March 2026 - Cloud Access Service
Cloud Access Service Updates
The following subsections outline the new and enhanced features of the Cloud Access Service (CAS).
Granular Control for FIDO Authenticators
You can now precisely define which FIDO authenticators can be used for registration and authentication by enabling or disabling them based on various parameters. To define the FIDO authenticators, navigate to Cloud Administration Console > Access > FIDO Authentication.
Note: FIDO inline registration and registration of new U2F authenticators are no longer supported. Previously registered U2F authenticators can continue to be used for step-up authentication.
OAuth JWT Support
OAuth JWT support is now available to enhance the security of external identity source SCIM client connections to CAS. SCIM access can now be secured using OAuth-based authentication instead of legacy API keys, providing stronger protection and improved control over integrations. To configure this feature, navigate to Cloud Administration Console > Platform > API Access Management. To apply the configuration to a SCIM identity source, navigate to Cloud Administration Console > Users > Identity Sources.
API Enhancement: Additional User Identifier Support
The Cloud Administration Retrieve Device Registration Code API, Cloud Administration User Details API, and Cloud Administration Authenticator Details API Version 1 now support the username input parameter to identify the user being managed. This enhancement provides greater flexibility when integrating with systems that use usernames as the primary user identifier.
Identity Router (IDR) Portal SSO Enhancements
SAML applications available from CAS legacy IDR SSO portal now include the following security and usability improvements:
- The maximum character length for IDR SAML application names increased from 100 to 200 characters to make applications easier to identify.
- The LDAP/AD user search filter configured in each identity source can now be globally enabled in the IDR portal to exclude users from authenticating. The portal does not attempt password authentication against the identity source, preventing password strikes that could lock user accounts.
- SAML application configuration now supports attribute filters, allowing control over which user attributes are sent to each application and helping prevent over-granting of access permissions. You can configure these attribute filters on the Fulfillment tab while adding a SAML Direct application. To access this option, navigate to Cloud Administration Console > Applications > Application Catalog.
Note: Ensure that all Identity Router versions are later than 12.24.0.0.16. If you cannot view these features, contact customer support.
Access Discovery on My Page
My Page is now enhanced with access discovery, providing managers and application owners with a complete view of access across all accounts, including those outside the standard Lifecycle Management process. This enhancement eliminates critical security blind spots, enables proactive risk mitigation, and ensures accountability for every entitlement, regardless of how it was provisioned. To view this enhancement, navigate to My Page > Access Control.
Third-Party Integrations from RSA Ready
The following integrations are completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.
- New Integrations for ID Plus
- CrowdStrike Falcon Next-Gen SIEM (Authentication Manager Logs)
- Microsoft Sentinel Connector
- Microsoft Sentinel using Logic App
- SilverFort Bridge (SAML)
- Updated Integrations for ID Plus
- BeyondTrust Password Safe (RADIUS)
- Palo Alto Captive Portal (SAML)
- Palo Alto Cloud Identity Engine (SAML)
- Palo Alto NGFW Global Protect (RADIUS, SAML)
- Workday (SAML)
Upcoming End of Primary Support (EOPS) Details
The following table provides details of the RSA products reaching the end of support within the next six months:
| Product | Version | EOPS Date | Extended Support Level 1/Level 2 |
|---|---|---|---|
| MFA Agent for Microsoft Windows | 2.3.1/ 2.3.2 | May 2026 | No |
| Authenticator for iOS & Android | 4.4 | June 2026 | No |
| RSA Authentication Manager | 8.7 SP1 | June 2026 | June 2027/ June 2028 |
Fixed Issues
The following table lists the fixed issues for this release:
| Fixed Issue | Description |
|---|---|
| NGX-219544 | My Page times out or returns a 403 Unauthorized error despite an active authenticated session. |
| NGX-216530 | ID Dataweb returns unexpected results for a specific ID Dataweb workflow. |
Known Issue
The following table lists the known issue in this release:
| Known Issue | Description |
|---|---|
| NGX-224338 | When creating a policy and adding a conditional rule using the Network Zone attribute, the disclaimer text referenced an incorrect IDR release version. Network Zone attribute support for WebPortal policy evaluation is available starting with IDR release 12.24.0.0.x. |
February 2026 - Cloud Access Service
Cloud Access Service Updates
The following subsections outline the new and enhanced features of the Cloud Access Service (CAS).
Expanded HOTP Hardware Authenticator Support
Support for HOTP hardware authenticators now includes devices seeded with SHA-256 or SHA-512, in addition to SHA-1. This enhancement increases compatibility with a wider range of authenticator models, including Thales SafeNet eToken PASS, SafeNet OTP 111, and SafeNet OTP 112. It also provides greater flexibility when selecting and deploying hardware authentication options while maintaining a secure, seamless sign-in experience.
RSA Cloud Access Service Now Supports FIDO Discoverable Credentials
Users no longer need to enter a user ID during authentication with FIDO2 discoverable credentials. This reduces the number of steps required and simplifies the overall sign-in experience, enabling faster, more intuitive, and more secure access to protected resources.
Improved Identity Router (IDR) Connectivity with MFA/ REST Agent
The TCP agent in IDR is replaced with an MFA/REST agent, moving to a standardized REST/MFA architecture. This transition simplifies support, logging, metrics, and troubleshooting, while making upgrades and agent replacement easier. Standardizing the communication protocol across components also improves consistency, resulting in a more reliable and maintainable deployment experience. To apply this update, navigate to the Cloud Administration Console > Platform > Authentication Manager, then click Configure Connection.
Note: This migration is available if you have an existing TCP connection and the Identity Router (IDR) is upgraded to 12.24.0.0.10.
Coming Soon - (March Release)
RSA MFA Agent for UNIX 9.1 (Formerly RSA MFA Agent for PAM)
The RSA MFA Agent for PAM is now renamed RSA MFA Agent for UNIX to align with the naming conventions used across other RSA agents, such as RSA MFA Agent for Windows and RSA MFA Agent for macOS. This update improves consistency across platforms, making it easier to identify, deploy, and manage RSA MFA agents in various operating system environments.
The RSA MFA Agent for UNIX 9.1 includes the following features (Linux OS only):
- A consistent, secure, and simplified passwordless sign-in experience using one-time passwords (OTP) and emergency access codes.
- Passwordless authentication using mobile passkeys and biometric push notifications through the RSA Authenticator app for iOS and Android, in combination with the RSA MFA Agent for UNIX.
- Support for TLS 1.3 when connecting to CAS, providing faster connections and stronger protection against modern security threats.
- Code matching mode support for both Approve and Biometric push notifications, enhancing the verification process and reducing the risk of unauthorized access.
RSA MFA Agent 2.5 for Windows
- Native offline QR code–based passwordless authentication will enable users to authenticate without network connectivity or OTP entry.
- This requires RSA Authenticator 4.7 for iOS and Android.
- Support for Passwordless authentication methods in Authentication Manager (AM)/CAS Hybrid mode.
- This requires RSA Authentication Manager 8.9.
- Configurable proximity check will strengthen passwordless authentication by adding an extra layer of security, ensuring access is granted only when the authenticator is activated near the device.
- This requires RSA Authenticator 4.7 for iOS and Android.
- The RSA MFA Agent for Windows now supports TLS 1.3 when communicating with RSA CAS or RSA Authentication Manager, enhancing overall security.
- Users can sign in securely without passwords by using one-time password (OTP) both online and offline, streamlining the authentication experience.
RSA Authenticator 4.7 for iOS and Android
- Redesigned notification experience providing users with more consistent and clearer presentation of information.
- Improved security by requiring biometric or device password authentication when registering new Cloud credentials.
- This only applies to Cloud credentials, not to AM-based credentials. For further details, see Coming Soon: RSA Authenticator 4.7 for iOS and Android.
- Proximity detection and offline QR code authentication support for passwordless methods with new versions of RSA Agents, such as RSA MFA Agent 2.5 for Windows.
- Location information in notifications.
Updates to FIDO and U2F Authentication Support
As part of the ongoing process to strengthen and simplify FIDO support, RSA is making the following changes:
- Users can no longer register new FIDO Universal 2nd Factor (U2F) authenticators. Existing U2F authenticators will continue to be supported for step-up authentication.
- U2F authenticators cannot be used for passwordless authentication.
- Online FIDO2 registration during login is no longer supported. FIDO2 Authenticators can now only be registered though My Page.
Upcoming End of Primary Support (EOPS) Details
The following table provides details of the RSA products reaching the end of support within the next six months:
| Product | Version | EOPS Date | Extended Support Level 1/Level 2 |
|---|---|---|---|
| Authentication Agent for Web for IIS / Apache | 8.0.x | March 2026 | No |
| MFA Agent for Microsoft Windows | 2.3.1/ 2.3.2 | May 2026 | No |
| Authenticator for iOS & Android | 4.4 | June 2026 | No |
| RSA Authentication Manager | 8.7 SP1 | June 2026 | June 2027/ June 2028 |
Fixed Issues
The following table lists the fixed issues for this release:
| Fixed Issue | Description |
|---|---|
| NGX-218208 | When accessing services from networks using Charter Communications public IP addresses, the customer encountered an authentication error, even though the Conditional Access in Rule Sets was configured correctly. |
| NGX-214221 | The Admin Users report displayed the role as Customer Super Administrator, which was inconsistent with the role name shown in the user interface (Super Administrator). |
| NGX-208730 | The Manager’s Email attribute was configured for users in the Unified Directory (UD); however, the Manager column in the All Users report remained blank. |
January 2026 - Cloud Access Service
Cloud Access Service Updates
The following subsections outline the new and enhanced features of the Cloud Access Service (CAS).
Support for Signing Both SAML Response and Assertion in CAS
CAS now supports signing both the entire SAML response and the assertion within the response, enabling integration with protected resources that require dual-signature SAML validation. To enable this capability for My Page SSO or a relying party application, add a new application or edit an existing application in the Cloud Administration Console. In the SAML Response Protection section, select IdP signs entire SAML response and assertion within response.
FIDO Registration API Transaction ID Support
The FIDO Registration API now includes a Transaction ID, which is also captured in the corresponding user audit events. This enhancement improves visibility and traceability of FIDO registration activities. To view the Transaction ID in user audit logs, go to Cloud Administration Console > Users > User Event Monitor.
Identity Router REST API Configuration Network Zone Enhancements
You can now configure the Identity Router REST API in CAS with updated network zone settings, giving you more flexibility, consistency, and future-ready policy and configuration management. To select a network zone, go to Cloud Administration Console > My Account > Administrators, click Add an Administrator, and select a Network Zone in the API Configuration section.
Network Zone Support in Policies
You can now configure policies using network zone, replacing the legacy Trusted Network attribute to provide enhanced security and greater control. This update streamlines policy management and future-proofs access controls by enabling seamless migration and deprecation of outdated attributes. To set the Network Zone attribute, go to the Cloud Administration Console, create a new policy or edit an existing one, and in the Rule Sets section, choose Network Zone attribute from the Authentication Condition list.
RADIUS Clients Report Now on RADIUS Page
The RADIUS Clients Report is now available on the RADIUS page, providing you with improved visibility into configured RADIUS clients and simplifying monitoring and management. To download the CSV report, go to Cloud Administration Console > Authentication Clients > RADIUS.
Identity Router (IDR) 12.24.0.0.10 Now Available
The IDR 12.24.0.0.10 release is now available. We recommend that all customers upgrade to this version.
Note: The Identity Router appliance runtime has been upgraded from Java 8 to Java 11 to align with current long-term support standards and enhance security.
Identity Router Update Schedule and Versions
Identity routers will be updated according to the following schedule. Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.
| Date | Description |
|---|---|
|
ANZ: February 2, 2026 CND/ SGP: February 3, 2026 EU/ JPN: February 4, 2026 US/ GOV/ IN: February 5, 2026 | Updated identity router software is available to all customers. |
| Default: Saturday, March 14, 2026 | Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually. |
| Last: Saturday, April 25, 2026 |
If you postponed the default date, this is the last day when updates can be performed. |
Coming Soon
RSA Authenticator 4.7 for iOS and Android (January-February)
- Redesigned notification experience providing users with more consistent and clearer presentation of information.
- Improved security by requiring biometric or device password authentication when registering new Cloud credentials.
- This only applies to Cloud credentials, not to Authentication Manager (AM)-based credentials. For further details, see : https://community.rsa.com/s/article/Coming-Soon-RSA-Authenticator-4-7-for-iOS-and-Android.
- FIPS 140-3 certified cryptographic modules
- Proximity detection and offline QR code authentication support for passwordless methods with forthcoming versions of RSA Agents.
RSA Authentication Manager V8.9 (January)
- Administrator SDK qualified with JDK 11 and JDK 17
- BSAFE 7 upgrade (FIPS 140-3 certified)
- RSA Agent passwordless authentication methods support when deployed in AM /CAS hybrid mode
RSA MFA Agent V2.1 for macOS (January)
- Passwordless authentication methods are supported in AM/CAS hybrid mode through the RSA MFA Agent for macOS, enabling seamless passwordless authentication across hybrid deployments.
- This requires RSA Authenticator V4.7 for iOS and Android.
- Support for FIDO2 security keys is now available.
- Users can now use FIDO2 security keys for passwordless authentication.
RSA MFA Agent V2.5 for Windows (February)
- Native offline QR code–based passwordless authentication will enable users to authenticate without network connectivity or OTP entry; this will require RSA Authenticator v4.7 for iOS and Android.
- Passwordless authentication methods will be supported in AM/CAS Hybrid Mode via the RSA MFA Agent for Windows, enabling seamless passwordless authentication across hybrid deployments.
- This will require RSA Authentication Manager 8.9.
- Configurable proximity checks will strengthen passwordless authentication by adding an extra layer of security, ensuring access is granted only when the authenticator is activated near the device.
- This will require RSA Authenticator v4.7 for iOS and Android.
Upcoming End of Primary Support (EOPS) Details
The following table provides details of the RSA products reaching the end of support within the next six months:
| Product | Version | EOPS Date | Extended Support Level 1/Level 2 |
|---|---|---|---|
| Authentication Agent for Web for IIS / Apache | 8.0.x | March 2026 | No |
| MFA Agent for Microsoft Windows | 2.3.1/ 2.3.2 | May 2026 | No |
| Authenticator for iOS & Android | 4.4 | June 2026 | No |
| RSA Authentication Manager | 8.7 SP1 | June 2026 | June 2027/ June 2028 |
Fixed Issue
The following table lists the fixed issue for this release:
| Fixed Issue | Description |
|---|---|
| NGX-214049 | The SMS Phone Number(s) and Voice Phone Number(s) fields were displayed as blank in the All Users report even though users had values configured for these fields. |
Known Issue
The following table lists the known issue in this release:
| Known Issue | Description |
|---|---|
| NGX-208730 | The Manager’s Email attribute was configured for users in the Unified Directory (UD); however, the Manager column in the All Users report remained blank. |
December 2025 - Cloud Access Service
Cloud Access Service Updates
The following subsections outline the new and enhanced features of the Cloud Access Service (CAS).
Improved Search in User Management
The User Management page in the Cloud Administration Console now includes enhanced search capabilities. You can search for users by first name, last name, or a combination of both, even when the user’s email address does not contain personally identifiable information (PII). You can also search using Mobile Lock ID for greater flexibility. These improvements provide a more efficient and accurate search experience, making it easier to find and manage user accounts across the system. To access the User Management page, go to Cloud Administration Console > Users > Management.
Enhanced User Interface for Bulk User Maintenance
The Bulk User Maintenance page now features a modern, more intuitive interface that provides a faster, more responsive, and consistent administrative experience.. This update streamlines navigation, improves usability, and ensures smoother interactions across all bulk user operations, enabling you to manage large user sets more efficiently and with greater confidence. To access the Bulk User Maintenance page, go to Cloud Administration Console > Users > Bulk User Maintenance.
Enhanced Role Management in My Page Access Control
The Access Control screen in My Page is enhanced to give application owners and managers greater control over role assignments. Application owners and managers can now use the Access Control tab in My Page to manage role assignments more effectively, enabling more efficient management of user access and ensuring that role assignments remain accurate and up to date. To access the Modify User Role screen, go to My Page > Access Control.
Governance & Lifecycle Connection to CAS
Governance & Lifecycle Connection to CAS is now available with an easy, wizard-based setup that streamlines configuration and enhances information sharing to strengthen your identity posture management. The Cloud Administration Console now includes a Governance & Lifecycle page under the Platform menu, providing the Registration Code and Registration URL to integrate with CAS.
New FIDO Management API Client Type
The API Client now includes a new FIDO Management API client type in the Client Type dropdown, enabling more flexible, service-driven authenticator enrollment workflows. The FIDO Management API assumes the caller has already validated the user, allowing you to register a user’s authenticator without requiring an active end-user session. This capability supports call-center and bulk issuance flows, automated enrollment processes, and help-desk–initiated actions. With this enhancement, you can trigger authenticator enrollments directly from your help desk or automation tools, streamline onboarding and recovery, and maintain user productivity during incidents or migrations. In the Cloud Administration Console, you can add the "FIDO Management API" client type via Platform > API Access Management > Add API Client.
Coming Soon - Deprecation of TCP Connection Between CAS and AM
RSA announces the upcoming deprecation of the TCP Agent connection between CAS and AM. If your environment is configured to connect to AM through Cloud Administration Console > Platform > Authentication Manager > Connection to Authentication Manager, you will need to update your configuration after the upcoming IDR release. This integration will transition to the Authentication Manager REST Agent, replacing the existing TCP Agent connection. At this time, no immediate action is required. Detailed instructions and timelines will be shared prior to the deprecation to guide you through the transition and ensure uninterrupted connectivity between CAS and AM.
Upcoming End of Primary Support (EOPS) Details
The following table provides details of the RSA products reaching the end of support within the next six months:
| Product | Version | EOPS Date | Extended Support Level 1/Level 2 |
|---|---|---|---|
| Authentication Agent for Web for IIS / Apache | 8.0.x | March 2026 | No |
| MFA Agent for Microsoft Windows | 2.3.1/ 2.3.2 | May 2026 | No |
| Authenticator for iOS & Android | 4.4 | June 2026 | No |
| RSA Authentication Manager | 8.7 SP1 | June 2026 | June 2027/ June 2028 |
Fixed Issue
The following table lists the fixed issue for this release:
| Fixed Issue | Description |
|---|---|
| NGX-210269 | The PIN + l label was displayed incorrectly on CAS Unified OTP authentication localized screens. |
Known Issue
The following table lists the known issue in this release:
| Known Issue | Description |
|---|---|
| NGX-211721 |
In some situations, the publish operation may only complete partially, or the Adapter Update Service may show an unhealthy status. As a workaround, performing a Force Publish on the customer side will resolve the issue. After initiating the Force Publish, the Adapter Update Service status should update automatically within about 15 minutes. This issue is expected to be resolved in the upcoming IDR release. |
| NGX-208730 | The Manager’s Email attribute was configured for users in the Unified Directory (UD); however, the Manager column in the All Users report remained blank. |
November 2025 - Cloud Access Service
Critical Notices
The following urgent notices relate to mandatory upgrades and important changes within the RSA environment. Immediate action is required to prevent potential service disruptions.
Use of Company-Specific URLs Required
As a follow-up to the November 2024 Release Announcement, non-company-specific URLs will soon be removed. Update the affected service URLs immediately. For more information, see the Company-Specific Administrative URLs Update Instructions. Administrators must use their designated company-specific URLs for all access, including API interactions, Authentication Manager (AM) configurations, SCIM configurations, or redirected URLs from identity providers (IdPs). Access through non-company specific URLs is not yet blocked, however, when it is blocked, it can potentially result in loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com ). To ensure uninterrupted access, administrators should promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as needed. If your Identity Router (IDR) software version is earlier than 12.22.0.0.32, you must upgrade your IDR to 12.22.0.0.32 or later to avoid any disruptions when non-company-specific URLs are deprecated.
Starting with the June release, a banner warning appears for 24 hours whenever a non-company-specific URL is used for the following:
- Logging in to the Cloud Administration Console via password or third-party IdP.
- Accessing the Cloud Administration REST APIs.
In addition, an audit event is logged once per day whenever a non-company-specific URL is used for third-party IdP login and Cloud Administration REST API. You can view this event from the Cloud Administration Console in Platform > Admin Event Viewer.
Identity Router (IDR) 12.23.0.0.11 Now Available
The IDR 12.23.0.0.11 release is now available. We recommend that all customers upgrade to this version.
This release includes the following updates:
-
Fixed an issue affecting the IDR SSH login feature, which is used by RSA Support for troubleshooting purposes.
Note: This issue did not impact the core functionality of the IDR.
-
Fixed multiple security vulnerabilities.
Customers can wait for the scheduled upgrade or choose to upgrade at their own discretion.
Identity Router Update Schedule
Identity routers will be updated according to the following schedule. Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.
| Date | Description |
|---|---|
|
EU/ ANZ/ JP/ CA/ GS: September 2, 2025 US/ FedRamp Gov/ IN: September 3, 2025 | Updated identity router software is available to all customers. |
| Default: Saturday, October 25, 2025 | Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually. |
| Last: Saturday, November 15, 2025 |
If you postponed the default date, this is the last day when updates can be performed. |
Coming Soon - Deprecation of TCP Connection Between Cloud Access Service (CAS) and AM
RSA announces the upcoming deprecation of the TCP Agent connection between CAS and AM. If your environment is configured to connect to AM through Cloud Administration Console > Platform > Authentication Manager > Connection to Authentication Manager, an update will be required after the upcoming IDR release. This integration will transition to the Authentication Manager REST Agent, replacing the existing TCP Agent connection. At this time, no immediate action is required. Detailed instructions and timelines will be shared prior to the deprecation to guide you through the transition and ensure uninterrupted connectivity between CAS and AM.
Cloud Access Service Updates
My Page UI Now Supports Arabic RTL
The My Page user interface has been enhanced to improve usability and accessibility for Arabic-speaking users. Arabic content now displays from right to left (RTL), ensuring a more natural and intuitive reading experience. This enhancement provides a localized interface aligned with Arabic language standards, resulting in a smoother and more consistent user experience.
Export Admin Users Report via Cloud Administration Console or API
You can now export a comprehensive report of all administrative users directly from the Cloud Administration Console or retrieve it programmatically through the REST API. This report includes Admin Names, Admin Emails, Role, Status, Created At, Updated At, and last Login Time. This enhancement enables organizations to prove access, validate least privilege, and maintain continuous compliance evidence without relying on screenshots or manual exports.
To download the CSV report, go to Cloud Administration Console > My Account > Administrators > Admin Users Reports. You can also download this report through Cloud Administration Console > Users > Reports > Admin Users.
Enhanced All Users Report
The All Users report is now enhanced to include the exact Last Successful Authentication Date and the Last Successful Authentication Method for every user. This update provides greater accuracy and visibility into user activity, helping you identify dormant accounts and maintain audit-ready reporting. To download the CSV report, go to Cloud Administration Console > Users > Reports > All Users.
Enhanced Visibility with New RADIUS Clients Report
The RADIUS Clients report is introduced in the Cloud Access Service to provide deeper visibility into RADIUS client configurations and authentication activity. This report enables you to audit, optimize, and troubleshoot RADIUS integrations by consolidating detailed client information, including IP Address, Type, Authentication Configuration, Last Modified Date, and additional data fields. This enhancement improves operational efficiency, strengthens compliance reporting, and simplifies authentication management across environments. To download the CSV report, go to Cloud Administration Console > Users > Reports > Radius Clients.
Enhanced Passkey Support Across Domains
The FIDO authentication is now enhanced by enabling multiple custom FIDO Relying Party (RP) IDs per account. A passkey registered on one approved domain can now be used to sign in across other authorized domains, delivering a seamless and secure multi-domain experience while preserving FIDO’s domain binding and privacy protections (FIDO Related Origins). To add one or more domains, go to Cloud Administration Console > Access > FIDO Authentication > FIDO Relying Party Domain(s).
Default Network Zone Configuration
A default option for network zones is now introduced, allowing you to designate any network zone as the default. The default network zone automatically applies to all APIs, AM, SCIM, and IDR configurations that either do not specify a network zone or rely on the default setting. You can change or select a different default network zone at any time, and updates will only affect configurations that use the default zone. You can now set any network zone as the default in the Cloud Administration Console.
Note: A System Default Zone is automatically created to allow all IP addresses. Once a network zone is set as the default, it cannot be deleted unless another network zone is designated as the default.
Third-Party Integrations from RSA Ready
The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.
- New Integrations for ID Plus
- Apple iOS Native VPN (RADIUS)
- BeyondTrust Password Safe (SAML)
- Broadcom Symantec PAM (SAML)
- FireMon Policy Manager (SAML)
- Updated Integrations for ID Plus
- AuthenTrend ATKey (FIDO)
- CyberArk PAM plug-in (AM)
- HPe Aruba ClearPass (RADIUS)
- Prove SMS Gateway (AM)
Upcoming End of Primary Support (EOPS) Details
The following table provides details of the RSA products reaching the end of support within the next six months:
| Product | Version | EOPS Date | Extended Support Level 1/Level 2 |
|---|---|---|---|
| Authentication Agent for Web for IIS / Apache | 8.0.x | March 2026 | No |
| MFA Agent for Microsoft Windows | 2.3.1/ 2.3.2 | May 2026 | No |
Fixed Issues
The following table lists the fixed issues for this release:
| Fixed Issue | Description |
|---|---|
| NGX-208421 | A customer reported that the Cloud Administration Console was showing Pending Changes, even though no events were listed under Pending Publish Changes. |
| NGX-207577 | The user name in the top-right corner of My Page was not displayed. |
| NGX-207527 | A customer reported that the separator line between the navigation pane and the main page was missing from the RTL version of the My Page user interface. |
| NGX-207211 | A customer reported that an incorrect PIN + label was displayed on CAS Unified OTP authentication screens. |
| NGX-209085 | Users whose usernames entered on the web-based authentication screens that contained spaces were unable to authenticate through CAS. |
Known Issue
The following table lists the known issue in this release:
| Known Issue | Description |
|---|---|
| NGX-211721 |
In some situations, the publish operation may only complete partially, or the Adapter Update Service may show an unhealthy status. As a workaround, performing a Force Publish on the customer side will resolve the issue. After initiating the Force Publish, the Adapter Update Service status should update automatically within about 15 minutes. This issue is expected to be resolved in the upcoming IDR release. |
October 2025 - Cloud Access Service
Critical Notices
The following urgent notices relate to mandatory upgrades and important changes within the RSA environment. Immediate action is required to prevent potential service disruptions.
Mandatory Upgrade Required by October 6, 2025
Following Google's decision to stop recognizing Entrust as a trusted Certificate Authority (CA), RSA must transition to an alternative CA beginning the week of October 06, 2025. To ensure continued functionality, you must update or upgrade the necessary on-premises RSA components prior to this date. Failure to complete the required updates may result in significant service disruptions.
For more information on upgrading components, please refer to the latest published advisory: REMINDER: 1 WEEK LEFT TO COMPLETE UPGRADE WHEN USING RSA CAS AND AVOID SERVICE DISRUPTION.
Use of Company-Specific URLs Required
As a follow-up to the November 2024 Release Announcement, non-company-specific URLs will soon be removed. Please update the affected service URLs immediately. For more information, see transition guide here: Company-Specific Administrative URLs Update Instructions. Administrators must use their designated company-specific URLs for all access, including API interactions, AM configurations, SCIM configurations, or redirected URLs from identity providers (IdPs). The access through the non-company specific URL is not yet blocked. It will be blocked potentially resulting in a loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com ). To ensure uninterrupted access, administrators should promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as needed. If your Identity Router (IDR) software version is earlier than 12.22.0.0.32, you must upgrade your IDR to 12.22.0.0.32 or later to avoid any disruptions when non-company-specific URLs are deprecated.
Starting with the June release, a banner warning appears for 24 hours whenever a non-company-specific URL is used for the following:
- Logging in to the Cloud Administration Console via password or third-party IdP.
- Accessing the Cloud Administration REST APIs.
In addition, an audit event is logged once per day whenever a non-company-specific URL is used for third-party IdP login and Cloud Administration REST API. You can view this event in the Cloud Administration Console > Platform > Admin Event Viewer.
Identity Router (IDR) 12.23.0.0.11 Now Available
The IDR 12.23.0.0.11 release is now available. We recommend that all customers upgrade to this version.
This release includes:
-
Fixed the issue affecting the IDR SSH login feature, which is used by RSA Support for troubleshooting purposes.
Note: This issue did not impact the core functionality of the Identity Router (IDR).
-
Fixed multiple security vulnerabilities.
Customers can wait for the scheduled upgrade or choose to upgrade on their own discretion.
Identity Router Update Schedule and Versions
Identity routers will be updated according to the following schedule. Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.
| Date | Description |
|---|---|
|
EU/ ANZ/ JP/ CA/ GS: September 2, 2025 US/ FedRamp Gov/ IN: September 3, 2025 | Updated identity router software is available to all customers. |
| Default: Saturday, October 25, 2025 | Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually. |
| Last: Saturday, November 15, 2025 |
If you postponed the default date, this is the last day when updates can be performed. |
Cloud Access Service Updates
Updated Subprocessor List
The list of subprocessors used by RSA has been updated to reflect the latest changes. For more information, see RSA Subprocessor Information.
New Column in Hardware OTP Credential Information Report: Last Successful Authentication
The Hardware OTP Credential Information report now includes a new column, Last Successful Authentication. This column shows the last time a hardware OTP credential is used for authentication. The update helps you track credential usage, strengthen security by identifying inactive credentials, and simplify audit readiness.
To generate the report, go to Users > Reports > Hardware OTP Credential Information > Generate.
New Controls for Online Emergency Access Code Duration Settings
Super Administrators can now manage Online Emergency Access Code duration settings at the account level. Super Administrators can allow administrators to override these settings or lock them to prevent changes. These controls give Super Administrators greater flexibility, strengthen security, and ensure consistent policy enforcement across your organization.
To configure this feature, go to Cloud Administration Console > My Account > Company Settings > Sessions & Authentication > Emergency Access Codes.
If Lock Online Emergency Access Code settings is disabled, administrators can manage online Emergency Access Code duration in the Cloud Administration Console > Users > Management > Emergency Access Code.
Enhanced Network Zone Configuration for Identity Router (IDR) Clusters
We have enhanced network zone management so you not only have the option to apply restricted networks from the IDR Network Zone across all IDRs, but you can also configure network zones for individual IDR clusters. This enhancement gives you more granular control, improves security, and provides greater flexibility so you can choose the approach that best fits your needs.
To access this feature, navigate to Cloud Administration Console > Platform > Clusters, then edit an existing cluster or add a new one, and go to the Network Zones section.
Upcoming End of Primary Support (EOPS) Details
The following table provides details of the RSA products reaching the end of support within the next six months:
| Product | Version | EOPS Date | Extended Support Level 1/Level 2 |
|---|---|---|---|
| MFA Agent for Microsoft Windows | 2.3 | October 2025 | No |
| Authentication Agent for Web for IIS / Apache | 8.0.x | March 2026 | No |
Fixed Issue
The following table lists the fixed issue for this release:
| Fixed Issue | Description |
|---|---|
| NGX-201226 |
Administrators encounter an error when resetting their Cloud Administration Console password.
|
September 2025 - Cloud Access Service
Critical Notices
The following urgent notices relate to mandatory upgrades and important changes within the RSA environment. Immediate action is required to prevent potential service disruptions.
Mandatory Upgrade Required by October 6, 2025
Following Google's decision to stop recognizing Entrust as a trusted Certificate Authority (CA), RSA must transition to an alternative CA beginning the week of October 06, 2025. To ensure continued functionality, you must update or upgrade the necessary on-premises RSA components prior to this date. Failure to complete the required updates may result in significant service disruptions.
For more information on upgrading components, please refer to the latest published advisory: 6 WEEKS LEFT TO COMPLETE UPGRADE WHEN USING RSA CAS AND AVOID SERVICE DISRUPTION.
Use of Company-Specific URLs Required
As a follow-up to the November 2024 Release Announcement, non-company-specific URLs will soon be removed. Please update the affected service URLs immediately. For more information, see transition guide here: Company-Specific Administrative URLs Update Instructions. Administrators must use their designated company-specific URLs for all access, including API interactions, AM configurations, SCIM configurations, or redirected URLs from identity providers (IdPs). The access through the non-company specific URL is not yet blocked. It will be blocked potentially resulting in a loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com ). To ensure uninterrupted access, administrators should promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as needed. If your Identity Router (IDR) software version is earlier than 12.22.0.0.32, you must upgrade your IDR to 12.22.0.0.32 or later to avoid any disruptions when non-company-specific URLs are deprecated.
Starting with the June release, a banner warning appears for 24 hours whenever a non-company-specific URL is used for the following:
- Logging in to the Cloud Administration Console via password or third-party IdP.
- Accessing the Cloud Administration REST APIs.
In addition, an audit event is logged once per day whenever a non-company-specific URL is used for third-party IdP login and Cloud Administration REST API. You can view this event in the Cloud Administration Console > Platform > Admin Event Viewer.
Cloud Access Service Updates
The following subsections outline the new and enhanced features of the Cloud Access Service (CAS).
New Export Capability for Event Monitors
You can now export event logs directly from the User Event Monitor, System Event Monitor, and Admin Event Monitor in the Cloud Administration Console. This enhancement allows you to generate structured CSV reports with just a few clicks, making it easier to analyze activity, support compliance efforts, and streamline audit reporting.
- For the Admin and System Event Monitor: navigate to Cloud Administration Console > Platform > Admin Event Monitor / System Event Monitor , then click Generate Report.
- For the User Event Monitor: navigate to Cloud Administration Console > Users >User Event Monitor , then click Generate Report.
Simplify User Deprovisioning with Lifecycle Management
You can now enable, disable, or delete user access to applications provisioned through the Cloud Administration Console, giving managers and application owners greater control over access governance. These actions are available in My Page > My Users Access, providing improved visibility and flexibility when managing user permissions. To activate these capabilities, ensure the "Delete Action" is enabled and that the appropriate access control settings are configured through Cloud Administration Console > Application Catalog > Fulfillment. The availability of enable/disable options may vary depending on the selected Fulfillment Configuration Type, and all access changes will be reflected accordingly on My Page.
Create and Update Local Users Through the Manage Local User API
You can now use the Manage Local User API to create and update users in the local identity store, enabling automation of user lifecycle management. This enhancement supports seamless integration with existing workflows and ensures that actions align with the Cloud Administration Console permissions. The API is secured with modern OAuth protection, ensuring secure and scalable access for administrative operations.
Enforce Managed Browser Access
You can now require users to access Microsoft Edge for Business resources only through managed browsers, ensuring that access is limited to trusted, compliant devices. By leveraging Microsoft Edge device signals, this feature verifies endpoint compliance before granting access to critical applications. This strengthens your Zero Trust security posture by combining identity verification with device trust without complexity. To access this feature, navigate to Cloud Administration Console > Access > Managed Browser. You can then use the "Managed Browser" attribute within an Access Policy to enforce browser-based access controls. To configure the connector, see
Configurable Periodic User Refresh for Inactive Accounts
You can now configure how often inactive accounts are refreshed from your on-prem directory (LDAP) in CAS. By default, up to 1,000 accounts unused in the past 30 days are refreshed daily. You can lower this threshold to as few as 7 days to better align with your security policies. To configure this feature go to Cloud Administration Console > Users > Bulk Maintenance.
Upcoming End of Primary Support (EOPS) Details
The following table provides details of the RSA products reaching the end of support within the next six months:
| Product | Version | EOPS Date | Extended Support Level 1/Level 2 |
|---|---|---|---|
| MFA Agent for Microsoft Windows | 2.3 | October 2025 | No |
Coming Soon
The following section outlines the upcoming features planned for the October release.
RSA MFA Agent for macOS 2.0 Expands Passwordless Authentication
RSA MFA Agent for macOS 2.0 introduces expanded support for passwordless primary authentication methods and enhanced resiliency features.
New passwordless authentication methods include:
- Mobile Passkey, using the RSA Authenticator app v4.6+ for iOS or Android (no Bluetooth required)
- QR Code Authentication
- Biometric Authentication
- Passwordless authentication methods are included with ID Plus E2 and E3 subscriptions and are available as an add-on for ID Plus E1 subscriptions.
Third-Party Integrations from RSA Ready
The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.
- New Integrations for ID Plus
-
- Articulate Reach (SCIM)
- HP Aruba ClearPass (SAML)
- Microsoft Edge for Business Browser (RSA Device Trust Connector)
- Rapid7 (SAML)
- Updated Integrations for ID Plus
-
- CyberArk PAM Vault (Radius)
- CyberArk PAM PVWA (Radius)
Fixed Issues
The following table lists the fixed issues for this release:
| Fixed Issue | Description |
|---|---|
| NGX-203216 | Creating a SAML Service Provider failed when both Access Provision Request was enabled and Sign SAML Request was selected. |
| NGX-201414 | CAS dashboard displayed -1 for the number of Cloud tokens due to a mismatch in calculations between active cloud users and hybrid users. |
August 2025 - Cloud Access Service
Critical Notices
The following urgent notices relate to mandatory upgrades and important changes within the RSA environment. Immediate action is required to prevent potential service disruptions.
Mandatory Upgrade Required by October 6, 2025
Following Google's decision to stop recognizing Entrust as a trusted Certificate Authority (CA), RSA must transition to an alternative CA beginning the week of October 06, 2025. To ensure continued functionality, you must update or upgrade the necessary on-premises RSA components prior to this date. Failure to complete the required updates may result in significant service disruptions.
Refer to the following advisories for details on upgrading the components:
Infinispan Upgrade in Identity Router (IDR) 12.23.0.0.X Requires Cluster-Wide Version Consistency
Note: This upgrade affects proxied applications on the IDR SSO Portal that store your credentials.
The upcoming Identity Router (IDR) 12.23.0.0.X release, as outlined in the Identity Router Update Schedule and Versions table, includes a critical Infinispan upgrade. During the upgrade process, if IDRs within a cluster are running different versions, they will continue to serve requests; however, keychain synchronization may be temporarily impacted. These functions will automatically resume once all IDRs in the cluster have been upgraded to the same version. Before performing an in-place upgrade, RSA strongly recommends creating a snapshot of the virtual machine for VMware and Hyper-V-based routers, or of the storage volume for AWS-based routers to ensure recovery options are available if needed.
Notes:
-
All IDRs in a cluster must run the same version to prevent replication disruptions.
-
If you plan to add a new IDR using the 12.23.0.0.X template while other IDRs in the cluster are still on 12.22.0.0.X, you must first upgrade all existing IDRs to version 12.23.0.0.X before introducing the new node.
-
Backup files created with earlier versions will not be restorable after upgrading to 12.23.0.0.X.
-
RSA strongly recommends creating new backups immediately after completing the upgrade.
-
Keychain replication does not apply to Embedded IDRs, as they do not support the IDR SSO Portal. Therefore, this update does not apply to AM Embedded IDRs.
-
Backups apply specifically to the HTTP Federation (Fed) application in the IDR SSO Portal.
This action is essential to maintain cluster stability, ensure successful replication, and avoid potential service issues.
Identity Router Update Schedule and Versions
Identity routers will be updated according to the following schedule. Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.
| Date | Description |
|---|---|
|
EU/ ANZ/ JP/ CA/ GS: September 2, 2025 US/ FedRamp Gov/ IN: September 3, 2025 | Updated identity router software is available to all customers. |
| Default: Saturday, October 25, 2025 | Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually. |
| Last: Saturday, November 15, 2025 |
If you postponed the default date, this is the last day when updates can be performed. |
Use of Company-Specific URLs Required
As a follow-up to the November 2024 Release Announcement, non-company-specific URLs will soon be removed. Please update the affected service URLs immediately. For more information, see transition guide here: Company-Specific Administrative URLs Update Instructions. Administrators must use their designated company-specific URLs for all access, including API interactions, AM configurations, SCIM configurations, or redirected URLs from identity providers (IdPs).The access through the non-company specific URL is not yet blocked. It will be blocked potentially resulting in a loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com ). To ensure uninterrupted access, administrators should promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as needed. If your Identity Router (IDR) software version is earlier than 12.22.0.0.32, you must upgrade your IDR to 12.22.0.0.32 or later to avoid any disruptions when non-company-specific URLs are deprecated.
Starting with the June release, a banner warning appears for 24 hours whenever a non-company-specific URL is used for the following:
- Log in to the Admin Console via password or third-party IDP.
- Access the Admin REST APIs.
In addition, an audit event is logged once per day whenever a non-company-specific URL is used for third-party IDP login and Admin API access. You can view this event in the Admin Event Viewer.
Cloud Access Service Updates
The following subsections outline the new and enhanced features of the Cloud Access Service (CAS).
Improved Support for SAML Certificate Rotation
You can now load up to two SAML signing certificates per application in CAS, ensuring seamless transitions when certificates expire. CAS automatically switches to the other certificate, maintaining secure and uninterrupted access for your applications. Managing certificates is now easier through the Cloud Administration Console, where you can view, import, and update them. This feature is available for both My Page SSO and Relying Party applications.
- To use this feature for an SSO application, navigate to Cloud Administration Console > Applications > Application Catalog / My Applications, select a SAML application, and on the Connection Profile page, upload certificate from the Message Protection section.
- To use this feature for a Relying Party application, navigate to Cloud Administration Console > Authentication Clients > Relying Parties, select an application, and on the Connection Profile page, upload certificate from the Message Protection section.
Copy SAML Metadata URL
You can now copy the SAML metadata URL directly from your configured applications, making it faster to share metadata with services that require a direct URL instead of uploading files. This enhancement simplifies your SAML setup process and saves time. This feature is available for both My Page SSO and Relying Party applications.
- To access this feature for an SSO application, go to Cloud Administration Console > Applications > My Applications, select a configured SAML SSO application, and from the dropdown, select Copy Metadata URL.
- To access this feature for a Relying Party application, navigate to Cloud Administration Console > Authentication Clients > Relying Parties, select a configured SAML Relying Party application, and from the dropdown, select Copy Metadata URL.
Coming Soon (This Month) - RSA Mobile SDK for iOS and Android
RSA Mobile SDK version 4.0.7 for iOS and version 4.0.3 for Android is scheduled for release by mid-August 2025. This is a minor update that includes the following enhancements:
-
Updated certificates (required for secure communication with CAS)
-
Enhanced Android SDK support for multiple binding methods, enabling organizations to deploy several custom applications with greater flexibility.
RSA SecurID Access Admin REST API 2.8.0 Now Available
RSA SecurID Access Admin REST API version 2.8.0 is now available with the updates on OAuth API access support. You can download the updated API package from the ID Plus Admin REST API Download page.
Upcoming End of Primary Support (EOPS) Details
The following table provides details of the RSA products reaching the end of support within the next six months:
| Product | Version | EOPS Date | Extended Support Level 1/Level 2 |
|---|---|---|---|
| MFA Agent for Microsoft Windows | 2.3 | October 2025 | No |
Fixed Issue
The following table lists the fixed issue for this release:
| Fixed Issue | Description |
|---|---|
| NGX-196186 | The "Country" attribute in a customer's access policy was occasionally evaluated incorrectly for end users connecting via the Starlink internet service provider. |
Related Articles
Release Notes Archive - Cloud Authentication Service and Authenticators (July 2025 - January 2025) 669Number of Views Release Notes Archive - Cloud Authentication Service and Authenticators (November 2023 - November 2022) 362Number of Views Release Notes Archive - Cloud Authentication Service and Authenticators (November 2024 - March 2024) 444Number of Views RSA November 2025 Release Announcements 54Number of Views RSA Release Notes: Cloud Access Service and RSA Authenticators 2.98KNumber of Views
Trending Articles
RSA Authentication Manager 8.9 Setup and Configuration Guide How to 'Trust' the RSA Authentication Manager Security Console Self-Signed Root CA certificate and prevent Cert warnings. RSA Authentication Manager 8.9 Release Notes (January 2026) Configure RSA Authentication Manager as a Secure Proxy Server for Cloud Access Service RSA Authentication Manager Upgrade Process