July 2019 - Cloud Authentication Service (Identity Router)
The July 2019 release includes the following features and benefits.
Identity Router Update Schedule and Versions
Identity routers will be updated according to the following schedule.
| Date | Description |
|---|---|
| July 27, 2019 | Updated identity router software is available to all customers. |
| September 7, 2019 | Default date when identity routers are scheduled to automatically update to the new version unless you postpone the update. |
| October 12, 2019 | If you postponed the default date, this is the last day when updates can be performed. |
The new identity router software versions are:
| Deployment Type | Version |
|---|---|
| On-premises | 2.7.0.0.5 |
| Amazon Cloud |
RSA_Identity_Router-2.7.0.0.5 |
My Page Improves Secure Registration for FIDO Tokens
Users can register FIDO Tokens in a more secure environment using RSA SecurID Access My Page. My Page allows you to protect FIDO registration with an access policy that you can align with your company’s existing policies. After you enable My Page registration for FIDO Tokens, the FIDO Token registration process that occurs during user authentication automatically becomes disabled. Users can also use My Page to delete their FIDO Tokens. For more information, see Device Registration.
Automatic Push Notifications for Users Who Access RADIUS-Based Applications
The user experience for accessing RADIUS-based applications has been improved. You can ensure that the Cloud Authentication Service always sends automatic push notifications for Approve or Device Biometrics when your deployment is configured as follows:
-
The RADIUS client is configured to apply an access policy for additional authentication without primary (for example, password) validation.
-
Approve or Device Biometrics is available in the access policy protecting the resource the user is attempting to access.
Previously, automatic push notifications were not available when only the access policy was applied for additional authentication without primary validation. For more information, see RADIUS for the Cloud Authentication Service Overview.
Identity Confidence Analytics Report for Troubleshooting User Authentication Issues
You can view up-to-date identity confidence analytics by generating a report in the Cloud Administration Console. The report, provided in a graphical, easy-to-read format, displays the number of times users attempted to access resources that are protected by access policies that contain the identity confidence attribute. The report can include all users in your company or only individual users within a specified timeframe. This report is particularly useful to Help Desk Administrators when they assist users who, for example, may have to authenticate at a high assurance level because their identity confidence scores are low. For more information, see Condition Attributes for Access Policies - Identity Confidence Analytics Report.
Identity Router Improvements
The following features require you to update your identity router software.
Identity Router Setup Made Easier
Identity router setup has been simplified for identity routers deployed in the VMware and Hyper-V environments. The proxy interface, which is not required for non-SSO deployments, is disabled by default in the Identity Router Setup Console. You can enable it as needed for SSO deployments.
Note: This enhancement affects only identity routers you deploy in the future. It does not affect identity routers already configured.
For more information, see Identity Router Network Interfaces and Default Ports.
Improved Status Indicators for Identity Routers
You can quickly identify potential problems that might occur when you set up and monitor identity routers using the improved status indicators in the Cloud Administration Console. The Platform > Identity Routers list page provides more details on the status of each identity router and its dependent services, including the status of clusters, memory usage, CPU usage, and cloud connectivity. For more information, see View Identity Router Status in the Cloud Administration Console.
Improved Proxy Management for Identity Routers
More flexible deployment options are available to you for identity routers. Identity routers now support transparent, explicit, and man-in-the-middle proxy configurations. The identity router informs you if a non-SecurID SSL proxy certificate is configured, and allows you to temporarily accept the certificate and proceed while you work with your network IT to whitelist the URL. For more information, see Connect the Identity Router to the Cloud Administration Console.
RSA SecurID Authentication API Enhancements
The RSA SecurID Authentication API contains new methodIDs for SMS and Voice Tokencodes to promote consistency with other authentication methods. For more information, see RSA SecurID Authentication API Developer's Guide.
Fixed Issues
| Fixed Issue | Description |
|---|---|
| NGX-33346 | If you have configured My Page to use a Cloud identity provider, users can now use the SAMAccountName attribute as the user ID when registering devices. |
| NGX-17148 |
If an IWA user attempted to access the application portal when IWA connector server was down, the user received a connection timeout error rather than a message indicating unsuccessful authentication. To mitigate this, you can provide high availability for IWA authentication by deploying more than one IWA Connector server behind the load balancer. This ensures that SAML IdP requests avoid a single point of failure. For more information, see Integrated Windows Authentication. |
| NGX-17276 | Previously, the Disabled option on the Basic Information page in the application configuration wizard did not disable applications that were configured to use SAML or HTTP Federation. This issue has been fixed. Beginning in July 2019, all applications that were previously configured as disabled will be unavailable to users and will not appear in the application portal and will not be available through deep linking. |
| NGX-29977 | You can now access the Cloud Administration Console using an email address containing a plus sign (+). Previously, this operation failed intermittently. |
| NGX-32525 | Documentation update clarifies when location is collected from users and administrators. |
| NGX-31946 | The Cloud Administration Console now displays the correct number of active user sessions. Previously, for some customers who used rich clients, the number of active sessions increased until the identity router was restarted. |
| NGX-31068 |
The publish status is displayed correctly in the Cloud Administration Console after you add and associate a profile for the RADIUS client. Previously, the status was Changes Pending even when no changes were pending. |
| NGX-30235 |
RADIUS profiles now allow multi-valued LDAP attributes to be mapped to the "Class" attribute. Each value of the multi-valued LDAP attribute will create a separate "Class" RADIUS attribute. |
July 8, 2019 - SecurID Authenticate for Android App
RSA SecurID Authenticate 3.0 for Android contains the following updates:
-
To increase usability, users receive device registration or deletion confirmation emails in the language of the users’ registered devices.
-
To reduce administrative effort and increase usability, if a user’s email address changes in the identity source, the Authenticate apps continue to work seamlessly. Users no longer need to re-register their devices.
-
Bug fixes.
After Android users update to this app version, the first time that they receive a notification, they must tap the notification to open the app, wait for the app to complete the update process, and then complete the authentication (for example, by tapping Approve or using a fingerprint). Users must keep the app open during the update process, which can take up to a few minutes to complete. Subsequent actionable notifications work as expected.
This Android app version is only available to users running Android 6.0 or later. Android 5.0 users must update to 6.0 or later and then update to this app version.
June 2019 - Cloud Authentication Service
Extend Cloud Authentication Service Authentication Methods to Windows Computers with RSA MFA Agent for Microsoft Windows
RSA MFA Agent 1.1 for Microsoft Windows works with the Cloud Authentication Service to require users to provide additional authentication to sign into Windows computers, whether they are online or offline.
The main highlights include:
-
Convenient authentication using Approve or Authenticate OTP.
-
Authenticate with the same registered device for both online and offline Windows sign-in.
-
Support for policy-driven identity assurance with conditional trusted network and trusted location attributes.
For documentation and product download, see RSA MFA Agent for Microsoft Windows.
More Options for Customizing My Page
To improve the user experience, you can now customize My Page in the following ways:
-
Add your own company logo. For instructions, see Manage RSA SecurID Access My Page.
-
Create a single sign-on experience for My Page by adding your own Cloud Identity Provider. For instructions, see Add Cloud Identity Provider.
Clear the userParameters Attribute Checkbox in the Identity Source Configuration
If the userParameters attribute is selected for synchronization in your identity source configuration, RSA recommends that you clear the checkbox. Selecting this attribute occasionally prevents identity source synchronization.
Fixed Issues
| Issue | Description |
|---|---|
| NGX-24290 |
If a user locks his or her LDAP password, the User Management page for that user now shows a message indicating that the user's password is locked and what time it will unlock. |
| NGX-31821 | SecurID Authenticate 3.0.1 for iOS users no longer displays an incorrect error that the user already has a registered device. |
|
NGX-31158 | The top-level domain part of the protected domain name can now accept up to 33 characters. |
| NGX-29843 | When you add a RADIUS profile, you can now only map supported attributes. |
| NGX-29702 | The system now prevents an administrator from accidentally updating an identity router multiple times within a short period of time, which could cause the application portal sign-in to stop working. |
| NGX-29547 | The Cloud Administration Console and associated documentation were updated to clarify that when adding an application bookmark, you can allow all authenticated users to access the bookmark or select a policy that limits access to a subset of users. |
June 10, 2019 - SecurID Authenticate for iOS App
RSA SecurID Authenticate 3.0.2 for iOS resolves NGX-31886. With this fix, the Authenticate OTP will no longer display as zeroes for a small percentage of users who update to this app from version 2.2.
All Authenticate for iOS users should update to this version. This release requires iOS 11.
The small percentage of users who have updated to app version 3.0.1 and still experience this issue must do the following:
- Delete the device in My Page, or have an administrator delete the user's device in the Cloud Administration Console.
- Delete the Authenticate app on the mobile device.
- Install the Authenticate app from the App Store.
- Re-register the app with RSA SecurID Access.
May 29, 2019 - SecurID Authenticate for iOS App
RSA SecurID Authenticate 3.0.1 for iOS resolves the following issues:
- NGX-31260- Users who update to the latest app version now receive notifications for the Approve authentication method.
- NGX-31263- Users who update to the latest app version no longer need to re-register their devices with RSA Authenticator.
This version of the app requires iOS 11.
May 2019 - Cloud Authentication Service
SecurID Authenticate App Improvements Require Users to Update Before June 15, 2019
There are new versions for SecurID Authenticate for iOS, Android, and Windows, described below. To prevent issues with device registration and adding additional companies, users must update to these versions or higher before June 15, 2019.
-
SecurID Authenticate 3.0.3 for Windows contains bug fixes.
-
SecurID Authenticate 3.0 for iOS and Android contain the following updates:
-
To increase usability, users receive device registration or deletion confirmation emails in the language of the users’ registered devices.
-
To reduce administrative effort and increase usability, if a user’s email address changes in the identity source, the Authenticate apps continue to work seamlessly. Users no longer need to re-register their devices.
-
Bug fixes.
After Android users update to this app version, the first time that they receive a notification, they must tap the notification to open the app, wait for the app to complete the update process, and then complete the authentication (for example, by tapping Approve or using a fingerprint). Subsequent actionable notifications work as expected.
This Android app version is only available to users running Android 6.0 or later. Android 5.0 users must update to 6.0 or later and then update to this app version.
-
Improved Reporting of Users' Identity Confidence Scores Benefits Help Desk Administrators and Users
The User Event Monitor will report detailed information about users’ identity confidence scores. This information includes the user’s overall identity confidence score and tenant level confidence threshold, as well as the user's separate scores for device confidence, behavior confidence, and location confidence. Help Desk administrators can make use of this information when they assist users who are challenged for additional authentication factors or are unable to access protected resources. For more information, see Condition Attributes for Access Policies - Identity Confidence.
Fixed Issues
| Issue | Description |
|---|---|
| NGX-27407 |
Previously, if a user waited too long to complete additional authentication when accessing My Page, a User Session Expired message displayed, and the user had to cut and paste a URL to return to My Page. This problem has been fixed. Now, the user can provide additional authentication and then return to My Page by clicking a button, or the user will be automatically redirected to My Page after 20 seconds of inactivity. |
| NGX-26573 | Previously, generating a report listing all synchronized users took progressively longer over time. Performance has been significantly improved. |
|
NGX-16693 NGX-17168 | Previously, in the Cloud Administration Console, the dashboard incorrectly displayed the number of active sessions for identity routers. This problem has been fixed and the dashboard now displays the correct number of sessions. |
| NGX-20399 | Previously, if users' email addresses changed in identity sources, the users had to re-register their devices with the RSA SecurID Authenticate app. Email address changes are now handled seamlessly by the Authenticate app, and users do not need to re-register. |
April 2019 - Cloud Authentication Service
Send Emails to Users When They Register or Delete Devices
To help increase security, you can configure the Cloud Authentication Service to automatically send confirmation email to users in the following situations:
-
A user completes SecurID Authenticate device registration.
-
A user adds an additional company in the SecurID Authenticate app.
-
A user deletes a company in the SecurID Authenticate app.
-
A user deletes an SecurID Authenticate registered device.
You configure these options in My Account > Company Settings> Device Registration & Deletion Emails. For instructions, see Configure Device Registration and Deletion Emails.
Pagination for RADIUS Profiles in the Cloud Administration Console
Pagination now makes it easier to manage multiple RADIUS profiles. In the Cloud Administration Console, you can choose to display 10, 20, or 30 profiles associated with a client on the RADIUS Profiles page. Expand each profile to see details, dissociate, or delete the profile. Profiles disappear from the list when you dissociate or delete them. For instructions on configuring RADIUS profiles, see Configure a RADIUS Profile for the Cloud Authentication Service.
Fixed Issues
| Issue | Description |
|---|---|
| NGX-25560 | If you manage the RSA SecurID Authenticate for Android app with an Enterprise Mobility Management (EMM) solution, the Email Logs button now works in the app. |
| NGX-26628 |
Previously, a user who had repeatedly attempted to register the same device unsuccessfully might not be able to register the device at all. This problem has been fixed - the user can now register the device. |
| NGX-28022 | Documentation for creating a custom portal has been updated to include the missing information. |
|
NGX-28076 NGX-28338 |
User who previously could not be synchronized due to case change in attribute value can now be synchronized correctly. |
March 2019 - Cloud Authentication Service (Identity Router)
The March 2019 release includes the following features and bug fixes.
-
Identity Router Replication Improvements Require Simultaneous Updates for All Clusters
-
Just-in-Time Synchronization Automatically Enabled for New Customers Beginning March 2019
-
Identify High Risk Users and Restrict Access to Protected Resources
-
Control Cloud Access for Cloud Administration REST APIs Using Role Permissions
-
FIDO Token Authentication Method Available on Multiple Browsers
-
Emergency SSH and Debug Logging Helps You Resolve Identity Router Connectivity Issues
-
Reminder: Users Must Update Their SecurID Authenticate for Android Apps by March 31, 2019
-
Release Notes Archive - Cloud Authentication Service and Authenticators (July 2019 - February 2019)
Identity Router Update Versions and Schedule
The latest identity router software versions are:
| Deployment Type | Version |
|---|---|
| On-premises | 2.6.0.0.11 |
| Amazon Cloud |
RSA_Identity_Router-2.6.0.0.12 |
Identity routers will be updated to these versions according to the following schedule.
| Date | Description |
|---|---|
| March 23, 2019 | Updated identity router software is available to all customers. |
| May 25, 2019 | Default date when identity routers are scheduled to automatically update to the new version unless you postpone the update. |
| June 22, 2019 | If you postponed the default date, this is the last day when updates can be performed. |
Identity Router Replication Improvements Require Simultaneous Updates for All Clusters
has significantly improved the replication of critical data across identity routers for SSO Agent deployments. This critical data includes user profiles (keychains), user sessions, and cookies used for LDAP connections.
To take advantage of this new functionality, you must update all of your identity routers within a cluster at the same time and update all clusters at the same time. Perform simultaneous updates to avoid breaking inter- and intra-cluster keychain replication. After updates are complete, you will not be able to restore backup files created using the previous version. RSA recommends that you create backups immediately after performing the update.
Just-in-Time Synchronization Automatically Enabled for New Customers Beginning March 2019
Just-in-time synchronization is now automatically enabled for all customers who deploy the Cloud Authentication Service after the March 2019 release is available. Before March 2019, you needed to contact RSA Customer Support to enable this feature. Now Super Admins can enable it in the Cloud Administration Console on the My Account > Company Settings > Company Information tab without contacting Customer Support. If you are an existing customer and just-in-time synchronization was enabled prior to March 2019, it remains enabled until you choose to disable it.
Just-in-time synchronization ensures that the identity source in the Cloud Authentication Service is updated every time a user attempts to register a device using the SecurID Authenticate app or access a protected resource using additional authentication after the LDAP password is validated. When this feature is enabled, you never need to add user records through manual or scheduled synchronization. For more information, see Identity Sources for the Cloud Authentication Service.
Identify High Risk Users and Restrict Access to Protected Resources
You can control whether users who are identified as high risk can access protected resources or if these users must authenticate at a higher assurance level than other users. Users might be identified as high risk because their accounts have been compromised, or because a third-party security information and event management (SIEM) solution, such as RSA NetWitness, has found suspicious activity. Use the Add/Remove High Risk User API to identify high risk users within the Cloud Authentication Service. Access policies provide a new condition attribute, High Risk User List, so that you can configure authentication requirements for high risk users. You can also use the Retrieve High Risk User List API to retrieve a list of all users identified as high risk. For more information, see:
If your company deploys RSA NetWitness Respond Version 11.3 or later, use that product instead of the APIs to obtain the same benefits. For instructions, see NetWitness Respond Configuration Guide for Version 11.3.
Control Cloud Access for Cloud Administration REST APIs Using Role Permissions
You can ensure that each Administration API has permission to access appropriate information in the Cloud Authentication Service by assigning an administrative role to each API key. The API uses the key in the request. By default, all Administration API keys generated before March 2019 default to the Help Desk Administrator role. The new Add/Remove High Risk User API and Retrieve High Risk User List API require keys assigned to the Super Admin role. For more information, see Using the Cloud Administration REST APIs.
FIDO Token Authentication Method Available on Multiple Browsers
The FIDO Token authentication method is now available on more browsers (including mobile browsers) and supports the FIDO 2 authentication standard. For a list of supported browsers, see Cloud Authentication Service User Requirements.
Emergency SSH and Debug Logging Helps You Resolve Identity Router Connectivity Issues
If the identity router is unable to connect to the Cloud Authentication Service (for example, during setup), you can use the Identity Router Setup Console to enable these emergency troubleshooting features:
-
Secure Shell (SSH) to access the command line
-
Emergency debug logging
After troubleshooting is completed and the identity router is connected to the Cloud Authentication Service, you can disable these features and use the Cloud Administration Console for future troubleshooting. For more information, see Troubleshoot Identity Router Issues.
Support for Multiple RADIUS Profiles
You can create custom RADIUS profiles that specify an access policy rule set to identify which users can authenticate through the clients associated with the profile. Custom profiles increase flexibility because you can associate multiple profiles with a single client or the same profile with multiple clients. This feature allows you to implement strong, policy-based granular controls (for example, for Active Directory groups) for users and administrators who access RADIUS-based applications. For more information, see Configure a RADIUS Profile for the Cloud Authentication Service.
Enhanced Status Indicators for Identity Routers
Status indicators for the identity router have been improved and expanded, making it easier for you to troubleshoot problems with identity router services, as well as connectivity problems between identity routers and the Cloud Authentication Service. You can view detailed status information for each identity router in the Cloud Administration Console on the Platform > Identity Router page. For more information, see View Identity Router Status in the Cloud Administration Console.
Reminder: Users Must Update Their SecurID Authenticate for Android Apps by March 31, 2019
To align with the Google migration to Firebase Cloud Messaging (FCM), SecurID Authenticate 2.2.0 for Android now uses FCM for push notifications. Users must take action by updating to version 2.2.0 or higher of the app by March 31, 2019.
Fixed Issues
NGX-18781. Previously, after you modified cluster relationships and published the changes, all identity routers in the clusters were restarted and the publish operation did not complete. The restart no longer occurs and publishing completes as expected.
NGX-21183. When you use the Identity Router VM Console to update network settings or recommit changes, static routes that were configured in the Cloud Administration Console are no longer deleted from the identity router.
February 2019 - Cloud Authentication Service
The February 2019 release includes the following features and bug fixes.
Note: The current version of the identity router, v2.5.0.0.5, was not updated in this release.
Disaster Recovery Environment for the EMEA and AUS Regions
The disaster recovery environment for the Cloud Authentication Service is now available for the EMEA and AUS regions. When the Cloud Authentication Service environment becomes unavailable for any reason, your deployment automatically switches to the disaster recovery environment. RSA recommends that you test access to this environment before it is needed to ensure a smooth transition during unexpected downtime. For instructions, see Test Access to Disaster Recovery Environment.
On-Demand Access to Uptime Status of Cloud Services
You can now monitor the current and historical uptime of the Cloud Authentication Service and the Cloud Administration Console on a service status page. This page includes current service availability, recent uptime percentage, and historical uptime percentage. For more information, see Monitor Uptime Status for the Cloud Authentication Service.
Receive Frequent Updates on Cloud Authentication Service Availability with Health Check API
If you want to receive frequent updates on the Cloud Authentication Service availability, you can use the Health Check API to integrate with your application monitoring product. For more information, see Cloud Administration Health Check API.
Updated SecurID Authenticate Apps Simplify Device Registration with EMM Technology
SecurID Authenticate 2.3.0 for Android and SecurID Authenticate 2.2.0 for iOS now support simplifying device registration with Enterprise Mobility Management (EMM) technology that supports the AppConfig Community standards, such as VMWare AirWatch. With this functionality, you can help reduce the costs of device registration in your company by automatically downloading the app to users' devices and optionally configuring the Company ID and Email Address values. For more information, see Deploying the RSA SecurID Authenticate App in EMM Environment.
These app releases also contain bug fixes.
Users Must Update Their SecurID Authenticate for Android App by March 31, 2019
To align with the Google migration to Firebase Cloud Messaging (FCM), SecurID Authenticate 2.2.0 for Android uses FCM for push notifications. Users must take action by updating to version 2.2.0 or higher of the app by March 31, 2019.
Fixed Issues
NGX-21223. If you update the protected domain name after it has been initially configured on the My Account > Company Settings > Company Information page in the Cloud Administration Console, authentication no longer fails when users who access the RSA SecurID Access Application Portal attempt to open a Microsoft Office 365 application.
February 5, 2019 - SecurID Authenticate Apps
SecurID Authenticate 2.2.1 for Android resolves an issue with app instability on Samsung devices running Android 9 Pie. Samsung users should upgrade to this app version.
Return to Release Notes Archive - Cloud Authentication Service and Authenticators.
Related Articles
Release Notes Archive - Cloud Authentication Service and Authenticators (January 2019 - August 2017) Number of Views Release Notes Archive - Cloud Authentication Service and Authenticators (February 2020 - August 2019) Number of Views "java.lang.RuntimeException: java.lang.OutOfMemoryError: Java heap space" errors occur frequently in versions 6.x of RSA I… Number of Views Require the Security Console and Self-Service Console to Provide the Same Response for Valid and Invalid Usernames Number of Views Change a User's Password Number of Views
Trending Articles
Passwordless Authentication in Windows MFA Agent for Active Directory – Quick Setup Guide RSA Authentication Manager 8.9 Release Notes (January 2026) RSA Authentication Manager Upgrade Process RSA Authentication Manager 8.7 SP2 Setup and Configuration Guide An example of SSO using SAML and ADFS with RSA Identity Management and Governance 6.9.x
