June 2025 - Cloud Authentication Service

Cloud Authentication Service Updates

The following subsections outline the new and enhanced features of the Cloud Authentication Service (CAS).

Emergency Access Codes Now Support One-Time Use

Emergency Access Code (EAC) functionality is now enhanced with support for single-use expiration. This improvement reduces exposure and helps minimize the risk of unauthorized access during critical support scenarios. With the new setting, EACs expire immediately after a single use, an upgrade from the previous minimum expiration period of one day. Help Desk Administrators can configure one-time use EACs in the Cloud Administration Console under Users > Management, while Super Administrators can define the default tenant wide behavior via Company Settings > Sessions & Authentication > Emergency Access Codes.

Enhanced Control: Restrict RSA Authenticator App Usage According to Operating System 

Administrators can now restrict the use of the RSA Authenticator app according to operating system, to help organization enforce internal compliance policies. This feature is available in the Cloud Administration Console under Access > My Page > My Authenticators > Configuration.

Improved Access Visibility for Managers and Application Owners

Managers and Application Owners can now easily view their team members and the applications they have access to via the new My Users Access tab, located under My Page > My Users Access. This enhancement improves transparency and simplifies access oversight, helping organizations ensure users have appropriate access levels while supporting stronger governance and compliance practices.

Improved Password Spray Attack Detection and Notification Visibility

Password Spray Attack detection now includes the tenant name and URL in email notifications sent to Client Administrators. Additionally, filtering has been enhanced to event code search in Cloud Administration Console > Users > User Event Monitor, making it easier to identify and investigate suspicious activity. These updates enhance visibility into potential threats, streamline incident response, and strengthen your organization’s ability to detect and mitigate password based attacks. Super Administrators can configure notification settings by navigating to Cloud Administration Console > My Account > Company Settings > Email Notifications > Anomaly Detection (Password Spraying).

Important Notice: Use of Company-Specific URLs Required

As a follow-up to the November 2024 Release Announcement, non-company-specific URLs will soon be removed. Please update the affected service URLs immediately. For more information, see transition guide here: Company-Specific Administrative URLs Update Instructions. Administrators must use their designated company-specific URLs for all access, including API interactions, AM configurations, SCIM configurations, or redirected URLs from identity providers (IdPs).The access through the non-company specific URL is not yet blocked. It will be blocked potentially resulting in a loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com )". To ensure uninterrupted access, administrators should promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as needed. If your Identity Router (IDR) software version is earlier than 12.22.0.0.32, you must upgrade your IDR to 12.22.0.0.32 or later to avoid any disruptions when non-company-specific URLs are deprecated.  

RSA Authentication Agents 8.0.x for IIS and Apache No Longer Available for Download

Coming Soon (July Release) 

The following section outlines the upcoming features planned for the July release. 

Upcoming Identity Router Update Requirement

• IDRs running versions 12.21.x or 12.22.x (earlier than 12.22.0.0.32) are automatically upgraded. However, IDRs on versions prior to 12.21.x are excluded from this automatic upgrade, as they are no longer supported and require manual intervention.
• For customers currently on version 12.21.x, this upgrade also includes an operating system update. Please refer to the Upgrade Guide for detailed steps and prerequisites.
• The upcoming automatic upgrade for IDR follows a different process from standard upgrades. You will not have the option to reschedule or select an alternate upgrade date. To apply the update earlier than the scheduled rollout, you can manually upgrade the IDR at any time. Ensure upgrading the IDR at any time before July 12, 2025.

RSA Authenticator V4.6 for iOS and Android

Streamlined Credential Registration in RSA Authenticator App 

Users can now register both CAS credentials and passkeys (FIDO credentials) through a single, simplified action, reducing the number of steps required. This improves usability and accelerates secure onboarding.

Enhanced Mobile Lock Notifications in RSA Authenticator App 

When a critical threat is detected, users will now receive notifications containing detailed information about the threat. This empowers users to resolve certain issues independently and enables them to provide clearer, more actionable information when engaging with their IT Help Desk, improving response time and support efficiency. 

In-App Upgrade Notification in RSA Authenticator App 

Users will now receive an in-app notification when a newer version is available for download. This helps ensure users stay up to date with the latest features, performance improvements, and security updates.

Expanded Credential Support in RSA Authenticator App 

Users can now manage up to 30 RSA credentials, including both Authentication Manager (AM) and CAS credentials. This enhancement is designed for powered users who need access to multiple services, providing greater flexibility and convenience. The user interface has also been updated to simplify navigation and improve the management experience for a larger number of credentials, including passkeys. 

Expanded Passwordless Authentication Methods in RSA MFA Agent for Windows

The upcoming RSA MFA Agent for Windows v2.4, targeted for release in the July/August 2025 timeframe, introduces expanded support for passwordless authentication across both Local Active Directory and Microsoft Entra ID deployments. This includes: 

• FIDO Security Key (now extended to Entra ID; previously supported only with Local AD)

• Mobile Passkey, used with RSA Authenticator app v4.6 for iOS and Android (scheduled for July 2025 release)

• QR Code Authentication

• Biometric Notification

To enable these capabilities:

• The CAS June release introduces three new authentications methods for administrators to configure:

  • QR Code (RSA Agent)

  • Device Biometrics (RSA Agent)

  • Mobile Passkey (RSA Agent)

• The CAS July release will include Certificate Authority (CA) services to enable certificate-based passwordless authentication for Entra ID deployments.

Note: The two CAS features mentioned above will be seamlessly enabled before the CAS July release for ID Plus E2 and E3 subscriptions. Customers with ID Plus E1 subscriptions will require an add-on to enable these.

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:
 

Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.

• New Integrations for ID Plus
  • CrowdStrike Falcon Identity Protection (REST)
  • Microsoft GitHub (SCIM)
  • WSO2 (SAML)

• Updated Integrations for ID Plus
  • Omnissa Horizon Connection Server (RADIUS)
  • Omnissa UAG (RADIUS)

May 2025 - Cloud Authentication Service

Cloud Authentication Service Updates

The following subsections outline the new and enhanced features of the Cloud Authentication Service (CAS).

Improved Security for IDR and CAS Communication

Security has been enhanced for connections between Identity Routers (IDRs) and the Cloud Authentication Service (CAS). Through the Cloud Administration Console, a network zone can be assigned to a cluster, ensuring that only IDRs within a trusted configured network zone are allowed to pull configurations from CAS. This feature is accessible via the Cloud Administration Console > Platform > Clusters. To monitor communication status, administrators can view the connection state (Active or Blocked) under Platform > Identity Router.

Live Verification Enhancements

Help Desk Live Verification can now be accessed through an API, enabling seamless integration into your existing systems and workflows. This update allows administrators to trigger bi-directional authentication using any registered MFA authenticator directly through API calls without exposing any credentials during the verification process.

Note: The user interface now supports localization in 10 languages, offering a more flexible and accessible experience for end users.

Streamlined Passwordless Identity Verification

You can now confidently verify user identities without requiring passwords. The user enrollment and credential recovery experience has been simplified and enhanced with new passwordless verification options on RSA My Page. This update delivers stronger security, reduced user friction, and a smoother overall experience. The new workflow supports both environments with or without an identity verification system. To access this feature, navigate to Access > Policies > My Page Enrollment / Recovery > Rule Sets > Identity Verification in the Cloud Administration Console.

Improved FIDO Authenticator Support for Custom Domains in CAS

Authentication requests from Microsoft Entra to CAS via external authentication method now fully support all types of FIDO authenticators registered to custom domains. This enhancement ensures a smoother, more secure login experience for your users. 

Note: This functionality is not currently supported in Firefox, as the browser does not support FIDO's Related Origin Request (ROR) feature.

Coming Soon: Support for Agent Passwordless Authentication Methods in Policy Configuration (July) 

We’ve introduced new authentication method options within the Primary Authentication policy configuration to support upcoming agent-based passwordless authentication methods and help organizations proactively align with modern authentication strategies. Administrators can now preconfigure these methods by navigating to Cloud Administration Console > Access > Policies > Add a Policy > Primary Authentication. While these options are now visible in the policy setup, they will only take effect once the corresponding agents are updated to support them and the required licensing is in place.

RSA Authenticator App Updates

Stay Secure: Mandatory RSA Authenticator App Upgrade by October 2025

To ensure users continue enjoying a secure and seamless login experience, all RSA mobile application users must upgrade to the latest version of the RSA Authenticator app for iOS and Android by October 2025. Starting with the CAS October 2025 release, all versions of the RSA Authenticate app for iOS and Android and versions of RSA Authenticator apps for iOS and Android  prior to V4.5 will no longer support modern multi-factor authentication (MFA) methods, such as push notifications. To make this transition easier, users of these apps will begin receiving  clear upgrade notifications via the web interface following a successful authentication through CAS. For more details, see Time is Running Out – Users Must Migrate from the Legacy RSA Authenticate App. Check the following screenshots of the upgrade notices for both app types. 

Important Notice: Use of Company-Specific URLs Required

As a follow-up to the November 2024 Release Announcement, non-company-specific URLs will soon be removed. Please update the affected service URLs immediately. For more information, see transition guide here: Company-Specific Administrative URLs Update Instructions. Administrators must use their designated company-specific URLs for all access, including API interactions, Authentication Manager (AM) configurations, SCIM configurations, or redirected URLs from identity providers (IdPs). Access via any other URLs, or those without a company subdomain, will be blocked, potentially resulting in a loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com). To ensure uninterrupted access, administrators should promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as needed. If your Identity Router (IDR) software version is earlier than 12.22.0.0.32, you must upgrade your IDR to 12.22.0.0.32 or later to avoid any disruptions when non-company-specific URLs are deprecated. 

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:
 

Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.

New Integrations for ID Plus

• Cerby (SAML & SCIM)
• Sophos XGS4500 Firewall (Radius)

Updated Integrations for ID Plus

• CyberArk PVWA (SAML)
• Fortra GoAnywhere MFT (SAML)
• ID Dataweb (OIDC)
• Microsoft ADFS (SAML)
• Microsoft Sharepoint On-prem (SAML)

Fixed Issues

The following table lists the issue that is fixed for this release:
 

April 2025 - Cloud Authentication Service

Cloud Authentication Service Updates

The following subsections outline the new and enhanced features of the Cloud Authentication Service (CAS).

Deprecated the User Recording Connection Method in HTTP Federation Proxy Application

The User Recording connection method has been deprecated and is unavailable by default for HTTP Federation (HFED) Proxy applications. Customers who previously configured the HFED Proxy application using this connection method will experience no disruption and existing workflows will continue to function as expected. However, the User Recording connection method will no longer be available for the new application added using HFED Proxy (Cloud Administration Console > Applications > Application Catalog > Create From Template > HTTP Federation Proxy > Connection Method tab).

Refined Design for Application Download on My Page

The "Installing Authenticator App" page on My Page has been revamped for better visual clarity and a more intuitive user experience.

Important Notice: Use of Company-Specific URLs Required

As a follow-up to the November 2024 Release Announcement, non-company-specific URLs will soon be removed. Please update the affected service URLs immediately. For more information, see transition guide here: Company-Specific Administrative URLs Update Instructions. Administrators must use their designated company-specific URLs for all access, including API interactions, Authentication Manager (AM) configurations, SCIM configurations, or redirected URLs from identity providers (IdPs). Access via any other URLs, or those without a company subdomain, will be blocked, potentially resulting in a loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com). To ensure uninterrupted access, administrators should promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as needed.

Coming Soon: Upgrade Seamlessly to the Latest RSA Authenticator App (May 2025 Release)

Users still relying on the legacy RSA Authenticate App (no longer supported) for web-based authentication will be presented with an on-screen notice guiding them to upgrade to the current RSA Authenticator App. This always-on notice provides users with clear instructions on how to transition to the supported app, improving security and providing them with access to more authentication methods.

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:
 

Fixed Issues

The following table lists the issues that are fixed for this release:
 

March 2025 - Cloud Authentication Service

Cloud Authentication Service Updates

The following subsections outline the new and enhanced features of the Cloud Authentication Service (CAS).

Enhanced Security for SCIM Clients and Authentication Manager (AM) Communication with CAS

We have expanded administrator capabilities for configuring communication between SCIM clients and CAS, as well as AM and CAS. This update enhances security by allowing administrators to control IP filtering for SCIM identity sources and all versions of AM. Administrators can now allow or deny specific IP addresses under Network Zones, improving access control and reducing security risks.

Secure RSA Authentication APIs Using OAuth 2.0

We extend OAuth 2.0 support to Authentication APIs, providing secure, token-based access to the Cloud Authentication APIs. It also allows fine-grained permission controls and configurable token validity, providing a more secure and flexible approach to managing API access. This integration enhances both security and flexibility, allowing administrators to manage access with detailed permissions. Administrators can now configure OAuth clients for accessing Authentication APIs in the Cloud Administration Console, under Platform > API Access Management.  

Unified API Access Management for Improved Visibility

Administrators now have enhanced visibility into Administration and Authentication Legacy API Keys, along with OAuth clients, in a single, streamlined view. These can now be accessed under Platform > API Access Management (formerly API Key Management), simplifying management and control.

Custom Disclaimer Text for My Page Authentication Screens

Administrators can now tailor authentication experiences by adding custom disclaimer text for end users. This text will be displayed underneath the authentication screens. This update provides greater flexibility and customization, allowing organizations to display important legal or informational disclaimers directly within the authentication flow. Administrators can configure this setting in the Cloud Administration Console by navigating to Access > My Page > Customization tab.

Identity Routers (IDRs) Now Supported on Microsoft Azure

RSA Identity Router (IDR) can now be deployed in the Microsoft Azure environment. This new capability extends our existing support for Amazon Web Services (AWS), VMware, Hyper-V and Authentication Manager embedded deployments, offering even greater flexibility and choice with seamless integration of IDRs into your Azure environment. Deploying IDR within your Azure environment helps drive efficiency and security in your digital transformation journey. In the Cloud Administration Console, administrators can download the virtual hardware disk (VHD) image for Azure by navigating to Platform > Identity Routers.

Secure User Verification for Help Desk Calls

Administrators can now verify user identities during live help desk calls using any registered multi-factor authentication (MFA) authenticator. This ensures a secure and seamless verification process without exposing sensitive credentials and prevents unauthorized access while maintaining a smooth user experience.  The feature is managed through the Live Verification Policy, which is available in the Cloud Administration Console under Policies.

Improved Access Policy Visibility

On Cloud Administration Console > Applications screen, administrators can now view the Access Policy Type, enabling more proactive management of cloud application policies. Additionally, we have expanded capabilities to enhance the user experience. When a policy is assigned, the Primary Authentication option under Policies is now grayed out. However, administrators can view a link showing where the policy is applied, making it easier to enable or disable as needed.

RSA Authentication Manager Releases Documentation Update

Currently, AM patches for AM and WebTier have separate Read-Me documents for each patch. To enhance accessibility and convenience for customers, a unified approach will be introduced, consolidating all patch-related information into a single Read-Me document. Starting with AM 8.8, patch releases will feature a comprehensive, updated Read-Me document covering all patches, WebTier updates, and hotfixes. This consolidated document will provide details on both new and previous updates, installation instructions, new features, and resolved issues, ensuring that all relevant information is available in one place.

Important Notice: Use of Company-Specific URLs Required

As a follow-up to the November announcement (RSA-Release-Notes-Cloud-Authentication-Service-and-RSA-Authenticators), non-company-specific URLs will soon be removed. Please update the affected service URLs immediately. For more information, see transition guide here: Company-Specific Administrative URLs Update Instructions. Administrators must use their designated company-specific URLs for all access, including API interactions, Authentication Manager (AM) configurations, SCIM configurations, or redirected URLs from identity providers (IDPs). Access via any other URLs, or those without a company subdomain, will be blocked, potentially resulting in a loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com). To ensure uninterrupted access, administrators should promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as needed.

Coming Soon: Upgrade Seamlessly to the Latest RSA Authenticator App (April 2025 Release)

Users still relying on the legacy RSA Authenticate App (no longer supported) for web-based authentication will be presented with an on-screen notice guiding them to upgrade to the current RSA Authenticator App. This always-on notice provides users with clear instructions on how to transition to the supported app, improving security and providing them with access to more authentication methods.

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:
 

Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.

New Integrations for ID Plus

• 15Five (SCIM)
• Okta Agent (RADIUS)

Updated Integrations for ID Plus

• F5 Big-IP APM (SAML)

Fixed Issues

The following table lists the issues that are fixed for this release:
 

February 2025 - Cloud Authentication Service

Cloud Authentication Service Updates

The following subsections outline the new and enhanced features of the Cloud Authentication Service (CAS).

Enable/Disable Resynchronization of OTP Hardware Authenticators

In the Cloud Administration Console (Access > My Page), administrators can now enable or disable resync of OTP authenticators. This feature allows users with out-of-sync OTP authenticators to resync their device with the Cloud Authentication Service particularly in cases where authentication fails due to clock drift (for example, from extreme temperatures) or when multiple consecutive OTPs are generated without use. Unauthenticated users who cannot sign into My Page can access a sync URL, enter the authenticator's serial number, and provide two consecutive OTPs to synchronize their device and regain access to their application.

Administration Event Monitor for Role Management

In the Cloud Administration Console, administrators can now track the creation, editing, and deletion of roles for the Fulfillment service through the Admin Event Monitor. The event description provides detailed information on the creation, editing, or deletion of roles.

Disable Anomaly Detection Email Notifications

Email notifications about suspicious authentication attempts, which help customers mitigate password spray attacks, were previously sent automatically to Super Administrators. Now, administrators can disable these notifications by clearing the new Anomaly Detection checkbox under Company Settings > Email Notifications in the Cloud Administration Console. This gives administrators the option to enable or disable these notifications as needed. 

New MFA Authentication Logs in the Cloud Administration Console

When multifactor authentication (MFA) occurs between the Authentication Manager and the Cloud Authentication Service, the Cloud Administration Console now provides new verbose logs in the User Event Monitor. These events track the initiation, success, and failure of MFA authentications through this hybrid deployment, offering administrators more detailed insights into the authentication process, including when MFA is initiated, successfully completed, or fails.

Local Groups Public API 

Local Groups Public API seamlessly integrate users from various identity sources (internal identity source, AD/LDAP, or SCIM), allowing them to be grouped together in a single group. Additionally, administrators can search for users and add them to groups either individually or bulk.

Important Notice: Use of Company-Specific URLs Required

Effective March 2025, access through non-company-specific URLs will be discontinued. Administrators need to utilize their designated company-specific URLs for all access, including API interactions, Authentication Manager (AM) configurations, SCIM configurations, or redirected URLs from identity providers (IDPs). Access via any other URLs or those lacking a company subdomain will be blocked, resulting in potential loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com). To ensure uninterrupted access, administrators need to promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as necessary.
If a SAML third-party Identity Provider (IdP) is set-up for logging into the Cloud Administration Console, it is essential to ensure that both the Sign-In URL and the Assertion Consumer Service (ACS) URL are configured to use the company-specific URLs on the IdP side. If they are not currently configured this way, please make the necessary updates. To find your company-specific Sign-In URL and ACS URL, go to My Account > Company Settings > Sessions and Authentications in the Cloud Administration Console.

Coming Soon: Migration Prompt for RSA Authenticate App Users (March 2025 Release)

As communicated in previous advisories, the RSA Authenticate app on iOS, Android, Windows, and macOS is no longer supported. Users of this app must upgrade to the RSA Authenticator app, which provides a migration path for existing credentials.
While many initial users of the RSA Authenticate app have seamlessly completed this upgrade, a significant number of users are still relying on the RSA Authenticate app for authentication. To drive migration, a new feature will be introduced in the March 2025 release, where users attempting to authenticate with the RSA Authenticate app will receive a prompt notifying them that the app is no longer supported and providing clear instructions for upgrading to the RSA Authenticator app.

Identity Router Update Schedule and Versions

The new identity router software versions are:
 

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:
 

Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.

New Integrations for ID Plus

•  Nutanix Prism Central
• OpenText EnCase
• Salesforce CRM as SCIM Server
• SkyHigh Security (End User)

Updated Integrations for ID Plus

• AWS including session tags
• Citrix Cloud
• Citrix Netscaler
•  Fortinet FortiClient
• Microsoft SharePoint (Online)
•  PingFederate
•  RSA G&L

Fixed Issues

The following table lists the issues that are fixed for this release:
 

January 2025 - Cloud Authentication Service 

Cloud Authentication Service Updates

The following subsections outline the new and enhanced features of the Cloud Authentication Service (CAS).

Cloud Administration Console Notifications for Password Spray Attack Detection

In the Cloud Administration Console, on-screen notifications have been added to help administrators detect and respond more quickly to potential password spray attacks. These enhancements enable faster identification of suspicious authentication attempts, especially when the user ID does not match any known users, signaling possible malicious activity. Administrators can now more effectively assess and mitigate threats.

Secure My Page SSO Applications with Access Policy 2.0

Administrators are now required to assign only Access Policy 2.0 to My Page SSO applications, both when adding new applications and when editing existing ones. When adding a new My Page SSO application, the User Access tab will only display Access Policy 2.0 options. Additionally, when editing existing applications, administrators need to select 2.0 Access Policy for authentication, as 1.0 policies can no longer be edited.

When accessing an SSO application secured by a 2.0 access policy, users will no longer be prompted to authenticate with the My Page policy, only the 2.0 policy for that application. However, they will still need to complete the My Page policy when accessing the My Page Application Portal, launching Identity Router (IDR) SSO Portal applications, or visiting preexisting SSO applications protected by 1.0 policies.

These updates streamline access management by ensuring that all My Page SSO applications are protected by Access Policy 2.0, enhancing application security.

Note: Bookmark applications still use 1.0 policies.

Manage User Groups in the Cloud Administration Console

In the Cloud Administration Console (under Users > Groups), administrators can now create and manage Local Groups. Local Groups seamlessly integrate users from various identity sources (internal identity source, AD/LDAP, or SCIM), allowing them to be grouped together in a single group. Additionally, administrators can search for users individually and add them to groups for bulk user additions.

Enhanced My Page Applications Access Management

In the Cloud Administration Console, administrators can now assign specific access levels based on individual user attributes for application provisioning. This feature offers enhanced flexibility, customization, and more granular access management. Within the Fulfillment tab, administrators can now assign role/group permissions based on the available user attributes. The Fulfillment service provisions the application with the assigned roles/groups, ensuring that users are granted the appropriate privileges based on their needs.

Secure RSA Cloud Administration APIs Using OAuth 2.0

The RSA Cloud Administration APIs now support the OAuth 2.0 authorization framework, providing secure, token-based access to the Administration APIs. This integration enhances both security and flexibility, allowing administrators to manage access with detailed permissions. In the Cloud Administration Console, under Platform > API Key Management, administrators can now configure Administration API clients. OAuth 2.0 supports client authentication before issuing access tokens. It also allows fine-grained permission controls and configurable token validity, providing a more secure and flexible approach to managing API access.

Secure Access to Audit Logs for All Customers

With the support of OAuth 2.0 and granular permissions, all customers can now securely access all system-level audit logs, regardless of their ID Plus plan. This update enhances control for administrators, ensuring compliance requirements are met while offering secure and flexible access to audit logs.

Look and Feel Updates for the Cloud Administration Console

RSA is gradually updating the design of the Cloud Administration Console (for example, the header) as part of its ongoing effort to enhance the user experience.

Arabic Now Supported on My Page and Authentication Workflows

Users can now access RSA-protected resources with Arabic language support, including My Page, authentication workflows, email templates, and My Page Help.

Roles History Link Now Available on My Page

In the Request details pane, the Roles History link is now available on My Page, allowing requestors and approvers to track all changes made to a role during the request process.

Upgrade Seamlessly to the Latest RSA Authenticator App

Users still relying on the legacy RSA Authenticate app (no longer supported) for web-based authentication will now be presented with an on-screen notice guiding them to upgrade to the current RSA Authenticator app. This always-on notice provides users with clear instructions on how to transition to the supported app, improving security and providing them with access to more authentication methods.

RSA Authenticator 4.5.2 for iOS and Android – Coming Soon 

• Threat Detection for Android Rooted Devices: The RSA Authenticator app for Android now strengthens security by blocking usage on rooted devices, aligning with the protection available on the iOS version. With enhancements that extend beyond Google’s standard APIs, RSA is delivering a robust solution that ensures compliance, provides administrators with actionable insights, and minimizes the risk of false positives.
• RSA Authenticator App Now Supports Arabic: The RSA Authenticator app for iOS and Android is now available in Arabic, featuring full content translation and a right-to-left design for an intuitive user experience. This update ensures seamless accessibility for Arabic-speaking users, reflecting RSA’s commitment to global usability. 

Important Notice: Use of Company-Specific URLs Required

Effective March 2025, access through non-company-specific URLs will be discontinued. Administrators need to utilize their designated company-specific URLs for all access, including API interactions, Authentication Manager (AM) configurations, SCIM configurations, and redirected URLs from identity providers (IDPs). Access via any other URLs or those lacking a company subdomain will be blocked, resulting in potential loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com). To ensure uninterrupted access, administrators need to promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as necessary.
If a SAML third-party Identity Provider (IdP) is set up for logging into the Cloud Administration Console, it is essential to ensure that both the Sign-In URL and the Assertion Consumer Service (ACS) URL are configured to use the company-specific URLs on the IdP side. If they are not currently configured this way, please make the necessary updates. To find your company-specific Sign-In URL and ACS URL, go to My Account > Company Settings > Sessions and Authentications in the Cloud Administration Console.

RSA MFA Agent Support for macOS Sequoia 15.2

We are pleased to announce that RSA has officially qualified RSA MFA Agent 1.4.2 support for macOS Sequoia 15.2. Customers can now safely upgrade their macOS machines to Sequoia 15.2 and continue to use RSA MFA Agent 1.4.2 for secure user authentication and login.

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:
 

Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.
  

New Integrations for ID Plus

• Skyhigh Security
• Skyhigh Security SWG
• Zimperium zConsole

Updated Integrations for ID Plus

• Check Point Gateway
• Fortigate VPN
• Microsoft NPS
• OneLogin
• SonicOS
• Zoho ME ADSelfService Plus

Fixed Issues

The following table lists the issues that are fixed for this release:
 

Known Issues

The following table lists the known issues in this release:
 

January 2025 - Cloud Authentication Service 

Cloud Authentication Service Updates

The following subsections outline the new and enhanced features of the Cloud Authentication Service (CAS).

Cloud Administration Console Notifications for Password Spray Attack Detection

In the Cloud Administration Console, on-screen notifications have been added to help administrators detect and respond more quickly to potential password spray attacks. These enhancements enable faster identification of suspicious authentication attempts, especially when the user ID does not match any known users, signaling possible malicious activity. Administrators can now more effectively assess and mitigate threats.

Secure My Page SSO Applications with Access Policy 2.0

Administrators are now required to assign only Access Policy 2.0 to My Page SSO applications, both when adding new applications and when editing existing ones. When adding a new My Page SSO application, the User Access tab will only display Access Policy 2.0 options. Additionally, when editing existing applications, administrators need to select 2.0 Access Policy for authentication, as 1.0 policies can no longer be edited.

When accessing an SSO application secured by a 2.0 access policy, users will no longer be prompted to authenticate with the My Page policy, only the 2.0 policy for that application. However, they will still need to complete the My Page policy when accessing the My Page Application Portal, launching Identity Router (IDR) SSO Portal applications, or visiting preexisting SSO applications protected by 1.0 policies.

These updates streamline access management by ensuring that all My Page SSO applications are protected by Access Policy 2.0, enhancing application security.

Note: Bookmark applications still use 1.0 policies.

Manage User Groups in the Cloud Administration Console

In the Cloud Administration Console (under Users > Groups), administrators can now create and manage Local Groups. Local Groups seamlessly integrate users from various identity sources (internal identity source, AD/LDAP, or SCIM), allowing them to be grouped together in a single group. Additionally, administrators can search for users individually and add them to groups for bulk user additions.

Enhanced My Page Applications Access Management

In the Cloud Administration Console, administrators can now assign specific access levels based on individual user attributes for application provisioning. This feature offers enhanced flexibility, customization, and more granular access management. Within the Fulfillment tab, administrators can now assign role/group permissions based on the available user attributes. The Fulfillment service provisions the application with the assigned roles/groups, ensuring that users are granted the appropriate privileges based on their needs.

Secure RSA Cloud Administration APIs Using OAuth 2.0

The RSA Cloud Administration APIs now support the OAuth 2.0 authorization framework, providing secure, token-based access to the Administration APIs. This integration enhances both security and flexibility, allowing administrators to manage access with detailed permissions. In the Cloud Administration Console, under Platform > API Key Management, administrators can now configure Administration API clients. OAuth 2.0 supports client authentication before issuing access tokens. It also allows fine-grained permission controls and configurable token validity, providing a more secure and flexible approach to managing API access.

Secure Access to Audit Logs for All Customers

With the support of OAuth 2.0 and granular permissions, all customers can now securely access all system-level audit logs, regardless of their ID Plus plan. This update enhances control for administrators, ensuring compliance requirements are met while offering secure and flexible access to audit logs.

Look and Feel Updates for the Cloud Administration Console

RSA is gradually updating the design of the Cloud Administration Console (for example, the header) as part of its ongoing effort to enhance the user experience.

Arabic Now Supported on My Page and Authentication Workflows

Users can now access RSA-protected resources with Arabic language support, including My Page, authentication workflows, email templates, and My Page Help.

Roles History Link Now Available on My Page

In the Request details pane, the Roles History link is now available on My Page, allowing requestors and approvers to track all changes made to a role during the request process.

Upgrade Seamlessly to the Latest RSA Authenticator App

Users still relying on the legacy RSA Authenticate app (no longer supported) for web-based authentication will now be presented with an on-screen notice guiding them to upgrade to the current RSA Authenticator app. This always-on notice provides users with clear instructions on how to transition to the supported app, improving security and providing them with access to more authentication methods.

RSA Authenticator 4.5.2 for iOS and Android – Coming Soon 

• Threat Detection for Android Rooted Devices: The RSA Authenticator app for Android now strengthens security by blocking usage on rooted devices, aligning with the protection available on the iOS version. With enhancements that extend beyond Google’s standard APIs, RSA is delivering a robust solution that ensures compliance, provides administrators with actionable insights, and minimizes the risk of false positives.
• RSA Authenticator App Now Supports Arabic: The RSA Authenticator app for iOS and Android is now available in Arabic, featuring full content translation and a right-to-left design for an intuitive user experience. This update ensures seamless accessibility for Arabic-speaking users, reflecting RSA’s commitment to global usability. 

Important Notice: Use of Company-Specific URLs Required

Effective March 2025, access through non-company-specific URLs will be discontinued. Administrators need to utilize their designated company-specific URLs for all access, including API interactions, Authentication Manager (AM) configurations, SCIM configurations, and redirected URLs from identity providers (IDPs). Access via any other URLs or those lacking a company subdomain will be blocked, resulting in potential loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com). To ensure uninterrupted access, administrators need to promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as necessary.
If a SAML third-party Identity Provider (IdP) is set up for logging into the Cloud Administration Console, it is essential to ensure that both the Sign-In URL and the Assertion Consumer Service (ACS) URL are configured to use the company-specific URLs on the IdP side. If they are not currently configured this way, please make the necessary updates. To find your company-specific Sign-In URL and ACS URL, go to My Account > Company Settings > Sessions and Authentications in the Cloud Administration Console.

RSA MFA Agent Support for macOS Sequoia 15.2

We are pleased to announce that RSA has officially qualified RSA MFA Agent 1.4.2 support for macOS Sequoia 15.2. Customers can now safely upgrade their macOS machines to Sequoia 15.2 and continue to use RSA MFA Agent 1.4.2 for secure user authentication and login.

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:
 

Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.
  

New Integrations for ID Plus

• Skyhigh Security
• Skyhigh Security SWG
• Zimperium zConsole

Updated Integrations for ID Plus

• Check Point Gateway
• Fortigate VPN
• Microsoft NPS
• OneLogin
• SonicOS
• Zoho ME ADSelfService Plus

Fixed Issues

The following table lists the issues that are fixed for this release:
 

Known Issues

The following table lists the known issues in this release:
 

November 2024 - Cloud Authentication Service 

Cloud Authentication Service Updates

The following subsections outline the new and enhanced features of the Cloud Authentication Service (CAS).

Streamlined IP Address Management with Network Zones

Administrators can now create their own trusted and restricted IP lists. A network zone contains a range of IP addresses for trusted and restricted networks, strengthening security by controlling network traffic across CAS APIs, CAS Access Policies, and the Identity Router (IDR). These configurations are located on the page previously known as Trusted Networks, which has been renamed to Networks. This feature effectively helps protect against malicious activities, including password spraying.

 In the Cloud Administration Console, two pre-configured Network Zones are now available. The Access Policy Network Zones are used in access policies that define authentication conditions based on trusted networks. The IDR Network Zones consist of restricted networks that block unauthorized traffic directed to the IDR and are specifically utilized by the IDR. Additionally, administrators can now manage custom network zones for Authentication and Administration API Keys, ensuring that only trusted clients can access critical services.

RADIUS Client Code Matching Configuration

For  RADIUS clients that do not support challenge-response (required for code matching), administrators can now disable the Allow code matching option for specific customers. By default, the Allow code matching option is enabled, ensuring compatibility with clients that support push notification methods. However, for RADIUS clients that do not support challenge-response, disabling this option ensures they are limited to non-push authentication methods when Strict Code Matching is enforced.

iShield Key 2 OATH HOTP OTP Support Now Available

RSA is introducing the new RSA iShield Key Series, powered by Swissbit. Administrators can now upload RSA/Swissbit OATH OTP seeds through the Cloud Administration Console and select "RSA/Swissbit" as the manufacturer. Additionally, when a Swissbit iShield Key 2 is registered as an OATH HOTP OTP hardware authenticator in the Cloud Authentication Service, users can easily register the device via the My Page > My Authenticators section.

Strict Code Matching Enforcement in the Cloud Administration Console

Authentications may use an Authentication Agent or Authentication application that does not support Code Matching. In these cases, users could still use push notification methods even if code matching was enabled. A new setting, Strict Code Matching Enforcement, is now available to administrators. This option is disabled by default to avoid disrupting the current user authentication flow.

When the Strict Code Matching Enforcement option is enabled, users will only be able to use push notification methods if both the Authentication Agent and Authentication application used support the configured Code Matching method. If not, users will be prompted to use one of the other available authentication methods based on the configured policy.

Request Access to Applications and View Your Requests on My Page

Users can now request access to applications directly from My Page, either from the Application Catalog or from applications displayed on My Page that have not yet been provisioned.  Application requests can go through an approval process with options for no approval, manager approval, application owner approval, or both.  Once access is approved, users will be granted the necessary permissions. Additionally, users can view, track, and cancel their access requests as needed. Approvers can also view and manage pending action items directly from My Page. To enable users to request access, administrators can now activate the Fulfillment service in the Cloud Administration Console. Administrators can configure the approval process and set the fulfillment type (LDAP, SCIM, or Entra ID).

User Event Monitor Enhancements and Rate Limiting

To improve the efficiency of user event logging, rate limiting has been implemented to summarize certain user events when the activity exceeds a defined threshold. Rate limiting applies to "user not found" attempts. When the Cloud Authentication Service detects patterns where rate limiting is applied, administrators will receive an email notification alerting them to relevant events.

Important Notice: Use of Company-Specific URLs Required

Effective March 2025, access through non-company-specific URLs will be discontinued. Administrators need to utilize their designated company-specific URLs for all access, including API interactions, Authentication Manager (AM) configurations, SCIM configurations, and redirected URLs from identity providers (IDPs). Access via any other URLs or those lacking a company subdomain will be blocked, resulting in potential loss of functionality. For example, URLs such as https://access.securid.com or https://na2.access.securid.com  will no longer be valid. To ensure uninterrupted access, administrators need to promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as necessary.
If a SAML third-party Identity Provider (IdP) is set up for logging into the Cloud Administration Console, it is essential to ensure that both the Sign-In URL and the Assertion Consumer Service (ACS) URL are configured to use the company-specific URLs on the IdP side. If they are not currently configured this way, please make the necessary updates. To find your company-specific Sign-In URL and ACS URL, go to My Account > Company Settings > Sessions and Authentications in the Cloud Administration Console.

IDR SLES Upgrade (12.22.0)

• AES128-SHA
• AES128-SHA256
• AES256-SHA
• AES256-SHA256

RADIUS Authentication Rate Limiting for Failed Login Attempts

Rate limiting has been implemented for RADIUS authentication to address consecutive authentication failures.  This feature helps detect and prevent certain types of potential attacks by temporarily blocking further attempts once a failure threshold is exceeded. 

Identity Router Update Schedule and Versions

The new identity router software versions are:
 

RSA MFA Agent 9.0 for Microsoft IIS and RSA MFA Agent 9.0 for Apache Web Server – Coming Soon

The new RSA MFA Agent 9.0 for Microsoft IIS and RSA MFA Agent 9.0 for Apache Web Server now deliver all the benefits of RSA MFA Agents. New features include seamless CAS support, REST API integration, and support for a variety of MFA authentication methods, such as:

• Approve
• Biometrics
•  Authenticate OTP
• QR Code
• SecurID OTP
• SMS & Voice OTP
• Emergency Access Code

In addition, the new agents support load balancing, extended failover mechanisms, enhanced reporting capabilities, and multiple language support.
UI updates and third-party library upgrades are also included.
The RSA MFA Agent 9.0 for Microsoft IIS and RSA MFA Agent 9.0 for Apache Web Server will be available for download through the RSA ID Plus Downloads page.
Note: Primary support for RSA Authentication Agent 8.0.x for Web for IIS and Apache will end in March 2026.

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:
 

Fixed Issues

The following table lists the issues that are fixed for this release: