RSA® Release Notes - Cloud Authentication Service and Authenticators

These release notes include product updates and bug fixes.

For additional information, see:

  • SecurID Product Release Notes, a portal to all release notes for the Cloud Authentication Service, Authentication Manager, authentication agents, and authenticators.

  • RSA Link, to access all SecurID product documentation.

May 2023 - Cloud Authentication Service

Customize My Page and Authentication Pages

My Page customizations can now be applied to all authentication prompts and sign-in pages. The customization option is available only for ID Plus E2 and E3 subscriptions.

Download User Import Error Report

When importing users from a CSV file, you might encounter some errors. You can now download and view a detailed error report to fix the errors and try to import your users CSV file again. The "Errors" column describes the errors and how to fix them.

Update and Delete Users with the SCIM API

You can use the SCIM API to manage users for identity sources in the Unified Directory. The SCIM API allows you not only to create users but also to update and delete them.

Add SCIM Managed and Azure Active Directory (SCIM) Identity Sources

Using the Cloud Administration Console, you can now add SCIM managed and Azure Active Directory (SCIM) identity sources. You can use the SCIM API for provisioning and managing users in these identity sources from SCIM clients.

Upcoming End of Primary Support (EOPS) Details

The following table provides a summary view of the RSA products reaching the end of support within the next six months:

| Product | Version | EOPS Date | Extended Support Level 1 / Level 2 |
|---|---|---|---|
| SecurID Authentication Manager (AM) | 8.5 | Jul 2022 | Jul 2023 / No |
| | 8.4 | Dec 2021 | Dec 2022 / Jul 2023 |
| SecurID MFA Agent for Microsoft Windows | 2.0.x | Jul 2023 | No |
| SecurID MFA Agent for macOS | 1.3.x | Jul 2023 | No |
| | 1.2 | Jun 2023 | No |
| SecurID Authenticator for iOS / Android | 4.0 | Jun 2023 | No |

Fixed Issues

The following table lists the issues that have been fixed in this release:

| Fixed Issue | Description |
|---|---|
| NGX-115133 | After successfully logging into My Page, users could not view their assigned authenticators when the access policy was configured with a trusted location condition. The access policy failed due to insufficient location data. |
| NGX-112810 | A customer encountered an issue with publishing after renaming an identity source to the name of a deleted one. |

April 2023 - Cloud Authentication Service

Manage Local Identity Sources

In the Cloud Administration Console, administrators can now add, edit, or delete local identity sources. Administrators can add users to local identity sources through the "Add User" option in the Cloud Administration Console (From Users > Management), CSV file upload, or via the SCIM API.

Import Users via CSV Upload

The Cloud Authentication Service supports importing new local users using CSV file upload. In the Cloud Administration Console, administrators can now upload a CSV file to import new users. This option is only available for local identity sources within the Unified Directory.

Secure Amazon Workspace with My Page Single Sign-On (SSO)

Using My Page single sign-on (SSO), administrators can now secure AWS workspace with identity provider (IdP)-initiated SAML SSO support. In the Cloud Administration Console, you can set the optional “Default Relay State.” If a SAML request message contains dynamic Relay State data, the SAML responder returns its SAML protocol response using a binding that also supports a dynamic Relay State mechanism. If there is no Relay State in an IdP-initiated request, the default Relay State is returned in the SAML response.

Cloud Config API Added for the Epic Hyperdrive

To secure login to the Epic Hyperdrive, a new "cloudconfigs" API has been added. It returns additional cloud configurations related to the Epic Hyperdrive to support multi-factor authentication (MFA) proxy requests from Epic Hyperdrive agents.

Modified Validation Rules for the RADIUS Name and Description

The validation rules of the RADIUS Name and Description fields have been modified to match the configurations used for Authentication Manager. When you add a RADIUS client, the Name field can now contain spaces and dots, and the length of the Description field has been increased to 255 characters.

Enhanced Event Logs and Authentication Tracking

The Cloud Authentication Service now tracks which authentication method(s) a user has used instead of which assurance levels were met to access a protected resource. The Event Monitor logs will now help you to monitor the log events when users are automatically allowed access to an app based on the used authentication methods.

Removal of Ciphers in June 2023

The following table lists the ciphers for incoming and outgoing connections that will be removed or renamed in the Cloud Authentication Service June 2023 release. These ciphers did not work in previous releases, so they are being removed or renamed. If you find these ciphers configured, update (remove or rename) them based on the following table. The cipher update will not affect the environment because other working ciphers were configured.

| Cipher | Connection | Action |
|---|---|---|
| ECDHE-ECDSA-AES256-SHA | Incoming | Removed |
| ECDHE-ECDSA-AES128-SHA256 | Incoming | Removed |
| ECDHE-ECDSA-AES128-SHA | Incoming | Removed |
| ECDHE-ECDSA-AES128-GCM-SHA256 | Incoming | Removed |
| RSA-AES128-GCM-SHA | Outgoing | Removed |
| ECDH-RSA-AES128-GCM-SHA | Outgoing | Removed |
| ECDH-ECDSA-AES128-GCM-SHA | Outgoing | Removed |
| ECDHE-RSA-AES128-GCM-SHA | Outgoing | Removed |
| ECDHE-ECDSA-AES128-GCM-SHA | Outgoing | Removed |
| RSA-AES128-SHA256 | Outgoing | Renamed to AES128-SHA256 |
| RSA-AES128-SHA | Outgoing | Renamed to AES128-SHA |
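
The following is an added example, not RSA code, showing one way to apply the table above to a configured cipher list before the June 2023 release. It assumes the list is an OpenSSL-style colon-separated string; the function name and the sample lists are constructed for illustration.

```python
"""Apply the June 2023 cipher removal/rename table to a configured cipher list.

Assumption (not from the release notes): the list is an OpenSSL-style,
colon-separated string. Names are matched exactly and per direction, because
the table treats incoming and outgoing connections separately.
"""

REMOVE = None  # marker: the cipher is dropped rather than renamed

# (direction, configured name) -> replacement name, or REMOVE.
# Transcribed from the table in the release notes.
CIPHER_ACTIONS = {
    ("incoming", "ECDHE-ECDSA-AES256-SHA"): REMOVE,
    ("incoming", "ECDHE-ECDSA-AES128-SHA256"): REMOVE,
    ("incoming", "ECDHE-ECDSA-AES128-SHA"): REMOVE,
    ("incoming", "ECDHE-ECDSA-AES128-GCM-SHA256"): REMOVE,
    ("outgoing", "RSA-AES128-GCM-SHA"): REMOVE,
    ("outgoing", "ECDH-RSA-AES128-GCM-SHA"): REMOVE,
    ("outgoing", "ECDH-ECDSA-AES128-GCM-SHA"): REMOVE,
    ("outgoing", "ECDHE-RSA-AES128-GCM-SHA"): REMOVE,
    ("outgoing", "ECDHE-ECDSA-AES128-GCM-SHA"): REMOVE,
    ("outgoing", "RSA-AES128-SHA256"): "AES128-SHA256",
    ("outgoing", "RSA-AES128-SHA"): "AES128-SHA",
}

# Constructed sample lists (not taken from any real deployment).
SAMPLE_INCOMING = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES128-SHA"
)
SAMPLE_OUTGOING = (
    "RSA-AES128-SHA256:AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA:"
    "ECDHE-RSA-AES256-GCM-SHA384"
)


def migrate_cipher_list(direction, cipher_list):
    """Return (new_list, changes, warnings) for one connection direction.

    changes  -- list of (old_name, "removed" | "renamed to X") tuples
    warnings -- conditions an administrator should review by hand
    """
    direction = direction.lower()
    if direction not in ("incoming", "outgoing"):
        raise ValueError("direction must be 'incoming' or 'outgoing'")

    kept, changes, warnings = [], [], []
    for raw in cipher_list.split(":"):
        name = raw.strip()
        if not name:
            continue  # tolerate stray or trailing separators
        key = (direction, name)
        if key in CIPHER_ACTIONS:
            replacement = CIPHER_ACTIONS[key]
            if replacement is REMOVE:
                changes.append((name, "removed"))
                continue
            changes.append((name, "renamed to " + replacement))
            name = replacement
        if name in kept:
            # A rename can collide with an entry that is already configured.
            warnings.append("duplicate entry collapsed: " + name)
            continue
        kept.append(name)

    if not kept:
        # The notes expect other working ciphers to remain; flag it if none do.
        warnings.append("no ciphers remain for %s connections" % direction)
    return ":".join(kept), changes, warnings


if __name__ == "__main__":
    for direction, sample in (("incoming", SAMPLE_INCOMING),
                              ("outgoing", SAMPLE_OUTGOING)):
        new_list, changes, warnings = migrate_cipher_list(direction, sample)
        print(direction, "->", new_list)
        for old, action in changes:
            print("  ", old, action)
        for warning in warnings:
            print("   WARNING:", warning)
```
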

RSA Authentication Agent 7.4.6 for Windows Agent

RSA Authentication Agent 7.4.6 includes display message corrections in language packs.

Identity Router Update Schedule and Versions

This release includes miscellaneous identity router improvements. Identity routers will be updated according to the following schedule.

| Date | Description |
|---|---|
| AU: 5/2/2023; EU / IN: 5/4/2023; NA: 5/4/2023; Gov: 5/5/2023 | Updated identity router software is available to all customers. |
| 05/27/2023 | Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually. |
| 06/25/2023 | If you postponed the default date, this is the last day when updates can be performed. |

Note: Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.

The new identity router software versions are:

| Identity Router Deployment Type | Version |
|---|---|
| On-premises | 12.18.1.0 |
| Amazon Cloud | RSA_Identity_Router 12.18.1.0 |

New and Updated Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For Implementation Guides, see SecurID Integrations on the RSA Community.

• CSP Authenticator (update) – updated support for Authentication Manager using RSA MFA API (REST).

• RSA iDRAC (new) – added support for Authentication Manager using RSA MFA API (REST).

• Endace (new) – added support for Authentication Manager using RSA MFA API (REST).

• ForgeRock Access Management (new) – added support for Authentication Manager using RSA MFA API (REST). Support for the Cloud Authentication Service is coming soon.

• HelpSystems FoxT Server Control (update) – updated support for Authentication Manager using RSA MFA API (REST).

• IBM DS8000 (new) - added support for Authentication Manager using RSA MFA API (REST).

• IBM Guardium Data Security (new) - added support for Authentication Manager using RSA MFA API (REST).

Fixed Issues

The following table lists the issues that have been fixed in this release:

| Fixed Issue | Description |
|---|---|
| NGX-114626 | The SAML assertion failed for cloud local users when the NameID was mapped to the "mail" attribute in the relying party configuration. This issue has been fixed. |
| NGX-96146 | A customer had reported that the relationship status of their cross-site cluster went offline and did not recover. Sometimes due to this issue, their newly created users could not authenticate to the WebPortal. This issue has been fixed. |
| NGX-111285 | Accessing RSA Application Portal via thick client displayed a script error. |
| NGX-110954 | After authentication, a customer could not access an application in an iframe. An error occurred while redirecting the customer to the application URL. |
| NGX-110945 | Identity router (IDR) RADIUS service was down for the customers with a self-signed certificate after upgrading the IDR. |
| NGX-108771, NGX-101093 | A couple of security vulnerabilities have been fixed. |

March 2023 - Cloud Authentication Service

Enable or Disable Mobile Lock

RSA Mobile Lock is an optional add-on to the ID Plus service. It can detect certain critical threats to a mobile device where the RSA Authenticator for iOS and Android app is installed and registered to the Cloud Authentication Service. It restricts the user’s ability to authenticate until the threat issue is resolved. Administrators can now enable or disable Mobile Lock in the Cloud Administration Console for customers who requested this enhanced mobile protection. This setting is disabled by default.

Allow Users to Change Passwords

An option to allow users to change their passwords is now available in the Cloud Administration Console. Additionally, administrators can define the password policy requirements they want when users change their passwords. Users can view these password policy details and change their password in the Change Password section on My Page.

UI-Based Creation of Local Users in RSA Unified Directory

In addition to the capability of creating local users through the SCIM API, the Cloud Authentication Service now supports creating users through the user interface (From Users > Management). Users can change the administrator-assigned password on My Page. This feature is currently available in limited release. If you are interested in RSA Unified Directory, contact your RSA Sales Representative.

Optimized “Remember This Browser” Prompt

When the users are authenticated to access a protected resource, they will be prompted to "Remember This Browser" only once during a browser session, irrespective of the selection of the Remember This Browser option.

RSA MFA Agent 2.0 for Epic Hyperdrive - Coming Soon!

RSA® MFA Agent 2.0 for Epic Hyperdrive will support the Cloud Authentication Service. RSA® MFA Agent 2.0 for Epic Hyperdrive will come with a new and intuitive user interface to ensure a streamlined authentication workflow with better accessibility.

New and Updated Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program:

  • Check Point Gateway (update) – updated certification for Radius (Authentication Manager and Cloud Authentication Service) and added certification for SAML (Cloud Authentication Service).

  • Cisco ISE (update) – updated certification for Radius (Authentication Manager and Cloud Authentication Service) and SAML (Cloud Authentication Service).

  • Cisco Nexus (update) – updated certification for Radius (Authentication Manager) and added certification for Radius (Cloud Authentication Service).

  • Fortinet FortiGate (update) – updated certification for Radius (Authentication Manager and Cloud Authentication Service) and new certification for SAML (Cloud Authentication Service).

  • Fortinet FortiManager (new) – new certification for Radius (Authentication Manager and Cloud Authentication Service) and for SAML (Cloud Authentication Service).

  • Palo Alto PANOS10 (update) - updated certification for Radius (Authentication Manager and Cloud Authentication Service), REST (Cloud), and SAML (Cloud Authentication Service).

Fixed Issues

The following table lists the issues that have been fixed in this release:

| Fixed Issue | Description |
|---|---|
| NGX-110152 | A customer encountered an error in Active Directory Federation Services (ADFS) due to failed authentication with the SAML identity provider (IDP). |
| NGX-109470 | An administrator could not unlock the Approve method for a user's re-enrolled mobile device when the Approve method was already locked out. |

February 2023 - Cloud Authentication Service

Add Epic Hyperdrive as a Relying Party

The Cloud Authentication Service can act as the authorization server for the Epic Hyperdrive relying party. In the Cloud Administration Console, from the Authentication Clients > Relying Parties page, administrators can now add the basic information of the Epic Hyperdrive relying party and configure its connection profile.

Fixed Issues

The following table lists the issues that have been fixed in this release:

| Fixed Issue | Description |
|---|---|
| NGX-106516 | A customer was unable to edit or delete a WS Federation application. |
| NGX-105458 | A customer was unable to update a SAML certificate for an application. The following error message was displayed: There was an error with your application setup. Correct the items in red. |

January 2023 - Cloud Authentication Service

Allow Authentication for Embedded Iframe Pages

Multi-factor authentication is now available for web pages or apps embedded in an iframe. To allow authentication for embedded iframe pages, administrators can add sites to the allowed domains list on the Company Settings page, under the Sessions & Authentication tab, in the Content Security section. To make the embedded iframe pages more secure, administrators need to provide HTTPS-based URLs.

Track Usage Information in the Cloud Authentication Service

The Cloud Authentication Service dashboard has been updated with the count of active end users who either have a registered authenticator or who authenticated successfully in the last six months to gain a deeper insight about the actual number of users authorized to use the Cloud Authentication Service. In addition, the “All Users” report has been enhanced with Active User License Used, Registered Credential, Active Users in last 6 months, and Local User columns to better track the actual number of users using the Cloud Authentication Service.

Cloud Authentication Service as Authorization Server for Generic OIDC Relying Party

Cloud Authentication Service can act as the authorization server for a generic OpenID Connect (OIDC) relying party application. Administrators can configure this in the Cloud Administration Console under Authentication Client > Relying Parties.

Step-Up Authentication with QR Code is Available!

The Cloud Authentication Service now supports a new step-up authentication method: QR code. To use this new authentication method, open the Cloud Administration Console, select the Access > Assurance Levels page, and click Add in the required level. Using this authentication method will require downloading SecurID Authenticator app V4.2 for iOS and Android, scheduled for release by the end of January 2023. The multi-factor authentication (MFA) API also supports the QR code authentication method. However, the QR code authentication method does not support RADIUS or any MFA agents. Support for QR code as a primary authentication method will be added in a future release.

Lockout Push Notifications for Authentication Methods

In the Cloud Administration Console, the existing settings controlling authentication method lockout have been extended to cover the Approve and Device Biometrics authentication methods. In accordance with these settings, the Cloud Authentication Service now automatically stops sending push notifications to users who deny a login request a specified number of times. This is to avoid multi-factor authentication (MFA) fatigue attacks.

Local User Support via RSA Unified Directory

Unified Directory is a new user identity store for the RSA Cloud Authentication Service that will enable full Cloud-only deployments in the future. RSA Unified Directory has the ability to create and store local users and their passwords using the open standard System for Cross-domain Identity Management (SCIM) API. Administrators can manage local users from the Cloud Administration Console. Users can manage themselves using the My Page self-service portal. Local user passwords are validated completely within the Cloud Authentication Service. This feature is currently available in limited release. If you are interested in RSA Unified Directory, contact your RSA Sales Representative.

RSA Authenticator 4.2.0 for iOS and Android - Coming Soon!

  • RSA Authenticator v4.2.0 for iOS and Android app enables users to migrate their credentials from the RSA Authenticate app to the RSA Authenticator app. When users first open the RSA Authenticator 4.2 app or register their credentials, they will be prompted to migrate their existing credentials from RSA Authenticate app to RSA Authenticator app.

  • QR code can be used as a step-up authentication method. If this method was enabled by their organizations, users will be able to authenticate to My Page by simply scanning the QR code with their registered Authenticator app.

SecurID Authenticator 5.1 for macOS - Coming Soon!

  • SecurID Authenticator 5.1 for macOS app will be enhanced with standardized terminologies to align and streamline with the other RSA products and the authentication industry.

  • Users will be able to migrate all their software tokens from the existing SecurID Software Token 4.2.3 app to the new SecurID Authenticator 5.1 for macOS. With this migration, users will be able to manage all their credentials within the new macOS Authenticator.

  • Users will be able to set their own device passwords in the SecurID Authenticator 5.1 for macOS to secure the operations performed on AM managed OTP, such as entering a PIN, renaming a software token, or deleting it.

  • SecurID Authenticator 5.1 for macOS app will support macOS Ventura, which was released on October 24, 2022.

Fixed Issues

The following table lists the issues that have been fixed in this release:

| Fixed Issue | Description |
|---|---|
| NGX-102750 | During the configuration of a SAML relying party, an attribute extension of “Constant” type was not saved correctly. This issue has been fixed. |
| NGX-105192 | In the IDP-initiated flows, the value of "subjectNameIdFormat" field was incorrect in the SSO context. This issue has been fixed. |
| NGX-104053 | A customer was prompted to re-authenticate to access a SAML application although My Page session had not expired. This issue has been fixed. |

November 2022 - Cloud Authentication Service

Expand or Collapse Authentication Methods

Administrators can now control the appearance of the web authentication prompt, either keeping it collapsed or expanding it to display other authentication methods. The expanded view gives users easy access to all the available authentication methods. This setting can be controlled from the Company Settings page, under the Sessions & Authentication tab, where administrators can select or clear the "Show more authentication factors by default" check box. By default, this setting is cleared.

Allow Users to Reset Expired Passwords

An option to allow users to reset expired passwords is now available in the Cloud Administration Console. To enable this setting, administrators can edit an identity source and then select the "Allow users to change password" option in the Identity Source Details tab under the SSL/TLS Certificates section. Administrators need to click Publish Changes to use this option in My Page. When a user’s password has expired, the user will be prompted to enter a new password upon logging in to My Page. The new password must meet all the password policy requirements set by the administrator.

Terminology Changes in the Cloud Authentication Service

In the Cloud Authentication Service, the authentication pages have been updated with the new terminology used throughout the other RSA products to ensure consistency and alignment with the authentication industry.

FIDO Authenticator Manufacturer Column in All Synchronized Users Report

The All Synchronized Users report has been enhanced with a column for FIDO Authenticator Manufacturer to enable administrators to know the manufacturer details of the authenticators.

RSA Authentication Manager 8.7 Supports AWS Instance Type Upgrade

RSA Authentication Manager 8.7 customers can now install or upgrade the Amazon Web Services (AWS) EC2 instance from a supported M4 family to an M5 and/or M6i family. We recommend that you contact RSA Customer Support for details on how to upgrade the AWS EC2 instances. The following table contains the list of AWS instances that you can upgrade to.

| M5 Family | M6i Family |
|---|---|
| M5.large | M6i.large |
| M5.xlarge | M6i.xlarge |
| M5.2xlarge | M6i.2xlarge |

Identity Router Update Schedule and Versions

This release includes miscellaneous identity router improvements. Identity routers will be updated according to the following schedule.

| Date | Description |
|---|---|
| GOV: 12/21/2022; AU: 01/3/2023; EU and IN: 01/5/2023; NA: 01/5/2023 | Updated identity router software is available to all customers. |
| 01/21/2023 | Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually. |
| 02/18/2023 | If you postponed the default date, this is the last day when updates can be performed. |

Note: Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.

The new identity router software versions are:

| Identity Router Deployment Type | Version |
|---|---|
| On-premises | 12.17.0.0 |
| Amazon Cloud | RSA_Identity_Router-12.17.0.0 |

Extended End of Primary Support (EOPS) for Mobile SDKs

The End of Primary Support (EOPS) dates for Mobile SDK 2.5 (iOS), Mobile SDK 2.8 (Android), and Mobile SDK 3.1 (Android, iOS) have been extended to December 2023 in order to give customers time to migrate to Mobile SDK 4.0, scheduled for delivery during H1 2023.

SecurID Authenticator 5.1 for macOS - Coming Soon!

  • SecurID Authenticator 5.1 for macOS app will be modified with standardized terminologies to align and streamline with the other RSA products and the authentication industry.

  • Users will be able to migrate all their software tokens from the existing SecurID Software Token 4.2.3 app to the new SecurID Authenticator 5.1 for macOS. With this migration, users will be able to manage all their credentials within the new macOS Authenticator.

  • Users will be able to set their own device passwords in the SecurID Authenticator 5.1 for macOS to secure the operations performed on AM managed OTP, such as entering a PIN, renaming a software token, or deleting it.

  • SecurID Authenticator 5.1 for macOS app will support macOS Ventura, which was released on October 24, 2022.

SecurID Authenticator 6.1.2 for Windows - Coming Soon!

SecurID Authenticator 6.1.2 for Windows will be released soon. This new version resolves some bugs from the previous version, and it supports eight languages: French, German, Italian, Japanese, Korean, Portuguese, Simplified Chinese, and Spanish.

New and Updated Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For Implementation Guides, see SecurID Integrations on RSA Community.

  • Citrix Cloud (new, Cloud Authentication Service) – a cloud management platform that allows organizations to deploy cloud-hosted desktops and apps to end users, support for authentication method type SAML via Cloud SSO and Relying Party.

  • Endace EndaceProbe (new, Authentication Manager) – always on, continuous packet capture, support for authentication method type REST API with Authentication Manager.

  • PingOne DaVinci (new, Cloud Authentication Service) – orchestration service for delivering seamless identity experiences, support for REST API with Cloud Authentication Service.

If you are using an integration that is not listed on RSA Community, contact the RSA Ready Program Manager, Michael.wolff@rsa.com.

Fixed Issues

The following table lists the issues that have been fixed in this release:

| Fixed Issue | Description |
|---|---|
| NGX-102130 | A customer was unable to update the users’ phone numbers using the Cloud Administration Update SMS and Voice Phone API. A 400 error was returned. This issue has been fixed. |
| NGX-101368 | In the Cloud Administration Console, a customer was unable to update the users’ phone numbers and received a warning message that the phone numbers cannot be confirmed as valid. This warning message was incorrectly displayed; it was shown even though the updated phone numbers were valid. This issue has been fixed. |
| NGX-100523 | In the Cloud Administration Console, the “All Synchronized Users” report took several hours to generate and then eventually displayed the following error message: A system error occurred. The administrator could neither cancel the current report nor generate a new one. |
| NGX-99033 | The email notification message sent to users after registering an authenticator included an invalid help link. |
| NGX-97963 | After opening the FIDO Authentication page in the Cloud Administration Console, the publish status was “Changes pending” although no changes were performed. |

October 2022 - Cloud Authentication Service

RSA Authenticate App for Android Version 3.9.1 – Coming Soon!

By the 1st of November, RSA Authenticate app for Android version 3.9.1 will be released. This new updated version is a maintenance release that addresses some minor issues.

Third-Party Integrations from RSA Ready

If you are using an integration that is not listed on RSA Community, contact the RSA Ready Program Manager, Michael.wolff@rsa.com.

Fixed Issues

The following table lists the issues that have been fixed in this release:

| Fixed Issue | Description |
|---|---|
| NGX-98035 | A customer encountered an issue with editing the configuration settings of My Page. This issue happened to customers who had the license to customize portal and email. The following error message was displayed: An error occurred while saving the configuration. This issue has been fixed, and the customer can now edit the configuration settings. |
| NGX-99202 | A customer was unable to edit or delete a SAML application from the Cloud Administration Console. This issue occurred due to marking an application as Cloud although it is deployed to IDR. |

September 2022 - Cloud Authentication Service

DS100 Next Generation Hardware Authenticator Availability

The DS100 is a cloud-managed, multi-functional hardware authenticator that supports SecurID one-time password (OTP) and passwordless FIDO2 authentication. With dynamic seeding and self-registration, administrators can secure users as they transition from SecurID OTP to FIDO2 without changing their authenticator. The DS100 authenticator supports OTP generation when unplugged from a device to support high security environments without USB connectivity.

Cloud Administration Generate and Download Reports APIs

Administrators can now use secure APIs to generate and download the available reports in the Cloud Authentication Service Administration Console.

SecurID Authenticator 4.1.5 for iOS and Android - Coming Soon!

  • SecurID apps and their related software development kits (SDKs) will support iOS 16 and Android 13.

  • In iOS devices, users will be able to approve or deny the sign-in requests before the Face ID authentication is completed.

  • Users will be able to share information logs and binding IDs not only via the default email client, but also via any of the installed apps on their devices.

  • Users will be able to approve the push notifications received from the SecurID Authenticator app on their Android watches.

Third-Party Integrations from RSA Ready

If you are using an integration that is not listed on RSA Community, contact the RSA Ready Program Manager, Michael.wolff@rsa.com.

Fixed Issues

The following table lists the issues that have been fixed in this release:

| Fixed Issue | Description |
|---|---|
| NGX-91477 | Using the SecurID Authenticator app on iOS devices, users could not register their device to the Cloud Authentication Service if their email addresses contain an apostrophe before the @ symbol (e.g., o'neal@example.com). Users can now use an apostrophe and some additional characters in their email addresses. |
| NGX-92339 | Using the SecurID Authenticator app on Android devices, users could not register their device to the Cloud Authentication Service if their email addresses contain an apostrophe before the @ symbol (e.g., o'neal@example.com). Users can now use an apostrophe and some additional characters in their email addresses. |
| NGX-97267 | In the August release, the entity ID was incorrect, and it was replaced with the following instead: https://<customersubdomain>/sso/saml/<guid of specific application> |
| NGX-97488 | A customer was unable to download the SAML request signing certificate for an Identity Provider (IdP) and received the following error message: Error downloading certificate. |

August 2022 - Cloud Authentication Service

App Name and App Version Columns in All Synchronized Users Report

The "All Synchronized Users" report has been enhanced by adding App Name and App Version columns for all the admin roles to track which Software Authenticator application, either "SecurID Authenticator" or "RSA Authenticate App", each user is currently using.

Standardized Product Terminologies

The pages of the Cloud Administration Console and My Page self-service portal Authenticator management have been modified with standardized product terminologies and icons to align with the other SecurID products and the authentication industry.

Note: The login pages of My Page will be updated in a future release.

The following table lists the most important old and new terms:

| Old Term | New Term |
|---|---|
| Company ID | Organization ID |
| Account | Credential |
| Token | Based on the usage, the term has been replaced by one of the following terms: Credential or OTP credential (Generic description); SecurID OTP credential (Full description); SecurID software OTP credential (Full description for software); SecurID hardware OTP credential (Full description for hardware) |
| Software Token | Based on the usage, the term has been replaced by one of the following terms: SecurID software OTP credential (Complete description); SecurID OTP credential (When already in the context of software credentials); Software OTP credential (General category description) |
| View Tokencode | Based on the usage, the term has been replaced by one of the following terms: View SecurID OTP; View Authenticate OTP |
| Authenticate Tokencode | Authenticate OTP |
| Emergency Tokencode | Emergency Access Code |
| SMS Tokencode | SMS OTP |
| Voice Tokencode | Voice OTP |

Automatic Deletion of Users from Cloud Authentication Service Based on User Changes in the Identity Source

Users who have a registered software or hardware authenticator in the Cloud Authentication Service, but have not synced in the last 30 days, will be automatically Just In Time (JIT) synced from the directory server. JIT will disable the users who are out of the scope of the identity source or disabled in the directory server. Users will be marked for deletion 90 days after being disabled by auto-sync. Then, they will be deleted seven days after being marked for deletion.

Users are checked in the Identity Source to verify that they still meet the following conditions:

  • User is present in the Identity Source

  • User is active

  • User is in scope to be synchronized to the Cloud Authentication Service

If these three conditions are not all true, then the user is marked for automatic deletion in the Cloud Authentication Service.

Metadata Service Version 3 in SecurID FIDO Implementation

Metadata Service (MDS) is a centralized web repository of the Metadata Statement. The service was upgraded by the FIDO Alliance as a replacement to the deprecated MDS2. SecurID FIDO implementation upgraded the MDS2 to MDS3 to better work through the security notifications to ensure effective incident response.

Third-Party Integrations from RSA Ready

If you are using an integration that is not listed on SecurID Community, contact the RSA Ready Program Manager, Michael.wolff@rsa.com.

Fixed Issues

The following table lists the issues that have been fixed in this release:

Fixed Issue | Description
NGX-94453 | When the msDS-PrincipalName (domain\username format) attribute was used as the alternate username, Just In Time sync could not onboard new users to the Cloud Authentication Service.
NGX-94868 | For My Page, users received an Access Denied error when the Trusted Location attribute was used in the access policy to protect access.
NGX-95254 | Applying a custom domain name to the OIDC for Azure AD configuration did not work because of the Microsoft Azure requirement to register an allow list for redirect URLs.

Known Issues

The following table lists the known issue in this release.

Known Issue | Description
NGX-97371 | For some of the newly provisioned customers who have never opened and saved the My Account > Company Settings > Company Information page, their QR code device enrollment screens display 'company' and the QR code registration for their users fails. Workaround: An administrator can open the My Account > Company Settings > Company Information page and click Save Settings.

July 2022 - Cloud Authentication Service

Periodic User Refresh Process

To keep the user repository of the Cloud Authentication Service in sync with the underlying directory server, a periodic user refresh process has been implemented. This will refresh the users who have not been authenticated or synchronized to the cloud recently.

Distinguished Name Column in All Synchronized Users Report

The All Synchronized Users report has been enhanced with a column for Distinguished Name to enable organizations with a large and distributed userbase to identify their users.

SecurID Authenticator 6.1 for Windows - Coming Soon!

SecurID Authenticator for Windows is a single authentication app on Windows that supports both the SecurID Authentication Manager (AM) One Time Password (OTP) credentials and ID Plus cloud-based OTP credentials and push authentication to manage all your authentication needs. SecurID Authenticator 6.1 for Windows will be released soon with RSA DS100 Hardware Authenticator management, including OTP credential registration and firmware upgrade. It can perform FIDO management on the DS100 and third-party FIDO Security Keys.

Third-Party Integrations from RSA Ready

If you are using an integration that is not listed on SecurID Community, contact the RSA Ready Program Manager, Michael.wolff@rsa.com.

Fixed Issues

The following table lists the issues that have been fixed in this release.

Fixed Issue | Description
NGX-89553 | The following error banner was displayed on the Connection Profile page of the IDR SAML application: "There was an error with your application setup. Correct the items in red." However, none of the fields were highlighted in red. This issue occurred when an expired certificate was used in the Encrypt Assertion section and the Encrypt Assertion check box was disabled.
NGX-90985 | When users accessed a relying party and performed mobile authentication on the same device, authentication failed intermittently.
NGX-93473 | The Organization ID did not show any value during device registration on My Page until the Company Settings page was edited.

June 2022 - Cloud Authentication Service

New Cloud-Based My Page Portal with Single Sign-On Experience is Available

A fully redesigned cloud-based My Page portal with a reliable and highly available single sign-on experience is now available. It lets users manage their authenticators through self-service in the My Authenticators tab and gives them single sign-on (SSO) access to their protected applications in the My Applications tab. It provides a unified on-site and off-site user-friendly experience that is rebrandable, customizable, and accessible.

  • Existing customers with the HTTP Federation Proxy, Trusted Headers, NTLM, and Bookmark applications deployed on Identity Router based portal can easily migrate to the cloud-based portal.

    • SAML applications need to be created again in the cloud-based portal if you migrate from Identity Router based portal.

    • WS Federation applications are not supported in the cloud-based portal.

    • Identity Router based portal cannot be enabled going forward. This does not impact the customers who are already using the Identity Router based portal.

  • Administrators can now customize and configure a domain name (CNAME). This is supported for HTTP Federation Proxy, Trusted Headers, NTLM, SAML, and Bookmark applications.

  • The user interface text and labels have been standardized to align with other SecurID products.

  • Users can sign in to the portal once and access multiple authorized applications, including cloud and on-premise applications, SAML-enabled and non-SAML enabled applications.

  • The My Page portal now supports the Italian language.

Enable or Disable Agent Inventory Report

To allow customers to control the information that is tracked in the Cloud Authentication Service, the agent data collection can now be enabled or disabled. The default for this setting is 'disabled'.

Cleaning Up of Unused User Records

To increase the efficiency of the Cloud Authentication Service, a clean-up process has been implemented to remove the data for users who have never used the Cloud Authentication Service. This includes identifying the users who have not used Cloud Authentication Service for at least 30 days after their user records were initially created in the Cloud Authentication Service, disabling and marking them for deletion, and deleting their data. The Cloud Authentication Service automatically deletes all users who have been Pending Deletion for seven days. The deleted user records can be added back if the users want to use the Cloud Authentication Service.

SecurID Authenticator 6.0 for Windows - Coming Soon!

A single authentication app on Windows that supports both SecurID Software Token and cloud-based multifactor authentication to manage all your authentication needs. Be it on-premises, cloud, or hybrid infrastructure, you will have one single application to manage authentications effectively. By adding support for cloud MFA for Windows users, the new authenticator helps move your authentication to the cloud with continued support for software tokens. Existing software token users can easily migrate to the SecurID Authenticator 6.0 by simply re-importing their tokens.

Authentication Agent 1.0 for Epic Hyperdrive - Coming Soon!

Epic is moving its current primary end user application, 'Hyperspace', to a web-based framework, 'Hyperdrive'. RSA will release a new authentication agent to secure the new Epic Hyperdrive login and workflows.

New and Updated Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by SecurID through the RSA Ready Technology Partner Program. For Implementation Guides, see SecurID Integrations on the SecurID Community.

  • Microsoft OWA 2013 (update, Cloud Authentication Service) – updated support for the HTTP Federation method type.

  • Prove (update, AuthMgr) – updated support for OTP via SMS.

  • Radiant Logic RadiantOne (update, AuthMgr) – updated support for REST method.

Contact SecurID Partner Engineering for questions and integration support, rsapesupport@securid.com.

Fixed Issues

The following table lists the issues that have been fixed in this release.

Fixed Issue | Description
NGX-90059 | Customer was unable to edit access policies when the MFA license flag was turned off.
NGX-90040 | Errors occurred during post tenant moveall ALA monitoring.
NGX-88921 | Customer could not save identity source attributes.

For release notes prior to June 2022, see Release Notes Archive - Cloud Authentication Service and Authenticators.