6 for iOS and Android (scheduled for July 2025 release)

  • QR Code Authentication

  • Biometric Notification

To enable these capabilities:

  • The CAS June release introduces three new authentications methods for administrators to configure:

    • QR Code (RSA Agent)

    • Device Biometrics (RSA Agent)

    • Mobile Passkey (RSA Agent)

  • The CAS July release will include Certificate Authority (CA) services to enable certificate-based passwordless authentication for Entra ID deployments.

Note: The two CAS features mentioned above will be seamlessly enabled before the CAS July release for ID Plus E2 and E3 subscriptions. Customers with ID Plus E1 subscriptions will require an add-on to enable these.


Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:
 

ProductVersionEOPS DateExtended Support Level 1/Level 2
RSA Authentication Manager8.7May 2025May 2026 / May 2027
MFA Agent for Microsoft Windows
2.2.1June 2025No
2.3October 2025No
Authentication Agent for Epic Hyperdrive1.xJune 2025No
RSA Authenticator for iOS and Android4.3June 2025No

 

Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.

  • New Integrations for ID Plus
    • CrowdStrike Falcon Identity Protection (REST)
    • Microsoft GitHub (SCIM)
    • WSO2 (SAML)
  • Updated Integrations for ID Plus
    • Omnissa Horizon Connection Server (RADIUS)
    • Omnissa UAG (RADIUS)

May 2025 - Cloud Authentication Service

Cloud Authentication Service Updates

The following subsections outline the new and enhanced features of the Cloud Authentication Service (CAS).

Improved Security for IDR and CAS Communication

Security has been enhanced for connections between Identity Routers (IDRs) and the Cloud Authentication Service (CAS). Through the Cloud Administration Console, a network zone can be assigned to a cluster, ensuring that only IDRs within a trusted configured network zone are allowed to pull configurations from CAS. This feature is accessible via the Cloud Administration Console > Platform > Clusters. To monitor communication status, administrators can view the connection state (Active or Blocked) under Platform > Identity Router.

Live Verification Enhancements

Help Desk Live Verification can now be accessed through an API, enabling seamless integration into your existing systems and workflows. This update allows administrators to trigger bi-directional authentication using any registered MFA authenticator directly through API calls without exposing any credentials during the verification process.

Note: The user interface now supports localization in 10 languages, offering a more flexible and accessible experience for end users.

 

Streamlined Passwordless Identity Verification

You can now confidently verify user identities without requiring passwords. The user enrollment and credential recovery experience has been simplified and enhanced with new passwordless verification options on RSA My Page. This update delivers stronger security, reduced user friction, and a smoother overall experience. The new workflow supports both environments with or without an identity verification system. To access this feature, navigate to Access > Policies > My Page Enrollment / Recovery > Rule Sets > Identity Verification in the Cloud Administration Console.

 

Improved FIDO Authenticator Support for Custom Domains in CAS

Authentication requests from Microsoft Entra to CAS via external authentication method now fully support all types of FIDO authenticators registered to custom domains. This enhancement ensures a smoother, more secure login experience for your users. 

Note: This functionality is not currently supported in Firefox, as the browser does not support FIDO's Related Origin Request (ROR) feature.

 

Coming Soon: Support for Agent Passwordless Authentication Methods in Policy Configuration (July) 

We’ve introduced new authentication method options within the Primary Authentication policy configuration to support upcoming agent-based passwordless authentication methods and help organizations proactively align with modern authentication strategies. Administrators can now preconfigure these methods by navigating to Cloud Administration Console > Access Policies Add a Policy > Primary Authentication. While these options are now visible in the policy setup, they will only take effect once the corresponding agents are updated to support them and the required licensing is in place.

 

RSA Authenticator App Updates

Stay Secure: Mandatory RSA Authenticator App Upgrade by October 2025

To ensure users continue enjoying a secure and seamless login experience, all RSA mobile application users must upgrade to the latest version of the RSA Authenticator app for iOS and Android by October 2025. Starting with the CAS October 2025 release, all versions of the RSA Authenticate app for iOS and Android and versions of RSA Authenticator apps for iOS and Android  prior to V4.5 will no longer support modern multi-factor authentication (MFA) methods, such as push notifications. To make this transition easier, users of these apps will begin receiving  clear upgrade notifications via the web interface following a successful authentication through CAS. For more details, see Time is Running Out – Users Must Migrate from the Legacy RSA Authenticate App. Check the following screenshots of the upgrade notices for both app types. 

 

 

Important Notice: Use of Company-Specific URLs Required

As a follow-up to the November 2024 Release Announcement, non-company-specific URLs will soon be removed. Please update the affected service URLs immediately. For more information, see transition guide here: Company-Specific Administrative URLs Update Instructions. Administrators must use their designated company-specific URLs for all access, including API interactions, Authentication Manager (AM) configurations, SCIM configurations, or redirected URLs from identity providers (IdPs). Access via any other URLs, or those without a company subdomain, will be blocked, potentially resulting in a loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com). To ensure uninterrupted access, administrators should promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as needed. If your Identity Router (IDR) software version is earlier than 12.22.0.0.32, you must upgrade your IDR to 12.22.0.0.32 or later to avoid any disruptions when non-company-specific URLs are deprecated. 


Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:
 

ProductVersionEOPS DateExtended Support Level 1/Level 2
RSA Authentication Manager8.7May 2025May 2026 / May 2027
MFA Agent for Microsoft Windows2.2.1June 2025No
Authentication Agent for Epic Hyperdrive1.xJune 2025No
RSA Authenticator for iOS and Android4.3June 2025No

 

Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.

New Integrations for ID Plus

  • Cerby (SAML & SCIM)
  • Sophos XGS4500 Firewall (Radius)

Updated Integrations for ID Plus

  • CyberArk PVWA (SAML)
  • Fortra GoAnywhere MFT (SAML)
  • ID Dataweb (OIDC)
  • Microsoft ADFS (SAML)
  • Microsoft Sharepoint On-prem (SAML)

 

Fixed Issues

The following table lists the issue that is fixed for this release:
 

Fixed IssueDescription
NGX-184837Resources that relied on the Cloud Administration API to check an authentication method’s lock status displayed incorrect information in certain scenarios where methods were automatically unlocked. 

April 2025 - Cloud Authentication Service

Cloud Authentication Service Updates

The following subsections outline the new and enhanced features of the Cloud Authentication Service (CAS).

 

Deprecated the User Recording Connection Method in HTTP Federation Proxy Application

The User Recording connection method has been deprecated and is unavailable by default for HTTP Federation (HFED) Proxy applications. Customers who previously configured the HFED Proxy application using this connection method will experience no disruption and existing workflows will continue to function as expected. However, the User Recording connection method will no longer be available for the new application added using HFED Proxy (Cloud Administration Console > Applications Application Catalog Create From Template HTTP Federation Proxy Connection Method tab).

 

Refined Design for Application Download on My Page

The "Installing Authenticator App" page on My Page has been revamped for better visual clarity and a more intuitive user experience.

 

 

Important Notice: Use of Company-Specific URLs Required

As a follow-up to the November 2024 Release Announcement, non-company-specific URLs will soon be removed. Please update the affected service URLs immediately. For more information, see transition guide here: Company-Specific Administrative URLs Update Instructions. Administrators must use their designated company-specific URLs for all access, including API interactions, Authentication Manager (AM) configurations, SCIM configurations, or redirected URLs from identity providers (IdPs). Access via any other URLs, or those without a company subdomain, will be blocked, potentially resulting in a loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com). To ensure uninterrupted access, administrators should promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as needed.

 

Coming Soon: Upgrade Seamlessly to the Latest RSA Authenticator App (May 2025 Release)

Users still relying on the legacy RSA Authenticate App (no longer supported) for web-based authentication will be presented with an on-screen notice guiding them to upgrade to the current RSA Authenticator App. This always-on notice provides users with clear instructions on how to transition to the supported app, improving security and providing them with access to more authentication methods.

 

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:
 

ProductVersionEOPS DateExtended Support Level 1/Level 2
RSA Authentication Manager8.7May 2025May 2026 / May 2027
MFA Agent for Microsoft Windows2.2.1June 2025No
Authentication Agent for Epic Hyperdrive1.xJune 2025No
RSA Authenticator for iOS and Android4.3June 2025No

 

Fixed Issues

The following table lists the issues that are fixed for this release:
 

Fixed IssueDescription
NGX-183758Email notifications for identity routers (IDRs) upgrade were sent incorrectly and prematurely due to flawed logic in determining when alerts should be triggered. 
NGX-180148File extension validation was not enforced during SID token file uploads, causing an unclear error message.
NGX-180082Connecting Authentication Manager to the Cloud Authentication Service wrongly triggered a publish Changes Pending status.

 

March 2025 - Cloud Authentication Service

Cloud Authentication Service Updates

The following subsections outline the new and enhanced features of the Cloud Authentication Service (CAS).

 

Enhanced Security for SCIM Clients and Authentication Manager (AM) Communication with CAS

We have expanded administrator capabilities for configuring communication between SCIM clients and CAS, as well as AM and CAS. This update enhances security by allowing administrators to control IP filtering for SCIM identity sources and all versions of AM. Administrators can now allow or deny specific IP addresses under Network Zones, improving access control and reducing security risks.

 

Secure RSA Authentication APIs Using OAuth 2.0

We extend OAuth 2.0 support to Authentication APIs, providing secure, token-based access to the Cloud Authentication APIs. It also allows fine-grained permission controls and configurable token validity, providing a more secure and flexible approach to managing API access. This integration enhances both security and flexibility, allowing administrators to manage access with detailed permissions. Administrators can now configure OAuth clients for accessing Authentication APIs in the Cloud Administration Console, under Platform API Access Management.  

 

Unified API Access Management for Improved Visibility

Administrators now have enhanced visibility into Administration and Authentication Legacy API Keys, along with OAuth clients, in a single, streamlined view. These can now be accessed under Platform > API Access Management (formerly API Key Management), simplifying management and control.

 

Custom Disclaimer Text for My Page Authentication Screens

Administrators can now tailor authentication experiences by adding custom disclaimer text for end users. This text will be displayed underneath the authentication screens. This update provides greater flexibility and customization, allowing organizations to display important legal or informational disclaimers directly within the authentication flow. Administrators can configure this setting in the Cloud Administration Console by navigating to Access My Page > Customization tab.

 

Identity Routers (IDRs) Now Supported on Microsoft Azure

RSA Identity Router (IDR) can now be deployed in the Microsoft Azure environment. This new capability extends our existing support for Amazon Web Services (AWS), VMware, Hyper-V and Authentication Manager embedded deployments, offering even greater flexibility and choice with seamless integration of IDRs into your Azure environment. Deploying IDR within your Azure environment helps drive efficiency and security in your digital transformation journey. In the Cloud Administration Console, administrators can download the virtual hardware disk (VHD) image for Azure by navigating to Platform > Identity Routers.

 

Secure User Verification for Help Desk Calls

Administrators can now verify user identities during live help desk calls using any registered multi-factor authentication (MFA) authenticator. This ensures a secure and seamless verification process without exposing sensitive credentials and prevents unauthorized access while maintaining a smooth user experience.  The feature is managed through the Live Verification Policy, which is available in the Cloud Administration Console under Policies.

 

Improved Access Policy Visibility

On Cloud Administration Console > Applications screen, administrators can now view the Access Policy Type, enabling more proactive management of cloud application policies. Additionally, we have expanded capabilities to enhance the user experience. When a policy is assigned, the Primary Authentication option under Policies is now grayed out. However, administrators can view a link showing where the policy is applied, making it easier to enable or disable as needed.

 

RSA Authentication Manager Releases Documentation Update

Currently, AM patches for AM and WebTier have separate Read-Me documents for each patch. To enhance accessibility and convenience for customers, a unified approach will be introduced, consolidating all patch-related information into a single Read-Me document. Starting with AM 8.8, patch releases will feature a comprehensive, updated Read-Me document covering all patches, WebTier updates, and hotfixes. This consolidated document will provide details on both new and previous updates, installation instructions, new features, and resolved issues, ensuring that all relevant information is available in one place.

 

Important Notice: Use of Company-Specific URLs Required

As a follow-up to the November announcement (RSA-Release-Notes-Cloud-Authentication-Service-and-RSA-Authenticators), non-company-specific URLs will soon be removed. Please update the affected service URLs immediately. For more information, see transition guide here: Company-Specific Administrative URLs Update Instructions. Administrators must use their designated company-specific URLs for all access, including API interactions, Authentication Manager (AM) configurations, SCIM configurations, or redirected URLs from identity providers (IDPs). Access via any other URLs, or those without a company subdomain, will be blocked, potentially resulting in a loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com). To ensure uninterrupted access, administrators should promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as needed.

 

Coming Soon: Upgrade Seamlessly to the Latest RSA Authenticator App (April 2025 Release)

Users still relying on the legacy RSA Authenticate App (no longer supported) for web-based authentication will be presented with an on-screen notice guiding them to upgrade to the current RSA Authenticator App. This always-on notice provides users with clear instructions on how to transition to the supported app, improving security and providing them with access to more authentication methods.

 

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:
 

ProductVersionEOPS DateExtended Support Level 1/Level 2
RSA Authentication Manager8.7May 2025May 2026 / May 2027
MFA Agent for Microsoft Windows2.2.1June 2025No
Authentication Agent for Epic Hyperdrive1.xJune 2025No
RSA Authenticator for iOS and Android4.3June 2025No

 

Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.

New Integrations for ID Plus

  • 15Five (SCIM)
  • Okta Agent (RADIUS)

Updated Integrations for ID Plus

  • F5 Big-IP APM (SAML)

 

Fixed Issues

The following table lists the issues that are fixed for this release:
 

Fixed IssueDescription
NGX-180395When manually synchronizing an identity source, the status remained stuck on Sync in Progress indefinitely.
NGX-180630Users with an apostrophe in their last name did not synchronize from AM to CAS.
NGX-178547When a customer enabled the Message-Authenticator attribute under RADIUS, the button appeared blue (indicating it was enabled), but the label incorrectly displayed Disabled.
NGX-182075SP-initiated requests with multiple authentication contexts failed when migrating a SAML 2.0 app from an on-prem IDR to CAS. 
NGX-175387Audit logs did not clearly capture instances where users attempted to authenticate with QR Code without a registered mobile device. 
NGX-177010The RADIUS authentication threshold was not strictly enforced in some cases. 

 

February 2025 - Cloud Authentication Service

Cloud Authentication Service Updates

The following subsections outline the new and enhanced features of the Cloud Authentication Service (CAS).

 

Enable/Disable Resynchronization of OTP Hardware Authenticators

In the Cloud Administration Console (Access My Page), administrators can now enable or disable resync of OTP authenticators. This feature allows users with out-of-sync OTP authenticators to resync their device with the Cloud Authentication Service particularly in cases where authentication fails due to clock drift (for example, from extreme temperatures) or when multiple consecutive OTPs are generated without use. Unauthenticated users who cannot sign into My Page can access a sync URL, enter the authenticator's serial number, and provide two consecutive OTPs to synchronize their device and regain access to their application.


Administration Event Monitor for Role Management

In the Cloud Administration Console, administrators can now track the creation, editing, and deletion of roles for the Fulfillment service through the Admin Event Monitor. The event description provides detailed information on the creation, editing, or deletion of roles.

 

Disable Anomaly Detection Email Notifications

Email notifications about suspicious authentication attempts, which help customers mitigate password spray attacks, were previously sent automatically to Super Administrators. Now, administrators can disable these notifications by clearing the new Anomaly Detection checkbox under Company Settings > Email Notifications in the Cloud Administration Console. This gives administrators the option to enable or disable these notifications as needed. 


New MFA Authentication Logs in the Cloud Administration Console

When multifactor authentication (MFA) occurs between the Authentication Manager and the Cloud Authentication Service, the Cloud Administration Console now provides new verbose logs in the User Event Monitor. These events track the initiation, success, and failure of MFA authentications through this hybrid deployment, offering administrators more detailed insights into the authentication process, including when MFA is initiated, successfully completed, or fails.

 

Local Groups Public API 

Local Groups Public API seamlessly integrate users from various identity sources (internal identity source, AD/LDAP, or SCIM), allowing them to be grouped together in a single group. Additionally, administrators can search for users and add them to groups either individually or bulk.

 

Important Notice: Use of Company-Specific URLs Required

Effective March 2025, access through non-company-specific URLs will be discontinued. Administrators need to utilize their designated company-specific URLs for all access, including API interactions, Authentication Manager (AM) configurations, SCIM configurations, or redirected URLs from identity providers (IDPs). Access via any other URLs or those lacking a company subdomain will be blocked, resulting in potential loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com). To ensure uninterrupted access, administrators need to promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as necessary.
If a SAML third-party Identity Provider (IdP) is set-up for logging into the Cloud Administration Console, it is essential to ensure that both the Sign-In URL and the Assertion Consumer Service (ACS) URL are configured to use the company-specific URLs on the IdP side. If they are not currently configured this way, please make the necessary updates. To find your company-specific Sign-In URL and ACS URL, go to My Account > Company Settings > Sessions and Authentications in the Cloud Administration Console.

 

Coming Soon: Migration Prompt for RSA Authenticate App Users (March 2025 Release)

As communicated in previous advisories, the RSA Authenticate app on iOS, Android, Windows, and macOS is no longer supported. Users of this app must upgrade to the RSA Authenticator app, which provides a migration path for existing credentials.
While many initial users of the RSA Authenticate app have seamlessly completed this upgrade, a significant number of users are still relying on the RSA Authenticate app for authentication. To drive migration, a new feature will be introduced in the March 2025 release, where users attempting to authenticate with the RSA Authenticate app will receive a prompt notifying them that the app is no longer supported and providing clear instructions for upgrading to the RSA Authenticator app.

Authenticate Migration Nudge.png 

 

Identity Router Update Schedule and Versions

Identity routers will be updated according to the following schedule. Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.
 

DateDescription

 

ANZ: 01/06/2025

EU/IN/JP: 01/06/2025

NA/ GOV: 01/06/2025

CA/SG: 01/06/2025

 

Updated identity router software is available to all customers.
Default: Saturday 02/15/2025 Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually.
Last: Saturday 03/08/2025

If you postponed the default date, this is the last day when updates can be performed.


The new identity router software versions are:
 

Identity Router Deployment Type  

Version
On-premises                                     12.22.0.0
Amazon Cloud   RSA_Identity_Router 12.22.0.0

 

 

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:
 

ProductVersionEOPS DateExtended Support Level 1/Level 2
RSA Authentication Manager8.7May 2025May 2026 / May 2027
MFA Agent for Microsoft Windows2.2.1June 2025No
Authentication Agent for Epic Hyperdrive1.xJune 2025No
Authenticator for iOS & Android4.3June 2025No

 

Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.

New Integrations for ID Plus

  •  Nutanix Prism Central
  • OpenText EnCase
  • Salesforce CRM as SCIM Server
  • SkyHigh Security (End User)

Updated Integrations for ID Plus

  • AWS including session tags
  • Citrix Cloud
  • Citrix Netscaler
  •  Fortinet FortiClient
  • Microsoft SharePoint (Online)
  •  PingFederate
  •  RSA G&L

 

Fixed Issues

The following table lists the issues that are fixed for this release:
 

Fixed IssueDescription
NGX-178316On Android devices, some users with RSA Authenticator app versions 4.2, 4.3, and 4.4 encountered error code 4013 when attempting to approve push notifications.
NGX-177668In the Cloud Administration Console, the Users Management page displayed the following message for users with US phone numbers using the '557' area code for SMS and Voice Tokencode methods:
"The phone number cannot be confirmed as valid. Try to obtain the correct information from the user. If the number was synchronized, have it corrected in the directory server."
NGX-176584Inconsistent Access Policy details were sometimes displayed on the Authentication tab of Relying Party configurations.

 

January 2025 - Cloud Authentication Service 

Cloud Authentication Service Updates

The following subsections outline the new and enhanced features of the Cloud Authentication Service (CAS).

 

Cloud Administration Console Notifications for Password Spray Attack Detection

In the Cloud Administration Console, on-screen notifications have been added to help administrators detect and respond more quickly to potential password spray attacks. These enhancements enable faster identification of suspicious authentication attempts, especially when the user ID does not match any known users, signaling possible malicious activity. Administrators can now more effectively assess and mitigate threats.

 

Secure My Page SSO Applications with Access Policy 2.0

Administrators are now required to assign only Access Policy 2.0 to My Page SSO applications, both when adding new applications and when editing existing ones. When adding a new My Page SSO application, the User Access tab will only display Access Policy 2.0 options. Additionally, when editing existing applications, administrators need to select 2.0 Access Policy for authentication, as 1.0 policies can no longer be edited.

When accessing an SSO application secured by a 2.0 access policy, users will no longer be prompted to authenticate with the My Page policy, only the 2.0 policy for that application. However, they will still need to complete the My Page policy when accessing the My Page Application Portal, launching Identity Router (IDR) SSO Portal applications, or visiting preexisting SSO applications protected by 1.0 policies.

These updates streamline access management by ensuring that all My Page SSO applications are protected by Access Policy 2.0, enhancing application security.


Note: Bookmark applications still use 1.0 policies.


Manage User Groups in the Cloud Administration Console

In the Cloud Administration Console (under Users Groups), administrators can now create and manage Local Groups. Local Groups seamlessly integrate users from various identity sources (internal identity source, AD/LDAP, or SCIM), allowing them to be grouped together in a single group. Additionally, administrators can search for users individually and add them to groups for bulk user additions.

 

Enhanced My Page Applications Access Management

In the Cloud Administration Console, administrators can now assign specific access levels based on individual user attributes for application provisioning. This feature offers enhanced flexibility, customization, and more granular access management. Within the Fulfillment tab, administrators can now assign role/group permissions based on the available user attributes. The Fulfillment service provisions the application with the assigned roles/groups, ensuring that users are granted the appropriate privileges based on their needs.


Secure RSA Cloud Administration APIs Using OAuth 2.0

The RSA Cloud Administration APIs now support the OAuth 2.0 authorization framework, providing secure, token-based access to the Administration APIs. This integration enhances both security and flexibility, allowing administrators to manage access with detailed permissions. In the Cloud Administration Console, under Platform > API Key Management, administrators can now configure Administration API clients. OAuth 2.0 supports client authentication before issuing access tokens. It also allows fine-grained permission controls and configurable token validity, providing a more secure and flexible approach to managing API access.


Secure Access to Audit Logs for All Customers

With the support of OAuth 2.0 and granular permissions, all customers can now securely access all system-level audit logs, regardless of their ID Plus plan. This update enhances control for administrators, ensuring compliance requirements are met while offering secure and flexible access to audit logs.

 

Look and Feel Updates for the Cloud Administration Console

RSA is gradually updating the design of the Cloud Administration Console (for example, the header) as part of its ongoing effort to enhance the user experience.


Arabic Now Supported on My Page and Authentication Workflows

Users can now access RSA-protected resources with Arabic language support, including My Page, authentication workflows, email templates, and My Page Help.


Roles History Link Now Available on My Page

In the Request details pane, the Roles History link is now available on My Page, allowing requestors and approvers to track all changes made to a role during the request process.

 

Upgrade Seamlessly to the Latest RSA Authenticator App

Users still relying on the legacy RSA Authenticate app (no longer supported) for web-based authentication will now be presented with an on-screen notice guiding them to upgrade to the current RSA Authenticator app. This always-on notice provides users with clear instructions on how to transition to the supported app, improving security and providing them with access to more authentication methods.

 

RSA Authenticator 4.5.2 for iOS and Android – Coming Soon 

Here’s an overview of the key updates in the upcoming RSA Authenticator 4.5.2 release:

  • Threat Detection for Android Rooted Devices: The RSA Authenticator app for Android now strengthens security by blocking usage on rooted devices, aligning with the protection available on the iOS version. With enhancements that extend beyond Google’s standard APIs, RSA is delivering a robust solution that ensures compliance, provides administrators with actionable insights, and minimizes the risk of false positives.
  • RSA Authenticator App Now Supports Arabic: The RSA Authenticator app for iOS and Android is now available in Arabic, featuring full content translation and a right-to-left design for an intuitive user experience. This update ensures seamless accessibility for Arabic-speaking users, reflecting RSA’s commitment to global usability. 

 

Important Notice: Use of Company-Specific URLs Required

Effective March 2025, access through non-company-specific URLs will be discontinued. Administrators need to utilize their designated company-specific URLs for all access, including API interactions, Authentication Manager (AM) configurations, SCIM configurations, and redirected URLs from identity providers (IDPs). Access via any other URLs or those lacking a company subdomain will be blocked, resulting in potential loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com). To ensure uninterrupted access, administrators need to promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as necessary.
If a SAML third-party Identity Provider (IdP) is set up for logging into the Cloud Administration Console, it is essential to ensure that both the Sign-In URL and the Assertion Consumer Service (ACS) URL are configured to use the company-specific URLs on the IdP side. If they are not currently configured this way, please make the necessary updates. To find your company-specific Sign-In URL and ACS URL, go to My Account > Company Settings > Sessions and Authentications in the Cloud Administration Console.

 

 

RSA MFA Agent Support for macOS Sequoia 15.2

We are pleased to announce that RSA has officially qualified RSA MFA Agent 1.4.2 support for macOS Sequoia 15.2. Customers can now safely upgrade their macOS machines to Sequoia 15.2 and continue to use RSA MFA Agent 1.4.2 for secure user authentication and login.

 

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:
 

ProductVersionEOPS DateExtended Support Level 1/Level 2
Authenticator for Windows6.1.3February 2025No
RSA Authentication Manager8.7May 2025May 2026 / May 2027
MFA Agent for Microsoft Windows2.2.1June 2025No
Authentication Agent for Epic Hyperdrive1.xJune 2025No
Authenticator for iOS & Android4.3June 2025No

 

Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.
  

New Integrations for ID Plus

  • Skyhigh Security
  • Skyhigh Security SWG
  • Zimperium zConsole

Updated Integrations for ID Plus

  • Check Point Gateway
  • Fortigate VPN
  • Microsoft NPS
  • OneLogin
  • SonicOS
  • Zoho ME ADSelfService Plus

 

Fixed Issues

The following table lists the issues that are fixed for this release:
 

Fixed IssueDescription

NGX-175733

A customer encountered an error message when attempting to run the 'All Users' report.

NGX-174744

After saving and editing a SAML application, the Include Certificate in Outgoing Assertion option remained unselected, even though it had been previously checked.

NGX-174547The Cloud Administration User Search API Version 1 returned an empty response when the search results were limited to a single page.
NGX-172870The admin-assisted enrollment email notification displayed the expiration date in UTC instead of showing the remaining time left. The email notification has now been updated to display the remaining time left, aligning with the self-service email notification format.

 

Known Issues

The following table lists the known issues in this release:
 

Known IssueDescription
NGX-176667

Problem: The Cloud Administration User Event Log API was implemented without the necessary validation for the maximum number of days a customer could retrieve in a single request.

Resolution: A maximum duration of 7 days for data retrieval will be enforced in an upcoming release. Affected customers may need to adjust their API usage now to avoid errors once the validation is implemented. 

NGX-177761

Problem: For a few customers, in the Cloud Administration Console (under Access Networks), "Access Policy Network Zones" and "IDR Network Zones" are incorrectly labeled as "Default Network Zone" and "IDR Network Zone," respectively. Additionally, the descriptions for both zones are missing.  

Resolution: This issue will be resolved for these customers in the upcoming February release.