RSA SecurID® Access Release Notes - Cloud Authentication Service and SecurID Authenticate App

These release notes include product updates and bug fixes.

For additional information, see:

  • SecurID Product Release Notes, a portal to all release notes for the Cloud Authentication Service, SecurID Authentication Manager, authentication agents, and token authenticators.

  • RSA Link, to access all SecurID product documentation.

September 2021 - Cloud Authentication Service Advisories

Be aware of the following important service updates.

Required Identity Router Updates Must be Completed by October 31, 2021

To strengthen overall security, SecurID has rolled out significant improvements that harden identity routers to meet Security Technical Implementation Guide (STIG) standards. You must update your identity router software version to 12.12.x and the operating system from SLES 11 SP4 to SLES 12 SP5.

To view identity router version and operating system information, see View Identity Router Status in the Cloud Administration Console.

Replace These Identity Routers by October 31, 2021

If your identity routers meet all three of the following criteria, you must replace them by October 31, 2021 with a new image downloaded from the Cloud Administration Console:

  • 10 GB disk space or the identity router is embedded in Authentication Manager
  • SLES 11 operating system
  • Identity router version prior to 12.12

No additional updates are available for these identity routers, likely resulting in future compatibility issues. Perform the streamlined swap and replace procedure described in the Identity Router 12.12.x Migration Guide.

Allow Automatic Updates on Default Rollout Date for These Identity Routers

If your identity routers meet all three of the following criteria, SecurID recommends that you allow the update to occur automatically on the default rollout date.

  • 54 GB disk space or the identity router is embedded in Authentication Manager
  • SLES 12 operating system
  • Identity router version 12.11

You do not need to replace these identity routers. For more information, see Update Identity Router Software.

Allow Automatic In-Place Upgrade for These Identity Routers

If your identity routers meet all three of the following criteria, in-place upgrade will occur according to the standard identity router software update procedure that happens automatically on a default schedule:

  • 54 GB disk space
  • SLES 11 operating system
  • Identity router version prior to 12.12

For more information, see Update Identity Router Software.

Note: To view notifications for identity routers that are not eligible for an in-place upgrade, click Platform > Identity Routers in the Cloud Administration Console.

Before an in-place upgrade occurs, we recommend that you take a VM snapshot for VMware identity routers and take a storage volume snapshot for AWS identity routers. The in-place upgrade process updates your identity router software version to 12.12.x and the operating system from SLES 11 SP4 to SLES 12 SP5.

After the in-place upgrade is complete, verify the identity router operating system in the Cloud Administration Console. Click Platform > Identity Routers, then click the arrow next to the identity router name. If the operating system is not SLES 12 SP5, contact Customer Support.

Note: An in-place upgrade takes longer than the standard identity router software update. It may take more than an hour for a single identity router update and more than two hours for a cluster of three identity routers.

Important Information for Identity Routers with SLES 12

The following information applies to identity routers with the SLES 12 operating system:

  • Any certificate and keys you upload to the Cloud Administration Console for SSO SAML applications, SecurID Application Portal (domain certificate), identity source, identity provider and so on must each have a minimum key length of 2048 bits.
  • Signature algorithms RSA\SHA1 (rsa-sha1) and DSA\SHA1 (dsa-sha1) are no longer supported for signing SAML assertions for SAML applications in the SecurID Application Portal. The following algorithms are supported.

  Supported signature algorithms: rsa-sha256, rsa-sha384, rsa-sha512, dsa-sha256
  Supported digest algorithms: sha1, sha256, sha384, sha512

Just-in-Time Synchronization Always On for Immediate User On-Boarding and Updates

Just-in-Time synchronization instantaneously allows new users to authenticate with SecurID and prevents users who have been disabled from doing so. In the September release, Just-in-Time synchronization replaces scheduled synchronization to prevent artificial delays from scheduled synchronization intervals. Scheduled bulk synchronizations have been removed and Just-in-Time synchronization is always active. Automatic removal of users from SecurID that were deleted in a user identity store is coming in a future release.

On-board, off-board and update on-demand!

August 2021 - Cloud Authentication Service

The August release of the Cloud Authentication Service includes the following features and bug fixes.

New Look for the Cloud Administration Console User Interface 

The Cloud Administration Console has an updated, modern look that works more efficiently, improving usability and accessibility. Changes include a redesigned main menu navigation bar and Publish bar. The new console has also been updated with the new SecurID branding, colors, and logo. This example shows the updated Cloud Administration Console dashboard.

[Image: updated Cloud Administration Console dashboard]

Improved Status Messages for the Identity Router

The identity router has improved status messages for update availability and starting status.

Update Availability Messages

In the Cloud Administration Console, improved status messages now clearly indicate when identity router updates are available, so that you do not have to upgrade any earlier than necessary.

[Image: identity router update available message]

Starting Status Messages

A new identity router status indicates that a registered identity router is starting. When the identity router is connected to the Cloud Administration Console, the status reads Starting until the identity router is Active.

[Image: identity router Starting status message]

Reminder: Update Identity Routers to Software Version 12.12.x and SLES 12 SP5

The June 2021 - Cloud Authentication Service (Identity Router) Release Notes provided important information on Identity Router Updates Available for the SUSE Linux Enterprise Server (SLES) Operating System. Be aware of the following:

  • If your identity routers have a 10 GB hard disk drive (HDD), you must replace them as soon as possible with a new image downloaded from the Cloud Administration Console. Replace these identity routers no later than October 31, 2021.

  • Identity routers with 54 GB HDD will be automatically upgraded either on the default rollout date or on the forced upgrade date. You do not need to replace these identity routers.

Changes to Identity Source Synchronization

In July 2021, just-in-time synchronization was enabled for all users, eliminating the need to schedule synchronization tasks. Just-in-time synchronization is now the primary method for keeping your identity sources up-to-date. Additional changes are continuing according to the following timetable.

  • Week of August 9, 2021: Scheduled synchronization was disabled for all customers. If this causes any problems for your deployment, you can choose to temporarily enable it.

  • September 2021: The settings for enabling just-in-time synchronization and for scheduling synchronization will be permanently removed from the Cloud Administration Console. You will no longer have the ability to disable just-in-time synchronization or to schedule synchronization.

After these changes are rolled out, you will still be able to do a bulk synchronization on-demand as needed. Work with your SecurID customer representative to resolve any issues that may occur as a result of these changes.

For more information, see Identity Sources for the Cloud Authentication Service.

How Connection Speed Affects Just-in-Time Synchronization

Just-in-time synchronization is affected by the speed of your identity source directories. Your identity routers' connections to directory servers and to the Cloud Authentication Service must be fast enough to respond within the expected window before connections time out. For users who already have records in the Cloud Authentication Service, just-in-time synchronization waits up to 5 seconds for the directory server to respond before attempting to update a user's record during authentication. After 5 seconds, cached data is used to proceed with authentication. If the Cloud Authentication Service receives a response within a few seconds after the 5-second time limit has passed, it does process that response and the updated information will be available in the Cloud Authentication Service the next time the user attempts to authenticate. Just-in-time synchronization waits up to 22 seconds for the directory server to respond before creating a user's record during authentication. If no response is received in that time, the authentication attempt fails.

Cloud Administration Console URLs Expected to Change in November 2021 Release

Beginning November 2021, the Cloud Administration Console URLs for your company will change to include your company subdomain. For example, if you currently access the Console with https://na2.access.securid.com/ and your company subdomain is example, you will access the Console with https://example.access.securid.com. The Cloud Authentication Service will be able to dynamically redirect your administrative requests to a suitable environment if a problem is detected that affects service availability.

The existing shared URLs will remain available for sign-in and administrators will receive a message in the Console reminding them to update bookmarks to use the new URLs. The shared URLs will continue to work for the foreseeable future but might not offer all capabilities or perform as well as the new company-specific URLs.


Fixed Issues

  • NGX-70781: The Cloud Authentication Service now accepts incoming SAML assertions from external identity providers that include the optional SPNameQualifier attribute of the NameID element.

  • NGX-69964: Previously, users were being disabled during identity source synchronization if the user's DN and email address (mail attribute) changed simultaneously. This problem no longer occurs.

  • NGX-69615: Users saw misleading messages when they reset their PINs for a SecurID hardware token using My Page. This problem has been fixed.

July 2021 - Cloud Authentication Service

The July 2021 release of the Cloud Authentication Service includes the following features.

New Cloud Administration APIs for Managing SID700 Hardware Tokens

You will be able to integrate Help Desk operations for SID700 tokens into your own provisioning or management tools. These APIs apply to hardware token records that are uploaded to the Cloud Authentication Service. The APIs perform the functions described below. For details on each API, see Using the Cloud Administration APIs.

  • Retrieve details about all authenticators assigned to a user: Cloud Administration Authenticator User Details API

  • Retrieve details about a user's hardware token by providing the serial number: Cloud Administration Retrieve Hardware Token Serial Number API

  • Clear a user's PIN for a hardware token: Cloud Administration Clear PIN for Hardware Token API

  • Assign or unassign a hardware token from a user: Cloud Administration Assign Hardware Token API, Cloud Administration Unassign Hardware Token API

  • Delete a user's hardware token by providing the serial number: Cloud Administration Delete Hardware Token API

  • Enable or disable a user's hardware token: Cloud Administration Enable Hardware Token API, Cloud Administration Disable Hardware Token API

  • Update the name of a user's hardware token: Cloud Administration Update Hardware Token Name API

Note: The ability to manage SID700 hardware tokens in the Cloud Authentication Service is a limited release that is specifically targeted for Cloud-only deployments. This feature is not supported for hybrid deployments where SecurID Authentication Manager is connected to the Cloud Authentication Service. If you have a Cloud-only deployment and you want to enable native hardware token support, contact your RSA Sales representative or Channel Partner.

Identity Source Synchronization Changes Begin July 12, 2021 

Significant changes to identity source synchronization are coming in future releases. Beginning in July, users will automatically be synchronized to the Cloud Authentication Service in real time, eliminating the need to schedule synchronization tasks. These changes ensure that just-in-time synchronization will become the primary method for keeping your identity sources up-to-date. Your identity routers' connections to directory servers and to the Cloud Authentication Service must be fast enough to respond within the expected window before connections time out. The changes will occur according to the following timetable.

  • Week of July 12, 2021: Just-in-time synchronization will be enabled for all customers. If this causes any problems for your deployment, you can choose to temporarily disable it.

  • Week of August 9, 2021: Scheduled synchronization will be disabled for all customers. If this causes any problems for your deployment, you can choose to temporarily enable it.

  • September 2021: The settings for enabling just-in-time synchronization and for scheduling synchronization will be permanently removed from the Cloud Administration Console. You will no longer have the ability to disable just-in-time synchronization or to schedule synchronization.

After these changes are rolled out, you will still be able to do a bulk synchronization on-demand as needed. Work with your SecurID customer representative to resolve any issues that may occur as a result of these changes.

Note: Just-in-time synchronization is affected by the speed of your identity source directories. Just-in-time synchronization waits up to 5 seconds to update a user's record during authentication and up to 22 seconds to create a user's record during authentication.

Cloud Administration Console URLs Expected to Change in November 2021 Release

Beginning November 2021, the Cloud Administration Console URLs for your company will change to include your company subdomain. For example, if you currently access the Console with https://na2.access.securid.com/ and your company subdomain is example, you will access the Console with https://example.access.securid.com. The Cloud Authentication Service will be able to dynamically redirect your administrative requests to a suitable environment if a problem is detected that affects service availability.

The existing shared URLs will remain available for sign-in and administrators will receive a message in the Console reminding them to update bookmarks to use the new URLs. The shared URLs will continue to work for the foreseeable future but might not offer all capabilities or perform as well as the new company-specific URLs.

In addition, make sure your calls to the Cloud Administration Console APIs use the company-specific URLs when they become available. These APIs will continue to work with the existing shared URLs for the foreseeable future, but it is recommended to update these too once the company-specific URLs are available.

Improved Security for Approve Notifications in SecurID Access Federal Edition

Approve notifications in the RSA SecurID Authenticate app are more secure for SecurID Access Federal Edition customers. Each notification includes a confirmation code to ensure that the same user initiates the authentication attempt and taps Approve on a registered device. You must prepare your users for this change.

When users attempt to access an application with Approve, a confirmation code is displayed on the application screen and on the users’ phone. If the app is already open, the code appears in the app. If the app is closed, the code appears on the Lock screen. The user must tap Approve only if both codes match. If the codes do not match, the user’s account may have been compromised. In this case, the user should not tap Approve and must notify your IT Help Desk immediately.

Fixed Issues

  • NGX-67039: After registering a device with the Cloud Authentication Service, the user received a confirmation message with his name misspelled. This problem has been fixed and device names now support Unicode.

  • NGX-66355: The updated certificate and 2048-bit key requirements for the latest identity router version are documented in the June 2021 Release Notes for the Cloud Authentication Service. See Identity Router Updates Available for the SUSE Linux Enterprise Server (SLES) Operating System.

  • NGX-64526: The Cloud Administration Console now displays a message if the return list or check list attributes are not present in the RADIUS dictionary file.

July 2021 - SecurID SDK 3.0 for iOS and Android – Coming Soon

Build your own custom authenticator app using the new SecurID SDK 3.0 for iOS and Android. Offer your users a way to authenticate with convenient MFA options while seamlessly maintaining a similar look and feel across your existing applications for a better overall user experience.

June 2021 - Cloud Authentication Service (Identity Router)

Prepare for Unification – the New SecurID App is Coming!

The new SecurID 3.0 app, to be released in June 2021, is the first step towards making it easier than ever for iOS and Android users to access their multifactor authentication methods in one place. The version 3.0 app will provide SecurID Software Token, with the ability to manage multiple software tokens, generate tokencodes, and view token information in an all-new card-style interface for improved usability. The version 4.0 app, expected within a few months, will include Authenticate Tokencode, Device Biometrics, and Approve (push notifications). Encourage your users to update their Authenticate apps to version 3.9 to ensure a seamless transition to the 4.0 app.

Cloud Authentication Service Provides Native Support for SID700 Hardware Tokens

The Cloud Authentication Service now supports SID700 hardware tokens, unleashing the potential of the cloud platform to meet your specific regulatory, security, and business requirements. The total cost of ownership is significantly reduced because users can self-register, activate, and manage their own tokens in My Page.

Note: This is a limited release that is specifically targeted for Cloud-only deployments. This feature is not supported for hybrid deployments where SecurID Authentication Manager is connected to the Cloud Authentication Service. If you have a Cloud-only deployment and you want to enable hardware token support, contact your RSA Sales representative or Channel Partner.

This is the front of the SID700 hardware token:

[Image: front of the SID700 hardware token]

During authentication, the Cloud Authentication Service validates the tokencode and PIN. These tokens can be viewed and managed from the Cloud Administration Console. You do not need to deploy an RSA Authentication Manager server.

For more information see SecurID Hardware Token.

Note: Hardware tokens can be used for offline authentication on desktops that have macOS Agent Version 1.3 or Windows Agent Version 2.1.1 Patch.

Identity Router Update Schedule and Versions

This release includes miscellaneous identity router improvements. Identity routers will be updated according to the following schedule.

  • EU: 7/1/2021; ANZ, US: 7/6/2021: Updated identity router software is available to all customers.

  • 7/24/2021: Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually.

  • 8/14/2021: If you postponed the default date, this is the last day when updates can be performed.

Note: Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.

The new identity router software versions are:

  • On-premises: 2.12.0.0

  • Amazon Cloud: RSA_Identity_Router 2.12.0.0

Note: The schedule to update the identity router software described above is independent of the process for upgrading the operating system described below. You can update the software without upgrading the operating system.

Identity Router Updates Available for the SUSE Linux Enterprise Server (SLES) Operating System

To strengthen the overall security of RSA SecurID Access, in June 2021 RSA is rolling out significant improvements that harden identity routers to meet Security Technical Implementation Guide (STIG) standards. You must update your identity router software version to 12.12.x and the operating system from SLES 11 SP4 to SLES 12 SP5.

Select the appropriate update option based on the current software and operating system version of your identity router. To check your software and operating system version, in the Cloud Administration Console, click Platform > Identity Routers, then click the arrow next to the identity router name.

[Image: identity router details in the Cloud Administration Console]

Select the appropriate update option for your environment.

Note: To find the version number for an identity router, sign in to the Cloud Administration Console. Click Platform > Identity Routers, then click the arrow next to the identity router name.

If your identity router has:

  • 54 GB disk space or the identity router embedded in Authentication Manager

  • Operating System: SLES 12

  • Software Version: 12.11

Follow this update path: RSA recommends that you allow the update to occur automatically on the default rollout date. You do not need to replace these identity routers. For more information, see Update Identity Router Software.

If your identity router has:

  • 54 GB disk space

  • Operating System: SLES 11

  • Software Version: prior to 12.12

Follow this update path: In-place upgrade follows the standard identity router software update procedure that happens automatically on a default schedule. For more information, see Update Identity Router Software.

RSA recommends that you take a VM snapshot for VMware identity routers and take a storage volume snapshot for AWS identity routers before performing an in-place upgrade. The in-place upgrade procedure updates your identity router software version to 12.12.x and the operating system from SLES 11 SP4 to SLES 12 SP5.

After the in-place upgrade is complete, verify the identity router operating system in the Cloud Administration Console. Click Platform > Identity Routers, then click the arrow next to the identity router name. If the operating system is not SLES 12 SP5, contact Customer Support.

You do not need to replace these identity routers.

Note: In-place upgrade takes longer than the standard identity router software update. It may take more than an hour for a single identity router update and more than two hours for a three identity router cluster.

If your identity router has:

  • 10 GB disk space or the identity router embedded in Authentication Manager

  • Operating System: SLES 11

  • Software Version: prior to 12.12

Follow this update path: These identity routers are not eligible for in-place upgrade. Perform the streamlined swap and replace procedure described in the Identity Router 12.12.x Migration Guide.

You must replace these identity routers as soon as possible with a new image downloaded from the Cloud Administration Console. Replace these identity routers no later than October 31, 2021.

Note: To view notifications for identity routers that are not eligible for in-place upgrade, click Platform > Identity Routers in the Cloud Administration Console.

The following information applies to identity routers with the SLES 12 operating system:

  • Any certificate and keys you upload to the Cloud Administration Console for SSO SAML applications, RSA SecurID Access Application Portal (domain certificate), identity source, identity provider and so on must each have a minimum key length of 2048 bits.

  • Signature algorithms RSA\SHA1 (rsa-sha1) and DSA\SHA1 (dsa-sha1) are no longer supported for signing SAML assertions for SAML applications in the RSA SecurID Access Application Portal. The following algorithms are supported.

  Supported signature algorithms: rsa-sha256, rsa-sha384, rsa-sha512, dsa-sha256
  Supported digest algorithms: sha1, sha256, sha384, sha512

Identity Source Synchronization Changes Beginning July 2021

Significant changes to identity source synchronization are coming in future releases. Beginning in July, users will automatically be synchronized to the Cloud Authentication Service in real time, eliminating the need to schedule synchronization tasks. These changes ensure that just-in-time synchronization will become the primary method for keeping your identity sources up-to-date. Your identity routers' connections to directory servers and to the Cloud Authentication Service must be fast enough to respond within the expected window before connections time out. The changes will occur according to the following timetable.

  • Week of July 12, 2021: Just-in-time synchronization will be enabled for all customers. If this causes any problems for your deployment, you can choose to temporarily disable it.

  • Week of August 9, 2021: Scheduled synchronization will be disabled for all customers. If this causes any problems for your deployment, you can choose to temporarily enable it.

  • September 2021: The settings for enabling just-in-time synchronization and for scheduling synchronization will be permanently removed from the Cloud Administration Console. You will no longer have the ability to disable just-in-time synchronization or to schedule synchronization.

After these changes are rolled out, you will still be able to do a bulk synchronization on-demand as needed. Work with your SecurID customer representative to resolve any issues that may occur as a result of these changes.

Note: Just-in-time synchronization is affected by the speed of your identity source directories. Just-in-time synchronization waits up to 5 seconds to update a user's record during authentication and up to 22 seconds to create a user's record during authentication.

Cloud Administration Console URLs Expected to Change in October 2021 Release

Beginning October 2021, the Cloud Administration Console URLs for your company will change to include your company subdomain. For example, if you currently access the Console with https://na2.access.securid.com/ and your company subdomain is example.com, you will access the Console with https://example.access.securid.com. The Cloud Authentication Service will be able to dynamically redirect your administrative requests to a suitable environment if a problem is detected that affects service availability.

The existing shared URLs will remain available for sign-in but administrators will be redirected to the new URL and will receive a message in the Console reminding them to update bookmarks to use the new URLs. The shared URLs will continue to work for the foreseeable future but might not offer all capabilities or perform as well as the new company-specific URLs.

RSA Now Enforces TLS 1.2 for all Cloud Authentication Service Connections

RSA now requires all identity routers to use Transport Layer Security (TLS) 1.2 or greater encryption for all communication. If you have not yet updated your identity router connections to TLS 1.2, you must do so immediately to ensure uninterrupted connectivity. Make sure that everything that accesses the Cloud Authentication Service supports TLS 1.2. This includes all of your applications, identity sources, identity providers, agents, browsers, mobile apps, API connections, and networking equipment such as HTTPS proxies.

Fixed Issues

Issue Description
NGX-64133

The Cloud Administration Console now truncates leading and trailing spaces in URLs configured for SAML applications and HTTP Federation applications.

NGX-63547

A customer experienced the following situation. Applications were configured in the application portal using SAML, and a third-party identity provider (IdP) was configured as an SSO Agent IdP. When users tried to access a SAML application using an SP-initiated workflow and third-party IdP to authenticate to the portal, the users were sent to the portal instead of to the application they were trying to access. This problem has been fixed.

NGX-62497

A customer was unable to successfully integrate an application with the application portal using SAML and an SP-initiated connection if the RelayState parameter in the SAML request contained unescaped characters. The problem has been fixed.

NGX-60617

A customer's identity router failed to update and stopped processing authentications when the software update service connection was broken before the update. This problem has been fixed.

NGX-53737

You can now ensure that users are able to access high-risk SAML applications in the SSO Portal only after successfully completing additional authentication. Make sure the ForceAuthn attribute is "true" in the SAML request. The user will be prompted for additional authentication even though a user session already exists and additional authentication was already completed at the same assurance level or higher.
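As an added example (not code from the original page or from SecurID), the following Python audits a SAML Response against the supported signature and digest algorithm table for SLES 12 identity routers given earlier in these notes, and checks whether an AuthnRequest carries ForceAuthn="true" as this fix describes. The sample messages and the ACS URL are constructed; the 2048-bit key-length requirement is not checked here.

```python
"""Audit SAML messages against two constraints from these release notes:
the signature/digest algorithms accepted on SLES 12 identity routers, and
ForceAuthn="true" on requests for high-risk applications. Added example,
not SecurID's code; the 2048-bit key-length requirement is not checked."""
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
# Standard XML Signature algorithm URIs mapped to the names used in the notes.
SIGNATURE_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1": "dsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384": "rsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": "rsa-sha512",
    "http://www.w3.org/2009/xmldsig11#dsa-sha256": "dsa-sha256",
}
DIGEST_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": "sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384": "sha384",
    "http://www.w3.org/2001/04/xmlenc#sha512": "sha512",
}
# The supported sets exactly as listed in the release notes table.
SUPPORTED_SIGNATURE = {"rsa-sha256", "rsa-sha384", "rsa-sha512", "dsa-sha256"}
SUPPORTED_DIGEST = {"sha1", "sha256", "sha384", "sha512"}


def audit_signatures(xml_text):
    """Return (element, kind, algorithm, supported) for every ds:Signature."""
    root = ET.fromstring(xml_text)
    findings = []
    # Walk parents in document order so Response- and Assertion-level
    # signatures are both reported (an IdP may sign each differently).
    for parent in root.iter():
        for sig in parent.findall("ds:Signature", NS):
            where = parent.tag.split("}")[-1]  # e.g. Response, Assertion
            method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
            uri = method.get("Algorithm", "") if method is not None else ""
            name = SIGNATURE_ALGS.get(uri, uri or "<missing>")
            findings.append((where, "SignatureMethod", name, name in SUPPORTED_SIGNATURE))
            for digest in sig.findall("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS):
                uri = digest.get("Algorithm", "")
                name = DIGEST_ALGS.get(uri, uri or "<missing>")
                findings.append((where, "DigestMethod", name, name in SUPPORTED_DIGEST))
    return findings


def unsupported(findings):
    """Findings that will stop working once the identity router runs SLES 12."""
    return [f"{where} {kind} {name}" for where, kind, name, ok in findings if not ok]


def force_authn_set(authn_request_xml):
    """True only if the AuthnRequest demands fresh authentication (ForceAuthn)."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    # xs:boolean accepts "true" or "1"; an absent attribute means false.
    return root.get("ForceAuthn", "false").strip().lower() in ("true", "1")


# Constructed sample: the Response is signed with rsa-sha256, but the Assertion
# inside is still signed with rsa-sha1 (signature/digest values are placeholders).
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#_r1">
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_a1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue></ds:Reference>
    </ds:SignedInfo><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample AuthnRequests; the ACS URL is hypothetical.
SAMPLE_REQUEST_HIGH_RISK = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_q1" Version="2.0" IssueInstant="2021-07-01T00:00:00Z" ForceAuthn="true" '
    'AssertionConsumerServiceURL="https://payroll.example.com/saml/acs"/>'
)
SAMPLE_REQUEST_DEFAULT = SAMPLE_REQUEST_HIGH_RISK.replace(' ForceAuthn="true"', "")

if __name__ == "__main__":
    for finding in unsupported(audit_signatures(SAMPLE_RESPONSE)):
        print("unsupported on SLES 12:", finding)
    print("ForceAuthn set:", force_authn_set(SAMPLE_REQUEST_HIGH_RISK),
          force_authn_set(SAMPLE_REQUEST_DEFAULT))
```

Run it against a Response captured from your own IdP before the SLES 12 upgrade to find assertions still signed with rsa-sha1 or dsa-sha1.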


June 2021 – RSA SecurID Authenticate 3.9 App for iOS and Android

Prepare for unification! A future release of the new SecurID app will combine both Software Token and MFA functions into a single, easy to use SecurID app with improved usability and greater accessibility. This version 3.9 update contains functionality that ensures a seamless migration to the unified app. Encourage your users to upgrade so they will be ready to easily transition to the future SecurID 4.0 (unified) app coming soon.


May 2021 - Cloud Authentication Service

Fixed Issue

Issue Description
NGX-62567

A customer was unable to publish changes to the Cloud Authentication Service due to validation errors for attribute extensions. This problem has been fixed.


Known Issue

Issue Description
NGX-59855

Identity routers on the SLES 12 SP5 operating system do not function properly when an incompatible private key is uploaded to the Cloud Administration Console. See Knowledge Base article 00003969 for details and workaround.

April 2021 - Cloud Authentication Service

The April 2021 release of the Cloud Authentication Service includes the following features.

Improved Email Templates for Device Registration and Emergency Access

In email templates used for sending targeted device registration and emergency access emails, the signature field has been expanded to allow up to 2000 characters. For instructions on configuring emails, see Configure Email Notifications.

Support for Passwordless Authentication Through the MFA Agent 2.1 for Microsoft Windows

A modern, passwordless sign-in experience enables the dynamic workforce to be more productive while protecting the organization’s critical data wherever the user may be. This update to the Windows agent enables passwordless authentication to Windows 10 laptops and desktops using a FIDO2 security key with a USB connector for both online and offline authentication. For more information, see RSA® Authentication Agent for Microsoft Windows Documentation.

RSA to Enforce TLS 1.2 for all Cloud Authentication Service Connections Beginning May 15, 2021

On August 26, 2020, RSA announced that TLS 1.2 will be required for Cloud Authentication Service connections beginning on October 31, 2020. To provide additional time for customers to make necessary configuration changes, the date was moved to mid-April 2021. RSA will now enforce TLS 1.2 for all Cloud Authentication Service connections beginning on May 15, 2021. If you have not updated your connections to TLS 1.2, you must do so immediately to ensure uninterrupted connectivity. For details, see this advisory.

Fixed Issue

Fixed Issue Description
NGX-63011 A customer reported that new users were unable to register FIDO Yubikey 2.0 tokens under certain circumstances. This problem has been fixed.

March 2021 - Cloud Authentication Service

The March 2021 release of the Cloud Authentication Service contains the following new features.

Administrators Can Initiate User On-Boarding with Enhanced Just-in-Time Synchronization

Just-in-time user synchronization allows new users (for example, new hires) to immediately register authenticators with the Cloud Authentication Service without waiting for the daily identity source synchronization job to run. This release further enhances support for just-in-time use cases where on-boarding is initiated by the administrator rather than through user self-service. You can also use the Cloud Administration User Details API to add this functionality to your in-house tools. For example, this feature is helpful when your IT Help Desk generates a one-time mobile registration code or manually adds the user’s mobile number for SMS Tokencode delivery. For more information, see View User Information.

New REST API Identifies Anomalous Users

A new Cloud Administration REST API can provide your identity, security operations, and incident response teams with visibility into users who exhibit anomalous behavior in your organization based on users’ access patterns. Your teams’ ability to query through this API provides rich identity context for detection (threat hunting), remediation, or forensics exercises. For more information, see the Cloud Administration Anomalous Users API.

Improved Retrieval of License Usage Information

The Cloud Administration Retrieve License Usage API can now retrieve the license information for the current month and previous 12 months. This information includes number of MFA licenses used, number of users with third-party FIDO authenticators, number of SMS and Voice tokencodes sent, and number of active users. Use this information to monitor for license compliance. For details, see Cloud Administration Retrieve License Usage API Version 2.

Cloud Administration Console Support Ended for Internet Explorer on March 16, 2021

As of March 16, 2021, the Cloud Administration Console no longer supports Internet Explorer. For an up-to-date list of supported browsers, see Supported Browsers for the Cloud Administration Console.

Fixed Issues

Fixed Issue Description
NGX-58711 The documentation now clarifies how Approve authentication works when the user's device is locked and unlocked. For more information, see Configure Device Unlock for Approve.
NGX-56630 Two User Event Monitor messages were displayed for one unsuccessful RSA RADIUS authentication attempt with Authenticate Tokencode, and the attempt counted twice against the lockout count. The issue has been fixed.

Known Issue

Issue Description
NGX-61775 Problem: In the Cloud Administration Console, on the User Management page, the new search option "Include users not yet synchronized to the Cloud Authentication Service in your search. Exact matches only" fails with "No Result Found" if just-in-time synchronization is disabled on the My Account > Company Settings > Company Information page. This occurs even when the administrator typed the email address of a valid user correctly.

Workaround: To use this option, enable just-in-time synchronization on the My Account > Company Settings > Company Information page.

February 2021 - Cloud Authentication Service

The February 2021 release of the Cloud Authentication Service contains the following features.

Support for Constant Multivalued Attributes in the SAML Assertion

Configured SAML applications can assign entitlements dynamically based on the business context, such as the user role, as included in the SAML assertion. In the SAML authentication response, the Cloud Authentication Service can send the constant multivalue attributes that you define, in addition to user attributes from the identity source, to SAML applications. For instructions, see Configure Advanced Settings for a SAML Connection.

RSA MFA Agent 1.2 for macOS Supports Offline Emergency Access

You can install RSA MFA Agent 1.2 for macOS on Intel® computers running macOS Big Sur (11.1). The agent also provides emergency access so users can sign in to their offline computers when their primary authenticator is misplaced or unavailable. You can customize the agent by disabling MFA for all unlock situations or for up to 12 hours, and by configuring the number of unsuccessful offline authentication attempts allowed with Authenticate Tokencode. For more information, see RSA MFA Agent for macOS.

January 2021 - Cloud Authentication Service

The January 2021 release of the Cloud Authentication Service includes the following features.

Updated Identity Router OVA Image with New Certificate (VMware Virtual Appliance)

The certificate used to sign the identity router virtual appliance .ova files expires on January 31, 2021. If you already downloaded an .ova image and have not yet deployed it, you must download the new .ova file (RSA_Identity_Router-2.11.0.0.7.ova) from the Cloud Administration Console as a replacement. The new .ova file will be available from the Cloud Administration Console on January 26, 2021. For instructions, see Obtain the Identity Router Image.

Cloud Administration REST API Retrieves Product Usage Analytics 

Your existing analytics tools can now discover trends in RSA SecurID Access product usage and registered authenticator patterns by using a REST API that can access the historical data. You can easily obtain the number of active users for the current and previous months, which can help you optimize product use, accurately forecast future needs, plan your budget, and meet compliance requirements. For more information, see Cloud Administration Retrieve License Usage API.

View Anomalous Users in the Identity Confidence Dashboard 

The Identity Confidence dashboard displays a list of the most anomalous users within your organization and provides insights into their behavior based on access patterns. Use this dynamic list to investigate and remediate potential access risks to your organization. For instructions, see View Risk Analytics and Track Behavior for a User.

Find and Add Unsynchronized Users 

In the Cloud Administration Console you can now find users who are not yet synchronized and automatically add them to the Cloud Authentication Service. This feature is convenient for finding new users or users who have not previously authenticated. Immediately after the user is added, you can manage that user by performing any administrative operation such as updating the user's SMS phone number or generating a registration code. On the Users > Management page, just type the user's email address and click the prompt. For more information, see View User Information.

Request a Cloud Authentication Service Account Directly from the Security Console in RSA Authentication Manager

You can provision Cloud Authentication Service deployment accounts easily and on-demand from the RSA Authentication Manager (8.5 or later) Security Console without involving RSA Sales or Customer Support. This self-service feature allows you to more fully realize the value of your existing Authentication Manager investment and accelerate the time to value by reducing cost, time, and data-entry errors associated with provisioning new accounts. For more information, see Request a Cloud Authentication Service Account.

SecurID Authentication Manager Provides Emergency Failover When the Cloud Authentication Service Cannot be Reached

Authentication Manager will be able to act as an on-premises failover when users present an RSA SecurID tokencode and Authentication Manager cannot reach the Cloud Authentication Service for validation. This feature ensures high availability to on-premises mission critical applications protected by RSA SecurID agents. For more information, see RSA Authentication Manager Secure Proxy Server for the Cloud Authentication Service.

Known Browsers Removed After 90 Days Without Use

Known browsers that are unused for more than 90 days are removed from users’ list of known browsers. If the Remember this Browser option remains enabled in the Cloud Administration Console on the My Account > Company Settings page, these users will again be prompted to remember the browser. Further, users might be prompted to re-authenticate as required by the configured access policy the next time they attempt to access a protected resource using a previously known browser. In the Cloud Administration Console, Help Desk Administrators can now view separate lists for a user’s registered devices and known browsers on the Users > Management page. Click an arrow to reveal a list of Known Browsers that have been used within the past 90 days.

Fixed Issues

Fixed Issue Description
NGX-57261 Documentation for the Cloud Administration Authenticator Details API has been updated to reflect that the Last Used On field no longer appears on the User Management page in the Cloud Administration Console.
NGX-57044 Some customers were unable to deploy identity router version 2.11.0.0.6 in certain Amazon Web Services regions. This problem has been fixed.
NGX-55454 A customer experienced UI issues in the Cloud Administration Console due to a problem with the RSA Authentication Manager connection setup. This issue has been resolved, and improvements have been made to prevent it from recurring.
NGX-55328 The documentation has been updated to reflect that custom portal settings cannot be used in combination with standard portal settings. The Login Page, Portal Page, and Error Page settings can be used only with the custom portal.
NGX-54807 The documentation has been updated to clarify how access policies control access to applications after users sign in to the SecurID Application Portal. The Portal Multifactor Authentication Policy can require additional authentication to access the portal. If the configured access policies do not allow a user to access any applications in the portal, the user can still sign in to the portal, but no applications will be visible.

January 2021 - SecurID Authenticate 3.7 App for iOS

In SecurID Authenticate 3.7 for iOS, the following issue has been fixed.

Fixed Issue Description
NGX-56182 Previously, when Dark Mode was enabled on the user's phone, text the user typed into the app could not be read because it appeared as white against a white background. This problem has been fixed. Now the background turns black so the white text is clearly visible.

November 2020 - SecurID Authenticate 3.7 App for Android

SecurID Authenticate 3.7 App for Android contains:

  • A QR code scan icon on a new tab that is convenient for adding user accounts after device registration.

  • Miscellaneous bug fixes

November 2020 - Cloud Authentication Service

Action Required for RSA MFA Agents for Microsoft Windows 1.1 and 1.2 

In the coming months, RSA will improve security by enforcing the use of Transport Layer Security (TLS) 1.2 or greater encryption for all communication from clients (including identity routers, RSA Authentication Manager, agents, and proxies) to the Cloud Authentication Service. This TLS 1.2 enforcement change is scheduled for mid-April 2021. Before TLS 1.2 rolls out, all customers with RSA MFA Agent for Microsoft Windows 1.1 or 1.2 who expect to use emergency offline authentication must update their agents to the latest 1.2.1 or 2.0.x version to support TLS 1.2.

If offline authentication is enabled for your users and you do not upgrade the agents, the downloaded day files will not be updated on each agent and offline authentication will stop working in mid-April 2021. TLS 1.2 enforcement does not affect users' ability to perform online authentication.

If you use a proxy to forward traffic from clients to the Cloud Authentication Service, the proxy must support TLS 1.2.

Identity Router Upgrade to SUSE LINUX Enterprise Server (SLES) 12 SP5

In the November release, the identity router image available for download is based on the SLES 12 SP5 operating system. If you download and deploy this new identity router image, be aware of the following:

  • Certificates and keys you upload for SSO SAML applications and RSA SecurID Access Application Portal (domain certificate) in the Cloud Administration Console must each have a minimum key length of 2048 bits.

  • Signature algorithms RSA/SHA1 (rsa-sha1) and DSA/SHA1 (dsa-sha1) are no longer supported for signing SAML assertions for SAML applications in the RSA SecurID Access Application Portal.

If you choose not to download and deploy the new identity router image, you do not need to take further action. Identity routers will be updated according to the schedule provided in these Release Notes. These updates are software only and do not update the operating system to SLES 12 SP5.
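A pre-upload check for the two constraints above, written as an added example (not RSA's code or any SecurID tool): it reads the modulus length out of a PKCS#1 RSAPublicKey DER blob and the ds:SignatureMethod algorithm out of a SAML response, and flags anything the SLES 12 SP5 image would reject. The DER encoder and the SAML skeletons exist only to construct sample input offline; the 2048-bit floor and the rsa-sha1/dsa-sha1 identifiers come from the notes, while the helper names and the sample key material are assumptions.

```python
import random
import xml.etree.ElementTree as ET

MIN_KEY_BITS = 2048
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
# XML-DSig identifiers for the two algorithms the release notes say are no longer accepted.
DISALLOWED_SIG_ALGS = {DSIG_NS + "rsa-sha1", DSIG_NS + "dsa-sha1"}


def _der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(v: int) -> bytes:
    """DER INTEGER; a leading 0x00 keeps a high top bit from reading as negative."""
    body = v.to_bytes((v.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body

def rsa_public_key_der(n: int, e: int = 65537) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(body)) + body

def constructed_modulus(bits: int, seed: int = 1) -> int:
    """Odd number with exactly `bits` bits, constructed for the demo (not a real key)."""
    return random.Random(seed).getrandbits(bits) | (1 << (bits - 1)) | 1

def _read_tlv(buf: bytes, pos: int):
    """Decode one DER element at `pos`; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(der: bytes) -> int:
    """Bit length of the modulus in a PKCS#1 RSAPublicKey blob."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, modulus, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()

def signature_algorithm(saml_xml: str) -> str:
    """The ds:SignatureMethod/@Algorithm URI used to sign a SAML message."""
    node = ET.fromstring(saml_xml).find(f".//{{{DSIG_NS}}}SignatureMethod")
    if node is None:
        raise ValueError("no ds:SignatureMethod in message")
    return node.get("Algorithm", "")

def check_signing_material(key_der: bytes, saml_xml: str) -> list:
    """Findings that would block the upload; an empty list means both checks pass."""
    findings = []
    bits = rsa_modulus_bits(key_der)
    if bits < MIN_KEY_BITS:
        findings.append(f"key is {bits} bits; minimum is {MIN_KEY_BITS}")
    alg = signature_algorithm(saml_xml)
    if alg in DISALLOWED_SIG_ALGS:
        findings.append(f"signature algorithm {alg.rsplit('#', 1)[-1]} is no longer supported")
    return findings


# Constructed SAML response skeletons (not real traffic); only SignatureMethod matters here.
SAML_SHA1 = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    f'xmlns:ds="{DSIG_NS}"><ds:Signature><ds:SignedInfo>'
    f'<ds:SignatureMethod Algorithm="{DSIG_NS}rsa-sha1"/>'
    "</ds:SignedInfo></ds:Signature></samlp:Response>"
)
SAML_SHA256 = SAML_SHA1.replace(
    DSIG_NS + "rsa-sha1", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
)
```

Running `check_signing_material` on a 1024-bit key and the rsa-sha1 skeleton returns both findings; a 2048-bit key with rsa-sha256 returns an empty list.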

RSA will publish further guidance related to upgrading existing identity routers to SLES 12 SP5 in the coming weeks.

Identity Router Update Schedule and Versions

This release includes miscellaneous identity router improvements. Identity routers will be updated according to the following schedule. Note that starting in August 2020, identity router updates are being released independently from Cloud Authentication Service updates.

Date Description
EU: 11/24/2020; ANZ, US: 12/3/2020 Updated identity router software is available to all customers.
2/20/2021 Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually.
3/20/2021 If you postponed the default date, this is the last day when updates can be performed.

Note: Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.

The new identity router software versions are:

Deployment Type Version
On-premises 2.11.0.0
Amazon Cloud RSA_Identity_Router 2.11.0.0

Security Updates

As part of continuous platform upgrades and improvements, this release includes security updates to ensure that the Cloud Authentication Service and identity router are safe from security holes and vulnerabilities. RSA stays on top of security best practices by including strong, FIPS 140-2-compliant encryption modules and by hardening operating systems. Such practices reduce the compliance burden for your company.

Enhanced Visibility into Active Users 

You can now view the total number of active users for the current and previous months using the Cloud Administration Console Dashboard. You can also collect usage data through the Cloud Administration Retrieve License Usage API for external trending analysis. Use this information to optimize your product usage, accurately forecast future needs, and meet compliance requirements. For more information see Usage Information.

Ability to Disable the Remember This Browser Prompt

You can disable the Remember This Browser prompt that appears during step-up authentication. After you disable it, users are never prompted to click Remember This Browser. For configuration instructions, see Configure Company Information and Certificates.

Enhanced Identity Confidence Dashboard to Track User Behavior Over Time

The Identity Confidence Dashboard now displays a graph that allows you to see a user's Confidence scores over a period of time. The graph helps you understand:

  • Any trends in anomalous behavior for an individual user benchmarked against the behavior of all users.

  • The top contributing factors that pulled the score down for each access attempt where the user's identity confidence score was determined to be low in relation to the Confidence Threshold. The Confidence Threshold is calculated based on information collected from all users within your company.

For more information, see View User Risk Analytics and Track User Behavior Over Time.

Fixed Issues

Fixed Issue Description
NGX-54086 The embedded identity router was first registered to an account in the Cloud Authentication Service. After the customer changed the registration to a different company account, publishing failed because the new company name started with the same characters as the old company name. This problem has been fixed.
NGX-54035 In a deployment where two identity providers were configured for Integrated Windows Authentication (IWA), and one Audience ID was a substring of the other Audience ID, both IWA links sent users to the same IWA server rather than to their configured server. This problem has been fixed and users are now directed to their configured server.
NGX-51657 The SecurID Application Portal did not prompt users for additional authentication under unusual environmental conditions. This problem has been fixed.

November 2020 - SecurID Authenticate 3.6 App for iOS

RSA SecurID Authenticate 3.6 app for iOS contains the following updates and improvements:

  • Security enhancements.

  • Updated End-User License Agreement (EULA), Terms of Service, Copyrights, Trademarks, and Privacy Policy.

  • Bug fixes.

October 2020 - Cloud Authentication Service

User Event Monitor Displays Factors Contributing to Low Identity Confidence Score

The User Event Monitor in the Cloud Administration Console now provides enhanced visibility into user behavior. If a user's identity confidence score is low (below the Confidence Threshold), the monitor lists up to four factors that contributed most to lowering that user's score, ordered from most to least impactful. For example:

Contributing Factors = 1. New cookie or multiple cookies; 2. Location changed; 3. New application; 4. Location has multiple previous failed authentications

This improvement can help administrators and security analysts to better understand and troubleshoot risk-driven decisions. For more information, see View a User's Confidence Score in the User Event Monitor.
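An added example (not part of the release notes or the product) that parses the Contributing Factors field in the format shown above from constructed User Event Monitor lines, keeps the rank order, and rank-weights the factors across events so an analyst can see which factor most often drives low scores. The surrounding user= and confidence= fields are assumed for the sample; only the Contributing Factors syntax comes from the notes.

```python
import re
from collections import Counter

# Constructed monitor lines (not captured from a real tenant). Only the
# "Contributing Factors = ..." field follows the format in the release notes;
# the user= and confidence= fields are assumed for this example.
SAMPLE_EVENTS = [
    "user=alice@example.com confidence=LOW Contributing Factors = 1. New cookie or multiple cookies; "
    "2. Location changed; 3. New application; 4. Location has multiple previous failed authentications",
    "user=bob@example.com confidence=LOW Contributing Factors = 1. Location changed; 2. New application",
    "user=carol@example.com confidence=HIGH",
    "user=dave@example.com confidence=LOW Contributing Factors = 1. Location changed; "
    "2. Location has multiple previous failed authentications",
]

FACTORS_RE = re.compile(r"Contributing Factors\s*=\s*(.+)$")
ITEM_RE = re.compile(r"^\s*(\d+)\.\s*(.+?)\s*$")


def parse_factors(line: str) -> list:
    """Return the contributing factors in rank order, most impactful first.

    Events above the Confidence Threshold carry no field and yield [].
    """
    m = FACTORS_RE.search(line)
    if not m:
        return []
    ranked = []
    for item in m.group(1).split(";"):
        im = ITEM_RE.match(item)
        if im:
            ranked.append((int(im.group(1)), im.group(2)))
    ranked.sort()  # trust the explicit numbering, not the text order
    return [name for _, name in ranked]


def rank_weighted_counts(lines) -> Counter:
    """Score each factor by rank (rank 1 = 4 points ... rank 4 = 1 point) and sum.

    A rank-weighted total separates the factor doing most of the work from
    one that merely appears often in fourth place.
    """
    totals = Counter()
    for line in lines:
        for rank, name in enumerate(parse_factors(line), start=1):
            totals[name] += max(0, 5 - rank)
    return totals


def top_factor(lines) -> str:
    """Name of the factor with the highest rank-weighted total, or "" if none."""
    totals = rank_weighted_counts(lines)
    return totals.most_common(1)[0][0] if totals else ""
```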

Retrieve the Full Authentication API Endpoint from the Cloud Administration Console 

You can now copy the authentication endpoint URL directly from the Cloud Administration Console and paste it in a secure place for delivery to your web client developers. This feature reduces the chance of error when retrieving the URL. For instructions, see Copy the RSA SecurID Authentication API REST URL.

RSA MFA Agent 1.1 for macOS 

RSA MFA Agent 1.1 for macOS now includes the following features:

  • Users with registered devices can use Device Biometrics as an authentication method.

  • Users can test authentication with the RSA Agent Control Center.

For more information, see RSA MFA Agent for macOS.

RSA is Improving How We Communicate RSA SecurID Access Cloud Authentication Service Updates

RSA is changing how it communicates updates for the RSA SecurID Access Cloud Authentication Service, including monthly maintenance notifications and service incidents. The new status page, status.securid.com, brings our current and historical uptime status together with a digest of all past and present incidents and associated details. RSA will also be able to better communicate updates throughout the course of any active incident.

You will now be able to select which notifications you want to receive based on your region, reducing unwanted email updates. Most current subscribers will be automatically subscribed to the new notification service. However, all current subscribers who want to continue to receive service notifications for the Cloud Authentication Service should take the following steps to confirm that they are subscribed correctly:

To subscribe or to check your subscription settings:

  1. Go to status.securid.com.

  2. Click Subscribe to Updates.

  3. Enter your email address and click Subscribe.

Status.securid.com is now live. See our advisory for more details about status.securid.com. RSA will continue to send service and maintenance notifications from our existing Service Notifications space through October 30, 2020.

Fixed Issues

Fixed Issue Description
NGX-53653 Previously, a customer was unable to add new Amazon Web Services applications for SSO when specific values were added in attribute extensions. This issue has been fixed.
NGX-53473 In the Cloud Authentication Service, phone number validation has been updated to incorporate recent changes in phone numbering systems worldwide.
NGX-52155 Documentation for the Cloud Authentication Service has been updated to make it easier to delete an identity source that is being used by a custom access policy or the Device Registration Using Password Policy. For instructions, see Delete an Identity Source from the Cloud Authentication Service.
NGX-52065 In the Cloud Administration Console, when you update the FIDO host name, a log event is now created so you can easily identify why the publish status changed.
NGX-51206 In a particular scenario, the identity router upgrade date scheduled by the customer was not honored and the identity router was upgraded prior to the scheduled date. This problem has been fixed.
NGX-53081 Previously, some users who tried to register a FIDO security key were not prompted to name the key and save it. Also, some users were unable to delete the security key on the first attempt. These problems have been fixed.

October 2020 - RSA SecurID Authenticate 3.5 App for Windows

RSA SecurID Authenticate 3.5 app for Windows contains the following updates and improvements:

  • Security enhancements using the Microsoft Cryptography API.

  • Updated End-User License Agreement (EULA), Terms of Service, Copyrights, Trademarks, and Privacy Policy.

  • Bug fixes.

Note: Users who upgrade to this version from 3.2 or earlier must delete all previous accounts and re-register.

September 2020 - Cloud Authentication Service

Actions Required for Upcoming Identity Router and RSA SecurID Authenticate App Security Improvements

To strengthen the overall security of RSA SecurID Access, RSA is rolling out significant improvements that affect all identity routers and the RSA SecurID Authenticate app (iOS and Android). See this advisory for information on these improvements. To ensure uninterrupted service and avoid downtime, you must perform the following actions.

Action: After RSA migrates database data to FIPS-supported algorithms, the Cloud Administration Console will display a Changes Pending message. Please ignore this message, as a publish is not required. This status will disappear after your next regular publish. No customer action is needed.
Begin Action: EMEA and ANZ regions: 8/29/2020. US region: 9/12/2020.
End Action: (none)

Action: You must upgrade RSA SecurID Authenticate 2.x for Android or iOS to the latest version by October 12, 2020. See this advisory for details.
Begin Action: Immediately
End Action: October 12, 2020

Action: You must update all identity routers to the August release before the next identity router upgrade date (October 31, 2020):

  • For on-premises identity routers, apply version 2.10.0.0.5 or higher
  • For the Amazon Cloud, apply RSA_Identity_Router 2.10.0.0.6 or higher

After October 31, RSA SecurID Access will enforce TLS 1.2 for all connections. Versions of TLS earlier than 1.2 will no longer work.

To ensure uninterrupted connectivity, make sure your identity routers are running the latest software version (12.10.0.8) prior to October 31. For instructions, see Update Identity Router Software for a Cluster.

If you are using a proxy server, you must ensure it also supports TLS 1.2 and later.
Begin Action: Follow your normal upgrade schedule.
End Action: October 31, 2020

Note: A new identity router that takes advantage of hardened security and the latest operating system patches using SLES version 12 SP5 is coming in November. Watch future notifications for details.

Multiple Service Provider Connections Allow Flexible Access Policy Assignment

RSA improved integration options for customers with SAML-based applications who cannot use the SAML Authentication Context attribute to assign an access policy based on a condition such as the user group and/or resource being accessed. These customers now have increased flexibility when assigning policies by configuring multiple service provider (SP) connections, each with its own unique identifier. For more information, see Add a Service Provider.

Authenticate to Cloud Administration Console Through Third-Party Identity Provider

Customer administrators can now securely log in to the Cloud Administration Console through federation by extending their identity provider (IdP). Administrators who use a common access card (CAC) or personal identity verification (PIV) card can continue to use the Federal IdP infrastructure to perform a federated login to the Cloud Administration Console. For instructions, see Configure Session and Authentication Method Settings.

Fixed Issues

Fixed Issue Description
NGX-50739 Previously, resetting an Active Directory password from the custom application portal using the resetpw API did not enforce the Active Directory password policy. This problem has been fixed.
NGX-50457 The Cloud Administration User Event API produced incorrect output. In the row showing which authentication method was used to access an application, the Application column showed the type of device used to complete the authentication method rather than the actual application being accessed. This problem has been fixed and this column no longer shows the device type.
NGX-50062 In the Cloud Administration Console, a customer was unable to successfully Publish Changes. Instead, the request continued to load and the status changed to Publish Pending. This problem was traced to a misconfiguration. For instructions to prevent this problem from occurring, see Add an Identity Source for the Cloud Authentication Service.

For release notes prior to September 2020, see Release Notes Archive - Cloud Authentication Service and RSA SecurID Authenticate Apps.