Release Notes Archive - Cloud Authentication Service and Authenticators

This document contains release notes for releases prior to October 2021. For the most current release notes, see SecurID® Access Release Notes: Cloud Authentication Service and Authenticators.

September 2021 - Cloud Authentication Service

Required Identity Router Updates Must be Completed by October 31, 2021

To strengthen overall security, SecurID has rolled out significant improvements that harden identity routers to meet Security Technical Implementation Guide (STIG) standards. You must update your identity router software version to 12.12.x and the operating system from SLES 11 SP4 to SLES 12 SP5. To view identity router version and operating system information, see View Identity Router Status in the Cloud Administration Console.

Replace These Identity Routers by October 31, 2021

If your identity routers meet both of the following criteria, you must replace them by October 31, 2021 using the replace procedure described in the Identity Router 12.12.x Migration Guide:

  • 10 GB disk space or the identity router is embedded in Authentication Manager

  • SLES 11 operating system

  • Identity router version 12.12 or earlier

No additional updates are available for these identity routers.

Identity Routers Already Updated

If your identity routers meet all three of the following criteria, automatic updates or in-place upgrade should already have occurred on the default rollout date.

  • 54 GB disk space or the identity router embedded in Authentication Manager

  • SLES 11 or 12 operating system

  • Identity router version prior to 12.12

You do not need to replace these identity routers. For more information, see Update Identity Router Software.

Note: To view notifications for identity routers that are not eligible for in-place upgrade, click Platform > Identity Routers in the Cloud Administration Console.

Before an in-place upgrade occurs, we recommend that you take a snapshot for VMware and Hyper-V identity routers and take a storage volume snapshot for AWS identity routers. These snapshots can be discarded after a successful upgrade. The in-place upgrade procedure updates your identity router software version to 12.12.x and the operating system from SLES 11 SP4 to SLES 12 SP5.

After the in-place upgrade is complete, verify the identity router operating system in the Cloud Administration Console. Click Platform > Identity Routers, then click the arrow next to the identity router name. If the operating system is not SLES 12 SP5, contact Customer Support.

Note: An in-place upgrade takes longer than the standard identity router software update. It may take more than an hour for a single identity router update and more than two hours for a cluster of three identity routers.

Additional Information for Identity Routers with SLES 12

The following information applies to identity routers with the SLES 12 operating system:

  • Any certificate and keys you upload to the Cloud Administration Console for SSO SAML applications, SecurID Application Portal (domain certificate), identity source, identity provider and so on must each have a minimum key length of 2048 bits.

  • Signature algorithms RSA\SHA1 (rsa-sha1) and DSA\SHA1 (dsa-sha1) are no longer supported for signing SAML assertions for SAML applications in the SecurID Application Portal. The following algorithms are supported.

    Supported Algorithm
    Signature Algorithm: rsa-sha256, rsa-sha384, rsa-sha512, dsa-sha256
    Digest Algorithm: sha1, sha256, sha384, sha512

Unify Your Authenticators, Your Way - SecurID SDK 3.1 for iOS and Android

Build a custom authenticator app for your SecurID, MFA and now Transaction Signing needs, with the new SecurID SDK 3.1 for iOS and Android. Make it easy for your users to access any authenticator conveniently within the same familiar app for a better overall user experience. For more information, see this advisory and SecurID SDK Documentation.

Authenticators Unite – SecurID App 4.0 is Coming!

The SecurID app for iOS and Android will soon add MFA functions from the SecurID Authenticate app to the existing SecurID Token capabilities. This merger simplifies the management complexities of your hybrid deployment and minimizes user disruption as you move to the cloud with the same authenticator app.

SecurID Authenticate app users can easily replace their existing app with the SecurID app using QR Codes from a self-service portal like My Page and experience improved usability and greater accessibility enjoyed by millions of SecurID app users today. To learn more, see this advisory.

Just-in-Time Synchronization Always On for Immediate User On-Boarding and Updates

SecurID’s just-in-time synchronization instantaneously allows new users to authenticate with SecurID and prevents disabled users from doing so. In this release, just-in-time synchronization replaces scheduled synchronization to prevent artificial delays from scheduled synchronization intervals. Scheduled bulk synchronization has been removed and just-in-time synchronization is always active. You can still manually synchronize identity sources on-demand. Automatic removal of users from SecurID that were deleted in a user identity store is coming in a future release. For more information, see Synchronizing Identity Sources with the LDAP Directory Server.

On-board, off-board and update on-demand!

Fixed Issues

Fixed Issue Description
NGX-72108 Users were prevented from using My Page to activate their cloud-managed hardware tokens if permission to use Authenticate Tokencode, Device Biometrics, and Approve was not enabled for the company. This problem has been fixed.
NGX-70788 The documentation has been updated to clarify why some users receive an 8-digit emergency tokencode while others receive a 12-digit emergency tokencode. For more information, see Emergency Tokencode.
NGX-71761 A customer was unable to publish due to system constraints. This problem has been fixed.

August 2021 - Cloud Authentication Service

The August release of the Cloud Authentication Service includes the following features and bug fixes.

New Look for the Cloud Administration Console User Interface

The Cloud Administration Console has an updated, modern look that works more efficiently, improving usability and accessibility. Changes include a redesigned main menu navigation bar and Publish bar. The new console has also been updated with the new SecurID branding, colors, and logo. This example shows the updated Cloud Administration Console dashboard.

[Image: updated Cloud Administration Console dashboard]

Improved Status Messages for the Identity Router

The identity router has improved status messages for update availability and starting status.

Update Availability Messages

In the Cloud Administration Console, improved status messages now clearly indicate when identity router updates are available, so that you do not have to upgrade any earlier than necessary.


Starting Status Messages

A new identity router status indicates that a registered identity router is starting. When the identity router is connected to the Cloud Administration Console, the status reads Starting until the identity router is Active.


Reminder: Update Identity Routers to Software Version 12.12.x and SLES 12 SP5

The June 2021 - Cloud Authentication Service (Identity Router) Release Notes provided important information on Identity Router Updates Available for the SUSE Linux Enterprise Server (SLES) Operating System. Be aware of the following:

  • If your identity routers have a 10 GB hard disk drive (HDD), you must replace them as soon as possible with a new image downloaded from the Cloud Administration Console. Replace these identity routers no later than October 31, 2021.

  • Identity routers with 54 GB HDD will be automatically upgraded either on the default rollout date or on the forced upgrade date. You do not need to replace these identity routers.

Changes to Identity Source Synchronization

In July 2021, just-in-time synchronization was enabled for all users, eliminating the need to schedule synchronization tasks. Just-in-time synchronization is now the primary method for keeping your identity sources up-to-date. Additional changes are continuing according to the following timetable.

Event Date
Scheduled synchronization was disabled for all customers. If this causes any problems for your deployment, you can choose to temporarily enable it. Week of August 9, 2021
The settings for enabling just-in-time synchronization and for scheduling synchronization will be permanently removed from the Cloud Administration Console. You will no longer have the ability to disable just-in-time synchronization or to schedule synchronization. September 2021

After these changes are rolled out, you will still be able to do a bulk synchronization on-demand as needed. Work with your SecurID customer representative to resolve any issues that may occur as a result of these changes.

For more information, see Identity Sources for the Cloud Authentication Service.

How Connection Speed Affects Just-in-Time Synchronization

Just-in-time synchronization is affected by the speed of your identity source directories. Your identity routers' connections to directory servers and to the Cloud Authentication Service must be fast enough to respond within the expected window before connections time out. For users who already have records in the Cloud Authentication Service, just-in-time synchronization waits up to 5 seconds for the directory server to respond before attempting to update a user's record during authentication. After 5 seconds, cached data is used to proceed with authentication. If the Cloud Authentication Service receives a response within a few seconds after the 5-second time limit has passed, it does process that response and the updated information will be available in the Cloud Authentication Service the next time the user attempts to authenticate. Just-in-time synchronization waits up to 22 seconds for the directory server to respond before creating a user's record during authentication. If no response is received in that time, the authentication attempt fails.

Cloud Administration Console URLs Expected to Change in November 2021 Release

Beginning November 2021, the Cloud Administration Console URLs for your company will change to include your company subdomain. For example, if you currently access the Console with https://na2.access.securid.com/ and your company subdomain is example, you will access the Console with https://example.access.securid.com. The Cloud Authentication Service will be able to dynamically redirect your administrative requests to a suitable environment if a problem is detected that affects service availability.

The existing shared URLs will remain available for sign-in and administrators will receive a message in the Console reminding them to update bookmarks to use the new URLs. The shared URLs will continue to work for the foreseeable future but might not offer all capabilities or perform as well as the new company-specific URLs.

Fixed Issues

Fixed Issue Description
NGX-70781 The Cloud Authentication Service now accepts incoming SAML assertions from external identity providers that include the optional SPNameQualifier attribute of the NameID element.
NGX-69964 Previously, users were being disabled during identity source synchronization if the user's DN and email address (mail attribute) changed simultaneously. This problem no longer occurs.
NGX-69615 Users saw misleading messages when they reset their PINs for SecurID hardware token using My Page. This problem has been fixed.

July 2021 - Cloud Authentication Service

The July 2021 release of the Cloud Authentication Service includes the following features.

New Cloud Administration APIs for Managing SID700 Hardware Tokens

You will be able to integrate Help Desk operations for SID700 tokens into your own provisioning or management tools. These APIs apply to hardware token records that are uploaded to the Cloud Authentication Service. The APIs perform the functions described below. For details on each API, see Using the Cloud Administration APIs.

Function Cloud Administration API
Retrieve details about all authenticators assigned to a user. Cloud Administration Authenticator User Details API
Retrieve details about a user's hardware token by providing the serial number. Cloud Administration Retrieve Hardware Token Serial Number API
Clear a user's PIN for a hardware token. Cloud Administration Clear PIN for Hardware Token API
Assign or unassign a hardware token from a user. Cloud Administration Assign Hardware Token API, Cloud Administration Unassign Hardware Token API
Delete a user's hardware token by providing the serial number. Cloud Administration Delete Hardware Token API
Enable or disable a user's hardware token. Cloud Administration Enable Hardware Token API, Cloud Administration Disable Hardware Token API
Update the name of a user's hardware token. Cloud Administration Update Hardware Token Name API

Note: The ability to manage SID700 hardware tokens in the Cloud Authentication Service is a limited release that is specifically targeted for Cloud-only deployments. This feature is not supported for hybrid deployments where SecurID Authentication Manager is connected to the Cloud Authentication Service. If you have a Cloud-only deployment and you want to enable native hardware token support, contact your RSA Sales representative or Channel Partner.

Identity Source Synchronization Changes Begin July 12, 2021

Significant changes to identity source synchronization are coming in future releases. Beginning in July, users will automatically be synchronized to the Cloud Authentication Service in real-time, eliminating the need to schedule synchronization tasks. These changes ensure that just-in-time synchronization will become the primary method for keeping your identity sources up-to-date. Your identity routers' connections to directory servers and to the Cloud Authentication Service must be fast enough to respond within the expected window before connections time out. The changes will occur according to the following timetable.

Event Date
Just-in-time synchronization will be enabled for all customers. If this causes any problems for your deployment, you can choose to temporarily disable it. week of July 12, 2021
Scheduled synchronization will be disabled for all customers. If this causes any problems for your deployment, you can choose to temporarily enable it. week of August 9, 2021
The settings for enabling just-in-time synchronization and for scheduling synchronization will be permanently removed from the Cloud Administration Console. You will no longer have the ability to disable just-in-time synchronization or to schedule synchronization. September 2021

After these changes are rolled out, you will still be able to do a bulk synchronization on-demand as needed. Work with your SecurID customer representative to resolve any issues that may occur as a result of these changes.

Note: Just-in-time synchronization is affected by the speed of your identity source directories. Just-in-time synchronization waits up to 5 seconds to update a user's record during authentication and up to 22 seconds to create a user's record during authentication.

Cloud Administration Console URLs Expected to Change in November 2021 Release

Beginning November 2021, the Cloud Administration Console URLs for your company will change to include your company subdomain. For example, if you currently access the Console with https://na2.access.securid.com/ and your company subdomain is example, you will access the Console with https://example.access.securid.com. The Cloud Authentication Service will be able to dynamically redirect your administrative requests to a suitable environment if a problem is detected that affects service availability.

The existing shared URLs will remain available for sign-in and administrators will receive a message in the Console reminding them to update bookmarks to use the new URLs. The shared URLs will continue to work for the foreseeable future but might not offer all capabilities or perform as well as the new company-specific URLs.

In addition, make sure your calls to the Cloud Administration Console APIs use the company-specific URLs when they become available. These APIs will continue to work with the existing shared URLs for the foreseeable future, but it is recommended to update these too once the company-specific URLs are available.

Improved Security for Approve Notifications in SecurID Federal Edition

Approve notifications in the SecurID Authenticate app are more secure for SecurID Federal Edition customers. Each notification includes a confirmation code to ensure that the same user initiates the authentication attempt and taps Approve on a registered device. You must prepare your users for this change.

When users attempt to access an application with Approve, a confirmation code is displayed on the application screen and on the users’ phone. If the app is already open, the code appears in the app. If the app is closed, the code appears on the Lock screen. The user must tap Approve only if both codes match. If the codes do not match, the user’s account may have been compromised. In this case, the user should not tap Approve and must notify your IT Help Desk immediately.

Fixed Issues

Fixed Issue Description
NGX-67039 After registering a device with the Cloud Authentication Service, the user received a confirmation message with his name misspelled. This problem has been fixed and device names now support Unicode.
NGX-66355 The updated certificate and 2048 key requirements for the latest identity router version are documented in the June 2021 Release Notes for the Cloud Authentication Service. See Identity Router Updates Available for the SUSE Linux Enterprise Server (SLES) Operating System.
NGX-64526 The Cloud Administration Console now displays a message if the return list or check list attributes are not present in the RADIUS dictionary file.

July 2021 - SecurID SDK 3.0 for iOS and Android – Coming Soon

Build your own custom authenticator app using the new SecurID SDK 3.0 for iOS and Android. Offer your users a way to authenticate with convenient MFA options while seamlessly maintaining a similar look and feel across your existing applications for a better overall user experience.

June 2021 - Cloud Authentication Service (Identity Router)

Prepare for Unification – the New SecurID App is Coming!

The new SecurID 3.0 app to be released in June 2021 is the first step towards making it easier than ever for iOS and Android users to access their multifactor authentication methods in one place. The version 3.0 app will provide SecurID Software Token, with the ability to manage multiple software tokens, generate tokencodes, and view token information in an all-new card-style interface for improved usability. The version 4.0 app, expected within a few months, will include Authenticate Tokencode, Device Biometrics, and Approve (push notifications). Encourage your users to update their Authenticate apps to version 3.9 to ensure a seamless transition to the 4.0 app.

Cloud Authentication Service Provides Native Support for SID700 Hardware Tokens

The Cloud Authentication Service now supports SID700 hardware tokens, unleashing the potential of the cloud platform to meet your specific regulatory, security, and business requirements. The total cost of ownership is significantly reduced because users can self-register, activate, and manage their own tokens in My Page.

Note: This is a limited release that is specifically targeted for Cloud-only deployments. This feature is not supported for hybrid deployments where RSA Authentication Manager is connected to the Cloud Authentication Service. If you have a Cloud-only deployment and you want to enable hardware tokens, contact your RSA Sales representative or Channel Partner.

This is the front of the SID700 hardware token:

[Image: front of the SID700 hardware token]

During authentication, the Cloud Authentication Service validates the tokencode and PIN. These tokens can be viewed and managed from the Cloud Administration Console. You do not need to deploy an RSA Authentication Manager server.

For more information see SecurID Hardware Token.

Note: Hardware tokens can be used for offline authentication on desktops that have macOS Agent Version 1.3 or Windows Agent Version 2.1.1 Patch.

Identity Router Update Schedule and Versions

This release includes miscellaneous identity router improvements. Identity routers will be updated according to the following schedule.

Date Description
EU: 7/1/2021; ANZ, US: 7/6/2021 Updated identity router software is available to all customers.
7/24/2021 Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually.
8/14/2021 If you postponed the default date, this is the last day when updates can be performed.

Note: Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.

The new identity router software versions are:

Deployment Type Version
On-premises 2.12.0.0
Amazon Cloud RSA_Identity_Router 2.12.0.0

Note: The schedule to update the identity router software described above is independent of the process for upgrading the operating system described below. You can update the software without upgrading the operating system.

Identity Router Updates Available for the SUSE Linux Enterprise Server (SLES) Operating System

To strengthen the overall security of SecurID, in June 2021 RSA is rolling out significant improvements that harden identity routers to meet Security Technical Implementation Guide (STIG) standards. You must update your identity router software version to 12.12.x and the operating system from SLES 11 SP4 to SLES 12 SP5.

Select the appropriate update option based on the current software and operating system version of your identity router. To check your software and operating system version, in the Cloud Administration Console, click Platform > Identity Routers, then click the arrow next to the identity router name.


Select the appropriate update option for your environment.

Note: To find the version number for an identity router, sign in to the Cloud Administration Console. Click Platform > Identity Routers, then click the arrow next to the identity router name.

If your identity router has:

  • 54 GB disk space or the identity router embedded in Authentication Manager

  • Operating System: SLES 12

  • Software Version: 12.11

Follow this update path:

RSA recommends that you allow the update to occur automatically on the default rollout date. You do not need to replace these identity routers. For more information, see Update Identity Router Software.

If your identity router has:

  • 54 GB disk space

  • Operating System: SLES 11

  • Software Version: prior to 12.12

Follow this update path:

In-place upgrade follows the standard identity router software update procedure that happens automatically on a default schedule. For more information, see Update Identity Router Software.

RSA recommends that you take a VM snapshot for VMware identity routers and take a storage volume snapshot for AWS identity routers before performing an in-place upgrade. The in-place upgrade procedure updates your identity router software version to 12.12.x and the operating system from SLES 11 SP4 to SLES 12 SP5.

After the in-place upgrade is complete, verify the identity router operating system in the Cloud Administration Console. Click Platform > Identity Routers, then click the arrow next to the identity router name. If the operating system is not SLES 12 SP5, contact Customer Support.

You do not need to replace these identity routers.

Note: In-place upgrade takes longer than the standard identity router software update. It may take more than an hour for a single identity router update and more than two hours for a cluster of three identity routers.

If your identity router has:

  • 10 GB disk space or the identity router embedded in Authentication Manager

  • Operating System: SLES 11

  • Software Version: prior to 12.12

Follow this update path:

These identity routers are not eligible for in-place upgrade. Perform the streamlined swap and replace procedure described in the Identity Router 12.12.x Migration Guide.

You must replace these identity routers as soon as possible with a new image downloaded from the Cloud Administration Console. Replace these identity routers no later than October 31, 2021.

Note: To view notifications for identity routers that are not eligible for in-place upgrade, click Platform > Identity Routers in the Cloud Administration Console.

The following information applies to identity routers with the SLES 12 operating system:

  • Any certificate and keys you upload to the Cloud Administration Console for SSO SAML applications, SecurID Application Portal (domain certificate), identity source, identity provider and so on must each have a minimum key length of 2048 bits.

  • Signature algorithms RSA\SHA1 (rsa-sha1) and DSA\SHA1 (dsa-sha1) are no longer supported for signing SAML assertions for SAML applications in the SecurID Application Portal. The following algorithms are supported.

    Supported Algorithm
    Signature Algorithm: rsa-sha256, rsa-sha384, rsa-sha512, dsa-sha256
    Digest Algorithm: sha1, sha256, sha384, sha512
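
Added example (not from RSA or the SecurID documentation): a Python check that maps the algorithm names listed above, which the September 2021 notes repeat, to their standard XML Signature URIs and reports which signatures in a SAML message use rsa-sha1 or dsa-sha1. The SAML response is constructed for illustration, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}

# Standard XML Signature URIs for the algorithm names in the release notes.
SUPPORTED_SIGNATURE = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384": "rsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": "rsa-sha512",
    "http://www.w3.org/2009/xmldsig11#dsa-sha256": "dsa-sha256",
}
# Named in the notes as no longer supported for signing SAML assertions.
UNSUPPORTED_SIGNATURE = {
    DS + "rsa-sha1": "rsa-sha1",
    DS + "dsa-sha1": "dsa-sha1",
}
# sha1 stays in the notes' supported digest list, so it is not flagged here.
SUPPORTED_DIGEST = {
    DS + "sha1": "sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384": "sha384",
    "http://www.w3.org/2001/04/xmlenc#sha512": "sha512",
}

# Constructed sample: the Response is signed with rsa-sha256, the embedded
# Assertion with rsa-sha1. Signature and digest values are placeholders.
SAMPLE_RESPONSE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:SignatureMethod
          Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_r1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>CONSTRUCTED</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>CONSTRUCTED</ds:SignatureValue>
  </ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature>
      <ds:SignedInfo>
        <ds:SignatureMethod
            Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#_a1">
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>CONSTRUCTED</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>CONSTRUCTED</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


def classify(uri, supported, rejected=None):
    """Map an Algorithm URI to (name, status)."""
    if uri in supported:
        return supported[uri], "supported"
    if rejected and uri in rejected:
        return rejected[uri], "unsupported"
    return uri, "unknown"  # not in either list from the notes


def audit_saml_algorithms(xml_text):
    """Return (signed_element, kind, algorithm, status) per signature/digest.

    For untrusted XML, parse with a hardened parser such as defusedxml.
    """
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build a child -> parent map.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for sig in root.iter("{%s}Signature" % DS):
        parent = parent_of.get(sig)
        owner = parent.tag.rsplit("}", 1)[-1] if parent is not None else "(root)"
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        uri = method.get("Algorithm", "") if method is not None else ""
        name, status = classify(uri, SUPPORTED_SIGNATURE, UNSUPPORTED_SIGNATURE)
        findings.append((owner, "signature", name, status))
        for dm in sig.findall("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS):
            name, status = classify(dm.get("Algorithm", ""), SUPPORTED_DIGEST)
            findings.append((owner, "digest", name, status))
    return findings


def rejected_findings(findings):
    """Keep only entries that are not in the supported lists."""
    return [f for f in findings if f[3] != "supported"]


if __name__ == "__main__":
    for owner, kind, name, status in audit_saml_algorithms(SAMPLE_RESPONSE):
        print(f"{owner:10} {kind:10} {name:12} {status}")
```

The check covers algorithm identifiers only; the 2048-bit minimum key length from the first bullet has to be verified separately on the certificate and key.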

Identity Source Synchronization Changes Beginning July 2021

Significant changes to identity source synchronization are coming in future releases. Beginning in July, users will automatically be synchronized to the Cloud Authentication Service in real-time, eliminating the need to schedule synchronization tasks. These changes ensure that just-in-time synchronization will become the primary method for keeping your identity sources up-to-date. Your identity routers' connections to directory servers and to the Cloud Authentication Service must be fast enough to respond within the expected window before connections time out. The changes will occur according to the following timetable.

Event Date
Just-in-time synchronization will be enabled for all customers. If this causes any problems for your deployment, you can choose to temporarily disable it. week of July 12, 2021
Scheduled synchronization will be disabled for all customers. If this causes any problems for your deployment, you can choose to temporarily enable it. week of August 9, 2021
The settings for enabling just-in-time synchronization and for scheduling synchronization will be permanently removed from the Cloud Administration Console. You will no longer have the ability to disable just-in-time synchronization or to schedule synchronization. September 2021

After these changes are rolled out, you will still be able to do a bulk synchronization on-demand as needed. Work with your SecurID customer representative to resolve any issues that may occur as a result of these changes.

Note: Just-in-time synchronization is affected by the speed of your identity source directories. Just-in-time synchronization waits up to 5 seconds to update a user's record during authentication and up to 22 seconds to create a user's record during authentication.

Cloud Administration Console URLs Expected to Change in November 2021 Release

Beginning November 2021, the Cloud Administration Console URLs for your company will change to include your company subdomain. For example, if you currently access the Console with https://na2.access.securid.com/ and your company subdomain is example.com, you will access the Console with https://example.access.securid.com. The Cloud Authentication Service will be able to dynamically redirect your administrative requests to a suitable environment if a problem is detected that affects service availability.

The existing shared URLs will remain available for sign-in but administrators will be redirected to the new URL and will receive a message in the Console reminding them to update bookmarks to use the new URLs. The shared URLs will continue to work for the foreseeable future but might not offer all capabilities or perform as well as the new company-specific URLs.

RSA Now Enforces TLS 1.2 for all Cloud Authentication Service Connections

RSA now requires all identity routers to use Transport Layer Security (TLS) 1.2 or greater encryption for all communication. If you have not yet updated your identity router connections to TLS 1.2, you must do so immediately to ensure uninterrupted connectivity. Make sure that everything that accesses the Cloud Authentication Service supports TLS 1.2. This includes all of your applications, identity sources, identity providers, agents, browsers, mobile apps, API connections, and networking equipment such as HTTPS proxies.

Fixed Issues

Issue Description
NGX-64133 The Cloud Administration Console now truncates leading and trailing spaces in URLs configured for SAML applications and HTTP Federation applications.
NGX-63547 A customer experienced the following situation. Applications were configured in the application portal using SAML, and a third-party identity provider (IdP) was configured as an SSO Agent IdP. When users tried to access a SAML application using an SP-initiated workflow and third-party IdP to authenticate to the portal, the users were sent to the portal instead of to the application they were trying to access. This problem has been fixed.
NGX-62497 A customer was unable to successfully integrate an application with the application portal using SAML and an SP-initiated connection if the RelayState parameter in the SAML request contained unescaped characters. The problem has been fixed.
NGX-60617 A customer's identity router failed to update and stopped processing authentications when the software update service connection was broken before the update. This problem has been fixed.
NGX-53737 You can now ensure that users are able to access high-risk SAML applications in the SSO Portal only after successfully completing additional authentication. Make sure the ForceAuthn attribute is "true" in the SAML request. The user will be prompted for additional authentication even though a user session already exists and additional authentication was already completed at the same assurance level or higher.

June 2021 – SecurID Authenticate 3.9 App for iOS and Android

Prepare for unification! A future release of the new SecurID app will combine both Software Token and MFA functions into a single, easy to use SecurID app with improved usability and greater accessibility. This version 3.9 update contains functionality that ensures a seamless switchover to the unified app. Encourage your users to upgrade so they will be ready to easily transition to the future SecurID 4.0 (unified) app coming soon.

May 2021 - Cloud Authentication Service

Fixed Issue

Issue Description
NGX-62567 A customer was unable to publish changes to the Cloud Authentication Service due to validation errors for attribute extensions. This problem has been fixed.

Known Issue

Issue Description
NGX-59855 Identity routers on the SLES 12 SP5 operating system do not function properly when an incompatible private key is uploaded to the Cloud Administration Console. See Knowledge Base article 00003969 for details and workaround.

April 2021 - Cloud Authentication Service

The April 2021 release of the Cloud Authentication Service includes the following features.

Improved Email Templates for Device Registration and Emergency Access

In email templates used for sending targeted device registration and emergency access emails, the signature field has been expanded to allow up to 2000 characters. For instructions on configuring emails, see Configure Email Notifications.

Support for Passwordless Authentication Through the MFA Agent 2.1 for Microsoft Windows

A modern, passwordless sign-in experience enables the dynamic workforce to be more productive while protecting the organization’s critical data wherever the user may be. This update to the Windows agent enables passwordless authentication to Windows 10 laptops and desktops using a FIDO2 security key with a USB connector for both online and offline authentication. For more information, see RSA® Authentication Agent for Microsoft Windows Documentation.

RSA to Enforce TLS 1.2 for all Cloud Authentication Service Connections Beginning May 15, 2021

On August 26, 2020, RSA announced that TLS 1.2 will be required for Cloud Authentication Service connections beginning on October 31, 2020. To provide additional time for customers to make necessary configuration changes, the date was moved to mid-April 2021. RSA will now enforce TLS 1.2 for all Cloud Authentication Service connections beginning on May 15, 2021. If you have not updated your connections to TLS 1.2, you must do so immediately to ensure uninterrupted connectivity. For details, see this advisory.

Fixed Issue

Fixed Issue Description
NGX-63011 A customer reported that new users were unable to register FIDO Yubikey 2.0 tokens under certain circumstances. This problem has been fixed.

March 2021 - Cloud Authentication Service

The March 2021 release of the Cloud Authentication Service contains the following new features.

Administrators Can Initiate User On-Boarding with Enhanced Just-in-Time Synchronization

Just-in-time user synchronization allows new users (for example, new hires) to immediately register authenticators with the Cloud Authentication Service without waiting for the daily identity source synchronization job to run. This release further enhances support for just-in-time use cases where on-boarding is initiated by the administrator rather than through user self-service. You can also use the Cloud Administration User Details API to add this functionality to your in-house tools. For example, this feature is helpful when your IT Help Desk generates a one-time mobile registration code or manually adds the user’s mobile number for SMS Tokencode delivery. For more information, see View User Information.

New REST API Identifies Anomalous Users

A new Cloud Administration REST API can provide your identity, security operations, and incident response teams with visibility into users who exhibit anomalous behavior in your organization based on users’ access patterns. Your teams’ ability to query through this API provides rich identity context for detection (threat hunting), remediation, or forensics exercises. For more information, see the Cloud Administration Anomalous Users API.

Improved Retrieval of License Usage Information

The Cloud Administration Retrieve License Usage API can now retrieve the license information for the current month and previous 12 months. This information includes number of MFA licenses used, number of users with third-party FIDO authenticators, number of SMS and Voice tokencodes sent, and number of active users. Use this information to monitor for license compliance. For details, see Cloud Administration Retrieve License Usage API Version 2.

Support Ended for Internet Explorer on March 16, 2021

As of March 16, 2021, the Cloud Administration Console no longer supports Internet Explorer. For an up-to-date list of supported browsers, see Supported Browsers for the Cloud Administration Console.

Fixed Issues

Fixed Issue Description
NGX-58711 The documentation now clarifies how Approve authentication works when the user's device is locked and unlocked. For more information, see Configure Device Unlock for Approve.
NGX-56630 Two User Event Monitor messages were displayed for one unsuccessful RSA RADIUS authentication attempt with Authenticate OTP, and the attempt counted twice against the lockout count. The issue has been fixed.

Known Issue

Issue Description
NGX-61775 Problem: In the Cloud Administration Console, on the User Management page, the new option "Include users not yet synchronized to the Cloud Authentication Service in your search. Exact matches only" fails by showing "No Result Found" if just-in-time synchronization is disabled on the My Account > Company Settings > Company Information page. This problem occurs even if the administrator correctly typed the email address of a valid user.

Workaround: If you want to use this new feature, enable just-in-time synchronization on the My Account > Company Settings > Company Information page.

February 2021 - Cloud Authentication Service

The February 2021 release of the Cloud Authentication Service contains the following features.

Support for Constant Multivalued Attributes in the SAML Assertion

Configured SAML applications can assign entitlements dynamically based on the business context, such as the user role, as included in the SAML assertion. In the SAML authentication response, the Cloud Authentication Service can send the constant multivalue attributes that you define, in addition to user attributes from the identity source, to SAML applications. For instructions, see Configure Advanced Settings for a SAML Connection.

RSA MFA Agent 1.2 for macOS Supports Offline Emergency Access

You can install RSA MFA Agent 1.2 for macOS on Intel® computers running macOS Big Sur (11.1). The agent also provides emergency access for users to sign in to their offline computers when their primary authenticator is misplaced or unavailable. You can customize the agent by disabling MFA for all unlock situations or for up to 12 hours, and by configuring the number of unsuccessful offline authentication attempts allowed with Authenticate Tokencode. For more information, see RSA MFA Agent for macOS.

January 2021 - Cloud Authentication Service

The January 2021 release of the Cloud Authentication Service includes the following features.

Updated Identity Router OVA Image with New Certificate (VMware Virtual Appliance)

The certificate used to sign the identity router virtual appliance .ova files expires on January 31, 2021. If you already downloaded an .ova image and have not yet deployed it, you must download the new .ova file (RSA_Identity_Router-2.11.0.0.7.ova) from the Cloud Administration Console as a replacement. The new .ova file will be available from the Cloud Administration Console on January 26, 2021. For instructions, see Obtain the Identity Router Image.

Cloud Administration REST API Retrieves Product Usage Analytics

Your existing analytics tools can now discover trends in SecurID product usage and registered authenticator patterns by using a REST API that can access the historical data. You can easily obtain the number of active users for the current and previous months, which can help you optimize product use, accurately forecast future needs, plan your budget, and meet compliance requirements. For more information, see Cloud Administration Retrieve License Usage API.

View Anomalous Users in the Identity Confidence Dashboard

The Identity Confidence dashboard displays a list of the most anomalous users within your organization and provides insights into their behavior based on access patterns. Use this dynamic list to investigate and remediate potential access risks to your organization. For instructions, see View Risk Analytics and Track Behavior for a User.

Find and Add Unsynchronized Users

In the Cloud Administration Console you can now find users who are not yet synchronized and automatically add them to the Cloud Authentication Service. This feature is convenient for finding new users or users who have not previously authenticated. Immediately after the user is added, you can manage that user by performing any administrative operation such as updating the user's SMS phone number or generating a registration code. On the Users > Management page, just type the user's email address and click the prompt. For more information, see View User Information.

RSA Authentication Manager Provides Emergency Failover When the Cloud Authentication Service Cannot be Reached

Authentication Manager will be able to act as an on-premises failover when users present a SecurID tokencode and Authentication Manager cannot reach the Cloud Authentication Service for validation. This feature ensures high availability to on-premises mission critical applications protected by SecurID agents. For more information, see RSA Authentication Manager Secure Proxy Server for the Cloud Authentication Service.

Known Browsers Removed After 90 Days Without Use

Known browsers that are unused for more than 90 days are removed from users’ list of known browsers. If the Remember this Browser option remains enabled in the Cloud Administration Console on the My Account > Company Settings page, these users will again be prompted to remember the browser. Further, users might be prompted to re-authenticate as required by the configured access policy the next time they attempt to access a protected resource using a previously known browser. In the Cloud Administration Console, Help Desk Administrators can now view separate lists for a user’s registered devices and known browsers on the Users > Management page. Click an arrow to reveal a list of Known Browsers that have been used within the past 90 days.

Fixed Issues

Fixed Issue Description
NGX-57261 Documentation for the Cloud Administration Authenticator Details API is now updated to reflect that the Last Used On field no longer appears on the User Management page in the Cloud Administration Console.
NGX-57044 Some customers were unable to deploy the identity router version 2.11.0.0.6 in certain Amazon Web Services regions. This problem has been fixed.
NGX-55454 A customer experienced UI issues in the Cloud Administration Console due to a problem with the RSA Authentication Manager connection setup. This issue has been resolved and improvements made to prevent this from recurring.
NGX-55328 The documentation has been updated to reflect that custom portal settings cannot be used in combination with standard portal settings. The Login Page, Portal Page, and Error Page settings can be used only with the custom portal.
NGX-54807 The documentation has been updated to clarify how access policies can control the access to applications after users sign in to the SecurID Application Portal. The Portal Multifactor Authentication Policy can require additional authentication to the portal. If the configured access policies do not allow a user to access any applications in the portal, the user can still sign into the portal, but no applications will be visible.

January 2021 - SecurID Authenticate 3.7 App for iOS

In SecurID Authenticate 3.7 for iOS, the following issue has been fixed.

Fixed Issue Description
NGX-56182 Previously, when Dark Mode was enabled on the user's phone, text the user typed into the app could not be read because it appeared as white against a white background. This problem has been fixed. Now the background turns black so the white text is clearly visible.

November 2020 - SecurID Authenticate 3.7 App for Android

SecurID Authenticate 3.7 App for Android contains:

  • A QR code scan icon on a new tab that is convenient for adding user accounts after device registration.

  • Miscellaneous bug fixes

November 2020 - Cloud Authentication Service

Action Required for RSA MFA Agents for Microsoft Windows 1.1 and 1.2

In the coming months, RSA will improve security by enforcing the use of Transport Layer Security (TLS) 1.2 or greater encryption for all communication from clients (including identity routers, RSA Authentication Manager, agents, and proxies) to the Cloud Authentication Service. This TLS 1.2 enforcement change is scheduled for mid-April 2021. Before TLS 1.2 rolls out, all customers with RSA MFA Agent for Microsoft Windows 1.1 or 1.2 who expect to use emergency offline authentication must update their agents to the latest 1.2.1 or 2.0.x version to support TLS 1.2.

If offline authentication is enabled for your users and you do not upgrade the agents, the downloaded day files will not be updated on each agent and offline authentication will stop working in mid-April 2021. TLS 1.2 does not affect users’ ability to perform online authentication.

If you are using a proxy to proxy traffic from clients to the Cloud Authentication Service, the proxies must support TLS 1.2.

Identity Router Upgrade to SUSE LINUX Enterprise Server (SLES) 12 SP5

In the November release, the identity router image available for download is based on the SLES 12 SP5 operating system. If you download and deploy this new identity router image, be aware of the following:

  • Certificates and keys you upload for SSO SAML applications and SecurID Application Portal (domain certificate) in the Cloud Administration Console must each have a minimum key length of 2048 bits.

  • Signature algorithms RSA\SHA1 (rsa-sha1) and DSA\SHA1 (dsa-sha1) are no longer supported for signing SAML assertions for SAML applications in the SecurID Application Portal.

If you choose not to download and deploy the new identity router image, you do not need to take further action. Identity routers will be updated according to the schedule provided in these Release Notes. These updates are software only and do not update the operating system to SLES 12 SP5.

RSA will publish further guidance related to upgrading existing identity routers to SLES 12 SP5 in the coming weeks.
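A pre-migration check for the signature algorithm requirement above, shown as an added example that is not RSA code: it lists every XML signature in a captured SAML response and flags those whose SignatureMethod is rsa-sha1 or dsa-sha1. The function names and the sample response are constructed, the signature values are placeholders, and key length is not checked here.

```python
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}

# XML-DSig algorithm URIs for the two signature methods the release note names.
UNSUPPORTED = {
    NS["ds"] + "rsa-sha1",
    NS["ds"] + "dsa-sha1",
}

# Constructed sample: a response signed with rsa-sha256 that wraps an
# assertion signed with rsa-sha1. Signature values are placeholders.
SAMPLE_RESPONSE = b"""<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo><ds:SignatureValue>CONSTRUCTED</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    </ds:SignedInfo><ds:SignatureValue>CONSTRUCTED</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


def audit_signatures(xml: bytes) -> list:
    """Return one finding per ds:Signature, in document order."""
    root = ET.fromstring(xml)
    # ElementTree keeps no parent pointers, so build a child -> parent map
    # to learn which element each enveloped signature covers.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for sig in root.iter("{%s}Signature" % NS["ds"]):
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        algorithm = method.get("Algorithm") if method is not None else None
        signed = parent_of.get(sig)
        findings.append({
            "signed_element": signed.tag.rsplit("}", 1)[-1] if signed is not None else None,
            "signed_id": signed.get("ID") if signed is not None else None,
            "algorithm": algorithm,
            "unsupported": algorithm in UNSUPPORTED,
        })
    return findings


def needs_reconfiguration(xml: bytes) -> list:
    """Only the signatures that use rsa-sha1 or dsa-sha1."""
    return [f for f in audit_signatures(xml) if f["unsupported"]]


if __name__ == "__main__":
    for finding in audit_signatures(SAMPLE_RESPONSE):
        status = "UNSUPPORTED" if finding["unsupported"] else "ok"
        print(f"{finding['signed_element']} {finding['signed_id']}: "
              f"{finding['algorithm']} [{status}]")
```
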

Identity Router Update Schedule and Versions

This release includes miscellaneous identity router improvements. Identity routers will be updated according to the following schedule. Note that starting in August 2020, identity router updates are being released independently from Cloud Authentication Service updates.

Date Description

EU: 11/24/2020; ANZ, US: 12/3/2020 Updated identity router software is available to all customers.
2/20/2021 Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually.
3/20/2021 If you postponed the default date, this is the last day when updates can be performed.

Note: Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.

The new identity router software versions are:

Deployment Type Version
On-premises 2.11.0.0
Amazon Cloud RSA_Identity_Router 2.11.0.0

Security Updates

As part of continuous platform upgrades and improvements, this release includes security updates to ensure that the Cloud Authentication Service and identity router are safe from security holes and vulnerabilities. RSA stays on top of security best practices by including strong, FIPS 140-2-compliant encryption modules and by hardening operating systems. Such practices reduce the compliance burden for your company.

Enhanced Visibility into Active Users

You can now view the total number of active users for the current and previous months using the Cloud Administration Console Dashboard. You can also collect usage data through the Cloud Administration Retrieve License Usage API for external trending analysis. Use this information to optimize your product usage, accurately forecast future needs, and meet compliance requirements. For more information, see Usage Information.

Ability to Disable the Remember This Browser Prompt

You can disable the Remember This Browser prompt that appears during step-up authentication. After you disable it, users are never prompted to click Remember This Browser. For configuration instructions, see Configure Company Information and Certificates.

Enhanced Identity Confidence Dashboard to Track User Behavior Over Time

The Identity Confidence Dashboard now displays a graph that allows you to see a user's Confidence scores over a period of time. The graph helps you understand:

  • Any trends in anomalous behavior for an individual user benchmarked against the behavior of all users.

  • The top contributing factors that pulled the score down for each access attempt where the user's identity confidence score was determined to be low in relation to the Confidence Threshold. The Confidence Threshold is calculated based on information collected from all users within your company.

For more information, see View User Risk Analytics and Track User Behavior Over Time.

Fixed Issues

Fixed Issue Description
NGX-54086 The embedded identity router was first registered to an account in the Cloud Authentication Service. After the customer changed the registration to a different company account, publishing failed because the new company name started with the same characters as the old company name. This problem has been fixed.
NGX-54035 In a deployment where two identity providers were configured for Integrated Windows Authentication (IWA), and one Audience ID was a substring of the other Audience ID, both IWA links sent users to the same IWA server rather than to their configured server. This problem has been fixed and users are now directed to their configured server.
NGX-51657 The SecurID Application Portal did not prompt users for additional authentication under unusual environmental conditions. This problem has been fixed.

November 2020 - SecurID Authenticate 3.6 App for iOS

SecurID Authenticate 3.6 app for iOS contains the following updates and improvements:

  • Security enhancements.

  • Updated End-User License Agreement (EULA), Terms of Service, Copyrights, Trademarks, and Privacy Policy.

  • Bug fixes.

October 2020 - Cloud Authentication Service

User Event Monitor Displays Factors Contributing to Low Identity Confidence Score

The User Event Monitor in the Cloud Administration Console now provides you with enhanced visibility into user behavior. If a user's identity confidence score is low (below the Confidence Threshold), the monitor lists up to four factors that most contributed to lowering that user's score. The factors are listed in order from most impactful to less impactful. For example:

Contributing Factors = 1. New cookie or multiple cookies; 2. Location changed; 3. New application; 4. Location has multiple previous failed authentications

This improvement can help administrators and security analysts to better understand and troubleshoot risk-driven decisions. For more information, see View a User's Confidence Score in the User Event Monitor.

Retrieve the Full Authentication API Endpoint from the Cloud Administration Console

You can now copy the authentication endpoint URL directly from the Cloud Administration Console and paste it in a secure place for delivery to your web client developers. This feature reduces the chance of error when retrieving the URL. For instructions, see Copy the SecurID Authentication API REST URL.

RSA MFA Agent 1.1 for macOS

RSA MFA Agent 1.1 for macOS now includes the following features:

  • Users with registered devices can use Device Biometrics as an authentication method.

  • Users can test authentication with the RSA Agent Control Center.

For more information, see RSA MFA Agent for macOS.

RSA is Improving How We Communicate SecurID Cloud Authentication Service Updates

RSA is changing how it communicates updates for the SecurID Cloud Authentication Service, including monthly maintenance notifications and service incidents. The new status page, status.securid.com, brings our current and historical uptime status together with a digest of all past and present incidents and associated details. RSA will also be able to better communicate updates throughout the course of any active incident.

You will now be able to select which notifications you want to receive based on your region, reducing unwanted email updates. Most current subscribers will be automatically subscribed to the new notification service. However, all current subscribers who want to continue to receive service notifications for the Cloud Authentication Service should take the following steps to confirm that they are subscribed correctly:

To subscribe or to check your subscription settings:

  1. Go to status.securid.com.

  2. Click Subscribe to Updates.

  3. Enter your email address and click Subscribe.

Status.securid.com is now live. See our advisory for more details about status.securid.com. RSA will continue to send service and maintenance notifications from our existing Service Notifications space through October 30, 2020.

Fixed Issues

Fixed Issue Description
NGX-53653 Previously, a customer was unable to add new Amazon Web Services applications for SSO when specific values were added in attribute extensions. This issue has been fixed.
NGX-53473 In the Cloud Authentication Service, phone number validation has been updated to incorporate recent changes in phone numbering systems worldwide.
NGX-52155 Documentation for the Cloud Authentication Service has been updated to make it easier to delete an identity source that is being used by a custom access policy or the Device Registration Using Password Policy. For instructions, see Delete an Identity Source from the Cloud Authentication Service.
NGX-52065 In the Cloud Administration Console, when you update the FIDO host name, a log event is now created so you can easily identify why the publish status changed.
NGX-51206 In a particular scenario, the identity router upgrade date scheduled by the customer was not honored and the identity router was upgraded prior to the scheduled date. This problem has been fixed.

NGX-53081 Previously, some users who tried to register a FIDO security key were not prompted to name the key and save it. Also, some users were unable to delete the security key on the first attempt. These problems have been fixed.

October 2020 - SecurID Authenticate 3.5 App for Windows

SecurID Authenticate 3.5 app for Windows contains the following updates and improvements:

  • Security enhancements using the Microsoft Cryptography API.

  • Updated End-User License Agreement (EULA), Terms of Service, Copyrights, Trademarks, and Privacy Policy.

  • Bug fixes.

Note: Users who upgrade to this version from 3.2 or earlier must delete all previous accounts and re-register.

September 2020 - Cloud Authentication Service

Actions Required for Upcoming Identity Router and SecurID Authenticate App Security Improvements

To strengthen the overall security of SecurID, RSA is rolling out significant improvements that affect all identity routers and the SecurID Authenticate app (iOS and Android). See this advisory for information on these improvements. To ensure uninterrupted service and avoid downtime, you must perform the following actions.

Action Begin Action End Action
After RSA migrates database data to FIPS-supported algorithms, the Cloud Administration Console will display a Changes Pending message. Please ignore this message as a publish is not required. This status will disappear after your next regular publish. No customer action needed. EMEA and ANZ regions: 8/29/2020 US region: 9/12/2020

You must upgrade SecurID Authenticate 2.x for Android or iOS to the latest version by October 12, 2020. See this advisory for details.

Begin Action: Immediately. End Action: October 12, 2020.

You must update all identity routers to the August release before the next identity router upgrade date (October 31, 2020):

  • For on-premises identity routers, apply version 2.10.0.0.5 or higher
  • For the Amazon Cloud, apply RSA_Identity_Router 2.10.0.0.6 or higher

After October 31, SecurID will enforce TLS 1.2 for all connections. Versions of TLS earlier than 1.2 will no longer work.

To ensure uninterrupted connectivity, make sure your identity routers are running the latest software version (12.10.0.8) prior to October 31. For instructions, see Update Identity Router Software for a Cluster.

If you are using a proxy server, you must ensure it also supports TLS 1.2 and later.

Begin Action: Follow your normal upgrade schedule. End Action: October 31, 2020.

Note: A new identity router that takes advantage of hardened security and the latest operating system patches using SLES version 12 SP5 is coming in November. Watch future notifications for details.

Multiple Service Provider Connections Allow Flexible Access Policy Assignment

RSA improved integration options for customers with SAML-based applications who cannot use the SAML Authentication Context attribute to assign an access policy based on a condition such as the user group and/or resource being accessed. These customers now have increased flexibility when assigning policies by configuring multiple service provider (SP) connections, each with its own unique identifier. For more information, see Add a Service Provider.

Authenticate to Cloud Administration Console Through Third-Party Identity Provider

Customer administrators can now securely log in to the Cloud Administration Console through federation by extending their identity provider (IdP). Administrators who are using a common access card (CAC) and personal identity verification (PIV) can continue to use the Federal IdP infrastructure to perform a federated login to the Cloud Administration Console. For instructions, see Configure Session and Authentication Method Settings.

Fixed Issues

Fixed Issue Description
NGX-50739 Previously, resetting an Active Directory password from the custom application portal using the resetpw API did not enforce the Active Directory password policy. This problem has been fixed.

NGX-50457 The Cloud Administration User Event API produced incorrect output. In the row showing which authentication method was used to access an application, the Application column showed the type of device used to complete the authentication method rather than the actual application being accessed. This problem has been fixed and this column no longer shows the device type.
NGX-50062 In the Cloud Administration Console, a customer was unable to successfully Publish Changes. Instead, the request continued to load and change to Publish Pending. This problem was traced to a misconfiguration issue. For instructions to prevent this problem from occurring, see Add an Identity Source for the Cloud Authentication Service.

August 2020 - Cloud Authentication Service (Identity Router)

Identity Router Update Schedule and Versions

This release includes miscellaneous identity router improvements. Identity routers will be updated according to the following schedule. Note that starting in August 2020, identity router updates will be released independently from Cloud Authentication Service updates.

Date Description

8/25/2020 Updated identity router software is available to all customers.
9/26/2020 (EMEA, ANZ); 10/3/2020 (US) Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually.
10/31/2020 If you postponed the default date, this is the last day when updates can be performed.

The new identity router software versions are:

Deployment Type Version
On-premises 2.10.0.0.5
Amazon Cloud RSA_Identity_Router 2.10.0.0.6

Android and iOS Users Must Upgrade SecurID Authenticate 2.x App to the Latest Version by October 12, 2020

We are continually enhancing SecurID by adding new features and keeping up-to-date with security best practices. To keep up with these changes, users with SecurID Authenticate 2.x for Android or iOS must upgrade to the latest version available in the Apple App and Google Play stores by October 12, 2020. After this date, 2.x users will not be able to authenticate. SecurID strongly recommends that you upgrade users as soon as possible to avoid any interruptions or downtime. For more information, see this advisory.

Integrate FIDO Authentication Using Cloud Administration API

The RSA Cloud Administration APIs now include support for FIDO. Customers and RSA Ready technology partners can enable their commercial and custom applications to enroll FIDO Tokens leveraging these APIs in addition to using SecurID for FIDO-based authentication. For more information, see Cloud Administration FIDO Authenticator API.

Modernized SecurID Application Portal

SecurID has redesigned the SecurID Application Portal with the same modern look-and-feel that users already see in the web authentication and My Page screens. Improvements include an updated visual design, accessibility improvements and improved ability to display custom customer logos.

Delete RSA Authentication Manager Connection Information

If your Cloud Authentication Service deployment was integrated with SecurID Authentication Manager and it allows users with SecurID Tokens to access cloud-protected resources, you can now delete unused connections. Deleting prevents you from receiving unnecessary logging errors.

Note: Use this feature only after you have updated the identity router software to version 2.10.0.0.5.

For more information, see Delete the Connection Between the Cloud Authentication Service and RSA Authentication Manager.

Fixed Issues

Fixed Issue Description
NGX-50436 In the Cloud Administration Console, informational text and online Help for High Availability Tokencode were corrected.
NGX-48685 An identity router configured with one network interface was unable to connect to RSA Authentication Manager after reboot unless an administrator clicked Update IDR Setup Configuration on the Identity Router Setup page. This problem has been fixed.
NGX-48520 In the Cloud Administration Console, the Last Used On field was removed from the User Management page because it did not apply to mobile devices.
NGX-47885 The browser autocomplete feature is no longer enabled for text fields on the SecurID Application Portal and the Identity Router Setup Console.
NGX-46349 Previously, disabling Identity Confidence Collection in the Cloud Administration Console on the My Account > Company Settings > Company Information page broke access policies that used the Trusted Network conditional policy attribute and were used by applications configured for single sign-on (SSO). This problem has been fixed.

NGX-44842 In the Cloud Administration Console, the user interface design and Help text have been improved to make it easier to configure user attributes when you add an identity source.
NGX-44332 The identity router can now communicate with its software update repositories over TLSv1.2.

SecurID Authenticate 3.3 App for Windows

SecurID Authenticate 3.3 app contains modifications that are required for future app releases. To ensure that Windows users with earlier versions have the latest product improvements, these users must upgrade the app to version 3.3 to avoid re-registration.

July 2020 - RSA MFA Agent 2.0 for Microsoft Windows

RSA MFA Agent 2.0 for Microsoft Windows leverages the Cloud Authentication Service and RSA Authentication Manager 8.5 to provide strong multifactor authentication to users signing into Windows, both online and offline. The MFA Agent provides multiple authentication options for users, along with features that improve user productivity and security during Windows sign-in. This update contains many new features, including:

  • Authentication to both Cloud Authentication Service and RSA Authentication Manager 8.5. You can choose from the supported multifactor authentication options based upon your business needs.

  • Offline authentication available for both RSA Authentication Manager and Cloud Authentication Service users.

  • REST-based agent that addresses security and compliance needs with strong crypto algorithms.

  • Enhanced load balancing and failover with additional administrative controls and new options for customizing the user sign-in experience.

For complete information on new features, see RSA MFA Agent 2.0 for Microsoft Windows Release Notes.

RSA also offers an MFA Agent for macOS. For complete documentation, see RSA MFA Agent 1.0 for macOS.

July 2020 - SecurID Authenticate App for Android

The RSA Authenticate 3.6 for Android app now supports face recognition. Devices must meet the Android security specifications and have a strong rating to allow use of biometric authentication (face recognition and fingerprint) within the Authenticate app. For example, the Pixel 4 device supports strong facial recognition technology. See https://source.android.com/security/biometric/measure for more information. Users should check with their device vendors to confirm whether their devices are compatible.

This release also contains miscellaneous bug fixes and improvements.

July 2020 - Cloud Authentication Service

New API Provides License and Usage Information

RSA is providing a new API to help you integrate your existing tools and gain visibility into your company’s license and usage information, which is important for planning and budgeting your future license upgrades. The Cloud Administration Retrieve License Usage API allows administrators to access the number of MFA licenses used, the number of users with third-party FIDO authenticators, and the total number of SMS and Voice Tokencodes sent for the current month. You can use this data for external trending analysis. For more information, see Cloud Administration Retrieve License Usage API.

Fixed Issues

Fixed Issue Description
NGX-48522 Under certain circumstances, users who authenticated through a relying party had to press the tab key twice in order to move the cursor to the password field. This problem has been fixed.

NGX-47434 The documentation has been updated to indicate that users who sign in to My Page are automatically synchronized to the Cloud Authentication Service. For details, see Just-in-Time Synchronization.
NGX-44932 Previously, there was no way to delete a certificate chain from the Company Settings > Company Information page. Now you can click Delete to delete the certificate chain.

June 29, 2020 - SecurID Authenticate App for iOS and Android

RSA Authenticate 3.5 app for iOS and Android contains miscellaneous fixes and improvements. On Android devices, this update is qualified with Android OS 6.x and later.

Authenticate Key Technical Preview

The app includes Authenticate Key, a FIDO-based authenticator that can be used for primary and additional authentication. This is a Technical Preview feature that is disabled by default. If you are interested in enabling this feature, contact RSA.

Fixed Issues

Fixed Issue Description
NGX-40499 The copyright for the Authenticate app has been updated to 2020.
NGX-40276 Removing PIN protection from the iOS app in a registered device with multiple PIN protected accounts no longer causes other PIN-protected accounts to re-lock immediately after authentication.

NGX-44181 An Android device that had not been jailbroken incorrectly displayed a noncompliance message. This problem has been fixed.

Known Issue

Known Issue Description
NGX-48898 Problem: When users install the iOS app, a message indicates that Bluetooth must be turned on to use Authenticate Key.

Workaround: Users who do not plan to use Authenticate Key should ignore this message.

June 2020 - Cloud Authentication Service

The June 2020 release includes the following features and benefits.

More Value for Enterprise and Premium Editions with YubiKey for SecurID

Customers with SecurID Enterprise or Premium Edition can now use YubiKey for RSA and other third-party FIDO authenticators without purchasing additional licenses. Previously, these customers had to purchase a separate MFA license for each user to use these authenticators. FIDO authenticators provide a positive user experience and help prevent man-in-the-middle and phishing attacks for FIDO-enabled authentication use cases.

RSA Authentication API Supports FIDO/FIDO2

The RSA Authentication API now supports FIDO/FIDO2 for authentication. Along with other RSA-supported MFA options, customers and RSA Ready technology partners can enable commercial and custom applications to use RSA for FIDO authentication. For more information, see RSA Authentication API Developer's Guide.

Easy Access to License and Usage Information

Customers can now easily access their current Cloud Authentication Service license and usage information in the Cloud Administration Console for compliance and operational needs. For more information, see Cloud Administration Console Dashboard.

Fixed Issues

Fixed Issue Description
NGX-47287 Certain client applications (for example, MS Office applications) that used older JavaScript engines displayed a script error during authentication. This issue has been resolved.

NGX-45622 When entering Authenticate Tokencode during authentication, RADIUS client users who enter a space after four digits (as displayed in the SecurID Authenticate app) are now able to successfully authenticate.
NGX-44853 The documentation now explains that when you upload a company logo to My Page, that logo can also be used for the relying party sign-in page and on additional authentication screens presented to users. See Adding a Custom Logo to Your Cloud Authentication Service Deployment.

May 2020 - Cloud Authentication Service

The May 2020 release includes the following features and benefits.

Allow Emergency Tokencode to replace FIDO when FIDO is used for Primary Authentication

Users can use Emergency Tokencode to sign in when they misplace or lose their FIDO authenticator. Emergency Tokencode allows them to access SaaS and web applications that are protected using FIDO as a primary authentication method. For more information, see FIDO.

Securing the Password Reset Process for Administrators

Securely resetting Cloud Administration Console passwords is even better. Now, password resets must be completed within two hours of requesting the password reset link.

Fixed Issues

Fixed Issue Description
NGX-45653 Previously, the User Event Monitor email autocomplete did not show events for users with apostrophes in their email addresses, forcing users to enter the full email address with apostrophes in the filter box in order to see events. This problem has been fixed.
NGX-45485 When just-in-time synchronization was enabled, users who attempted to authenticate during an automatic or manual identity source synchronization might become disabled when they should have remained enabled. This problem no longer occurs.

NGX-22987 Microsoft Azure Active Directory provided the email address instead of the UPN in authentication requests for guest users. This problem has been fixed. Now the Cloud Authentication Service takes the user identity from the email address if the UPN is omitted.

Known Issue

Known Issue Description
NGX-45622 Problem: When entering Authenticate Tokencode during authentication, RADIUS client users who enter a space after four digits (as displayed in the SecurID Authenticate app) are unable to successfully authenticate.

Workaround: Do not enter the space during authentication.

April 2020 - Cloud Authentication Service (Identity Router)

The April 2020 release includes the following features and benefits.

Identity Router Update Schedule and Versions

Identity routers will be updated according to the following schedule.

Date Description
April 28, 2020 Updated identity router software is available to all customers.

July 11, 2020 (ANZ), July 25, 2020 (EMEA, US) Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually.
August 15, 2020 If you postponed the default date, this is the last day when updates can be performed.

The new identity router software versions are:

Deployment Type Version
On-premises 2.9.0.0.4
Amazon Cloud RSA_Identity_Router 2.9.0.0

Enterprise Edition Supports Additional Conditional Access Policy Attributes

Most access policy attributes that were previously available only to customers with Premium Edition are now available to all customers with Enterprise Edition. This feature provides Enterprise customers with greater flexibility in defining conditional access policies. For example, you can enforce different authentication requirements for trusted and untrusted locations. For the list of available attributes, see SecurID Editions.

Support for Threat-Aware Authentication Extended in Cloud Administration API

SecurID Threat Aware Authentication now supports additional customer scenarios in the Cloud Administration of High-Risk User API version 2. You can now manage high-risk users based on Primary Username and Alternate Username. See Cloud Administration Retrieve High-Risk User List API Version 2.

Note: Primary Username temporarily still appears as SecurID Username in the Cloud Administration Console.

Data Collection for Identity Confidence and Location Can Be Disabled from the Cloud Administration Console

Data collection for identity confidence and location can now be disabled and re-enabled from the Cloud Administration Console. For more information, see Configure Company Information and Certificates and Condition Attributes for Access Policies.

Action Required If Identity Confidence Data Collection is Already Disabled for Your Deployment

If you previously disabled identity confidence data collection on the identity router with the assistance of RSA Customer Support, you must now use the Cloud Administration Console to disable this function. After you update your identity router software to the 2.9.0.0.4 version, data collection will be automatically enabled. To disable data collection, open the Cloud Administration Console and click My Account > Company Settings. In the Identity Confidence Collection field, click Disabled.

Editable Preconfigured Access Policies

All of the preconfigured access policies provided with SecurID can now be edited for immediate customization. See Preconfigured Access Policies.

Delete a User Immediately Using New Cloud Administration API

Use the Cloud Administration Delete User Now API to delete a single disabled user from the Cloud Authentication Service and immediately remove all information and devices associated with the user. See Cloud Administration Delete User Now API.

Permissions List Available for SecurID Authenticate and SecurID Software Token Apps

You can download a list of all permissions associated with using the SecurID Authenticate and SecurID Software Token apps. Use this document to inform your users which permissions are optional and which are required. See SecurID Authenticate and SecurID Software Token App Permissions.

Additional Improvements

The April 2020 release contains the following additional improvements and changes:

  • Six new videos demonstrate how to configure the Cloud Authentication Service. See Cloud Authentication Service Videos.

  • All references to FIDO Token have been changed to FIDO in the documentation and user interface.

Fixed Issues

Fixed Issue Description
NGX-41625 Google will slowly roll out a change to the cookie behavior in Google Chrome version 80 or later. This changed cookie behavior does not affect most RSA users. However, there is a possibility that users who have version 80 and authenticate to the SecurID Application Portal might experience step-up authentication failure if the authentication session is longer than two minutes. This problem has been fixed. For more information, see https://community.rsa.com/docs/DOC-110956.
NGX-43410 Publishing configuration changes sometimes failed if the identity router was processing a RADIUS authentication request during the publish. This problem no longer occurs. RSA recommends publishing during off-peak hours when there is less authentication traffic.

NGX-42825 A customer's identity router registration failed at the final step "Checking for connection for authentication and product maintenance." This problem has been fixed.
NGX-42179 On the identity router, some HTTP pages included unnecessary technical information. This problem no longer occurs.
NGX-41473 Email notifications configured in the Cloud Administration Console were being sent from an RSA account on behalf of email domains that were not configured for this account. As a result, the notifications were blocked by spam filters. This problem has been fixed. The From email address has been changed to noreply@securid.com.
NGX-41467 When using change password functionality with a custom portal, the customer now receives the response in JSON format.
NGX-16781 Identity router problems occurred when the same resource was configured for multiple services, for example, if the DNS server was also the gateway, or if the DNS server and identity source used the same IP address. This problem has been fixed.
NGX-36432 The Identity Router Setup Console was incorrectly loaded in certain rare situations when unable to resolve the host name within the specified time. This problem has been fixed.
NGX-39900, NGX-41634, NGX-39859, NGX-39846, NGX-39088, NGX-39077, NGX-39081 Miscellaneous security vulnerabilities were fixed.

April 27, 2020 - RSA Security Key Utility Improvements

The RSA Security Key Utility version 1.1 has been updated to include:

  • Performance improvements.

  • User interface localized in Chinese, Portuguese, Japanese, French, Spanish, and German.

  • Documentation updates.

For downloads, see RSA Security Key Utility. For upgrade instructions, see Using RSA Security Key Utility.

March 2020 - Cloud Authentication Service

Update Your IP Addresses to Connect to the Cloud Authentication Service

RSA is not releasing new features in March 2020. Instead, this is a reminder that you must update your firewall to allow your identity routers and user web browsers to connect to new IP addresses for the Cloud Authentication Service and Cloud Administration Console. These changes are required by our Cloud service provider. To prevent service disruption, your network must be able to connect to both the existing and new IP addresses by the following dates.

Region New IP Addresses Date
ANZ 20.37.53.30, 20.39.99.202 Completed on March 20, 2020
EMEA 51.105.164.237, 52.155.160.141 Friday, April 3, 5:00 PM EDT
US 52.188.41.46, 52.160.192.135 Saturday, April 11

These dates and IP addresses are also published here.

It is important to know:

  • During the maintenance window for this upgrade, authentication services will continue, but you may lose audit data and new device registrations. For example, lost data may include browsers that were "remembered" during maintenance and user actions on My Page. Users who register devices during this time must re-register.

  • No configuration changes are required within the Cloud Authentication Service. If your firewall rules limit outgoing IP traffic, then you need to work with your IT team to add or whitelist the new IP addresses. If your firewall rules do not limit outgoing IP traffic, then you do not need to take additional action at this time.

For instructions on checking the status of your Cloud connections, see View Identity Router Status in the Cloud Administration Console. If you use any third-party tools, such as Pingdom, to monitor your deployment, you might want to temporarily disable alerts during the migration.

March 19, 2020 - SecurID Authenticate for Android

SecurID Authenticate 3.3 for Android includes enhanced compliance checks to ensure the device is not rooted before allowing use of the app. The app previously checked for compliance during registration. The app now checks for compliance whenever users open the app (for example, to complete registration or an authentication request) and in interactive notifications for Approve. If the Authenticate app detects that a device is rooted, the app displays a "Device Not Compliant" message and prevents use of the app.

If your users are using rooted devices, instruct your users to unroot their devices, re-install the SecurID Authenticate app (if necessary), and complete registration again with the app.

March 9, 2020 - RSA Security Key Utility

RSA announces the release of RSA Security Key Utility, a Windows utility that you deploy on users' Windows machines to manage user verification for FIDO2-certified security keys. Users can use the utility to manage a PIN for the security key or reset the key.

RSA Security Key Utility works with any FIDO2-certified USB security key. For system requirements, installation instructions, and more, see Using RSA Security Key Utility.

You can provide the following video to your users to demonstrate how to create and reset a PIN using the utility. The video is also available in the user help:

February 2020 - Cloud Authentication Service

Action Recommended for Certain SSO Agent Deployments to Handle Google Chrome 80 Changes

On February 18, 2020, Google will slowly roll out a change to the cookie behavior in Google Chrome version 80 or later. This changed cookie behavior does not affect most RSA users. However, there is a possibility that users who have version 80 and authenticate to the SecurID Application Portal might experience step-up authentication failure if the authentication session is longer than two minutes. This does not affect deployments that use RADIUS or relying parties. If this issue affects your users, you might need to take further action. For instructions, see Immediate Action Recommended for Certain SSO Agent Deployments to Handle Google Chrome 80 Changes.

Schedule for Planned Changes to Cloud Authentication Service IP Addresses (March 2020)

To align with changes required by our Cloud service provider, Microsoft Azure, the Cloud Authentication Service and Cloud Administration Console IP addresses will change in March 2020. RSA recommends that you make any necessary firewall changes to allow your identity routers and user browsers to connect to these new IP addresses. To prevent service disruption, your network must be able to connect to both the existing and new IP addresses by the following dates.

Region New IP Addresses Date
ANZ 20.37.53.30, 20.39.99.202 March 20, 2020
EMEA 51.105.164.237, 52.155.160.141 March 20, 2020
US 52.188.41.46, 52.160.192.135 March 21, 2020

Note: No configuration changes are required within the Cloud Authentication Service. If your firewall rules limit outgoing IP traffic, then you need to work with your IT team to add or whitelist the new IP addresses. If your firewall rules do not limit outgoing IP traffic, then you do not need to take additional action at this time.

To test access to the new IP addresses, see Test Access to Cloud Authentication Service.

These dates and IP addresses are also published here.

Support for Windows Hello and Android Phone as FIDO Authenticators

The Cloud Authentication Service supports Windows Hello and Android phone as FIDO authenticators. Users must register these authenticators in My Page and not during first-time authentication to an application. You must enable registration for these authenticators in My Page. For more information, see FIDO Authenticators.

New Terminology for Authenticators and Devices

With the support of the FIDO platform authenticators Windows Hello and Android phone, terminology is changing in the Cloud Administration Console and product documentation to address authenticators that are not necessarily devices.

The following changes have been made in the documentation:

  • Authenticator is the new general term for something that a user authenticates with. As part of this change, device registration has been changed to authenticator registration. For example, "Users must complete authenticator registration to access protected applications."

  • Device will continue to be used in situations specific to the SecurID Authenticate app. For example, "An individual user can use the SecurID Authenticate app on a single registered device."

  • The FIDO terminology has changed for end users in My Page, browser-based authentication prompts, and help. In the past, users selected FIDO Token in My Page or More Options, for example. Now users select security key, Windows Hello, or Android phone, depending on what your organization has instructed them to register and use.

    All FIDO authenticators are still managed by the FIDO Token authentication method in the Cloud Administration Console.

The Cloud Administration Console text will be updated in a future release.

New Identity Source Attribute – Alternate Username

A new user identifier, Alternate Username, is available as an identity source attribute. Customers with relying parties such as Azure Active Directory can use any attribute, such as UPN, that is suitable for use as the SecurID username. For configuration instructions, see Add an Identity Source for the Cloud Authentication Service.

Cloud Administration API Retrieves Device Registration Codes

A new API allows users to securely register their devices within custom help desk and self-service portals. The API generates one-time device registration codes. For more information, see Cloud Administration Retrieve Device Registration Code API.

Fixed Issues

Fixed Issue Description
NGX-38913 Previously, customers with the SecurID Base or Enterprise Edition were unable to use access policies that contained condition attributes that are supported for those editions. This problem has been resolved.
NGX-38902 Previously, under certain conditions, some users continued to appear on the Users > Management page in the Cloud Administration Console and in synchronized user reports after their identity source had been deleted from the customer's deployment. This problem no longer occurs.

February 3, 2020 - SecurID Authenticate for Android App

SecurID Authenticate 3.2 for Android contains bug fixes.

January 2020 - Cloud Authentication Service

FIDO2 Certification for Cloud Authentication Service

The Cloud Authentication Service is now a FIDO2 Certified Server. The certification demonstrates compliance with the FIDO specification and ensures compatibility with any FIDO-certified security key.

As part of this certification, the Cloud Authentication Service checks the integrity of the security key response message during registration. If the response message is modified on its way to the Cloud Authentication Service, the registration is unsuccessful.

Additionally, the Cloud Authentication Service verifies the integrity and authenticity of FIDO-certified security keys listed with the FIDO Alliance Metadata Service (MDS). The Cloud Authentication Service rejects MDS-listed keys if detected as counterfeit or compromised.

Jailbreak Detection for SecurID Authenticate for iOS

SecurID Authenticate 3.2 for iOS contains the following updates:

  • Compliance checks to ensure the device is not jailbroken before allowing use of the app. If the Authenticate app detects that a device is jailbroken, the app displays a "Device Not Compliant" message and prevents use of the app. This message displays when users open the app (for example, to complete device registration or an authentication request) and in interactive notifications for Approve.

    If your users are using jailbroken devices, they will no longer be able to use the app. Instruct your users to restore their devices, and then complete device registration again with the SecurID Authenticate app.

  • Bug fixes.

Security Fix for Integrated Windows Authentication Connector Requires Manual Update

A password is now required to protect the Issuer Signing Certificate file (.pfx) when you install the Integrated Windows Authentication (IWA) Connector. If your company installed the Connector prior to the January 2020 release, RSA recommends that you install the latest version of the Connector (1.6) with the certificate file password. For instructions, see Install the Integrated Windows Authentication Connector.

Schedule for Planned Changes to Cloud Authentication Service IP Addresses (March 2020)

To align with changes required by our Cloud service provider, Microsoft Azure, the Cloud Authentication Service and Cloud Administration Console IP addresses will change in March 2020. RSA recommends that you make any necessary firewall changes to allow your identity routers and user browsers to connect to these new IP addresses. To prevent service disruption, your network must be able to connect to both the existing and new IP addresses by the following dates.

Region New IP Addresses Date
ANZ 20.37.53.30, 20.39.99.202 March 20, 2020
EMEA 51.105.164.237, 52.155.160.141 March 20, 2020
US 52.188.41.46, 52.160.192.135 March 21, 2020

Note: No configuration changes are required within the Cloud Authentication Service. If your firewall rules limit outgoing IP traffic, then you need to work with your IT team to add or whitelist the new IP addresses. If your firewall rules do not limit outgoing IP traffic, then you do not need to take additional action at this time.

To test access to the new IP addresses, see Test Access to Cloud Authentication Service.

These dates and IP addresses are also published here.

Known Issue

Known Issue Description
NGX-38913 Problem: Customers with the SecurID Base or Enterprise Edition cannot use access policies that contain condition attributes that are supported for those editions.

Workaround: If you have the Base or Enterprise Edition, do not use conditional attributes in access policies until after this issue is fixed.

November 2019 - Cloud Authentication Service (Identity Router)

The November 2019 release includes the following features and benefits.

Identity Router Update Schedule and Versions

Identity routers will be updated according to the following schedule.

Date Description
12/4/19 Updated identity router software is available to all customers.
1/25/2020 Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually.
2/22/2020 If you postponed the default date, this is the last day when updates can be performed.

The new identity router software versions are:

Deployment Type Version
On-premises 2.8.0.0.5
Amazon Cloud RSA_Identity_Router 2.8.0.0.6

RADIUS Support for Emergency Tokencode

Emergency Tokencode is supported for thick RADIUS clients and for Cisco Adaptive Security Appliance (ASA). RADIUS users who forget or misplace their registered devices can access protected SaaS and web applications using Emergency Tokencode by selecting it from the list of available authentication options. You can also customize your Cisco ASA to accept Emergency Tokencode.

Note: If you are planning to use Emergency Tokencode, perform the customization before you update the identity router.

For instructions, see Customize the SecurID Web Interface for a Cisco Adaptive Security Appliance.

SAML Configuration Improvements

The following configuration improvements affect SAML-enabled web applications when the Cloud Authentication Service is the identity provider:

  • You can require the identity provider to send AuthnContextClassRef in the SAML response as PasswordProtectedTransport to indicate that the password exchange must use a secure transport method. Currently, AuthnContextClassRef is sent as Password.

  • You can configure multivalued attributes to send each value in a separate attributeValue element. Currently, these values are separated by commas.

For instructions, see Configure Advanced Settings for a SAML Connection.
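The two SAML settings above change what a service provider receives in the assertion. The following Python sketch is an added example, not RSA code: it builds two constructed, unsigned assertions (the "groups" attribute name, the group values, and the exact comma-joined format are assumptions) and runs the checks a service provider could apply to each.

```python
"""SP-side review of two SAML response settings (added example, constructed data)."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC_PREFIX = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
PASSWORD = AC_PREFIX + "Password"
PASSWORD_PROTECTED_TRANSPORT = AC_PREFIX + "PasswordProtectedTransport"

# Constructed group names; the first one legitimately contains a comma.
GROUPS = ["Finance, EMEA", "VPN-Users"]


def make_assertion(class_ref, values):
    """Build a minimal, unsigned assertion for the demo (not a full SAML response)."""
    q = "{%s}" % NS["saml"]
    root = ET.Element(q + "Assertion")
    stmt = ET.SubElement(root, q + "AuthnStatement")
    ctx = ET.SubElement(stmt, q + "AuthnContext")
    ET.SubElement(ctx, q + "AuthnContextClassRef").text = class_ref
    attrs = ET.SubElement(root, q + "AttributeStatement")
    attr = ET.SubElement(attrs, q + "Attribute", Name="groups")  # assumed name
    for value in values:
        ET.SubElement(attr, q + "AttributeValue").text = value
    return ET.tostring(root, encoding="unicode")


# Behaviour described as current: class Password, values joined by commas
# (the join without spaces is an assumption).
LEGACY = make_assertion(PASSWORD, [",".join(GROUPS)])
# Behaviour with both new options enabled.
UPDATED = make_assertion(PASSWORD_PROTECTED_TRANSPORT, GROUPS)


def authn_class(xml_text):
    """Return the AuthnContextClassRef URI, or None if it is absent."""
    root = ET.fromstring(xml_text)
    node = root.find(
        "./saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS
    )
    return node.text.strip() if node is not None and node.text else None


def attribute_values(xml_text, name):
    """Return every AttributeValue text for the named attribute, in order."""
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.iterfind("./saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            values.extend(v.text or "" for v in attr.findall("saml:AttributeValue", NS))
    return values


def review(xml_text, multi_attr="groups", required=PASSWORD_PROTECTED_TRANSPORT):
    """List findings for one assertion.

    A real service provider verifies the XML signature before reading any
    field and parses with a hardened XML parser; both are out of scope here.
    """
    findings = []
    found = authn_class(xml_text)
    if found != required:
        findings.append("authn-context: got %r, policy requires %r" % (found, required))
    values = attribute_values(xml_text, multi_attr)
    # Heuristic: one element holding commas is probably a joined list, and
    # splitting it is unsafe when a value can itself contain a comma.
    if len(values) == 1 and "," in values[0]:
        findings.append(
            "%s: one AttributeValue with commas, splitting gives %d items"
            % (multi_attr, len(values[0].split(",")))
        )
    return findings


if __name__ == "__main__":
    for label, doc in (("legacy", LEGACY), ("updated", UPDATED)):
        print(label, attribute_values(doc, "groups"), review(doc) or "no findings")
```

With the comma-joined form, splitting the single value yields three items for two groups, which is why separate AttributeValue elements are the safer input for authorization decisions based on group membership.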

Customizable Attribute Mappings for Active Directory Identity Sources

You can now customize the default attribute mappings for Active Directory identity sources. For more information, see Directory Server Attributes Synchronized for Authentication.

Improved Documentation for Access Policies

RSA Link now provides complete documentation describing how to use operators when specifying LDAP attributes in access policies. For more information, see Operators for Using LDAP Attributes in Access Policies.

Fixed Issues

Fixed Issue Description
NGX-37423 When the Cloud identity provider was configured for SecurID manages all authentication with Password as the primary authentication method, iOS auto-populated the password field with a suggested strong password and forced the user to choose a password. This problem no longer occurs and users are simply prompted to enter the email address and password.
NGX-37397 Previously, in environments that used the SSO Agent with a load balancer, when the load balancer checked the identity router health status and no alternate Cloud Authentication Service IPs were reachable, the identity router status servlet reported the identity router as unhealthy. As a result, the load balancer stopped sending traffic to the identity router. This problem has been fixed.
NGX-37059 Previously, when domain certificates that had been uploaded to the Cloud Authentication Service expired, administrators were unable to navigate to other console pages, including the Authentication API Keys. Now, a warning message appears when certificates expire and navigation to other pages is allowed.

NGX-35793 Approve authentication through the MFA Agent was failing because inactive notifications were being sent to the user's device. This problem has been fixed.
NGX-34903 In some deployments, users were able to access SAML and Windows O365 applications directly with an expired LDAP password. Now, users are prompted to change their passwords when the option to allow password change is enabled.
NGX-34426 Previously, a security vulnerability was found in a version of jQuery-ui included in the identity router. The jQuery-ui was upgraded to a newer version to address this vulnerability.

NGX-33608 The security vulnerability affecting session fixation for the identity router setup console and web portal was fixed.

Known Issues

Known Issue Description
NGX-16781 Problem: The identity router does not reliably route traffic to some services when multiple services are hosted by the same network resource. For example, if your DNS server and Active Directory server share the same IP address, the identity router might not route traffic properly to either service.

Workaround: Configure DNS, gateways, and other network infrastructure services on dedicated servers that do not host other services for SecurID.

NGX-38137 Problem: Multifactor authentication fails when a company (deployment) has the following configuration settings:

  • The SecurID Setup Administrator selected Allow access to Authenticate Tokencode, Approve, Device Biometrics and FIDO Token for the company.

  • The resource is protected by a preconfigured access policy.

Authentication fails with the message "No challenge methods found for given policy."

Workaround: Use a custom access policy.

November 14, 2019 - SecurID Authenticate for Windows 10 App

SecurID Authenticate 3.2 for Windows 10 allows a user to add up to 10 different accounts (formerly called companies) in the app and contains bug fixes.

October 2019 - Cloud Authentication Service

The October 2019 release includes the following features and benefits.

Enable Password-Less Authentication Using FIDO2 Tokens When Authenticating to Service Providers

You can now specify FIDO Token as a primary authentication option when configuring service providers. To authenticate with this option, a user must have a FIDO2 token that requires multifactor authentication on the token (such as PIN or biometric), the user must set up the token multifactor authentication, and the user must register the FIDO Token in My Page. For more information, see Cloud Authentication Service User Requirements.

Add Your Own Customized Logos to User Authentication Pages

You will be able to customize pages used for additional authentication by adding your own logo when you configure SecurID My Page. For instructions, see Manage SecurID My Page.

User Event Log API Provides Details on Users' Identity Confidence Scores

The Cloud Administration User Event Log API will return the overall identity confidence score, including threshold and category scores (behavior, location and device) for users. Previously this information was exposed only in the User Event Monitor. Through the API, you can now export user risk information to any Security Information and Event Management (SIEM) platform for further analysis. For more information, see Cloud Administration User Event Log API.

Full Support for Adding 10 Accounts in SecurID Authenticate App Releases

SecurID Authenticate 3.1 for iOS allows a user to add up to 10 different accounts (formerly called companies) in the app and contains bug fixes. A November release of SecurID Authenticate for Windows will allow a user to add up to 10 different accounts.

RSA is aware of the current iOS 13 issue in which the Touch ID screens do not display when a user is trying to authenticate with Touch ID on some devices. For example, this issue is noticed in the Authenticate app when a user is authenticating with a fingerprint to view the Authenticate OTP or to access an application.

Users should update to iOS 13.1.3 to resolve this issue. In the meantime, users can continue to use Touch ID in the Authenticate app by placing their fingers on the Home button when they would usually see the Touch ID screens. Touch ID is working in the background, so placing their fingers on the Home button completes the authentication request.

More Flexibility with New "Determined by Service Provider" Primary Authentication Option When Adding a Service Provider

To provide more flexibility when configuring authentication for a service provider, if you select the option to have SecurID manage all authentication, you can now select the Determined by Service Provider at Run Time option to specify primary authentication in the RequestedAuthnContext attribute. For more information, see Add a Service Provider.

Expanded Cloud Authentication Service Authentication Methods and Improved Productivity and Security with RSA MFA Agent for Microsoft Windows

RSA MFA Agent 1.2 for Microsoft Windows works with the Cloud Authentication Service to require users to provide additional authentication to sign into Windows computers, whether they are online or offline.

The main highlights include:

  • Convenient authentication using Approve, Authenticate Tokencode, SecurID Token, Device Biometrics, SMS Tokencode, Voice Tokencode and Emergency Tokencode.

  • Seamless authentication using the same registered authentication device for both online and offline Windows sign-in.

  • Online emergency access to Windows computers when users misplace or lose their authenticators (SecurID Authenticate device or SecurID hardware token).

  • Support for policy-driven identity assurance with conditional trusted network and trusted location attributes.

  • Many features to improve productivity and security during Windows sign-in.

For documentation and product download, see RSA MFA Agent for Microsoft Windows.

Fixed Issues

Fixed Issue Description
NGX-33732 Previously, a customer was unable to export a large number of user event logs using the Cloud Administration User Event Log API. This problem has been fixed.
NGX-34352 Previously, when a new customer used a Firefox or Microsoft Edge browser to sign in to the Cloud Administration Console for the first time, the license did not display correctly. This problem has been fixed.
NGX-36891 Previously, you were not permitted to save a relying party configuration with an ACS URL of more than 100 characters. The limit has been increased to 4000 characters.

Known Issue

Known Issue Description
NGX-16781

Problem: The identity router does not reliably route traffic to some services when multiple services are hosted by the same network resource. For example, if your DNS server and Active Directory server share the same IP address, the identity router might not route traffic properly to either service.

Workaround: Configure DNS, gateways, and other network infrastructure services on dedicated servers that do not host other services for SecurID.

September 2019 - Cloud Authentication Service

Cloud Authentication Service Phased Update Process

Cloud Authentication Service updates will be rolled out in phases for each region (ANZ, EMEA, US) between October 9-17, 2019. RSA will notify you before your region is updated.

Emergency Access Enhancements

To enhance emergency access capabilities, Emergency Tokencode will be available for users who forget or misplace their registered devices. After you generate the tokencode in the Cloud Administration Console, the user can select Emergency Tokencode during the next authentication. For more information, see Supported Authentication Methods - Emergency Tokencode.

Note: In the September release, this feature is supported for SaaS and web applications only. Support for RADIUS applications is expected to be available in a future release.

Performance and Reliability Improvements

To help improve performance and reliability, the components responsible for backend communication in the Cloud will be updated.

Planned Update to Cloud Authentication Service IP Address Rescheduled

For more information on this update, see the RSA Link notification.

October 1, 2019 - SecurID Authenticate for Android

SecurID Authenticate 3.1 for Android allows an individual user to add up to 10 different accounts (formerly called companies) in the app. Also, this release is qualified with Android 10.

September 18, 2019 - SecurID Authenticate for iOS

SecurID Authenticate 3.0.4 for iOS is qualified with iOS 13 and resolves NGX-34252, an issue with the Authenticate OTP display on iOS 13.

September 5, 2019 - SecurID Authenticate for Windows 10

SecurID Authenticate 3.1.1 for Windows contains the following updates:

  • To reduce administrative effort and increase usability, if a user’s email address changes in the identity source, the Authenticate app continues to work seamlessly. Users no longer need to re-register their devices.

  • Bug fixes.

With this release, SecurID Authenticate for Windows no longer supports Windows Mobile devices.

August 2019 - Cloud Authentication Service

The August 2019 release provides the following features and bug fixes.

Generate a Device Registration Code for Users

Help Desk Administrators can use the Cloud Administration Console to generate a one-time numeric device registration code and provide it to users who need to register iOS, Android, and Windows devices with the SecurID Authenticate App. This capability will help your company move closer towards meeting requirements for National Institute of Standards and Technology (NIST) Identity Assurance Level 2. To learn how to use this feature, see Manage Users for the Cloud Authentication Service - Generate a Device Registration Code.

Improved Single Sign-On Option When Adding a Service Provider

To improve usability, when you add a service provider and select SecurID to manage all authentication, you can now select a Cloud identity provider to provide the primary authentication. This is useful for providing single sign-on from SecurID or third-party portals or links.

Improvements and Additional Configuration Options for My Page

You can now provide single sign-on to SecurID My Page when users access My Page through the SecurID Application Portal, a third-party portal where My Page is configured, or directly through the My Page URL.

Additionally, to increase flexibility, SecurID My Page now contains the following configuration options:

  • Logout URL to redirect users to a specific URL after they sign out of My Page.

  • Error URL to redirect users to a specific URL after they encounter an error.

  • Assertion Consumer Service value for copying into your identity provider configuration settings if you are configuring My Page for single sign-on in an unsolicited response flow (for example, when users access My Page through a third-party portal).

For more information, see Manage SecurID My Page.

Additional Deployment Option for SecurID Authenticate for Windows

Generally, users install SecurID Authenticate for Windows from the Microsoft Store. If your users cannot use the Microsoft Store, you can use Deployment Image Servicing and Management (DISM) to deploy the app from a command-line tool. After the app is deployed, users can then complete SecurID Authenticate device registration.

For more information, see Deploying the SecurID Authenticate for Windows App Using DISM.

Send Us Your Feedback

Do you have thoughts on SecurID that you want to tell us? Are you finding what you need in the documentation on RSA Link? It is easier than ever to send us your feedback.

We can't wait to hear from you!

Fixed Issues

Fixed Issue Description
NGX-33217 Publishing in a cluster with a Global Server Load Balancer (GSLB) resulted in an HTTP status code 503 error for some customers. The documentation has been clarified to explain that if you use GSLBs, configure them to wait for seven minutes before they switch to another cluster. This guidance is now documented in Publishing Changes to the Identity Router and Cloud Authentication Service.

August 14, 2019 - SecurID Authenticate for iOS App

SecurID Authenticate 3.0.3 for iOS contains bug fixes.

Fixed Issue

Fixed Issue Description
NGX-33118 SecurID Authenticate for iOS no longer freezes on the splash screen when receiving notifications.

July 2019 - Cloud Authentication Service (Identity Router)

The July 2019 release includes the following features and benefits.

Identity Router Update Schedule and Versions

Identity routers will be updated according to the following schedule.

Date Description
July 27, 2019 Updated identity router software is available to all customers.
September 7, 2019 Default date when identity routers are scheduled to automatically update to the new version unless you postpone the update.
October 12, 2019 If you postponed the default date, this is the last day when updates can be performed.

The new identity router software versions are:

Deployment Type Version
On-premises 2.7.0.0.5
Amazon Cloud RSA_Identity_Router-2.7.0.0.5

My Page Improves Secure Registration for FIDO Tokens

Users can register FIDO Tokens in a more secure environment using SecurID My Page. My Page allows you to protect FIDO registration with an access policy that you can align with your company’s existing policies. After you enable My Page registration for FIDO Tokens, the FIDO Token registration process that occurs during user authentication automatically becomes disabled. Users can also use My Page to delete their FIDO Tokens. For more information, see Device Registration.

Automatic Push Notifications for Users Who Access RADIUS-Based Applications

The user experience for accessing RADIUS-based applications has been improved. You can ensure that the Cloud Authentication Service always sends automatic push notifications for Approve or Device Biometrics when your deployment is configured as follows:

  • The RADIUS client is configured to apply an access policy for additional authentication without primary (for example, password) validation.

  • Approve or Device Biometrics is available in the access policy protecting the resource the user is attempting to access.

Previously, automatic push notifications were not available when only the access policy was applied for additional authentication without primary validation. For more information, see RADIUS for the Cloud Authentication Service Overview.

Identity Confidence Analytics Report for Troubleshooting User Authentication Issues

You can view up-to-date identity confidence analytics by generating a report in the Cloud Administration Console. The report, provided in a graphical, easy-to-read format, displays the number of times users attempted to access resources that are protected by access policies that contain the identity confidence attribute. The report can include all users in your company or only individual users within a specified timeframe. This report is particularly useful to Help Desk Administrators when they assist users who, for example, may have to authenticate at a high assurance level because their identity confidence scores are low. For more information, see Condition Attributes for Access Policies - Identity Confidence Analytics Report.

Identity Router Improvements

The following features require you to update your identity router software.

Identity Router Setup Made Easier

Identity router setup has been simplified for identity routers deployed in the VMware and Hyper-V environments. The proxy interface, which is not required for non-SSO deployments, is disabled by default in the Identity Router Setup Console. You can enable it as needed for SSO deployments.

Note: This enhancement affects only identity routers you deploy in the future. It does not affect identity routers already configured.

For more information, see Identity Router Network Interfaces and Default Ports.

Improved Status Indicators for Identity Routers

You can quickly identify potential problems that might occur when you set up and monitor identity routers using the improved status indicators in the Cloud Administration Console. The Platform > Identity Routers list page provides more details on the status of each identity router and its dependent services, including the status of clusters, memory usage, CPU usage, and cloud connectivity. For more information, see View Identity Router Status in the Cloud Administration Console.

Improved Proxy Management for Identity Routers

More flexible deployment options are available to you for identity routers. Identity routers now support transparent, explicit, and man-in-the-middle proxy configurations. The identity router informs you if a non-SecurID SSL proxy certificate is configured, and allows you to temporarily accept the certificate and proceed while you work with your network IT to whitelist the URL. For more information, see Connect the Identity Router to the Cloud Administration Console.

SecurID Authentication API Enhancements

The SecurID Authentication API contains new methodIDs for SMS and Voice Tokencodes to promote consistency with other authentication methods. For more information, see SecurID Authentication API Developer's Guide.

Fixed Issues

Fixed Issue Description
NGX-33346 If you have configured My Page to use a Cloud identity provider, users can now use the SAMAccountName attribute as the user ID when registering devices.
NGX-17148 If an IWA user attempted to access the application portal when the IWA Connector server was down, the user received a connection timeout error rather than a message indicating unsuccessful authentication. To mitigate this, you can provide high availability for IWA authentication by deploying more than one IWA Connector server behind the load balancer. This ensures that SAML IdP requests avoid a single point of failure. For more information, see Integrated Windows Authentication.
NGX-17276 Previously, the Disabled option on the Basic Information page in the application configuration wizard did not disable applications that were configured to use SAML or HTTP Federation. This issue has been fixed. Beginning in July 2019, all applications that were previously configured as disabled will be unavailable to users and will not appear in the application portal and will not be available through deep linking.
NGX-29977 You can now access the Cloud Administration Console using an email address containing a plus sign (+). Previously, this operation failed intermittently.
NGX-32525 Documentation update clarifies when location is collected from users and administrators.
NGX-31946 The Cloud Administration Console now displays the correct number of active user sessions. Previously, for some customers who used rich clients, the number of active sessions increased until the identity router was restarted.
NGX-31068 The publish status is displayed correctly in the Cloud Administration Console after you add and associate a profile for the RADIUS client. Previously, the status was Changes Pending even when no changes were pending.
NGX-30235 RADIUS profiles now allow multi-valued LDAP attributes to be mapped to the "Class" attribute. Each value of the multi-valued LDAP attribute will create a separate "Class" RADIUS attribute.
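
The NGX-30235 behavior above, as an added Python example that is not SecurID code: each value of a multi-valued LDAP attribute becomes its own RADIUS Class attribute (type 25, RFC 2865), and a RADIUS client parses all of them back. The `memberOf` sample values and the function names are constructed for this example.

```python
"""Multi-valued LDAP attribute -> one RADIUS Class attribute per value.

Added example; not SecurID code. Wire format per RFC 2865 section 5:
Type (1 octet) | Length (1 octet, counts Type and Length) | Value.
"""
import struct

RADIUS_ATTR_CLASS = 25      # RFC 2865 section 5.25
MAX_VALUE_LEN = 255 - 2     # Length is one octet and includes the 2-byte header


def encode_class_attributes(ldap_values):
    """Return attribute bytes for an Access-Accept: one Class TLV per value.

    Values are never concatenated or split. A value that does not fit in a
    single attribute is rejected, because a truncated group DN could match
    a different authorization rule on the RADIUS client.
    """
    out = bytearray()
    for value in ldap_values:
        raw = value.encode("utf-8") if isinstance(value, str) else bytes(value)
        if not raw:
            raise ValueError("empty Class value")
        if len(raw) > MAX_VALUE_LEN:
            raise ValueError(f"value of {len(raw)} octets exceeds {MAX_VALUE_LEN}")
        out += struct.pack("!BB", RADIUS_ATTR_CLASS, len(raw) + 2) + raw
    return bytes(out)


def decode_attributes(blob):
    """Parse a RADIUS attribute list into (type, value) pairs, strictly."""
    attrs, offset = [], 0
    while offset < len(blob):
        if len(blob) - offset < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from("!BB", blob, offset)
        if length < 2 or offset + length > len(blob):
            raise ValueError(f"bad length {length} at offset {offset}")
        attrs.append((attr_type, blob[offset + 2:offset + length]))
        offset += length
    return attrs


def class_values(blob):
    """All Class values in the order sent; expect more than one."""
    return [
        value.decode("utf-8")
        for attr_type, value in decode_attributes(blob)
        if attr_type == RADIUS_ATTR_CLASS
    ]


# Constructed sample: memberOf values for one user in an LDAP directory.
SAMPLE_MEMBER_OF = [
    "CN=VPN-Users,OU=Groups,DC=example,DC=com",
    "CN=Net-Admins,OU=Groups,DC=example,DC=com",
]

if __name__ == "__main__":
    wire = encode_class_attributes(SAMPLE_MEMBER_OF)
    for value in class_values(wire):
        print("Class =", value)
```

A RADIUS client that reads only the first Class attribute ignores the remaining group values, so confirm how the client handles repeated attributes before mapping a multi-valued attribute.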

July 8, 2019 - SecurID Authenticate for Android App

SecurID Authenticate 3.0 for Android contains the following updates:

  • To increase usability, users receive device registration or deletion confirmation emails in the language of the users’ registered devices.

  • To reduce administrative effort and increase usability, if a user’s email address changes in the identity source, the Authenticate apps continue to work seamlessly. Users no longer need to re-register their devices.

  • Bug fixes.

After Android users update to this app version, the first time that they receive a notification, they must tap the notification to open the app, wait for the app to complete the update process, and then complete the authentication (for example, by tapping Approve or using a fingerprint). Users must keep the app open during the update process, which can take up to a few minutes to complete. Subsequent actionable notifications work as expected.

This Android app version is only available to users running Android 6.0 or later. Android 5.0 users must update to 6.0 or later and then update to this app version.

To see release notes for earlier releases, see Release Notes Archive | Cloud Authentication Service and SecurID Authenticate Apps.

June 2019 - Cloud Authentication Service

Extend Cloud Authentication Service Authentication Methods to Windows Computers with RSA MFA Agent for Microsoft Windows

RSA MFA Agent 1.1 for Microsoft Windows works with the Cloud Authentication Service to require users to provide additional authentication to sign into Windows computers, whether they are online or offline.

The main highlights include:

  • Convenient authentication using Approve or Authenticate OTP.

  • Authenticate with the same registered device for both online and offline Windows sign-in.

  • Support for policy-driven identity assurance with conditional trusted network and trusted location attributes.

For documentation and product download, see RSA MFA Agent for Microsoft Windows.

More Options for Customizing My Page

To improve the user experience, you can now customize My Page in the following ways:

Clear the userParameters Attribute Checkbox in the Identity Source Configuration

If the userParameters attribute is selected for synchronization in your identity source configuration, RSA recommends that you clear the checkbox. Selecting this attribute occasionally prevents identity source synchronization.

Fixed Issues

Issue Description
NGX-24290 If a user locks his or her LDAP password, the User Management page for that user now shows a message indicating that the user's password is locked and what time it will unlock.
NGX-31821 SecurID Authenticate 3.0.1 for iOS no longer displays an incorrect error that the user already has a registered device.
NGX-31158 The top-level domain part of the protected domain name can now accept up to 33 characters.
NGX-29843 When you add a RADIUS profile, you can now only map supported attributes.
NGX-29702 The system now prevents an administrator from accidentally updating an identity router multiple times within a short period of time, which could cause the application portal sign-in to stop working.
NGX-29547 The Cloud Administration Console and associated documentation were updated to clarify that when adding an application bookmark, you can allow all authenticated users to access the bookmark or select a policy that limits access to a subset of users.

June 10, 2019 - SecurID Authenticate for iOS App

SecurID Authenticate 3.0.2 for iOS resolves NGX-31886. With this fix, the Authenticate OTP will no longer display as zeroes for a small percentage of users who update to this app from version 2.2.

All Authenticate for iOS users should update to this version. This release requires iOS 11.

The small percentage of users who have updated to app version 3.0.1 and still experience this issue must do the following:

  1. Delete the device in My Page, or have an administrator delete the user's device in the Cloud Administration Console.
  2. Delete the Authenticate app on the mobile device.
  3. Install the Authenticate app from the App Store.
  4. Re-register the app with SecurID.

May 29, 2019 - SecurID Authenticate for iOS App

SecurID Authenticate 3.0.1 for iOS resolves the following issues:

  • NGX-31260 - Users who update to the latest app version now receive notifications for the Approve authentication method.
  • NGX-31263 - Users who update to the latest app version no longer need to re-register their devices with SecurID.

This version of the app requires iOS 11.

May 2019 - Cloud Authentication Service

SecurID Authenticate App Improvements Require Users to Update Before June 15, 2019

There are new versions for SecurID Authenticate for iOS, Android, and Windows, described below. To prevent issues with device registration and adding additional companies, users must update to these versions or higher before June 15, 2019.

  • SecurID Authenticate 3.0.3 for Windows contains bug fixes.

  • SecurID Authenticate 3.0 for iOS and Android contain the following updates:

    • To increase usability, users receive device registration or deletion confirmation emails in the language of the users’ registered devices.

    • To reduce administrative effort and increase usability, if a user’s email address changes in the identity source, the Authenticate apps continue to work seamlessly. Users no longer need to re-register their devices.

    • Bug fixes.

    After Android users update to this app version, the first time that they receive a notification, they must tap the notification to open the app, wait for the app to complete the update process, and then complete the authentication (for example, by tapping Approve or using a fingerprint). Subsequent actionable notifications work as expected.

    This Android app version is only available to users running Android 6.0 or later. Android 5.0 users must update to 6.0 or later and then update to this app version.

Improved Reporting of Users' Identity Confidence Scores Benefits Help Desk Administrators and Users

The User Event Monitor will report detailed information about users’ identity confidence scores. This information includes the user’s overall identity confidence score and tenant level confidence threshold, as well as the user's separate scores for device confidence, behavior confidence, and location confidence. Help Desk administrators can make use of this information when they assist users who are challenged for additional authentication factors or are unable to access protected resources. For more information, see Condition Attributes for Access Policies - Identity Confidence.

Fixed Issues

Issue Description
NGX-27407 Previously, if a user waited too long to complete additional authentication when accessing My Page, a User Session Expired message displayed, and the user had to cut and paste a URL to return to My Page. This problem has been fixed. Now, the user can provide additional authentication and then return to My Page by clicking a button, or the user will be automatically redirected to My Page after 20 seconds of inactivity.
NGX-26573 Previously, generating a report listing all synchronized users took progressively longer over time. Performance has been significantly improved.
NGX-16693, NGX-17168 Previously, in the Cloud Administration Console, the dashboard incorrectly displayed the number of active sessions for identity routers. This problem has been fixed and the dashboard now displays the correct number of sessions.
NGX-20399 Previously, if users' email addresses changed in identity sources, the users had to re-register their devices with the SecurID Authenticate app. Email address changes are now handled seamlessly by the Authenticate app, and users do not need to re-register.

April 2019 - Cloud Authentication Service

Send Emails to Users When They Register or Delete Devices

To help increase security, you can configure the Cloud Authentication Service to automatically send confirmation email to users in the following situations:

  • A user completes SecurID Authenticate device registration.

  • A user adds an additional company in the SecurID Authenticate app.

  • A user deletes a company in the SecurID Authenticate app.

  • A user deletes a SecurID Authenticate registered device.

You configure these options in My Account > Company Settings > Device Registration & Deletion Emails. For instructions, see Configure Device Registration and Deletion Emails.

Pagination for RADIUS Profiles in the Cloud Administration Console

Pagination now makes it easier to manage multiple RADIUS profiles. In the Cloud Administration Console, you can choose to display 10, 20, or 30 profiles associated with a client on the RADIUS Profiles page. Expand each profile to see details, dissociate, or delete the profile. Profiles disappear from the list when you dissociate or delete them. For instructions on configuring RADIUS profiles, see Configure a RADIUS Profile for the Cloud Authentication Service.

Fixed Issues

Issue Description
NGX-25560 If you manage the SecurID Authenticate for Android app with an Enterprise Mobility Management (EMM) solution, the Email Logs button now works in the app.
NGX-26628 Previously, a user who had repeatedly attempted to register the same device unsuccessfully might not be able to register the device at all. This problem has been fixed - the user can now register the device.
NGX-28022 Documentation for creating a custom portal has been updated to include the missing information.
NGX-28076, NGX-28338 Users who previously could not be synchronized due to a case change in an attribute value can now be synchronized correctly.

March 2019 - Cloud Authentication Service (Identity Router)

The March 2019 release includes the following features and bug fixes.

Identity Router Update Versions and Schedule

The latest identity router software versions are:

Deployment Type Version
On-premises 2.6.0.0.11
Amazon Cloud RSA_Identity_Router-2.6.0.0.12

Identity routers will be updated to these versions according to the following schedule.

Date Description
March 23, 2019 Updated identity router software is available to all customers.
May 25, 2019 Default date when identity routers are scheduled to automatically update to the new version unless you postpone the update.
June 22, 2019 If you postponed the default date, this is the last day when updates can be performed.

Identity Router Replication Improvements Require Simultaneous Updates for All Clusters

SecurID has significantly improved the replication of critical data across identity routers for SSO Agent deployments. This critical data includes user profiles (keychains), user sessions, and cookies used for LDAP connections.

To take advantage of this new functionality, you must update all of your identity routers within a cluster at the same time and update all clusters at the same time. Perform simultaneous updates to avoid breaking inter- and intra-cluster keychain replication. After updates are complete, you will not be able to restore backup files created using the previous version. RSA recommends that you create backups immediately after performing the update.

Just-in-Time Synchronization Automatically Enabled for New Customers Beginning March 2019

Just-in-time synchronization is now automatically enabled for all customers who deploy the Cloud Authentication Service after the March 2019 release is available. Before March 2019, you needed to contact RSA Customer Support to enable this feature. Now Super Admins can enable it in the Cloud Administration Console on the My Account > Company Settings > Company Information tab without contacting Customer Support. If you are an existing customer and just-in-time synchronization was enabled prior to March 2019, it remains enabled until you choose to disable it.

Just-in-time synchronization ensures that the identity source in the Cloud Authentication Service is updated every time a user attempts to register a device using the SecurID Authenticate app or access a protected resource using additional authentication after the LDAP password is validated. When this feature is enabled, you never need to add user records through manual or scheduled synchronization. For more information, see Identity Sources for the Cloud Authentication Service.

Identify High Risk Users and Restrict Access to Protected Resources

You can control whether users who are identified as high risk can access protected resources or if these users must authenticate at a higher assurance level than other users. Users might be identified as high risk because their accounts have been compromised, or because a third-party security information and event management (SIEM) solution, such as RSA NetWitness, has found suspicious activity. Use the Add/Remove High Risk User API to identify high risk users within the Cloud Authentication Service. Access policies provide a new condition attribute, High Risk User List, so that you can configure authentication requirements for high risk users. You can also use the Retrieve High Risk User List API to retrieve a list of all users identified as high risk. For more information, see:

If your company deploys RSA NetWitness Respond Version 11.3 or later, use that product instead of the APIs to obtain the same benefits. For instructions, see NetWitness Respond Configuration Guide for Version 11.3.

Control Cloud Access for Cloud Administration REST APIs Using Role Permissions

You can ensure that each Administration API has permission to access appropriate information in the Cloud Authentication Service by assigning an administrative role to each API key. The API uses the key in the request. All Administration API keys generated before March 2019 default to the Help Desk Administrator role. The new Add/Remove High Risk User API and Retrieve High Risk User List API require keys assigned to the Super Admin role. For more information, see Using the Cloud Administration REST APIs.

FIDO Token Authentication Method Available on Multiple Browsers

The FIDO Token authentication method is now available on more browsers (including mobile browsers) and supports the FIDO2 authentication standard. For a list of supported browsers, see Cloud Authentication Service User Requirements.

Emergency SSH and Debug Logging Helps You Resolve Identity Router Connectivity Issues

If the identity router is unable to connect to the Cloud Authentication Service (for example, during setup), you can use the Identity Router Setup Console to enable these emergency troubleshooting features:

  • Secure Shell (SSH) to access the command line

  • Emergency debug logging

After troubleshooting is completed and the identity router is connected to the Cloud Authentication Service, you can disable these features and use the Cloud Administration Console for future troubleshooting. For more information, see Troubleshoot Identity Router Issues.

Support for Multiple RADIUS Profiles

You can create custom RADIUS profiles that specify an access policy rule set to identify which users can authenticate through the clients associated with the profile. Custom profiles increase flexibility because you can associate multiple profiles with a single client or the same profile with multiple clients. This feature allows you to implement strong, policy-based granular controls (for example, for Active Directory groups) for users and administrators who access RADIUS-based applications. For more information, see Configure a RADIUS Profile for the Cloud Authentication Service.

Enhanced Status Indicators for Identity Routers

Status indicators for the identity router have been improved and expanded, making it easier for you to troubleshoot problems with identity router services, as well as connectivity problems between identity routers and the Cloud Authentication Service. You can view detailed status information for each identity router in the Cloud Administration Console on the Platform > Identity Router page. For more information, see View Identity Router Status in the Cloud Administration Console.

Reminder: Users Must Update Their SecurID Authenticate for Android Apps by March 31, 2019

To align with the Google migration to Firebase Cloud Messaging (FCM), SecurID Authenticate 2.2.0 for Android now uses FCM for push notifications. Users must take action by updating to version 2.2.0 or higher of the app by March 31, 2019.

Fixed Issues

NGX-18781. Previously, after you modified cluster relationships and published the changes, all identity routers in the clusters were restarted and the publish operation did not complete. The restart no longer occurs and publishing completes as expected.

NGX-21183. When you use the Identity Router VM Console to update network settings or recommit changes, static routes that were configured in the Cloud Administration Console are no longer deleted from the identity router.

February 2019 - Cloud Authentication Service

The February 2019 release includes the following features and bug fixes.

Note: The current version of the identity router, v2.5.0.0.5, was not updated in this release.

Disaster Recovery Environment for the EMEA and AUS Regions

The disaster recovery environment for the Cloud Authentication Service is now available for the EMEA and AUS regions. When the Cloud Authentication Service environment becomes unavailable for any reason, your deployment automatically switches to the disaster recovery environment. RSA recommends that you test access to this environment before it is needed to ensure a smooth transition during unexpected downtime. For instructions, see Test Access to Disaster Recovery Environment.

On-Demand Access to Uptime Status of Cloud Services

You can now monitor the current and historical uptime of the Cloud Authentication Service and the Cloud Administration Console on a service status page. This page includes current service availability, recent uptime percentage, and historical uptime percentage. For more information, see Monitor Uptime Status for the Cloud Authentication Service.

Receive Frequent Updates on Cloud Authentication Service Availability with Health Check API

If you want to receive frequent updates on the Cloud Authentication Service availability, you can use the Health Check API to integrate with your application monitoring product. For more information, see Cloud Administration Health Check API.

Updated SecurID Authenticate Apps Simplify Device Registration with EMM Technology

SecurID Authenticate 2.3.0 for Android and SecurID Authenticate 2.2.0 for iOS now support simplifying device registration with Enterprise Mobility Management (EMM) technology that supports the AppConfig Community standards, such as VMWare AirWatch. With this functionality, you can help reduce the costs of device registration in your company by automatically downloading the app to users' devices and optionally configuring the Company ID and Email Address values. For more information, see Deploying the SecurID Authenticate App in EMM Environment.

These app releases also contain bug fixes.

Users Must Update Their SecurID Authenticate for Android App by March 31, 2019

To align with the Google migration to Firebase Cloud Messaging (FCM), SecurID Authenticate 2.2.0 for Android uses FCM for push notifications. Users must take action by updating to version 2.2.0 or higher of the app by March 31, 2019.

Fixed Issues

NGX-21223. If you update the protected domain name after it has been initially configured on the My Account > Company Settings > Company Information page in the Cloud Administration Console, authentication no longer fails when users who access the SecurID Application Portal attempt to open a Microsoft Office 365 application.

February 5, 2019 - SecurID Authenticate Apps

SecurID Authenticate 2.2.1 for Android resolves an issue with app instability on Samsung devices running Android 9 Pie. Samsung users should upgrade to this app version.

January 2019 - Cloud Authentication Service

SecurID Authenticate for Android Now Uses Updated Push Notification Service

To align with the Google migration to Firebase Cloud Messaging (FCM), SecurID Authenticate 2.2.0 for Android now uses FCM for push notifications. Users must take action by updating to version 2.2.0 or higher of the app by March 31, 2019.

New Administration APIs Expand Integration of Help Desk Functions Into Your Existing Tool Framework

SecurID added four new Administration APIs to help you expand the integration of Help Desk functions into your existing enterprise service desk tools. These APIs can be used to synchronize a user between an identity source and the Cloud Authentication Service, update a user's Enabled/Disabled status, find a user by searching for a string in the user's email address, and mark an inactive user as pending deletion or remove the marked deletion status. Also, the Retrieve Authentication Audit Logs API now supports filtering authentication audit logs using a specified date range. For more information, see:

Improved Look and Feel of End-User Authentication Experience

To increase usability on mobile browsers, the look and feel of the end-user authentication experience has been improved. One key change is that the checkbox that displayed the contents of fields (for example, a passcode or tokencode field) has been replaced with a visibility toggle. For a list of supported browsers, see Cloud Authentication Service User Requirements.

Ability to Control If Users Can Delete Devices in My Page

To help improve security and increase flexibility, you can now specify whether users can delete their devices in My Page. You configure this option in the Cloud Administration Console in Platform > My Page.

Support for Active Directory 2019

The Cloud Authentication Service now supports Active Directory 2019 as an identity source.

Disaster Recovery Environment Available for US Region

RSA maintains a disaster recovery environment for the Cloud Authentication Service. When the Cloud Authentication Service environment becomes unavailable for any reason, your deployment automatically switches to the disaster recovery environment. The disaster recovery environment is currently available for the US region. RSA recommends that you test access to the disaster recovery environment before it is needed to ensure a smooth transition during unexpected downtime. For instructions, see Test Access to Disaster Recovery Environment.

Fixed Issues

NGX-22022. Previously, when you used the Cloud Administration Console to add a SAML application, on the Connection Profile page, the Identity Provider URL field was not automatically populated if one identity router in the cluster was inactive. Now, if high availability is enabled for the cluster, the Identity Provider URL includes the load balancer name. If high availability is disabled, the URL includes the identity router hostname.

NGX-21728. Previously, some blocks of user data were too large to be successfully synchronized to the Cloud Authentication Service. The service has been modified to accept larger blocks of user data, so this problem no longer occurs.

NGX-21682. SecurID has updated the list of country codes it supports for SMS Tokencode and Voice Tokencode authentication.

NGX-21553. Previously, authentication failed after an administrator re-mapped identity source attributes after the initial mapping. This problem has been corrected and mapping changes are now handled as expected.

NGX-21286. Previously, a misleading message indicating successful synchronization appeared in the administration audit logs after an administrator initiated identity source synchronization. The message has been corrected to reflect what actually happened: <Administrator_name> manually initiated synchronization for <identity source>.

NGX-20908. Previously, in certain deployments, after an administrator attempted to delete or edit and save an access policy, a publish operation succeeded to the identity routers but failed to the Cloud Authentication Service. This problem has been fixed.

November 2018 - Cloud Authentication Service

Deploy Identity Routers in the Cloud Using Amazon Web Services

You can now deploy the identity router in the Amazon Web Services (AWS) Elastic Compute Cloud (EC2), thus reducing or eliminating the on-premises footprint of RSA. You have the flexibility to choose a cloud-only or hybrid-cloud deployment. For example, in a hybrid-cloud deployment, the identity router in the AWS cloud can connect to on-premises components such as RSA Authentication Manager or your LDAP directory server. You use an Amazon Machine Image (AMI) that you access with your AWS account to deploy the identity router in the cloud. For more information, see Amazon Web Services Identity Router Deployment Models.

Users Can Delete Registered Devices in My Page

To increase user self-service capabilities and reduce administrative support costs, My Page now allows users to delete their current registered devices. When users get new devices (for example, mobile phones) they can first delete their current devices in My Page and then complete registration on the new devices—all without administrative assistance.

New Administration APIs Available to Integrate Help Desk Functions Into Your Existing Tool Framework

SecurID provides new Administration APIs to help you integrate SecurID Help Desk functions into your existing enterprise service desk tools. The new APIs support the ability to retrieve user and device details, unlock tokencodes, delete user devices, update SMS Tokencode and Voice Tokencode phone numbers, and retrieve authentication audit logs for specific users. For more information, see Using the Cloud Administration REST APIs.

Improved Documentation for Configuring High Availability Deployments

You will find it easier to configure high availability for different types of deployment using improved documentation on RSA Link. High availability increases the likelihood that an identity router will be available to process authentication requests when one or more identity routers in the same cluster are down. High availability also improves performance by ensuring that requests are distributed evenly among identity routers. For instructions, see Configure High Availability for Cloud Authentication Service Deployments.

Updated SecurID Authenticate Apps

SecurID Authenticate 2.1.0 for iOS and SecurID Authenticate 2.1.0 for Android contain bug fixes.

Fixed Issues

NGX-19853. When you disable a user, the SecurID Authenticate for iOS and Android apps no longer delete the user's company in the app.

NGX-19870. When an automatic Integrated Windows Authentication (IWA) identity provider is configured in your deployment and users try to open the application portal URL in a browser, the portal sign-in page used to appear instead of the portal landing page that lists the applications. This problem has been fixed and now the portal landing page appears.

NGX-20598. Previously, when you attempted to add a location to the Trusted Location page using an address, certain addresses did not appear in the Bing maps suggestion list. Now you can use the Search button to find addresses that do not appear in this list.

October 2018 - Cloud Authentication Service

Easier Direct-to-Cloud Integration for Key Apps

To provide easier direct-to-cloud integration, you can now protect Workday, ServiceNow, and Microsoft Office 365 without needing to use the IDR SSO Agent. For instructions, see the following:

Updated SecurID Authenticate for Android App

SecurID Authenticate 2.0.2 for Android contains bug fixes.

Fixed Issues

NGX-17695. Previously, in some IDR SSO Agent deployments, the publishing status indicator displayed “Changes Pending” when there were no updated settings to be published. This problem no longer occurs.

NGX-19930. The Identity Router Setup Console Network Diagnostics page no longer reports that the identity router failed to connect to two URLs used for software updates. The problem is corrected if you publish after the cloud or identity router upgrade is performed.

October 15, 2018 - SecurID Authenticate Apps

SecurID Authenticate 2.0.1 for iOS is qualified with iOS 12 and contains bug fixes.

September 27, 2018 - SecurID Authenticate Apps

SecurID Authenticate 2.0.1 for Android contains bug fixes.

September 2018 - Cloud Authentication Service

The September 2018 release of the Cloud Authentication Service includes the following features and updates:

My Page - User Portal for Easy Device Registration

To enhance the security of device registration while minimizing user friction, this release introduces SecurID My Page, a new web-based portal that uses multifactor authentication and QR or limited one-time-use numeric registration codes to complete device registration. See how this works.

If you are currently using the SecurID Authenticate Device Registration access policy, be aware that the name and purpose of this policy will change in the September release to help control migration to My Page. The policy will be renamed to Device Registration Using Password and will allow you to control who can use password as the registration code. If necessary, update the policy configuration to align with your company needs.

Note that if you want to continue using a password to complete device registration, your users can enter their passwords as the registration code.

Updated SecurID Authenticate Apps for My Page and Android 9 Pie Qualification

SecurID Authenticate 2.0.0 for iOS, SecurID Authenticate 2.0.0 for Android, and SecurID Authenticate 3.0.0 for Windows 10 contain the following updates:

  • Updated device registration flow to work with SecurID My Page. To register a device, iOS and Android users scan a QR code or enter a limited one-time-use numeric registration code. Windows 10 users enter a limited one-time-use numeric registration code.

    Users only need to register a device if they are a new user, adding a new company, or switching a device. Existing users do not need to re-register.

  • If you require users to enter a PIN or Device Biometrics to view the Authenticate OTP, the process to reset a PIN has changed. iOS users will first be prompted for the device passcode. Android users will first be prompted for device credentials. Windows 10 users must first delete all the companies that protect the Authenticate Tokencode and then re-register those companies.

  • The SecurID Authenticate for Android app is qualified with Android 9 Pie.

  • Bug fixes.

Cloud Administration User Event Log API

You can use the User Event Log API to export user audit logs from the Cloud Authentication Service. This feature improves auditing and security monitoring of end-user activity, which is useful for compliance audits, troubleshooting, risk assessment, and security information and event monitoring (SIEM) analysis. For more information, see Cloud Administration User Event Log API.

Preconfigured Access Policy with Contextual Risk-Based Analytics

To further assist new customers in getting up and running more quickly, an additional preconfigured access policy has been added to the initial three delivered in August 2018. The fourth policy applies a context-driven criterion that uses the Identity Confidence attribute to determine if additional authentication is required. This fourth preconfigured access policy is only available to Premium edition customers.

Improved Logging for User Synchronization Events

Improved log messages for user synchronization events will make troubleshooting easier when users are automatically re-enabled or disabled in the Cloud Authentication Service, or when users are not found in the directory server during synchronization.

Fixed Issues

NGX-19192. In RADIUS and relying party deployments, the proxy server specified in the Identity Router Setup Console now handles traffic for authentication and product maintenance (such as cluster updates). In an SSO Agent deployment, the proxy server now handles traffic for product maintenance.

NGX-19829. Previously, you were unable to delete an identity source after you had visited the Clusters page. This problem has been fixed.

NGX-19798. In the Cloud Administration Console, the Device Enrollment policy is no longer included in the access policy count displayed on the Dashboard page. The Dashboard count includes your company’s custom access policies and preconfigured access policies.

August 29, 2018 - SecurID Authenticate Apps

SecurID Authenticate 1.8.0 for iOS and SecurID Authenticate 1.6.3 for Android contain bug fixes. For more information, see Critical Updates for SecurID Components Used with the Cloud Authentication Service.

Users who need to complete device registration (for example, new users, users adding a new company in the app, or users switching devices) must update to these app versions before completing device registration.

Users who have already completed device registration are not required to update to these app versions. However, RSA recommends that users always use the latest version of the apps, so they have the latest fixes, features, and enhancements.

August 2018 - Cloud Authentication Service

Critical Update for Identity Routers

The August 2018 release includes a critical fix for your identity router, which will be released Saturday, August 18, 2018. This critical update requires that you update your identity router software on or before August 29, 2018 to ensure continued connectivity to the service. For more information, click here.

What's New in This Release

This release also includes the following features and bug fixes:

  • New customers can get up and running more quickly using three preconfigured access policies that they can either use as is, or clone and customize. These customers do not need to create new access policies. For more information, click here.

  • You can generate and download a user report that displays your users’ Enabled and Disabled status. This information improves visibility into your user population. For instructions, click here.

  • When you configure strong authentication to access the Cloud Administration Console, SecurID prevents you from unintentionally locking yourself out by evaluating the access policy and verifying if it allows you to access the console. For example, the policy might exclude you based on identity source or contextual conditions. If you are excluded for any reason, you will be prevented from configuring this feature until you modify the policy or select a different policy. For configuration instructions, click here.

  • This release offers an optional sneak peek into a new direction that we are taking for SecurID Authenticate device registration, including multifactor authentication and QR codes. If you want to try this new registration process, contact your RSA sales representative for more information.

  • The Cloud Authentication Service is now hosted on Microsoft Azure Australia Central, a protected-level Azure instance within the Canberra Data Centre. This new hosting option enables compliance with Australian and New Zealand Privacy Legislation. The data centers are designed for Australian government and critical infrastructure sectors.

Fixed Issues

NGX-19516. Previously, if a user was synchronized to the Cloud Authentication Service, deleted from a directory server, and then re-added using the same DN, the user could not be resynchronized to the Cloud Authentication Service. Now you can successfully resynchronize such users.

NGX-19643. When the Load Balancer DNS Name is not within the Protected Domain Name configured on the My Account > Company Settings page of the Cloud Administration Console, multiple identical event log messages are generated when a user attempts to sign out of the application portal. Now the Cloud Administration Console verifies if the Load Balancer DNS Name is within the Protected Domain Name, fixing the issue.

NGX-19737. Previously, under certain circumstances, users who entered their LDAP credentials correctly to access Microsoft Office 365 through a desktop client, and then expected to be prompted for additional authentication, instead encountered a script error that prevented them from authenticating. This problem has been fixed.

July 2018 - Cloud Authentication Service

The Cloud Authentication Service includes the following features and bug fixes.

Disabled Users Automatically Changed to Pending Deletion

By default, the Cloud Authentication Service will automatically change the status of all Disabled users to Pending Deletion after the users have been disabled for 90 days, or the number of days you configure. Automatic bulk user deletion benefits your deployment by preventing inefficiencies that result from processing large numbers of disabled users.

Note: It is important to know that this feature takes effect immediately after the cloud upgrade goes live on July 21. At that time, the status of all users who have been Disabled for at least 90 days will automatically change to Pending Deletion, and these users will be automatically purged from the Cloud Authentication Service seven days after the upgrade. Purging removes all information and devices associated with the user from the Cloud Authentication Service. It does not remove users from the directory server. If any users were automatically marked Pending Deletion and you want to prevent them from being purged after seven days, click here for instructions.

Cloud Authentication Service Automatically Disables Users Missing From Directory Server

The Cloud Authentication Service now recognizes when previously synchronized users are either no longer present in the directory server or are excluded from the User Search Filter scope and disables these users in the Cloud Authentication Service during identity source synchronization. This feature ensures that users who may have been terminated from your organization can no longer authenticate. When automatic bulk user deletion is enabled, these users will automatically be changed to Pending Deletion after 90 days (or the number of days you configure), and then purged seven days after Pending Deletion.

Streamlined Authentication for RADIUS Users

The Cloud Authentication Service provides new features to deliver an optimized experience with reduced friction to RADIUS users:

Push Notifications Sent Automatically to RADIUS Users without User Selection

You can configure RADIUS clients to send push notifications for Approve and Device Biometrics without forcing users to select an authentication method by entering a number, when one of these is the user's default method. Users who do not respond to the automatic notification within a configured timeframe can select any method provided from the assurance level in the access policy. The timeout does not apply if this feature is disabled and the user manually selects a method.

LDAP Password Not Required During Authentication When Managed by the RADIUS Client

Some use cases require users to authenticate with LDAP passwords, but then RSA requires the same passwords a second time, before prompting for additional authentication. You can simplify authentication by configuring the RADIUS client to manage the primary authentication and the Cloud Authentication Service to only perform additional authentication, as determined by the access policy. When you enable this feature for a RADIUS client, users enter their passwords only once. See how this works.

Note: When this feature is enabled, either the RADIUS client must require password authentication, or the access policy must require all users to perform additional authentication. If you do not enforce either password or additional authentication, unauthorized users can gain access.

For complete information on RADIUS features, see RADIUS for the Cloud Authentication Service Overview.

Retries Supported During RADIUS Authentication

If users enter a tokencode incorrectly or if a method times out before the user completes authentication, the user can choose to retry the same method. Previously, the method disappeared from the list of choices.

SecurID Log Events API

To ensure audit log compliance with industry standards, the Cloud Authentication Service now supports a REST API to retrieve Administration logs from the service. For the complete list of events, click here.

The SecurID Log Events API Software Developer Kit (SDK) contains a REST client command line tool that generates an Administration API access token and exports logs using the generated access token. To download the Software Development Kit, click here.

HTTPS Strict Transport Security (HSTS) for Standard and Custom Web Application Portals

HSTS forces compatible browsers to interact with the application portal and web applications using only the HTTPS protocol, which helps to protect these interactions against threats such as protocol downgrade attacks and cookie hijacking. It is enabled by default for standard and custom portals, but can be disabled on the Access > Portal Settings page of the Cloud Administration Console.
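Because HSTS can be switched off in Portal Settings, it is worth confirming what a portal actually sends. The following is an added example, not SecurID code: it parses a Strict-Transport-Security value using the RFC 6797 processing rules and classifies a response. The sample responses are constructed, and the 180-day minimum max-age is an assumed local policy, not a product default.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 6797 grammar pieces: token, quoted-string, and a run with no unquoted ';'.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
PART = re.compile(rf'(?:[^;"]|{QUOTED})*')
DIRECTIVE = re.compile(rf"({TOKEN})(?:\s*=\s*({TOKEN}|{QUOTED}))?")


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Return the policy a browser would store, or None if it must ignore the header."""
    seen = {}
    for raw in PART.findall(value):
        raw = raw.strip()
        if not raw:
            continue                      # empty directives are allowed by the grammar
        m = DIRECTIVE.fullmatch(raw)
        if m is None:
            return None                   # malformed directive: whole header is ignored
        name, val = m.group(1).lower(), m.group(2)
        if name in seen:
            return None                   # each directive may appear only once
        if val is not None and val.startswith('"'):
            val = re.sub(r"\\(.)", r"\1", val[1:-1])   # unquote quoted-string
        seen[name] = val
    max_age = seen.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return None                       # max-age is required and must be digits
    if seen.get("includesubdomains", None) is not None:
        return None                       # conservative choice: directive is valueless
    return HstsPolicy(int(max_age), "includesubdomains" in seen)


def audit_response(scheme, headers, min_max_age=15552000):
    """Classify one response. min_max_age (180 days) is an assumed local policy."""
    if scheme != "https":
        return "http-ignored"             # browsers ignore HSTS sent over plain HTTP
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return "missing"                  # e.g. HSTS disabled for the portal
    policy = parse_hsts(values[0])        # only the first header field is processed
    if policy is None:
        return "invalid"
    if policy.max_age == 0:
        return "cleared"                  # max-age=0 deletes the stored policy
    if policy.max_age < min_max_age:
        return "short-lived"
    return "ok"


# Constructed sample responses (label, scheme, header list); not captured traffic.
SAMPLES = [
    ("enabled", "https",
     [("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]),
    ("disabled", "https", [("Content-Type", "text/html")]),
    ("plain-http", "http", [("Strict-Transport-Security", "max-age=31536000")]),
    ("cleared", "https", [("strict-transport-security", "max-age=0")]),
    ("duplicate", "https",
     [("Strict-Transport-Security", "max-age=600; max-age=31536000")]),
    ("short", "https", [("Strict-Transport-Security", "max-age=3600")]),
]


def audit_all(samples=SAMPLES):
    return {label: audit_response(scheme, headers) for label, scheme, headers in samples}


if __name__ == "__main__":
    for label, verdict in audit_all().items():
        print(f"{label:12} {verdict}")
```

Any verdict other than "ok" on the portal's HTTPS responses means browsers are not holding a durable HTTPS-only policy for that host.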

Updated Definitions for Identity Router Security Levels

The latest identity router version updates the encryption ciphers supported by the Medium and Low security levels for incoming connections, and adds the High security level, which allows only the most secure ciphers and encryption options.

Improved Visibility of NTP Service Synchronization

To assist with troubleshooting system issues, you can view NTP service synchronization status in two locations:

  • Identity Router Setup Console in Diagnostics > View Network Diagnostics

  • Identity Router Status Servlet in System Services

Improved Troubleshooting During Identity Router Setup

To more quickly identify network connection issues, when you connect an identity router to the Cloud Administration Console, the Identity Router Setup Console checks for connections to the Cloud Administration Console and Cloud Authentication Service that are required for authentication and product maintenance. If the identity router cannot connect to these URLs, the connection process is not successful and the Identity Router Setup Console lists the URLs to which it cannot connect.

Improved Look and Feel of SecurID Authenticate Apps

SecurID Authenticate 1.7.0 for iOS and SecurID Authenticate 1.6.1 for Android contain the following updates:

  • Improved look and feel of the Approve authentication option

  • Bug fixes

Fixed Issues

NGX-15746. Previously, when you changed the IP address of the identity router management or proxy interface using the VMWare Console, the address intermittently failed to update. This problem has been fixed.

NGX-17649. Previously, when you signed into the Cloud Administration Console, the publish status sometimes displayed a success message even if the last publish operation had failed. Now, when you sign in to the console, the publish status message is always accurate.

NGX-18622. When one or more identity providers are configured for automatic authentication on the Authentication Sources page of the Cloud Administration Console and a user cancels the first automatic identity provider authentication prompt that appears when attempting to access the application portal, the user is not automatically prompted to authenticate again during the same session. This is expected behavior.

NGX-18737. You no longer need to enter a value in the Portal Hostname field when adding an identity router to the Cloud Administration Console in order to set up an identity router.

NGX-18807. If you enter an invalid static route in the Identity Router Setup Console, a message indicates the static route is invalid.

NGX-19024. Previously, a time format mismatch caused failed connections and time and date errors when integrating the Cloud Authentication Service with RSA Authentication Manager if the Authentication Manager instance was deployed in certain time zones. This problem has been fixed.

NGX-19183. Communication issues that previously occurred between the identity routers due to DNS intermittency, connectivity, and timeout errors have been fixed.

NGX-19357. The identity source settings in the Cloud Administration Console and in the documentation have been updated to indicate more clearly that you must click the User Attributes tab and select the Synchronize the selected policy attributes with the Cloud Authentication Service checkbox. This setting ensures that user attributes are synchronized, which is required for additional authentication to succeed.

NGX-19497. Previously, when a user’s userPrincipalName (UPN) had a different suffix (@<domain>) than the user-joined domain, the user's IWA sign-in failed. This problem has been fixed.

NGX-19537. You can now reuse identity source names that were previously used for identity sources that have been deleted.

June 2018 - Cloud Authentication Service

The Cloud Authentication Service includes the following features and bug fixes.

Microsoft AD FS Agents Provide Cloud-Based, Multifactor Authentication

The RSA Authentication Agent for Microsoft AD FS now supports cloud-based multifactor authentication methods such as Device Biometrics and push notifications by connecting your AD FS server and the Cloud Authentication Service.

Simplified Access Policy Wizard for Authentication Conditions

To improve ease of use, the Access Policy wizard has been simplified to reduce the number of steps necessary to configure authentication conditions.

Additional Condition Attributes for SecurID Authenticate Device Registration Policy

To provide more control over which users can complete SecurID Authenticate device registration, you can now use the Authentication Source, IP Address, and Trusted Network condition attributes in the SecurID Authenticate Device Registration policy. For example, you might allow only users from certain IP addresses to complete device registration.

New System Event Monitor Improves Visibility

The System Event Monitor provides visibility into system-generated and managed events to aid in troubleshooting. You can filter the results according to Event Code, timeframe, and event type.

Restore Users Who Are Pending Deletion

You can use a bulk operation to undelete users who are Pending Deletion and restore them to their previous Disabled state. Disabled users can be re-enabled by the administrator or during synchronization. Undeleting prevents the users from being automatically purged from the Cloud Authentication Service. For example, this is useful if you deleted too many users from the Cloud and you want to restore those users.

SecurID Authentication API Enhancements

The SecurID Authentication API contains the following enhancements:

  • Initialize request supports specifying an assurance level outside of an access policy.

  • The keepAttempt parameter in the Initialize request applies to both completed and canceled authentication attempts.

  • The removeAttemptId parameter has been added to the Cancel request. The parameter requests to remove the authentication attempt ID as a part of this call.

Fixed Issues

NGX-19557. You can use the Delete Now button on the Users > Management page to immediately remove a user from the Cloud Authentication Service. This function is intended for emergency situations. For example, suppose you are trying to synchronize a record that has the same email address as a slightly different record for the same user that already exists in the Cloud Authentication Service. The user record fails to synchronize and the user cannot authenticate. You must delete the existing record from the Cloud Authentication Service and resynchronize in order to recreate the user record correctly so the user can complete authentication.

NGX-19521. Adding an identity router and saving a static DNS entry without an associated alias value no longer causes identity router registration to fail.

NGX-19074. Previously, under certain circumstances, you were unable to save an identity source after deleting one of the directory servers. This has now been fixed.

May 2018 - Cloud Authentication Service

The Cloud Authentication Service includes the following features and bug fixes.

Approve Authentication Method Available with Device Unlock

You can now require users to unlock their devices before completing authentication using the Approve method. When this feature is enabled, users receive a notification on their registered devices, tap Approve, and are prompted to unlock their devices before authentication is completed.

Before enabling this option, instruct your users to update to the latest version of the SecurID Authenticate app:

  • Android: 1.6.0

  • iOS: 1.6.0

  • Windows: 2.1.0

When this feature is enabled, after users update the app, the first time that they try to use Approve they must open the app, pull down to get the notification, and Approve from within the app. After the first use, Approve will work normally. Older app versions do not display a push notification and users must always open the app and pull down to respond to an Approve request.

Protected SecurID Authenticate Device Registration

To help increase the security of end-user device registration, you can now use an access policy to control which users are allowed to complete device registration. You might want to use this access policy to allow only a subset of your users (for example, your Sales organization) to use the Authenticate app for additional authentication. When you enable the SecurID Authenticate Device Registration policy, you can specify identity source user attributes to define the target population for device registration. To learn more about this feature, click here.

Improved Management for User Deletion

You now have increased control when deleting a user from the Cloud Authentication Service. First, you mark the disabled user for deletion, which changes the user's account status to Pending Deletion. You can still view the user's detail information in the Cloud Authentication Service and synchronize a user who is Pending Deletion. After seven days, the user is automatically deleted from the Cloud Authentication Service. The user cannot register a device or authenticate to the Cloud Authentication Service while pending deletion or after deletion has taken place. Deletion removes all information and devices associated with the user from the Cloud Authentication Service.

You can also undelete a user who is pending deletion, which changes the user’s status from Pending Deletion to Disabled.

For instructions on deleting and undeleting users, click here.

LDAPv3 Account Status Now Synchronized with the Cloud Authentication Service

Users who have been disabled or expired in an LDAPv3 directory server are automatically disabled in the Cloud Authentication Service after manual, scheduled, or just-in-time synchronization. Disabled users cannot authenticate through the Cloud Authentication Service or register devices. You must manually map attributes for account status synchronization to happen. To learn more about identity source synchronization, click here and here.

Note: Make sure all LDAPv3 users who need to use the Cloud Authentication Service are active and enabled in the LDAPv3 directory server.

Additional Enhancements to User Account Synchronization

User account status in the Cloud Authentication Service is now more closely tied to the user account status in the Active Directory and LDAPv3 directory servers. The following enhancements were implemented:

  • Users who are disabled in any directory server and who do not have existing records in the Cloud Authentication Service are not added to the Cloud Authentication Service during synchronization.

  • Users who were re-enabled in the directory server or who are no longer expired, but are pending deletion in the Cloud Authentication Service, become re-enabled in the Cloud Authentication Service after synchronization.

Users who were manually disabled in the Cloud Authentication Service remain disabled and are not overridden during synchronization.

Simplified Planning and Setup Content

To help streamline the initial setup of your production deployment, the planning and setup content has been reorganized and simplified. The updated Planning Guide focuses on understanding the Cloud Authentication Service at a high level. Quick Setup Guides, available for each deployment type, walk you through both planning and setup. The guides are available here:

With these changes, the Solution Architecture Workbook and Setup and Configuration Guide are no longer available.

Additional Improvements

  • For custom security requirements, you can now specify the minimum PIN length if you require PIN or Device Biometrics to view the Authenticate Tokencode. The default PIN length is four. If users have registered the SecurID Authenticate app with multiple companies, the PIN applies to the SecurID Authenticate Tokencodes for all companies, and the minimum PIN length is the longest minimum PIN length of these companies.

  • To simplify user rollout, users can now complete SecurID Authenticate device registration on devices that do not allow push notifications for the app. However, RSA recommends enabling or allowing push notifications for the SecurID Authenticate options like Approve or Biometrics. This feature is useful in certain environments which have locked down push notifications, but want to use the SecurID Authenticate OTP.

SecurID Authenticate App iOS Upgrade

The SecurID Authenticate for iOS app now requires iOS version 10.0 as its minimum operating system. Encourage your end users to upgrade to iOS version 10.0 or higher so they can continue using the app and take advantage of the latest improvements and bug fixes.

Incorrect Publish Status Message After the May Cloud Authentication Service Upgrade

After the Cloud Authentication Service is upgraded, the Changes Pending message appears in the Publish Status bar even if no changes are waiting to be published. You can safely ignore this message and it will disappear after your next publish operation.

Fixed Issues

NGX-19012. The User Event Monitor now reports errors for unsuccessful authentication attempts to SSO Agent applications when the identity router time and the Cloud Authentication Service time are out of synch.

NGX-19088. In the Cloud Administration Console, when you click My Account > Administrators to edit an administrator, in the API Configuration section, the examples provided for the IP Address and Netmask fields are now accurate and the fields are marked as required.

NGX-19066. Identity routers that are updated in debug mode no longer remain in the Updating phase.

NGX-19072. iOS and Windows users can now complete SecurID Authenticate device registration if the Authenticate app or their devices do not receive push notifications.

NGX-19102. In the Cloud Administration Console, clearing the Enable the Identity Router REST API checkbox on the My Account > Administrators page correctly disables the API for an administrator.

NGX-19175. Unintentional audit logging changes are no longer saved to the Cloud Administration Console when Portal Settings are saved.

NGX-19176. RSA Support can now be enabled if a backup is added but not saved.

NGX-19177. Multiple audit log entries are no longer saved to the Cloud Administration Console if the backup schedule is changed and RSA Support is enabled.

NGX-19350. The Approve authentication method was failing intermittently to send notifications to Android mobile devices, resulting in failed authentications. This problem no longer occurs.

NGX-19397 and NGX-19431. Previously, when you edited and saved some existing SAML direct templates, extra attribute rows were created. This problem no longer occurs.

NGX-19494. If you are synchronizing identities from Active Directory Global Catalog, RSA recommends that you include accountExpires in the Partial Attribute Set to ensure that user accounts in the Cloud Authentication Service are enabled or disabled to match the directory server after synchronization. You no longer need to include the accountExpires attribute in the Partial Attribute Set to successfully synchronize the Cloud Authentication Service to an Active Directory Global Catalog.

April 2018 - Cloud Authentication Service

The Cloud Authentication Service includes the following features and bug fixes.

Active Directory Account Status Now Synchronized with the Cloud Authentication Service

Users who have been disabled or expired in Active Directory are automatically disabled in the Cloud Authentication Service after manual, scheduled, or just-in-time synchronization. Disabled users cannot authenticate through the Cloud Authentication Service or register devices.

The next time you perform a publish operation and synchronize your Active Directory identity sources following the Cloud Authentication Service update on April 21, the Cloud Authentication Service will disable any cloud users whose accounts are already disabled or expired in Active Directory. This capability is not configurable. Support for LDAPv3 directory servers is expected in the near future.

Users who are disabled in Active Directory and who do not have existing records in the Cloud Authentication Service are not added to the Cloud Authentication Service during synchronization.

Note: Make sure all Active Directory users who need to use the Cloud Authentication Service are active and enabled in Active Directory.

Administrators Can Override User Account Status in the Cloud Authentication Service

You can use the Cloud Administration Console to manually enable and disable users. This feature applies to users from Active Directory and LDAPv3 directory servers. For information about user disablement and identity source synchronization, click here.

Enhanced Authentication Options Available in SecurID Authenticate 2.0.1 for Windows

SecurID Authenticate 2.0.1 for Windows adds support for the Approve and Biometrics options. As part of leveraging native biometric authentication capabilities, the Biometrics option supports any Windows Hello sign-in option.

Also, if you require additional authentication before viewing the Authenticate Tokencode, the tokencode can now be protected with an app-specific PIN, instead of Windows Hello. When a user tries to view the tokencode, the app prompts the user to create this PIN.

Users should update to this version when it is released.

SSO Agent Web Server User Traffic Uses Only https://

The Cloud Administration Console now ensures that all IDR SSO Agent web server configurations use https:// for traffic between users and identity routers. You can no longer configure http:// for user traffic. You can still configure web servers to connect to backend application web servers over https:// or http:// as necessary. Also, the console has been improved to clarify steps for the IDR SSO Agent web server configuration.

Identity Router Update Available

A new identity router update is now available with the following improvements:

  • Improved handling for environments with unreliable time synchronization.

  • Improved handling of out-of-memory conditions in cluster replication.

If you are using the IDR SSO Agent, RSA recommends that you apply this update to your identity routers. If you have updated your identity routers after February 2018, your identity routers do not display OUT_OF_DATE, but you can update the cluster now using these instructions. If you do not take any action, these improvements are not applied to your identity routers until your next scheduled update.

Fixed Issues

NGX-17578. In the Cloud Administration Console, the Forgot Password popup has been improved to specify that the administrator must enter the same email address that belongs to Username.

NGX-18600. Single sign-on no longer fails if you accidentally add a leading or trailing space to an access policy name.

NGX-18889. IWA connector uses global catalog to search for users in the Active Directory forest and can now find a user based on the user's domain, even when multiple user records have the same sAMAccountName in the forest.

NGX-19037. When you search for a user by entering the user’s exact email address, the user, if found, appears at the top of the list.

NGX-19079. In the Cloud Administration Console, on the My Applications page, you are no longer prevented from editing an application if you added a SAML application before adding an identity source.

March 2018 - Cloud Authentication Service

SecurID Authenticate 1.5.6 for iOS and SecurID Authenticate 1.5.8 for Android contain the following updates:

  • To ensure that your users have a consistent and familiar experience and to leverage the native biometric authentication capabilities of mobile devices, Eyeprint ID has been removed from the apps. Eyeprint biometric data stored within the apps on these devices is removed. As a reminder, RSA does not store any biometric data in the Cloud Authentication Service.

    If Eyeprint ID is an authentication option in your assurance levels, remove it. If users are prompted to use Eyeprint ID, the apps present a message instructing the users to select a different option in the browser or VPN.

  • As part of this change, Face ID is now officially supported as an option for the Device Biometrics authentication method, along with Touch ID and Android fingerprint.

  • Bug fixes.

February 28, 2018 - SecurID Authenticate Apps

SecurID Authenticate 1.5.7 for Android includes bug fixes.

February 23, 2018 - Identity Router Update Available

If you downloaded the identity router template or applied the identity router update between February 10, 2018 and today, certain browsers, including Chrome and Internet Explorer on Windows, might reject the self-signed certificate presented by the Identity Router Setup Console. This issue prevents you from accessing the Setup Console.

This issue does not affect you if you did not update your identity routers using the February 10 release. When you do update your identity routers, the fix for this issue will be included in the update.

If you encounter this issue, you can fix it by performing the following actions:

  • If you downloaded the virtual machine image on or after February 10 but have not yet deployed or registered it, you must download and use the latest image. For instructions, click here.
  • If you updated and registered your identity router on or after February 10 but did not upload your own certificate, you must perform the update again, as described here. The identity router does not show OUT_OF_DATE status, but you must still update it with the latest patch to resolve this issue.

February 2018 - Cloud Authentication Service

The Cloud Authentication Service includes the following features and bug fixes.

Note: RSA strongly recommends that you deploy this update on identity routers in your test environment and become familiar with all changes before updating identity routers in your production environment. For questions or to report issues, contact RSA Customer Support.

Enhanced Authentication Method Availability

SMS Tokencode and Voice Tokencode are now available as authentication methods in RADIUS and IDR SSO Agent deployments. You must update your cluster to allow this capability.

FIDO Tokens are now available as an authentication method in relying party deployments. In IDR SSO Agent deployments, you must update your cluster to continue using FIDO Tokens, and existing FIDO Token users will need to re-register their FIDO Tokens.

Additional Authentication Screens Presented in IDR SSO Agent Deployments

The Cloud Authentication Service now presents the browser-based additional authentication screens to users in both IDR SSO Agent and relying party deployments. In the past, the identity router presented these screens to IDR SSO Agent deployment users, although the Cloud Authentication Service verified the users. As a result of this, users' default authentication preferences are reset. After the reset, authentication behaves the same as in the previous release, described here: https://community.rsa.com/docs/DOC-75855. Also, if you have restrictive internet access policies, you must ensure that users are allowed to access your company's authentication service domain. To view your authentication service domain, click Platform > Identity Routers > Edit (to the right of an identity router) > Registration.

Improved Cluster Mapping for Authentication Requests

Identity routers now send authentication requests only to the directory servers that are assigned to the cluster for that identity router. You do not need to perform additional configuration to make this happen.

Support for IP Address-Based Conditions in Access Policies for Office 365 STS Apps

The identity router can access client IP addresses from header information provided by Microsoft for Office 365 ActiveSync and Outlook clients that use legacy authentication. You can use conditions in access policies to configure access and authentication requirements based on these client IP addresses. For more information, see the Microsoft Office 365 STS - RSA WS-Federation Implementation Guide on RSA Link.

SecurID Authenticate App Releases

SecurID Authenticate 1.5.5 for iOS and SecurID Authenticate 1.5.6 for Android include increased reliability of push notifications from the Cloud Authentication Service and bug fixes.

Cloud Administration Console Improvements

The Cloud Administration Console was enhanced to improve reliability and failover. Additional improvements include:

  • The console sign-in page has been modified to improve usability.
  • The dashboard page provides monthly usage information for SMS Tokencode and Voice Tokencode.
  • On the Users > Management page, a Super Admin or Help Desk Admin can click a refresh button to synchronize an individual user from an identity source.

Terminology Update

In the user authentication interface for RADIUS, relying parties, and IDR SSO Agent, the term Fingerprint has been replaced with Device Biometric. Device Biometric includes Fingerprint and Face ID.

Fixed Issues

NGX-17834. When a user authenticates to an HFED application and SecurID does not receive a response from the application, SecurID displays an appropriate timeout error.

NGX-17855. If you test the identity source connection, click Refresh Attributes on the User Attributes page, save changes, publish, and synchronize, you no longer see a failed synchronization message if the LDAP directory server is running and SSL certificates are invalid. Instead, a message instructs you to check the SSL configuration and certificates.

NGX-17883. If the IP address of a RADIUS client device is translated using Network Address Translation (NAT) before connecting to the identity router RADIUS server, the server responds and no longer times out prematurely.

NGX-17928. If RSA Authentication Manager is connected to the Cloud Authentication Service but cannot be reached by the identity router, and a user attempts RADIUS authentication using a SecurID Token or an invalid SecurID Authenticate Tokencode, the User Event Monitor now displays an appropriate timeout message.

NGX-18434. When you deploy a custom portal and add a trusted header application to proxy the web traffic between users and the custom portal web server, the web servers created using HTTPS or Both (HTTP/HTTPS) now function correctly.

NGX-18518. Authentications from the identity router to HTTP Federation applications that were configured for HTTPS or BOTH and were incorrectly sent over HTTP are now configured and sent correctly.

NGX-18642. The initial publish to identity routers no longer fails after the Cloud Authentication Service has been upgraded.

November 2017 - Cloud Authentication Service

The Cloud Authentication Service includes the following feature and bug fixes.

Voice Tokencode

SecurID has a new authentication method, Voice Tokencode. When RSA enables this feature, a user can request SecurID to call the user’s phone and provide a six-digit code, which the user enters to access a protected resource. This method is handy for emergency access, for example, when the user cannot access a registered device or SecurID Token.

Device Biometrics

In the Cloud Administration Console, the Assurance Levels page (Access > Assurance Levels) has replaced the Fingerprint option with Device Biometrics. When you select Device Biometrics for an assurance level, users can select Biometrics as an authentication option and use fingerprint if they registered fingerprint on their devices. Other biometric methods will be supported in future releases.

Miscellaneous Upgrades

The November release will also include several miscellaneous infrastructure upgrades and bug fixes.

November 2017 - SecurID Authenticate Apps

SecurID Authenticate 1.0.4 for Windows contains bug fixes.

All users of this app should update to this version. Users who have installed the app on a PC can update on their own. Users of the app on Windows phones require administrative assistance. An administrator must first delete the users' Windows phones in the Cloud Administration Console, and then the users must complete device registration again.

October 2017 - Cloud Authentication Service

The Cloud Authentication Service includes the following feature and bug fixes.

Multifactor Authentication to Protect Microsoft Azure Active Directory

You can protect Microsoft Azure Active Directory applications, the Azure Active Directory application portal, and the Azure AD admin console with SecurID multifactor authentication. For instructions, see https://community.rsa.com/docs/DOC-81278.

End User Toolkit Update

The End User Toolkit now contains step-by-step instructions for SecurID Authenticate device registration, available in HTML, PDF, and video. See https://community.rsa.com/docs/DOC-75817.

Fixed Issues

The Cloud Authentication Service includes numerous fixes, including the following.

NGX-17664 - After a user successfully authenticates with a SecurID token in New PIN Mode, the message “3006 Device deletion failed” is no longer logged in the User Event Monitor.

NGX-17927 - If the name configured for an application in the Cloud Administration Console contains more than 32 characters, the SecurID Authenticate app no longer truncates the name when prompting users for authentication credentials.

NGX-17960 - On the User Management page, if you highlight all or part of the user’s SMS phone number while updating it, the Save button is now activated after you type the replacement number.

NGX-17964 - If an Android user is trying to authenticate with Fingerprint or Eyeprint Verification to an authentication client or custom client developed with the SecurID Authentication API, SecurID no longer sends an actionable notification (Approve/Deny) to the user.

NGX-17986 - When a user reaches the limit for failed authentication attempts using SecurID Authenticate Tokencode, the audit trail now continues to record additional authentication attempts after the method is locked.

NGX-18007 - In an IDR SSO Agent deployment, when configuring an application to use SP-initiated SAML with the HTTP REDIRECT binding, the Choose File button for certificate upload is now disabled to reflect that signed SAML requests are not supported for the redirect binding method.

NGX-18137 - In an IDR SSO Agent deployment, importing metadata from an XML file for a new SAML Direct application created from a template now works properly in Internet Explorer 10 and 11.

NGX-18261 - The +ADD buttons on the Access > Assurance Levels page of the Cloud Administration Console no longer appear inactive in some deployments, and new assurance levels can be added normally.

October 2017 - SecurID Authenticate Apps

SecurID Authenticate 1.5.4 for Android contains the following updates:

  • Qualified on Android 8.0 (Android O)
  • Bug fixes

September 2017 - Cloud Authentication Service

The Cloud Authentication Service includes the following new features and enhancements.

Support for Installing Identity Routers as Microsoft Hyper-V® Virtual Machines

SecurID supports installing identity routers as Microsoft Hyper-V-based virtual machines. You can use the Cloud Administration Console to download a Microsoft Hyper-V Virtual Hard Disk (VHD) image, which includes all necessary identity router applications.

Download User Reports

You can use the Cloud Administration Console to create a report listing all users who have been synchronized from identity sources to the Cloud Authentication Service and download the report to a .CSV file. The report provides dates for user account creation and update, and information about user devices and authenticators.

Improved Visibility of Authentication Options When Configuring Access Policies

When you select the assurance level for an access policy, the Cloud Administration Console displays the authentication options for the level that you selected and all higher levels. For example, if you select Low, the console displays options from the Low, Medium, and High assurance levels. End users may see options for all levels but are not presented with options they cannot complete.

New Videos for End Users

The SecurID End User Toolkit now includes two YouTube videos that you can use to show your users how to authenticate with the Approve and Fingerprint authentication methods.

Fixed Issues

The Cloud Authentication Service includes numerous fixes, including the following.

NGX-17635 - When a user authenticates to an authentication client or a custom client developed with the SecurID Authentication API, the User Event Monitor no longer displays unnecessary "Device registration succeeded" and "Device deletion succeeded" messages.

NGX-17934 - After you modify administrator API settings in the Cloud Administration Console, the publishing status bar no longer displays “Changes Pending” to indicate that the new settings must be published.

NGX-18264 - You can now edit, delete, and export metadata from a configuration for a SAML 2 Generic Direct SP application with an expired certificate. Open the edit page in the Cloud Administration Console and upload a new certificate if necessary.

August 2017 - Cloud Authentication Service

The Cloud Authentication Service includes the following new features and enhancements:

  • Improved authentication experience during single sign-on
  • RADIUS events sent to Syslog (user authentication, start and stop)
  • RADIUS support for Fingerprint and Eyeprint ID
  • SMS Tokencode authentication method
  • Additional authentication for the Cloud Administration Console
  • Just-in-time synchronization for LDAP user records
  • Configurable security levels for identity router connection ciphers
  • Authenticate app updates
  • Numerous additional improvements

Note: To take full advantage of new features, make sure you update your identity router. For instructions, see https://community.rsa.com/docs/DOC-54075 on RSA Link.

For the latest product documentation, see the SecurID Documentation page at https://community.rsa.com/community/products/securid/securid-access.

Improved Authentication Experience During Single Sign-On

The authentication experience for users trying to access a protected application in an IDR SSO Agent deployment has been improved by displaying more options to complete authentication. Users can select options from the required assurance level and higher assurance levels. For example, if an application has a policy that requires a certain set of users to use the Low assurance level, then those users accessing the application can authenticate using an authentication method defined for the Low, Medium, or High level.

RADIUS Improvements

RADIUS for the Cloud Authentication Service provides the following improvements.

  • Improvement: RADIUS events (such as user authentication and start and stop events) are sent to Syslog.

    Description: The identity router sends RADIUS events to the Syslog server if you enable logging for identity router system events in the Cloud Administration Console.

  • Improvement: Support for Fingerprint and Eyeprint ID authentication.

    Description: RADIUS supports the Fingerprint and Eyeprint ID authentication methods. Users with registered compatible mobile devices can use these methods for RADIUS authentication if allowed by the access policy for the RADIUS client.

SMS Tokencode Authentication Method

SecurID has a new authentication method, SMS Tokencode. When SecurID enables this feature, the Cloud Authentication Service can send a six-digit code to the user's mobile phone in a text message. This method is useful for emergency access, for example, when the user cannot locate the device used to register the Authenticate app. SMS Tokencodes can be sent to phone numbers that are synchronized from LDAP directory servers, or administrators can enter user phone numbers manually. Contact SecurID Customer Support for more information.

Additional Authentication for the Cloud Administration Console

You can require additional authentication factors, such as tokencodes or push notifications, to protect the Cloud Administration Console. Passwords are still required. You configure an access policy to set up authentication requirements for the console just as you do for other resources. Use the policy to specify different access requirements for administrators based on identity source attributes and conditional attributes.

Just-in-Time Synchronization for LDAP User Records

Just-in-time synchronization automatically adds or updates user records in the Cloud Authentication Service when users attempt to register a device or access a protected resource. When this feature is enabled, the user records and related attributes in the Cloud Authentication Service stay up-to-date without administrative action. An administrator never needs to add user records through manual or scheduled synchronization. Contact SecurID Customer Support to enable just-in-time synchronization.

Configurable Security Levels for Identity Router Connection Ciphers

Security levels determine the cipher requirements for connections between the identity router and other components such as user browsers and load balancers. Using the Cloud Administration Console, you can view cipher requirements for incoming and outgoing connections, and modify the security level for incoming connections.

Authenticate App Updates

SecurID Authenticate 1.5.3 for Android, SecurID Authenticate 1.5.4 for iOS, and SecurID Authenticate 1.0.3 for Windows 10 contain the following updates:

  • (Android only) New minimum Android operating system of version 5.0. With the release of SecurID Authenticate 1.5.3 for Android, earlier versions of the app will no longer be supported, and the app will no longer be available in Google Play for devices that do not meet this new minimum OS requirement. Encourage your end users to upgrade to Android version 5.0 or higher.

  • Improved backup support for communication between the app and SecurID.
  • Updated SecurID logo.

  • Bug fixes.

Additional Improvements

The Cloud Authentication Service contains the following additional improvements:

  • The Welcome page of the Identity Router VMware Console includes detailed instructions for navigation, selection, and saving configuration changes. When you save your settings, the console displays a progress bar and status messages.
  • In the Cloud Administration Console, service providers are now managed in Authentication Clients > Relying Parties.
  • There is now only one SecurID Solution Architecture Workbook. The region-specific information is available within the workbook.

Fixed Issues

The Cloud Authentication Service includes numerous fixes, including the following.

NGX-17207 - If an identity router is originally configured as part of a non-default cluster, changing settings for that identity router in the Cloud Administration Console no longer resets the cluster back to default when you navigate back to the Basic Information page for the identity router.

NGX-17456 - After you complete an initial setup option, the dashboard now shows the System Summary screen.

NGX-17603 - When you set up an identity router with single sign-on (SSO) disabled, you are no longer required to enter a Portal Hostname.

NGX-17615 - When you connect to the identity router through SSH using the idradmin account, messages regarding the Enterprise Connector no longer appear.

NGX-16883 - This fix applies when an identity source is configured for multiple replica directory servers and each server is assigned to a different cluster. When a user signs in to the application portal, the identity router authenticates the user through the directory servers in the cluster to which the identity router belongs.

NGX-17333 - If a user attempts to access two applications from the application portal on two different browsers using the same mobile authentication method, and the user successfully responds to both mobile notifications, each application can authenticate successfully.

If a user attempts to access two applications from the application portal on the same browser and both applications are protected by the same assurance level, and the user successfully responds to the authentication prompt, only the first tab where the user clicks Continue on the Remember This Browser screen can be opened. The second attempt displays an error message. The user must launch the second application from the application portal again, but is not required to provide additional authentication.

NGX-17660 - If the user selects an authentication method from the list of available options, the selected method reliably persists when clicked, and authentication begins.

NGX-17700 - A user with an Android device with a time delay of two minutes or more can now complete device registration using SecurID Authenticate versions 1.4 through 1.5.1.