RSA Release Notes: Cloud Access Service and RSA Authenticators
3 days ago

    July 2026 - Cloud Access Service

    Cloud Access Service Updates

    The following subsections outline the new and enhanced features of the Cloud Access Service (CAS).

     

    Hardware OTP Credential Information Report Now Includes Username

    In addition to the existing user details, the Hardware OTP Credential Information report now includes the user's logon name in the Username column, which is the attribute mapped to your identity source. This enhancement enables you to identify users and correlate Hardware OTP credentials with the identity source.

     

     

    Local Groups Renamed to Global Groups in the Cloud Administration Console

    The term Local Groups previously suggested that only users from a local identity source could be members. However, users from any identity source can be added to these groups. To better reflect this capability, the name has been updated to Global Groups across all pages. This is a terminology change only and has no functional impact.

     

    Note: In this release, the attribute name continues to appear as localGroup in the policy and application user attribute selection dropdowns. This naming will be updated to align with the Global Groups terminology in a future CAS release.

     

     

    Share Authentication Method Information with Connected Applications 

    Authentication methods can now be sent as a statement attribute, enabling the sharing of authentication details with connected applications, such as Salesforce. This feature applies to My Page SSO SAML and OIDC applications, as well as SAML and OIDC relying party connectors.

    For My Page SSO SAML applications, a new System option has been added to the Attribute Source drop-down. You can find this setting on the Connection Profile tab, under the Connection Profile Advanced Configuration section within Statement Attributes. Previously, only Identity Resource and Constant were available.

    For My Page SSO OIDC applications, navigate to Access > OIDC Settings, where you can add a claim with the Source set to System. Then, on the OIDC application’s Connection Profile tab, you can add or select that claim.

     

     

    Use of Company-Specific URLs Required

    As a follow-up to the November 2024 Release Announcement, support for non-company-specific URLs will be permanently shut down on July 30, 2026. You must update all affected service URLs to use your designated company-specific URLs before this date. For more information, see the Company-Specific Administrative URLs Update Instructions and Permanent Shutdown of Non-Company-Specific URLs. You must use your designated company-specific URLs for all access, including API interactions, Authentication Manager (AM) configurations, SCIM configurations, and redirected URLs from identity providers (IdPs). Access through non-company specific URLs is not yet blocked; however, when it is blocked on July 30, it will result in loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com).

    To ensure uninterrupted access, you should promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as needed. If your Identity Router (IDR) software version is earlier than 12.22.0.0.32, you must delete and reinstall Identity Router software using a newly downloaded IDR image (upgrade is not supported for v12.22 and earlier) to avoid any disruptions when non-company-specific URLs are permanently shut down.  

    Starting with the June 2025 release, a banner warning appears for 24 hours whenever a non-company-specific URL is used for the following:

    • Logging in to the Cloud Administration Console via password or third-party IdP.
    • Accessing the Cloud Administration REST APIs.

    In addition, an audit event is logged once per day whenever a non-company-specific URL is used for third-party IdP login and Cloud Administration REST API. You can view this event from the Cloud Administration Console by navigating to Platform > Admin Event Viewer.

    As part of the effort to permanently shut down non-company-specific URLs, the Software and Adapter Repository URLs used by IDRs will be updated to company-specific URLs starting with the June release. As a result, customers are advised to review their network configurations and ensure that the new URLs are whitelisted, if applicable.

    Old URL format:

    New URL format (Whitelisted):

    GOV Deployment

    Old URL format:

    New URL format (Whitelisted):

    Status Monitor is already available to validate connectivity. If the status is healthy, no action will be required after the change.

    You can verify this from the Cloud Administration Console by navigating to Platform > Identity Router and expanding the Identity Router section to view the status indicators. For more information, refer to this IDR Advisory.

     

     

    Common User Schema Migration Dashboard – Coming Soon (August 2026)

    In August 2026, all RSA Cloud Access Service (CAS) deployments will start migrating from using each Identity source’s native user schema in policies, applications, and other CAS features, to a Common User Schema, which will make CAS deployments easier to manage. If there are no issues in a deployment that prevent migration, the migration process will be automatic, similar to an Identity Router (IDR) update. You will also be able to manually trigger the schema migration before the scheduled migration date.

    The Cloud Administration Console will include a Common User Schema Migration Dashboard, available from the homepage, that will show you when the deployment will be scheduled for automatic migration and all the user schema attribute name changes in every CAS feature. If there are any issues that block migration, a list of all required administrator actions to unblock migration will be displayed.

     

     

    Third-Party Integrations from RSA Ready

    The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.

    • New and Updated Integrations for ID Plus
      • AWS IAM Identity Center (SAML)
      • Citrix Netscaler (SAML)
      • Lexmark eSF Application (API/Authentication Manager)
      • PingFederate (SAML, OIDC, API/Authentication Manager)

     

     

    Upcoming End of Primary Support (EOPS) Details

    The following table provides a summary view of the RSA products reaching the end of support within the next six months:

     

    Product

    Version

    EOPS Date

    Authenticator for iOS & Android

    4.5

    October 2026

    MFA Agent for Microsoft Windows

    2.3.3/2.3.4/2.3.5

    December 2026 

     

     

    Fixed Issues

    The following table lists the issues that are fixed for this release:

     

    Fixed Issue

    Description

    NGX-235002

    Resolved an issue affecting SAML authentication for Prisma Access Browser on iOS devices. Users can now successfully authenticate using SAML on iOS, and the authentication flow now completes successfully after users share their location. Authentication events are also correctly logged in the User Event Monitor, providing a consistent experience across supported platforms.

    NGX-231956

    Resolved an issue where the overall Publish Status and IDR Status were incorrectly displayed as Partial Success instead of Success for some customers with previously successful publish status.

    NGX-235568

    Resolved sign‑in errors in federated authentication caused by the RSA session cookie being blocked as a third‑party cookie due to browser security restrictions.

     

     

    Recent Release Notes

    Previous Release Notes: Release Notes Archive - Cloud Access Service and Authenticators