SecurID® Release Notes - Cloud Authentication Service and Authenticators

These release notes include product updates and bug fixes.

For additional information, see:

  • SecurID Product Release Notes, a portal to all release notes for the Cloud Authentication Service, Authentication Manager, authentication agents, and authenticators.

  • RSA Link, to access all SecurID product documentation.

September 2022 - Cloud Authentication Service

DS100 Next Generation Hardware Authenticator Availability

The DS100 is a cloud-managed, multi-functional hardware authenticator that supports SecurID one-time password (OTP) and passwordless FIDO2 authentication. With dynamic seeding and self-registration, administrators can secure users as they transition from SecurID OTP to FIDO2 without changing their authenticator. The DS100 authenticator supports OTP generation when unplugged from a device to support high security environments without USB connectivity.

Cloud Administration Generate and Download Reports APIs

Administrators can now use secure APIs to generate and download the available reports in the Cloud Authentication Service Administration Console.

SecurID Authenticator 4.1.5 for iOS and Android - Coming Soon!

  • SecurID apps and their related software development kits (SDKs) will support iOS 16 and Android 13.

  • In iOS devices, users will be able to approve or deny the sign-in requests before the Face ID authentication is completed.

  • Users will be able to share information logs and binding IDs not only via the default email client, but also via any of the installed apps on their devices.

  • Users will be able to approve the push notifications received from the SecurID Authenticator app on their Android watches.

Third-Party Integrations from RSA Ready

If you are using an integration that is not listed on RSA Community, contact the RSA Ready Program Manager, Michael.wolff@rsa.com.

Fixed Issues

The following table lists the issues that have been fixed in this release:

Fixed Issue Description
NGX-91477 Using the SecurID Authenticator app on iOS devices, users could not register their device to the Cloud Authentication Service if their email addresses contain an apostrophe before the @ symbol (e.g., o'neal@example.com). Users can now use an apostrophe and some additional characters in their email addresses.
NGX-92339 Using the SecurID Authenticator app on Android devices, users could not register their device to the Cloud Authentication Service if their email addresses contain an apostrophe before the @ symbol (e.g., o'neal@example.com). Users can now use an apostrophe and some additional characters in their email addresses.
NGX-97267

In August release, the entity ID was incorrect, and it was replaced with the following instead: https://<customersubdomain>/sso/saml/<guid of specific application>

NGX-97488 A customer was unable to download the SAML request signing certificate for an Identity Provider (IdP)and received the following error message: Error downloading certificate.


August 2022 - Cloud Authentication Service

App Name and App Version Columns in All Synchronized Users Report

The "All Synchronized Users" report has been enhanced by adding App Name and App Version columns for all the admin roles to track which Software Authenticator application, either "SecurID Authenticator" or "RSA Authenticate App", each user is currently using.

Standardized Product Terminologies

The pages of the Cloud Administration Console and My Page self-service portal Authenticator management have been modified with standardized product terminologies and icons to align with the other SecurID products and the authentication industry.

Note: The login pages of My Page will be updated in a future release.

The following table lists the most important old and new terms:

Old Term New Term
Company ID Organization ID
Account Credential
Token

Based on the usage, the term has been replaced by one of the following terms:

  • Credential or OTP credential (Generic description)

  • SecurID OTP credential (Full description)

  • SecurID software OTP credential (Full description for software)

  • SecurID hardware OTP credential (Full description for hardware)

Software Token

Based on the usage, the term has been replaced by one of the following terms:

  • SecurID software OTP credential (Complete description)

  • SecurID OTP credential (When already in the context of software credentials)

  • Software OTP credential (General category description)

View Tokencode

Based on the usage, the term has been replaced by one of the following terms:

  • View SecurID OTP

  • View Authenticate OTP

Authenticate Tokencode Authenticate OTP
Emergency Tokencode Emergency Access Code
SMS Tokencode SMS OTP
Voice Tokencode Voice OTP

Automatic Deletion of Users from Cloud Authentication Service Based on User Changes in the Identity Source

Users who have a registered software or hardware authenticator in the Cloud Authentication Service, but have not synced in the last 30 days, will be automatically Just In Time (JIT) synced from the directory server. JIT will disable the users who are out of the scope of the identity source or disabled in the directory server. Users will be marked for deletion 90 days after being disabled by auto-sync. Then, they will be deleted seven days after being marked for deletion.

Users are checked in the Identity Source to verify that they still meet the following conditions:

  • User is present in the Identity Source

  • User is active

  • User is in scope to be synchronized to the Cloud Authentication Service

If all the three conditions are not true, then the user is marked for automatic deletion in the Cloud Authentication Service.

Metadata Service Version 3 in SecurID FIDO Implementation

Metadata Service (MDS) is a centralized web repository of the Metadata Statement. The service was upgraded by the FIDO Alliance as a replacement to the deprecated MDS2. SecurID FIDO implementation upgraded the MDS2 to MDS3 to better work through the security notifications to ensure effective incident response.

Third-Party Integrations from RSA Ready

If you are using an integration that is not listed on SecurID Community, contact the RSA Ready Program Manager, Michael.wolff@rsa.com.

Fixed Issues

The following table lists the issues that have been fixed in this release:

Fixed Issue Description
NGX-94453 When the msDS-PrincipalName (domain\username format) attribute was used as the alternate username, Just In Time sync could not onboard new users to the Cloud Authentication Service.
NGX-94868 For My Page, the users received Access Denied error while using the Trusted Location attribute in the access policy to protect the access.
NGX-95254 Applying Custom Domain Name for OIDC for Azure AD configuration did not work due to the limitation of Microsoft Azure requirement of registering allow list for redirect URLs.

Known Issues

The following table lists the known issue in this release.

Known Issue Description
NGX-97371

For some of the newly provisioned customers who have never opened and saved the My Account > Company Settings > Company Information page, their QR code device enrollment screens display 'company' and the QR code registration for their users fails.

Workaround

Administrator can open the My Account > Company Settings > Company Information page and click Save Settings.

July 2022 - Cloud Authentication Service

Periodic User Refresh Process

To keep the user repository of the Cloud Authentication Service in sync with the underlying directory server, a periodic user refresh process has been implemented. This will refresh the users who have not been authenticated or synchronized to the cloud recently.

Distinguished Name Column in All Synchronized Users Report

The All Synchronized Users report has been enhanced with a column for Distinguished Name to enable organizations with a large and distributed userbase to identify their users.

SecurID Authenticator 6.1 for Windows - Coming Soon!

SecurID Authenticator for Windows is a single authentication app on Windows that supports both the SecurID Authentication Manager (AM) One Time Password (OTP) credentials and ID Plus cloud-based OTP credentials and push authentication to manage all your authentication needs. SecurID Authenticator 6.1 for Windows will be released soon with RSA DS100 Hardware Authenticator management, including OTP credential registration and firmware upgrade. It can perform FIDO management on the DS100 and third-party FIDO Security Keys.

Third-Party Integrations from RSA Ready

If you are using an integration that is not listed on SecurID Community, contact the RSA Ready Program Manager, Michael.wolff@rsa.com.

Fixed Issues

The following table lists the issues that have been fixed in this release.

Fixed Issue Description
NGX-89553 The following error banner was displayed on the Connection Profile page of the IDR SAML application. "There was an error with your application setup. Correct the items in red". However, none of the fields were highlighted in red. This issue occurred when an expired certificate was used in the Encrypt Assertion section and the Encrypt Assertion check box was disabled.
NGX-90985 When users accessed relying party and performed mobile authentication on the same device, authentication failed intermittently.
NGX-93473 Organization ID was not showing any value during the device registration on My Page until Company Settings page was edited.

June 2022 - Cloud Authentication Service

New Cloud-Based My Page Portal with Single Sign-On Experience is Available

A fully redesigned cloud-based My Page portal with a reliable and highly available single sign-on experience is now available. This allows users to manage the self-service of their authenticators in the My Authenticators tab and single sign-on (SSO) access to their protected applications in the My Applications tab. It provides a unified on-site and off-site user-friendly experience that is rebrandable, customizable , and accessible.

  • Existing customers with the HTTP Federation Proxy, Trusted Headers, NTLM, and Bookmark applications deployed on Identity Router based portal can easily migrate to the cloud-based portal.

    • SAML applications need to be created again in the cloud-based portal if you migrate from Identity Router based portal.

    • WS Federation applications are not supported in the cloud-based portal.

    • Identity Router based portal cannot be enabled going forward. This does not impact the customers who are already using the Identity Router based portal.

  • Administrators can now customize and configure domain name (CNAME). This is supported for HTTP Federation Proxy, Trusted Headers, NTLM, SAML, and Bookmark applications.

  • The user interface text and labels have been standardized to align with other SecurID products.

  • Users can sign in to the portal once and access multiple authorized applications, including cloud and on-premise applications, SAML-enabled and non-SAML enabled applications.

  • The My Page portal now supports the Italian language.

Enable or Disable Agent Inventory Report

To allow customers to control the information that is tracked in the Cloud Authentication Service, the agent data collection can now be enabled or disabled. The default for this setting is 'disabled'.

Cleaning Up of Unused User Records

To increase the efficiency of the Cloud Authentication Service, a clean-up process has been implemented to remove the data for users who have never used the Cloud Authentication Service. This includes identifying the users who have not used Cloud Authentication Service for at least 30 days after their user records were initially created in the Cloud Authentication Service, disabling and marking them for deletion, and deleting their data. The Cloud Authentication Service automatically deletes all users who have been Pending Deletion for seven days. The deleted user records can be added back if the users want to use the Cloud Authentication Service.

SecurID Authenticator 6.0 for Windows - Coming Soon!

A single authentication app on Windows that supports both SecurID Software Token and cloud-based multifactor authentication to manage all your authentication needs. Be it on-premises, cloud, or hybrid infrastructure, you will have one single application to manage authentications effectively. By adding support for cloud MFA for Windows users, the new authenticator helps move your authentication to the cloud with continued support for software tokens. Existing software token users can easily migrate to the SecurID Authenticator 6.0 by simply re-importing their tokens.

Authentication Agent 1.0 for Epic Hyperdrive - Coming Soon!

Epic is moving its current primary end user application, 'Hyperspace', to a web-based framework, 'Hyperdrive'. RSA will release a new authentication agent to secure the new Epic Hyperdrive login and workflows.

New and Updated Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by SecurID through the RSA Ready Technology Partner Program. For Implementation Guides, see SecurID Integrations on the SecurID Community.

  • Microsoft OWA 2013 (update, Cloud Authentication Service) – updated support for the HTTP Federation method type.

  • Prove (update, AuthMgr) – updated support for OTP via SMS.

  • Radiant Logic RadiantOne (update, AuthMgr) – updated support for REST method.

Contact SecurID Partner Engineering for questions and integration support, rsapesupport@securid.com.

Fixed Issues

The following table lists the issues that have been fixed in this release.

Fixed Issue Description
NGX-90059 Customer was unable to edit access policies when the MFA license flag was turned off.
NGX-90040 Errors occurred during post tenant moveall ALA monitoring.
NGX-88921 Customer could not save identity source attributes.

May 2022 - Cloud Authentication Service

Authenticator 4.1 App for iOS and Android - Coming Soon!

SecurID app for iOS and Android has been renamed as Authenticator and its 4.1 version will be released soon with enhanced usability and accessibility. The user interface text and labels are standardized to align with other SecurID products.

Agent Inventory Report

A new report for exporting the list of cloud-connected Authentication Agents for compliance and reporting purposes is available now. From the June release, customers will be able to control the availability of the report. By default, the report will be disabled.

Identity Router Update Schedule and Versions

This release includes miscellaneous identity router improvements. Identity routers will be updated according to the following schedule.

Date Description

AU: 06/07/2022

EU: 06/09/2022

NA and Gov: 06/14/2022

Updated identity router software is available to all customers.
07/16/2022 Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually.
08/06/2022 If you postponed the default date, this is the last day when updates can be performed.

Note: Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.

The new identity router software versions are:

Identity Router
Deployment Type

Version
On-premises 12.15.0.0
Amazon Cloud RSA_Identity_Router 12.15.0.0

New and Updated Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by SecurID through the RSA Ready Technology Partner Program. For Implementation Guides, see SecurID Integrations on the SecurID Community.

  • VMware Horizon (update, AuthMgr & Cloud Authentication Service) – updated support for SecurID Authentication (REST) API and Radius method types.

  • VMware UAG (update, AuthMgr & Cloud Authentication Service) – updated support for SecurID Authentication (REST) API and Radius method types.

End Of Support – Reminder

We would like to remind all Technology Partners with an integration that used SecurID Authentication API for C and Java (v8.7 or earlier to build UDP/TCP clients) to move to SecurID Authentication (REST) API v1.x to connect to Authentication Manager. The Documentation and a YAML file (logon required) are available on SecurID Community. The integrations that were built using SecurID Authentication API for C and Java (8.7 or earlier) will be reaching their end of support soon. We request all the technology partners to start supporting integrations with REST API to avoid disruption of services.

Contact SecurID Partner Engineering for questions and integration support, rsapesupport@securid.com.

Fixed Issues

The following table lists the issues that have been fixed in this release.

Fixed Issue Description
NGX-89939 A customer had reported that all the users in the tenant were receiving delayed MFA push notification.
NGX-86858 Error occurred while assigning a FIDO token to a user.
NGX-86779 Customer had reported flooding of MFA notifications.
NGX-85970 SecurID app could not scan QR codes on older iPhone with smaller screen.
NGX-83462 The 'Identity router memory usage exceeds the threshold limit' error was reported by a customer.
NGX-83269 Inconsistent messages were displayed when access to the application was denied for a user on Application portal.
NGX-82341 A customer was unable to publish the changes after editing NGX Auth ID.

Known Issues

The following table lists the known issues in this release.

Known Issue Description
NGX-82988

This release contains changes that will prevent Identity Router SSO Agent intra-cluster session replication from working until all Identity Routers in the cluster are running on this release.

This affects customers who have:

  • An Identity Router cluster running a mix of older and newer 12.15.0.0 release Identity Routers.

  • Both SSO Agent and Intra-cluster session replication turned on for the Identity Router cluster.

When an Identity Router becomes unavailable, the session will end for the users who logged into that Identity Router, and they will be asked to re-authenticate.

Workaround

Once all Identity Routers in the cluster are upgraded to the May release, this will work again as expected. This will not cause auth failures or prevent other Identity Router functionality from working correctly.

NGX-90704 Customers may notice a new report titled ALL_TRACKED_MFA_CLIENTS for a short duration. This report is not ready for use until they are upgraded to the May 2022 release. Attempting to run this report before the upgrade completes will display an error message.

April 2022 - Cloud Authentication Service

SecurID 700 Hardware Tokens Available for All Customers

After a successful pilot with a limited set of customers, management of SecurID 700 Tokens in the Cloud Authentication Services is now available by default for all customers.

Cloud Migration for SecurID 700 Hardware Tokens – Coming Soon!

Using RSA Authentication Manager 8.7, SecurID 700 Hardware Tokens managed in Authentication Manager can be easily migrated to the Cloud Authentication Service. Administrators can decide which tokens to migrate and which tokens to retain within Authentication Manager, based on multiple factors.

For the migrated tokens:

  • Administrators can then manage them using the Cloud Administration Console without impacting their on-premises infrastructure.

  • Authentication Manager 8.7 will still be able to manage authentication if the cloud authentication service is unreachable.

New and Updated Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by SecurID through the RSA Ready Technology Partner Program. For Implementation Guides, see SecurID Integrations on the SecurID Community.

  • Archer (update, Cloud Authentication Service) – ESG and Integrated Risk Management, updated support for authentication method types SAML via Cloud SSO and Relying Party.

  • SecurID G&L (update, Cloud Authentication Service) – Identity Governance and Administration, updated support for authentication method types SAML via Cloud SSO and Relying Party.

  • IBM MFA for z/OS (update, Authentication Manager) – alternate authentication mechanisms for z/OS networks, added support for REST API.

End Of Support – Reminder

We would like to remind all Technology Partners with an integration that used SecurID Authentication API for C and Java (v8.7 or earlier to build UDP/TCP clients) to move to SecurID Authentication (REST) API v1.x to connect to Authentication Manager. The Documentation and a YAML file (logon required) are available on SecurID Community. The integrations that were built using SecurID Authentication API for C and Java (8.7 or earlier) will be reaching their end of support soon. We request all the technology partners to start supporting integrations with REST API to avoid disruption of services.

Contact SecurID Partner Engineering for questions and integration support, rsapesupport@securid.com.

Fixed Issues

Fixed Issue Description
NGX-85886 A customer was unable to change the SAML NameID value. The issue was that change in the NameID identifier type was not getting retained even after saving and publishing the updates. This issue has been fixed now.
NGX-86023 Customers reported an authentication outage after tenants were moved to the March Cloud release. The issue is fixed now.

March 2022 - Cloud Authentication Service

SecurID Authenticator 5.0 for macOS is Available!

SecurID Authenticator 5.0 for macOS is a new app that supports both SecurID Software Token and cloud-based multifactor authentication to manage all your authentication needs. Be it on-prem, cloud, or hybrid infrastructure, you will now have one single app to manage effectively.

The app is distributed through platform-specific public Apple's App Store and a SecurID Link for a side-loading, customers can download the app package from the link.

Please see the SecurID Authenticator 5.0 for macOS Release Notes and Advisories for additional information about the contents of this release.

New and Updated Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by SecurID through the RSA Ready Technology Partner Program. For Implementation Guides, see SecurID Integrations on the SecurID Community.

  • Cisco ASA (update, Authentication Manager, and Cloud Authentication Service) – updated support for authentication method types SAML and Radius.

  • PingFederate (update, Authentication Manager, and Cloud Authentication Service) – updated support for authentication method types SecurID Authentication API and SAML.

  • Prove (update, Authentication Manager) – update to configuration for SMS Gateway provider Prove; originally listed as Authentify.

  • Stormshield (new, Authentication Manager and Cloud Authentication Service) – new support for SSL VPN provider via authentication method types Radius and SAML.

End Of Support – Reminder

We would like to remind all Technology Partners with an integration that used SecurID Authentication API for C and Java (v8.7 or earlier to build UDP/TCP clients) to move to SecurID Authentication (REST) API v1.x to connect to Authentication Manager. The Documentation and a YAML file (logon required) are available on SecurID Community. The integrations that were built using SecurID Authentication API for C and Java (8.7 or earlier) will be reaching their end of support soon. We request all the technology partners to start supporting integrations with REST API to avoid disruption of services.

Contact SecurID Partner Engineering for questions and integration support, rsapesupport@securid.com.

Fixed Issues

Fixed Issue Description
NGX-85005 The customer was unable to publish changes and the page was loading for a long time. This problem has been fixed.
NGX-85007 The customer was unable to edit or sync identity sources in the Production Environment. This problem has been fixed.

February 2022 - Cloud Authentication Service

SecurID Authenticator 5.0 for macOS is Coming!

SecurID Authenticator 5.0 for macOS is a new app that supports both SecurID Software Token and cloud-based multifactor authentication to manage all your authentication needs. Be it on-prem, cloud or hybrid infrastructure, you will now have one single app to manage effectively. By adding support for cloud MFA for macOS users, the new authenticator helps move your authentication to the cloud with continued support for software tokens. Existing software token users can easily move to the SecurID Authenticator 5.0 by simply re-importing their tokens. Migration of software tokens from the RSA Software Token 4.2.3 desktop is not currently supported.

New and Updated Third-Party Integrations from RSA Ready

The following integrations were recently completed by RSA or certified by RSA through the RSA Ready Technology Partner Program. For Implementation Guides, see SecurID Integrations on the SecurID Community.

  • Fortanix Data Security Manager (DSM) SaaS (new, Cloud Authentication Service) – provides integrated data security with encryption, multi-cloud key management, tokenization, and other capabilities from one platform, delivered-as-a-service. Now supports SecurID MFA via SAML including SSO and Relying Party.

  • Microsoft Azure AD (new, Cloud Authentication Service) – can be used as a 3rd party IDP for MFA access to SecurID Cloud Admin Console via SAML.

  • VMware Cloud Director (new, Cloud Authentication Service) – a leading cloud service-delivery platform used by cloud providers to operate & manage successful cloud-service businesses. Now supports SecurID MFA via SAML including SSO and Relying Party.

  • VMware vSphere (new, Authentication Manager) – VMware’s cloud computing virtualization platform. Supports 2FA with Authentication Manager via SecurID Authentication API for C and Java.

We would like to remind all Technology Partners with an integration that used SecurID Authentication API for C and Java, by the end of 2022, to plan to support Authentication Manager – and the Cloud Authentication Service – using the SecurID Authentication API v1.x. Documentation and a YAML file (logon required) are available on SecurID Community. Contact SecurID Partner Engineering for questions and technical support, rsapesupport@securid.com.

Fixed Issues

Fixed Issue Description
NGX-81437

Improved the performance of the Policies page. A customer had reported that the page could take several minutes to load a large number of access policies when an assurance level was empty.

January 2022 - Cloud Authentication Service

Cloud Administration Console URLs Are Changing in January 2022

The Cloud Administration Console URLs for your company are changing to include your company subdomain. For example, if you previously accessed the Console with https://na2.access.securid.com/and your company subdomain is example, you will now access the Console with https://example.access.securid.com. The Cloud Authentication Service can dynamically redirect your administrative requests to a suitable environment if a problem is detected that affects service availability.

The shared URLs in use prior to January 2022 are available for sign-in and administrators will receive a message in the Console reminding them to update bookmarks to use the new URLs. The shared URLs will continue to be supported for at least a year but might not offer all capabilities or perform as well as the new company-specific URLs.

To find the region and service where your Cloud Authentication Service is deployed, sign into the Cloud Administration Console and find the blue hyperlink next to Hello <administrator's name> near the top left of the Dashboard page. You need to know the region and service when checking the Cloud Authentication Service status page, uptime page, and notifications for maintenance and service incidents.

Action Required if You Have a Third-Party Identity Provider Protecting Access to the Cloud Administration Console

If your deployment configured a third-party identity provider (IdP) to protect access to the Cloud Administration Console, the shared console URLs are saved as the SAML Sign-In URL and the Assertion Consumer Service URL. SecurID recommends that you update these URLs to point to the new company-specific URLs for best performance. To view the company-specific URLs, open the Cloud Administration Console and click My Account > Company Settings > Sessions & Authentication tab. The new URLs are automatically provided in the SAML Sign-In URL and Assertion Consumer Service URL fields. Copy these URLs to your IdP configuration.

Whitelisting URLs Accessed by the Identity Router

The repository URLs accessed by the identity router will change to become company-specific. Therefore, make sure any whitelisting you have in place reflects these new URLs. For best practices, we recommend that you whitelist *.securid.com and *.securidgov.com instead.

New and Updated Third-Party Integrations from RSA Ready

The following integrations were recently completed by RSA or certified by RSA through the RSA Ready Technology Partner Program. For Implementation Guides, see SecurID Integrations.

  • Firehydrant.io (new, Cloud Authentication Service) – incident management platform supports SecurID MFA via SAML including SSO and Relying Party.

  • goCanvas (new, Cloud Authentication Service) - provides mobile apps and forms for data collection and sharing. Supports SSO or relying party.

  • Juniper Networks JunOS vSRX (new, Authentication Manager) – virtual NGFW supports SecurID authentication via Radius with Authentication Manager.

  • McAfee MVISION (new, Cloud Authentication Service) - protects data and stops threats in the Cloud across SaaS, PaaS, and IaaS from a single, cloud-native enforcement point. Supports SSO.

  • Microsoft Office 365 (update, Cloud Authentication Service) – updated CAS support for MFA into Microsoft 365 including SSO and Relying Party.

  • Microsoft Sharepoint 2019 (new, Cloud Authentication Service) – SSO Agent for SecurID authentication via SAML.

  • Specops uReset (new, Authentication Manager/Cloud Authentication Service) – self-service password reset supports SecurID authentication via REST API.

  • SUSE Rancher (new, Cloud Authentication Service) – unifies Kubernetes clusters to ensure consistent operations, workload management, and enterprise grade security. Supports SSO or relying party.

We would like to remind Technology Partners about the SecurID Authentication API, a REST-based programming interface that allows you to develop clients that process multifactor, multistep authentications through RSA Authentication Manager and the Cloud Authentication Service.

The SecurID Authentication API was released in 2019 and is one of the supported methods to integrate your client applications with the Cloud Authentication Service, in addition to SAML2 and RADIUS. It replaces SecurID Authentication API 8.7 for C and Java to communicate with Authentication Manager. As of June 2021, version 8.7 is now End of Primary Support Level 2, which means there are no hot fixes available and only best effort support is provided.

To remain RSA Ready, all Technology Partners should plan to support the Cloud Authentication Service in your applications by the end of 2022. If you use version 8.7 or older, you may update to the SecurID Authentication API. Documentation and a YAML file (Logon required) are available on RSA Link. Contact SecurID Partner Engineering for questions and technical support, rsapesupport@securid.com.

Removed the Ability to Request a Cloud Authentication Service Account Through the Authentication Manager Security Console

SecurID no longer supports requesting a Cloud Authentication Service account through the Security Console. If you try to request an account, your patch level determines the error message that you receive.

You can continue to use your existing Cloud Authentication Service accounts. If you need a new Cloud Authentication Service account, call SecurID Sales at 1 800 995 5095.

SecurID 4.0 App is Available!

SecurID 4.0 app for iOS and Android adds cloud-based multifactor authentication to the software token functionality already present in the SecurID 3.0 app. Users have one convenient authenticator to safely sign into their company accounts. This enhancement helps your company move authentication to the cloud and effectively manage a hybrid deployment. See Announcing the Release of SecurID 4.0 app for iOS and Android.

Fixed Issues

Fixed Issue Description
NGX-75573 Documentation was updated to include hostnames and IP addresses (primary and failover), and the identity router download URL for the SecurID Federal region.
NGX-74407 The date encoding issue that occurred when using the Administration Rest API Client command line tool has been resolved in version 2.7.2 of the Cloud Administration SDK.
NGX-72907

A customer was unable to use the Cloud Administration Console to share the Amazon Machine Image (AMI) with multiple Amazon account IDs. This problem has been fixed.

October 2021 - Cloud Authentication Service

Automatic Unlock for Tokencodes

End users no longer have to call their IT Help Desk to unlock their tokencodes. You can configure the Cloud Authentication Service to automatically unlock tokencodes after a specified period of time has elapsed. Each tokencode is locked and unlocked separately. For more information, see Configure Tokencodes.

Multiple SecurID 700 Tokens per User

You can assign to each user up to five active SecurID 700 hardware tokens that are managed in the Cloud Administration Console. Users can register and activate their tokens on My Page. With this feature, the Cloud Authentication Service is closer to providing the same capabilities as Authentication Manager. For more information, see SecurID Hardware Tokens.

Identity Router Update Schedule and Versions

This release includes miscellaneous identity router improvements. Identity routers will be updated according to the following schedule.

Date Description

EU: 11/11/2021

ANZ, US, Gov: 11/16/2021

Updated identity router software is available to all customers.
1/08/2022 Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually.
1/29/22 If you postponed the default date, this is the last day when updates can be performed.

Note: Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.

The new identity router software versions are:

Identity Router
Deployment Type

Version
On-premises 12.13.0.0
Amazon Cloud RSA_Identity_Router 12.13.0.0

Fixed Issues

Fixed Issue Description
NGX-74406 A customer reported that the hardware token authentications failed on Azure Active Directory. This problem has been fixed.
NGX-74375 Identity router went down after a software update. This problem has been fixed.
NGX-73521 A customer observed the identity router status changed to Distressed status. This problem has been fixed.
NGX-72070 Identity router memory usage is no longer going high.
NGX-71933 A customer reported that the sign-in through Integrated Windows Authentication (IWA) failed when a domain controller was down. This problem has been fixed.
NGX-71773 IWA authentication no longer fails for the Application Portal sign-in.
NGX-70822 A customer reported that the Identity Router showed unhealthy Cloud Authentication Service connections for both the primary and backup IP of the Cloud Authentication Service. This problem has been fixed.
NGX-68830 A customer observed few vulnerabilities being reported after running penetration testing on the SSO portal. This problem has been fixed.
NGX-68042 Cloud Authentication Service and identity router no longer requires anonymous bind to connect and search rootDSE (root of the directory data tree on a directory server). LDAP synchronization will no longer fail in a customer environment that blocks anonymous bind to rootDSE.
NGX-67189 In the Cloud Administration Console, a customer was unable to successfully publish the generated wildcard certificate to the identity router. This problem has been fixed.

For release notes prior to October 2021, see Release Notes Archive - Cloud Authentication Service and Authenticators.