These release notes include product updates and bug fixes.
- June 2026 - Cloud Access Service
- May 2026 - Cloud Access Service
- April 2026 - Cloud Access Service
- March 2026 - Cloud Access Service
For additional information, see RSA Community for RSA product documentation.
For release notes before March 2026, see Release Notes Archive - Cloud Access Service and Authenticators.
June 2026 - Cloud Access Service
Cloud Access Service Updates
The following subsections outline the new and enhanced features of the Cloud Access Service (CAS).
Agent Inventory Report Accuracy Improvements
The Agent Inventory report has been enhanced to improve reporting accuracy in environments with pre-installed Windows MFA agents. Updated logic now recognizes systems that share the same software ID, ensuring more complete and accurate inventory visibility across deployments. This enhancement provides more reliable inventory data for improved operational visibility and reporting accuracy.
Migrated to a New Device Option for Credential Recovery
The Credential Recovery list now includes the Migrated to new device option. You can now accurately report Migrated to new device as the reason for Credential Recovery, making it easier for administrators to audit Credential Recovery usage related to device upgrades.
ID Verification Support for User Authentication
ID Verification methods are now supported for user authentication. This enhancement enables you to authenticate during primary authentication or step-up authentication, including Live Verify scenarios. This capability helps improve authentication flexibility and provides an additional verification option for users who can and cannot access their registered authenticator device. You can configure and view this feature while creating or editing a policy in the Primary Authentication section by navigating to the Cloud Administration Console > Access > Policies.
Note: This feature is available in private preview. To request access to this feature, contact your RSA account manager or customer support.
Simplified User Attribute Synchronization UI for Active Directory (AD) and LDAP Identity Sources
In the Cloud Administration Console, the following options are now enabled automatically:
- Identity Source > User Attributes tab> Synchronize the selected attributes with the Cloud Authentication Service (required for CAS to function)
- Identity Source > Synchronize User Attributes tab> Synchronize user attributes (these attributes are now controlled by the checkbox in the Policies column. )
Event Monitor Navigation Updates
Event Monitor pages are now consolidated under Users > Reports to simplify navigation and improve accessibility within the Cloud Administration Console.
The following navigation items are removed:
- Users > User Event Monitor
- Platform > Admin Event Monitor
- Platform > System Event Monitor
You can now access all three Event Monitors from Users > Reports.
Use of Company-Specific URLs Required
As a follow-up to the November 2024 Release Announcement, support for non-company-specific URLs will be permanently shut down on July 30, 2026. You must update all affected service URLs to use your designated company-specific URLs before this date. For more information, see the Company-Specific Administrative URLs Update Instructions and Permanent Shutdown of Non-Company-Specific URLs. You must use your designated company-specific URLs for all access, including API interactions, Authentication Manager (AM) configurations, SCIM configurations, or redirected URLs from identity providers (IdPs). Access through non-company specific URLs is not yet blocked; however, when it is blocked, it results in loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com).
To ensure uninterrupted access, you should promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as needed. If your Identity Router (IDR) software version is earlier than 12.22.0.0.32, you must Update Identity Router Software to the latest version to avoid any disruptions when non-company-specific URLs are permanently shut down.
Starting with the June 2025 release, a banner warning appears for 24 hours whenever a non-company-specific URL is used for the following:
- Logging in to the Cloud Administration Console via password or third-party IdP.
- Accessing the Cloud Administration REST APIs.
In addition, an audit event is logged once per day whenever a non-company-specific URL is used for third-party IdP login and Cloud Administration REST API. You can view this event from the Cloud Administration Console by navigating to Platform > Admin Event Viewer.
As part of the effort to permanently shut down non-company-specific URLs, the Software and Adapter Repository URLs used by IDRs will be updated to company-specific URLs starting with the June release. As a result, customers are advised to review their network configurations and ensure that the new URLs are whitelisted, if applicable.
Old URL format:
- Software Repo: https://public-apprepo-<tenantName>.<accessRegion>.securid.com
- Adapter Repo: https://public-connectorrepo-<tenantName>.<accessRegion>.securid.com
New URL format (Whitelisted):
- Software Repo: https://companyName.{baseAccessDNSName}.securid.com
- Adapter Repo: https://companyName.{baseAccessDNSName}.securid.com
GOV Deployment
Old URL format:
- Software Repo: https://public-apprepo-<tenantName>.<accessRegion>.securidgov.com
- Adapter Repo: https://public-connectorrepo-<tenantName>.<accessRegion>.securidgov.com
New URL format (Whitelisted):
- Software Repo: https://companyName.{baseAccessDNSName}.securidgov.com
- Adapter Repo: https://companyName.{baseAccessDNSName}.securidgov.com
A Status Monitor is already available to validate connectivity. If the status is healthy, no action will be required after the change.
You can verify this from the Cloud Administration Console by navigating to Platform > Identity Router and expanding the Identity Router section to view the status indicators. For more information, refer to this IDR Advisory.
Upcoming End of Primary Support (EOPS) Details
The following table provides details of the RSA products reaching the end of support within the next six months:
| Product | Version | EOPS Date | Extended Support Level 1/Level 2 |
|---|---|---|---|
| RSA Authentication Manager | 8.7 SP1 | June 2026 | June 2027/ June 2028 |
|
Authenticator for iOS & Android
|
4.4 |
June 2026 | |
|
4.5 |
October 2026 | ||
|
MFA Agent for Microsoft Windows |
2.3.3/ 2.3.4/ 2.3.5 |
December 2026 |
Fixed Issues
The following table lists the fixed issues for this release:
| Fixed Issue | Description |
|---|---|
| NGX-227053 | Fixed an issue where customers received a 403 response when attempting to save updates to an Identity Source. |
| NGX-228626 | Fixed an issue where DS100 FIDO registration failed in My Page. |
| NGX-228798 | Fixed an issue where incorrect encoding of the FreshestCRL extension in the provided CRL prevented Microsoft Entra ID from successfully validating agent certificates against the CRL. |
| NGX-228900 | Fixed an issue where a customer was unable to edit or modify attributes for local users. |
| NGX-229025 | Fixed an issue where customers received email notifications to upgrade Identity Routers (IDRs) even though their IDRs were already upgraded. |
| NGX-230207 | Fixed an issue where passwordless authentication failed on Entra-joined Windows 11 devices due to a certificate provisioning error. |
May 2026 - Cloud Access Service
Cloud Access Service Updates
The following subsections outline the new and enhanced features of the Cloud Access Service (CAS).
IP Address in User Event Monitor Logs
User Event Monitor logs now include the IP address for authentication events. In the User Event Monitor, REMOTE_IP is available in the authentication details for the following events:
- 20300 (error): Multifactor authentication failed to initiate.
- 20301 (notice): Multifactor authentication initiated.
Allow and Configure iShield Authenticators
You can allow or deny specific FIDO2 authenticators that users can register and use for authentication. Previously, iShield authenticators were always whitelisted and automatically allowed for authentication, and you could not manage it.
Swissbit iShield Key 2 is now available as a new authenticator option under Access > FIDO Authentication, where you can allow access and configure conditions.
Network Zone Replaces Trusted Network Attribute in Policies
As part of the condition attributes for access policies, the Trusted Network attribute is no longer available and has been replaced by the Network Zone attribute, which supports assigning one or more network zones. Your existing Trusted Network rules are now migrated to Network Zone attribute rules. Additionally, in the Cloud Administration Console, go to Access > Networks to manage Access Policy and IDR Network Zones. These network zones are no longer system defaults and can now be edited or deleted.
Use of Company-Specific URLs Required
As a follow-up to the November 2024 Release Announcement, non-company-specific URLs will soon be removed. You must update the affected service URLs immediately. For more information, see the Company-Specific Administrative URLs Update Instructions. You must use your designated company-specific URLs for all access, including API interactions, Authentication Manager (AM) configurations, SCIM configurations, or redirected URLs from identity providers (IdPs). Access through non-company specific URLs is not yet blocked; however, when it is blocked, it may result in loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com ).
To ensure uninterrupted access, you should promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as needed. If your Identity Router (IDR) software version is earlier than 12.22.0.0.32, you must Update Identity Router Software to the latest version to avoid any disruptions when non-company-specific URLs are deprecated.
Starting with the June 2025 release, a banner warning appears for 24 hours whenever a non-company-specific URL is used for the following:
- Logging in to the Cloud Administration Console via password or third-party IdP.
- Accessing the Cloud Administration REST APIs.
In addition, an audit event is logged once per day whenever a non-company-specific URL is used for third-party IdP login and Cloud Administration REST API. You can view this event from the Cloud Administration Console by navigating to Platform > Admin Event Viewer.
As part of the effort to deprecate non-company-specific URLs, the Software and Adapter Repository URLs used by IDRs will be updated to company-specific URLs starting with the June release. As a result, customers are advised to review their network configurations and ensure that the new URLs are whitelisted, if applicable.
Current URL format:
- Software Repo: https://public-apprepo-<tenantName>.<accessRegion>.securid.com
- Adapter Repo: https://public-connectorrepo-<tenantName>.<accessRegion>.securid.com
New URL format (to be whitelisted):
- Software Repo: https://companyName.{baseAccessDNSName}.securid.com
- Adapter Repo: https://companyName.{baseAccessDNSName}.securid.com
GOV Deployment
Current URL format:
- Software Repo: https://public-apprepo-<tenantName>.<accessRegion>.securidgov.com
- Adapter Repo: https://public-connectorrepo-<tenantName>.<accessRegion>.securidgov.com
New URL format (to be whitelisted):
- Software Repo: https://companyName.{baseAccessDNSName}.securidgov.com
- Adapter Repo: https://companyName.{baseAccessDNSName}.securidgov.com
A Status Monitor is already available to validate connectivity. If the status is healthy, no action will be required after the change.
You can verify this from the Cloud Administration Console by navigating to Platform > Identity Router and expanding the Identity Router section to view the status indicators. For more information, refer to this IDR Advisory.
Upcoming End of Primary Support (EOPS) Details
The following table provides details of the RSA products reaching the end of support within the next six months:
| Product | Version | EOPS Date | Extended Support Level 1/Level 2 |
|---|---|---|---|
| Authenticator for Windows |
6.2.2 |
May 2026 | |
| MFA Agent for Microsoft Windows | 2.3.1/ 2.3.2 | May 2026 | No |
| RSA Authentication Manager | 8.7 SP1 | June 2026 | June 2027/ June 2028 |
|
Authenticator for iOS & Android
|
4.4 |
June 2026 | |
|
4.5 |
October 2026 |
Identity Router (IDR) 12.25.0.0.9 Now Available
The IDR 12.25.0.0.9 release is now available. We recommend that all customers upgrade to this version.
Identity Router Update Schedule and Versions
Identity routers will be updated according to the following schedule. Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.
| Date | Description |
|---|---|
|
ANZ /CND / SGP: May 26, 2026 |
Updated identity router software is available to all customers. |
|
Default: Saturday, June 20, 2026 |
Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually. |
|
Last: Saturday, July 18, 2026 |
If you have postponed the default date, this is the final day on which updates can be performed. |
|
Enforced: July 25, 2026 |
If the Identity Router (IDR) is not upgraded after the last permitted date for any reason, RSA will automatically initiate a mandatory upgrade seven days later. You will receive an email notification and a Cloud Administration Dashboard alert with the scheduled update date. |
Third-Party Integrations from RSA Ready
The following integrations are completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.
- New and Updated Integrations for ID Plus
- AWS Cognito (SAML)
- Citrix Workspace (SAML)
- Microsoft Sentinel High-Risk API
- Palo Alto Captive Portal (API)
- Salesforce Device Activation
Fixed Issues
The following table lists the fixed issues for this release:
| Fixed Issue | Description |
|---|---|
| NGX-228643 |
Resolved an issue with the encoding of the FreshestCRL extension.
|
| NGX-228223 |
Resolved an issue where users were unable to register DS100 authenticators in My Page. The registration failed with a Registration Unsuccessful message, and the User Event Monitor logged an ILLEGAL_AUTHENTICATOR error.
|
| NGX-227088 |
Resolved an issue where, in smaller browser window sizes, the footer overlapped page content and the Show More Options items appeared but could not be selected.
|
| NGX-223445 |
Resolved an issue where the User Search Filter field in the Synchronize User Attributes tab for an identity source showed an “Invalid filter format” error when using multi-byte characters.
|
April 2026 - Cloud Access Service
Cloud Access Service Updates
The following subsections outline the new and enhanced features of the Cloud Access Service (CAS).
Credential Recovery Support for Multi-Credential Authenticators
CAS now supports credential recovery for authenticators that store multiple credential types for a single user on the same device. Examples include OTP and FIDO credentials in the RSA Authenticator app, SecurID OTP and FIDO credentials in the DS100, and HOTP and FIDO credentials in the iShield and Yubikeys. If you use supported combinations of FIDO and OTP authenticators, you can now replace your device through Credential Recovery self-service. This enhancement allows you to recover multiple credentials tied to a single device without manual intervention, reducing help desk dependency and associated administrative costs.
Configurable Live Verify Session Time Limit
The Live Verify configuration is now enhanced to allow the session time limit to be set from 5 to 15 minutes, in 1-minute increments, giving users additional time to successfully complete the verification process. The configured time limit applies to sessions initiated from the User Management page and via the API. To configure the time limit, navigate to Cloud Administration Console > My Account > Company Settings > Sessions & Authentication.
User-Initiated Unified Logout for My Page SSO Applications (General Availability)
User-initiated Unified Logout is now supported for My Page SAML and OIDC SSO applications, allowing you to sign out of all active participating Unified Logout application sessions with a single action. CAS centrally manages active sessions, simplifying session management, improving security, and supporting compliance with industry standards.
- To manage session lifetime for My Page, navigate to Cloud Administration Console > Access > My Page, select the Applications tab, and update the settings in the User Sessions section. The Session Duration setting in this section controls the session duration for all SAML and OIDC SSO applications managed by the My Page SSO Session Manager. In SAML, the session timeout is defined by the SessionNotOnOrAfter attribute. In OIDC, the session timeout is defined by the session_expiry claim in the ID token.
- To configure Unified Logout for SAML applications, navigate to Cloud Administration Console > Applications > Applications, select the SAML application, and update the SAML Unified Logout Configuration section on the Connection Profile tab.
- To configure Unified Logout for OIDC applications, navigate to Cloud Administration Console > Applications > Applications, select the OIDC application, and update the Unified Logout Configuration section on the Connection Profile tab.
Note: The My Page session duration centrally controls the session lifetime for both OIDC and SAML applications.
Common User Schema Preparation and Attribute Refresh Updates
CAS now automatically performs a Refresh Attributes action on all existing AD and LDAP identity sources to ensure the user schema (list of user attributes) is available in CAS. When creating a new AD or LDAP identity source, CAS attempts to automatically perform a Refresh Attributes action on the User Attributes tab in Cloud Administration Console > Users > Identity Sources, and the action must succeed before the identity source can be saved. If network, credential, or other issues prevent connection to the identity source, you must go to the Identity Source Details tab and resolve the issue.
Note: CAS will transition to a common user schema (a consistent set of user attributes) in a future release. This update prepares for that change by introducing enhancements to how Active Directory on-premises and LDAP identity sources are configured.
Upcoming End of Primary Support (EOPS) Details
The following table provides details of the RSA products reaching the end of support within the next six months:
| Product | Version | EOPS Date | Extended Support Level 1/Level 2 |
|---|---|---|---|
| MFA Agent for Microsoft Windows | 2.3.1/ 2.3.2 | May 2026 | No |
| Authenticator for iOS & Android | 4.4 | June 2026 | No |
| RSA Authentication Manager | 8.7 SP1 | June 2026 | June 2027/ June 2028 |
Fixed Issues
The following table lists the fixed issues for this release:
| Fixed Issue | Description |
|---|---|
| NGX-222581 | Customer requests to CAS for administrative operations (for example, looking up a user or retrieving user devices) were intermittently blocked with a 429 response during periods of high load. |
| NGX-223465 | In IDR Audit Logging, when selecting the Output Type as Send to syslog, the Protocol selection is reversed. Selecting TCP applies UDP, and selecting UDP applies TCP. |
| NGX-225890 |
Resolved an issue where users intermittently encountered "UNKNOWN USER" errors when one directory server was unavailable, even though other directory servers were healthy to serve the request. The identity router (IDR) now correctly continues validation against available directories, and customers need to publish the IDR to apply the fix. |
Known Issue
The following table lists the known issue in this release:
| Known Issue | Description |
|---|---|
| NGX-226702 | When a network zone includes a trusted or restricted network with a blank CIDR and is used by application access policies evaluated via IDR, access may be incorrectly allowed or blocked respectively. This issue is fixed in the June release. For earlier releases, publishing resolves the issue. |
March 2026 - Cloud Access Service
Cloud Access Service Updates
The following subsections outline the new and enhanced features of the Cloud Access Service (CAS).
Granular Control for FIDO Authenticators
You can now precisely define which FIDO authenticators can be used for registration and authentication by enabling or disabling them based on various parameters. To define the FIDO authenticators, navigate to Cloud Administration Console > Access > FIDO Authentication.
Note: FIDO inline registration and registration of new U2F authenticators are no longer supported. Previously registered U2F authenticators can continue to be used for step-up authentication.
OAuth JWT Support
OAuth JWT support is now available to enhance the security of external identity source SCIM client connections to CAS. SCIM access can now be secured using OAuth-based authentication instead of legacy API keys, providing stronger protection and improved control over integrations. To configure this feature, navigate to Cloud Administration Console > Platform > API Access Management. To apply the configuration to a SCIM identity source, navigate to Cloud Administration Console > Users > Identity Sources.
API Enhancement: Additional User Identifier Support
The Cloud Administration Retrieve Device Registration Code API, Cloud Administration User Details API, and Cloud Administration Authenticator Details API Version 1 now support the username input parameter to identify the user being managed. This enhancement provides greater flexibility when integrating with systems that use usernames as the primary user identifier.
Identity Router (IDR) Portal SSO Enhancements
SAML applications available from CAS legacy IDR SSO portal now include the following security and usability improvements:
- The maximum character length for IDR SAML application names increased from 100 to 200 characters to make applications easier to identify.
- The LDAP/AD user search filter configured in each identity source can now be globally enabled in the IDR portal to exclude users from authenticating. The portal does not attempt password authentication against the identity source, preventing password strikes that could lock user accounts.
- SAML application configuration now supports attribute filters, allowing control over which user attributes are sent to each application and helping prevent over-granting of access permissions. You can configure these attribute filters on the Fulfillment tab while adding a SAML Direct application. To access this option, navigate to Cloud Administration Console > Applications > Application Catalog.
Note: Ensure that all Identity Router versions are later than 12.24.0.0.16. If you cannot view these features, contact customer support.
Access Discovery on My Page
My Page is now enhanced with access discovery, providing managers and application owners with a complete view of access across all accounts, including those outside the standard Lifecycle Management process. This enhancement eliminates critical security blind spots, enables proactive risk mitigation, and ensures accountability for every entitlement, regardless of how it was provisioned. To view this enhancement, navigate to My Page > Access Control.
Third-Party Integrations from RSA Ready
The following integrations are completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.
- New Integrations for ID Plus
- CrowdStrike Falcon Next-Gen SIEM (Authentication Manager Logs)
- Microsoft Sentinel Connector
- Microsoft Sentinel using Logic App
- SilverFort Bridge (SAML)
- Updated Integrations for ID Plus
- BeyondTrust Password Safe (RADIUS)
- Palo Alto Captive Portal (SAML)
- Palo Alto Cloud Identity Engine (SAML)
- Palo Alto NGFW Global Protect (RADIUS, SAML)
- Workday (SAML)
Upcoming End of Primary Support (EOPS) Details
The following table provides details of the RSA products reaching the end of support within the next six months:
| Product | Version | EOPS Date | Extended Support Level 1/Level 2 |
|---|---|---|---|
| MFA Agent for Microsoft Windows | 2.3.1/ 2.3.2 | May 2026 | No |
| Authenticator for iOS & Android | 4.4 | June 2026 | No |
| RSA Authentication Manager | 8.7 SP1 | June 2026 | June 2027/ June 2028 |
Fixed Issues
The following table lists the fixed issues for this release:
| Fixed Issue | Description |
|---|---|
| NGX-219544 | My Page times out or returns a 403 Unauthorized error despite an active authenticated session. |
| NGX-216530 | ID Dataweb returns unexpected results for a specific ID Dataweb workflow. |
Known Issue
The following table lists the known issue in this release:
| Known Issue | Description |
|---|---|
| NGX-224338 | When creating a policy and adding a conditional rule using the Network Zone attribute, the disclaimer text referenced an incorrect IDR release version. Network Zone attribute support for WebPortal policy evaluation is available starting with IDR release 12.24.0.0.x. |
Related Articles
RSA Authentication Manager 8.8 upgrade fails with ERROR: auth_manager.rest_service.old_access_key is not found Number of Views RSA Release Notes for RSA Authentication Manager 8.8 Number of Views Mandatory Certificate Upgrade Required by 6th October 2025 for RSA MFA Agent for PAM, RSA MFA Agent for Apache, and Third … Number of Views Troubleshooting RSA SecurID Access Identity Router to RSA Authentication Manager test connection failures Number of Views RSA Authentication Manager - License Installation Fails with 'License/Serial Number Does Not Match' Number of Views
Trending Articles
RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide RSA Authentication Manager Patch Updates RSA Authentication Manager 8.9 Release Notes (January 2026) RSA SecurID Authentication Engine 3.0.0 for Java Release Notes RSA SecurID software token .sdtid file fails to import into RSA SecurID Software Token 5.0 for Windows
