SecurID® Release Notes - Cloud Authentication Service and Authenticators

These release notes include product updates and bug fixes.

For additional information, see:

  • SecurID Product Release Notes, a portal to all release notes for the Cloud Authentication Service, Authentication Manager, authentication agents, and authenticators.

  • RSA Link, to access all SecurID product documentation.

March 2023 - Cloud Authentication Service

Enable or Disable Mobile Lock

RSA Mobile Lock is an optional add-on to the ID Plus service. It can detect certain critical threats to a mobile device where RSA Authenticator for iOS and Android app is installed and registered to the Cloud Authentication Service. It restricts the user’s ability to authenticate until the threat issue is resolved. Administrators can now enable or disable Mobile Lock in the Cloud Administration Console for customers who requested for this enhanced mobile protection. This setting is disabled by default.

Allow Users to Change Passwords

An option to allow users to change their passwords is now available in the Cloud Administration Console. Additionally, administrators can define the password policy requirements they want when users change their passwords. Users can view these password policy details and change their password in the Change Password section on My Page.

UI-Based Creation of Local Users in RSA Unified Directory

In addition to the capability of creating local users through the SCIM API, the Cloud Authentication Service now supports creating users through the user interface (From Users > Management). Users can change the administrator-assigned password on My Page. This feature is currently available in limited release. If you are interested in RSA Unified Directory, contact your RSA Sales Representative.

Optimized “Remember This Browser” Prompt

When the users are authenticated to access a protected resource, they will be prompted to "Remember This Browser" only once during a browser session, irrespective of the selection of the Remember This Browser option.

RSA MFA Agent 2.0 for Epic Hyperdrive - Coming Soon!

RSA® MFA Agent 2.0 for Epic Hyperdrive will support the Cloud Authentication Service. RSA® MFA Agent 2.0 for Epic Hyperdrive will come with a new and intuitive user interface to ensure a streamlined authentication workflow with better accessibility.

New and Updated Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program:

  • Check Point Gateway (update) – updated certification for Radius (Authentication Manager and Cloud Authentication Service) and added certification for SAML (Cloud Authentication Service).

  • Cisco ISE (update) – updated certification for Radius (Authentication Manager and Cloud Authentication Service) and SAML (Cloud Authentication Service).

  • Cisco Nexus (update) – updated certification for Radius (Authentication Manager) and added certification for Radius (Cloud Authentication Service).

  • Fortinet FortiGate (update) – updated certification for Radius (Authentication Manager and Cloud Authentication Service) and new certification for SAML (Cloud Authentication Service).

  • Fortinet FortiManager (new) – new certification for Radius (Authentication Manager and Cloud Authentication Service) and for SAML (Cloud Authentication Service).

  • Palo Alto PANOS10 (update) - updated certification for Radius (Authentication Manager and Cloud Authentication Service), REST (Cloud), and SAML (Cloud Authentication Service).

Fixed Issues

The following table lists the issues that have been fixed in this release:

Fixed Issue Description
NGX-110152 A customer encountered an error in Active Directory Federation Services (ADFS) due to failed authentication with the SAML identity provider (IDP).
NGX-109470 An administrator could not unlock the Approve method for a user's re-enrolled mobile device when the Approve method was already locked out.

February 2023 - Cloud Authentication Service

Add Epic Hyperdrive as a Relying Party

The Cloud Authentication Service can act as the authorization server for the Epic Hyperdrive relying party. In the Cloud Administration Console, from the Authentication Clients > Relying Parties page, administrators can now add the basic information of the Epic Hyperdrive relying party and configure its connection profile.

Fixed Issues

The following table lists the issues that have been fixed in this release:

Fixed Issue Description
NGX-106516 A customer was unable to edit or delete a WS Federation application.
NGX-105458 A customer was unable to update a SAML certificate for an application. The following error message was displayed: There was an error with your application setup. Correct the items in red.

January 2023 - Cloud Authentication Service

Allow Authentication for Embedded Iframe Pages

Multi-factor authentication is now available for the web pages or apps embedded in an iframe. To allow authentication for embedded iframe pages, administrators can add sites to the allowed domains list on the Company Settings page, under Sessions & Authentication tab, in the Content Security section. To make the embedded iframe pages more secure, administrators need to provide HTTPs based URLs.

Track Usage Information in the Cloud Authentication Service

The Cloud Authentication Service dashboard has been updated with the count of active end users who either have a registered authenticator or who authenticated successfully in the last six months to gain a deeper insight about the actual number of users authorized to use the Cloud Authentication Service. In addition, the “All Users” report has been enhanced with Active User License Used, Registered Credential, Active Users in last 6 months, and Local User columns to better track the actual number of users using the Cloud Authentication Service.

Cloud Authentication Service as Authorization Server for Generic OIDC Relying Party

Cloud Authentication Service can act as the authorization server for a generic OpenID Connect (OIDC) relying party application. Administrators can configure this in the Cloud Administration Console under Authentication Client > Relying Parties.

Step-Up Authentication with QR Code is Available!

The Cloud Authentication Service now supports a new step-up authentication method: QR code. To use this new authentication method, open the Cloud Administration Console, select Access > Assurance Levels page, and click Add in the required level. Using this authentication method will require downloading SecurID Authenticator app V4.2 for iOS and Android, scheduled for release by end January 2023. Multi-factor authentication (MFA) API also supports QR code authentication method. However, QR code authentication method does not support RADIUS or a any MFA agents. Support for QR code as a primary authentication method will be added in a future release.

Lockout Push Notifications for Authentication Methods

In the Cloud Administration Console, the existing settings controlling authentication method lockout have been extended to cover Approve and Device Biometrics authentication methods. In accordance with these settings, the Cloud Authentication Service now automatically stops sending push notifications to users who deny a login request for a specified number of times. This is to avoid multi-factor authentication (MFA) fatigue attack.

Local User Support via RSA Unified Directory

Unified Directory is a new user identity store for the RSA Cloud Authentication Service that will enable full Cloud-only deployments in the future. RSA Unified Directory has the ability to create and store local users and their passwords using the open standard System for Cross-domain Identity Management (SCIM) API. Administrators can manage local users from the Cloud Administration Console. Users can manage themselves using the My Page self-service portal. Local user passwords are validated completely within the Cloud Authentication Service. This feature is currently available in limited release. If you are interested in RSA Unified Directory, contact your RSA Sales Representative.

RSA Authenticator 4.2.0 for iOS and Android - Coming Soon!

  • RSA Authenticator v4.2.0 for iOS and Android app enables users to migrate their credentials from the RSA Authenticate app to the RSA Authenticator app. When users first open the RSA Authenticator 4.2 app or register their credentials, they will be prompted to migrate their existing credentials from RSA Authenticate app to RSA Authenticator app.

  • QR code can be used as a step-up authentication method. If this method was enabled by their organizations, users will be able to authenticate to My Page by simply scanning the QR code with their registered Authenticator app.

SecurID Authenticator 5.1 for macOS - Coming Soon!

  • SecurID Authenticator 5.1 for macOS app will be enhanced with standardized terminologies to align and streamline with the other RSA products and the authentication industry.

  • Users will be able to migrate all their software tokens from the existing SecurID Software Token 4.2.3 app to the new SecurID Authenticator 5.1 for macOS. With this migration, users will be able to manage all their credentials within the new macOS Authenticator.

  • Users will be able to set their own device passwords in the SecurID Authenticator 5.1 for macOS to secure the operations performed on AM managed OTP, such as entering a PIN, renaming a software token, or deleting it.

  • SecurID Authenticator 5.1 for macOS app will support macOS Ventura, which was released on October 24, 2022.

Fixed Issues

The following table lists the issues that have been fixed in this release:

Fixed Issue Description
NGX-102750 During the configuration of a SAML relying party, an attribute extension of “Constant” type was not saved correctly. This issue has been fixed.
NGX-105192 In the IDP-initiated flows, the value of "subjectNameIdFormat" field was incorrect in the SSO context. This issue has been fixed.
NGX-104053 A customer was prompted to re-authenticate to access a SAML application although My Page session had not expired. This issue has been fixed.

November 2022 - Cloud Authentication Service

Expand or Collapse Authentication Methods

Administrators can now control the appearance of the web authentication prompt, either keeping it collapsed, or expanding the prompt to display other authentication methods. The expanded view provides users easy access to all the available authentication methods. This setting can be controlled from the Company Settings page, under Sessions & Authentication tab, where administrators can select or clear Show more authentication factors by default check box. By default, this setting is cleared.

Allow Users to Reset Expired Passwords

An option to allow users to reset the expired passwords is now available in the Cloud Administration Console. To enable this setting, administrators can edit an identity source and then select Allow users to change password option in the Identity Source Details tab under SSL/TLS Certificates section. The administrators need to click Publish Changes to use this option in My Page. When a user’s password is expired, the user will be prompted to enter a new password upon logging to My Page. The new password must meet all the password policy requirements set by the administrator.

Terminology Changes in the Cloud Authentication Service

In the Cloud Authentication Service, the authentication pages have been updated with the new terminology used throughout the other RSA products to ensure consistency and alignment with the authentication industry.

FIDO Authenticator Manufacturer Column in All Synchronized Users Report

The All Synchronized Users report has been enhanced with a column for FIDO Authenticator Manufacturer to enable administrators to know the manufacturer details of the authenticators.

RSA Authentication Manager 8.7 Supports AWS Instance Type Upgrade

RSA Authentication Manager 8.7 customers can now install or upgrade the Amazon Web Services (AWS) EC2 instance from a supported M4 family to an M5 and/or M6i family. We recommend that you contact RSA Customer Support for details on how to upgrade the AWS EC2 instances. The following table contains the list of AWS instances that you can upgrade to.

M5 Family M6i Family
M5.large M6i.large
M5.xlarge M6i.xlarge
M5.2xlarge M6i.2xlarge

Identity Router Update Schedule and Versions

This release includes miscellaneous identity router improvements. Identity routers will be updated according to the following schedule.

Date Description


GOV: 12/21/2022

AU: 01/3/2023

EU and IN: 01/5/2023

NA: 01/5/2023

Updated identity router software is available to all customers.
01/21/2023 Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually.
02/18/2023

If you postponed the default date, this is the last day when updates can be performed.

Note: Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.

The new identity router software versions are:

Identity Router
Deployment Type

Version
On-premises 12.17.0.0
Amazon Cloud RSA_Identity_Router-12.17.0.0

Extended End of Primary Support (EOPS) for Mobile SDKs

The End of Primary Support (EOPS) dates for Mobile SDK 2.5 (iOS), Mobile SDK 2.8 (Android), and Mobile SDK 3.1 (Android, iOS) have been extended to December 2023 in order to give customers time to migrate to Mobile SDK 4.0, scheduled for delivery during H1 2023.

SecurID Authenticator 5.1 for macOS - Coming Soon!

  • SecurID Authenticator 5.1 for macOS app will be modified with standardized terminologies to align and streamline with the other RSA products and the authentication industry.

  • Users will be able to migrate all their software tokens from the existing SecurID Software Token 4.2.3 app to the new SecurID Authenticator 5.1 for macOS. With this migration, users will be able to manage all their credentials within the new macOS Authenticator.

  • Users will be able to set their own device passwords in the SecurID Authenticator 5.1 for macOS to secure the operations performed on AM managed OTP, such as entering a PIN, renaming a software token, or deleting it.

  • SecurID Authenticator 5.1 for macOS app will support macOS Ventura, which was released on October 24, 2022.

SecurID Authenticator 6.1.2 for Windows - Coming Soon!

SecurID Authenticator 6.1.2 for Windows will be released soon. This new version resolves some bugs from the previous version, and it supports eight languages: French, German, Italian, Japanese, Korean, Portuguese, Simplified Chinese, and Spanish.

New and Updated Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For Implementation Guides, see SecurID Integrations on RSA Community.

  • Citrix Cloud (new, Cloud Authentication Service) – a cloud management platform that allows organizations to deploy cloud-hosted desktops and apps to end users, support for authentication method type SAML via Cloud SSO and Relying Party.

  • Endace EndaceProbe (new, Authentication Manager) – always on, continuous packet capture, support for authentication method type REST API with Authentication Manager.

  • PingOne DaVinci (new, Cloud Authentication Service) – orchestration service for delivering seamless identity experiences, support for REST API with Cloud Authentication Service.

If you are using an integration that is not listed on RSA Community, contact the RSA Ready Program Manager, Michael.wolff@rsa.com.

Fixed Issues

The following table lists the issues that have been fixed in this release:

Fixed Issue Description
NGX-102130 A customer was unable to update the users’ phone numbers using the Cloud Administration Update SMS and Voice Phone API. A 400 error was returned. This issue has been fixed.
NGX-101368 In the Cloud Administration Console, a customer was unable to update the users’ phone numbers and received a warning message that the phone numbers cannot be confirmed as valid. This warning message was incorrectly displayed; it was shown even though the updated phone numbers were valid. This issue has been fixed.
NGX-100523 In the Cloud Administration Console, the “All Synchronized Users” report took several hours to generate and then eventually displayed the following error message: A system error occurred. The administrator could neither cancel the current report nor generate a new one.
NGX-99033 The email notification message sent to users after registering an authenticator included an invalid help link.
NGX-97963 After opening the FIDO Authentication page in the Cloud Administration Console, the publish status was “Changes pending” although no changes were performed.


October 2022 - Cloud Authentication Service

RSA Authenticate App for Android Version 3.9.1 – Coming Soon!

By the 1st of November, RSA Authenticate app for Android version 3.9.1 will be released. This new updated version is a maintenance release that addresses some minor issues.

Third-Party Integrations from RSA Ready

If you are using an integration that is not listed on RSA Community, contact the RSA Ready Program Manager, Michael.wolff@rsa.com.

Fixed Issues

The following table lists the issues that have been fixed in this release:

Fixed Issue Description
NGX-98035 A customer encountered an issue with editing the configuration settings of My Page. This issue happened to customers who had the license to customize portal and email. The following error message was displayed: An error occurred while saving the configuration. This issue has been fixed, and the customer can now edit the configuration settings.
NGX-99202 A customer was unable to edit or delete a SAML application from the Cloud Administration Console. This issue occurred due to marking an application as Cloud although it is deployed to IDR.

September 2022 - Cloud Authentication Service

DS100 Next Generation Hardware Authenticator Availability

The DS100 is a cloud-managed, multi-functional hardware authenticator that supports SecurID one-time password (OTP) and passwordless FIDO2 authentication. With dynamic seeding and self-registration, administrators can secure users as they transition from SecurID OTP to FIDO2 without changing their authenticator. The DS100 authenticator supports OTP generation when unplugged from a device to support high security environments without USB connectivity.

Cloud Administration Generate and Download Reports APIs

Administrators can now use secure APIs to generate and download the available reports in the Cloud Authentication Service Administration Console.

SecurID Authenticator 4.1.5 for iOS and Android - Coming Soon!

  • SecurID apps and their related software development kits (SDKs) will support iOS 16 and Android 13.

  • In iOS devices, users will be able to approve or deny the sign-in requests before the Face ID authentication is completed.

  • Users will be able to share information logs and binding IDs not only via the default email client, but also via any of the installed apps on their devices.

  • Users will be able to approve the push notifications received from the SecurID Authenticator app on their Android watches.

Third-Party Integrations from RSA Ready

If you are using an integration that is not listed on RSA Community, contact the RSA Ready Program Manager, Michael.wolff@rsa.com.

Fixed Issues

The following table lists the issues that have been fixed in this release:

Fixed Issue Description
NGX-91477 Using the SecurID Authenticator app on iOS devices, users could not register their device to the Cloud Authentication Service if their email addresses contain an apostrophe before the @ symbol (e.g., o'neal@example.com). Users can now use an apostrophe and some additional characters in their email addresses.
NGX-92339 Using the SecurID Authenticator app on Android devices, users could not register their device to the Cloud Authentication Service if their email addresses contain an apostrophe before the @ symbol (e.g., o'neal@example.com). Users can now use an apostrophe and some additional characters in their email addresses.
NGX-97267

In August release, the entity ID was incorrect, and it was replaced with the following instead: https://<customersubdomain>/sso/saml/<guid of specific application>

NGX-97488 A customer was unable to download the SAML request signing certificate for an Identity Provider (IdP)and received the following error message: Error downloading certificate.


August 2022 - Cloud Authentication Service

App Name and App Version Columns in All Synchronized Users Report

The "All Synchronized Users" report has been enhanced by adding App Name and App Version columns for all the admin roles to track which Software Authenticator application, either "SecurID Authenticator" or "RSA Authenticate App", each user is currently using.

Standardized Product Terminologies

The pages of the Cloud Administration Console and My Page self-service portal Authenticator management have been modified with standardized product terminologies and icons to align with the other SecurID products and the authentication industry.

Note: The login pages of My Page will be updated in a future release.

The following table lists the most important old and new terms:

Old Term New Term
Company ID Organization ID
Account Credential
Token

Based on the usage, the term has been replaced by one of the following terms:

  • Credential or OTP credential (Generic description)

  • SecurID OTP credential (Full description)

  • SecurID software OTP credential (Full description for software)

  • SecurID hardware OTP credential (Full description for hardware)

Software Token

Based on the usage, the term has been replaced by one of the following terms:

  • SecurID software OTP credential (Complete description)

  • SecurID OTP credential (When already in the context of software credentials)

  • Software OTP credential (General category description)

View Tokencode

Based on the usage, the term has been replaced by one of the following terms:

  • View SecurID OTP

  • View Authenticate OTP

Authenticate Tokencode Authenticate OTP
Emergency Tokencode Emergency Access Code
SMS Tokencode SMS OTP
Voice Tokencode Voice OTP

Automatic Deletion of Users from Cloud Authentication Service Based on User Changes in the Identity Source

Users who have a registered software or hardware authenticator in the Cloud Authentication Service, but have not synced in the last 30 days, will be automatically Just In Time (JIT) synced from the directory server. JIT will disable the users who are out of the scope of the identity source or disabled in the directory server. Users will be marked for deletion 90 days after being disabled by auto-sync. Then, they will be deleted seven days after being marked for deletion.

Users are checked in the Identity Source to verify that they still meet the following conditions:

  • User is present in the Identity Source

  • User is active

  • User is in scope to be synchronized to the Cloud Authentication Service

If all the three conditions are not true, then the user is marked for automatic deletion in the Cloud Authentication Service.

Metadata Service Version 3 in SecurID FIDO Implementation

Metadata Service (MDS) is a centralized web repository of the Metadata Statement. The service was upgraded by the FIDO Alliance as a replacement to the deprecated MDS2. SecurID FIDO implementation upgraded the MDS2 to MDS3 to better work through the security notifications to ensure effective incident response.

Third-Party Integrations from RSA Ready

If you are using an integration that is not listed on SecurID Community, contact the RSA Ready Program Manager, Michael.wolff@rsa.com.

Fixed Issues

The following table lists the issues that have been fixed in this release:

Fixed Issue Description
NGX-94453 When the msDS-PrincipalName (domain\username format) attribute was used as the alternate username, Just In Time sync could not onboard new users to the Cloud Authentication Service.
NGX-94868 For My Page, the users received Access Denied error while using the Trusted Location attribute in the access policy to protect the access.
NGX-95254 Applying Custom Domain Name for OIDC for Azure AD configuration did not work due to the limitation of Microsoft Azure requirement of registering allow list for redirect URLs.

Known Issues

The following table lists the known issue in this release.

Known Issue Description
NGX-97371

For some of the newly provisioned customers who have never opened and saved the My Account > Company Settings > Company Information page, their QR code device enrollment screens display 'company' and the QR code registration for their users fails.

Workaround

Administrator can open the My Account > Company Settings > Company Information page and click Save Settings.

July 2022 - Cloud Authentication Service

Periodic User Refresh Process

To keep the user repository of the Cloud Authentication Service in sync with the underlying directory server, a periodic user refresh process has been implemented. This will refresh the users who have not been authenticated or synchronized to the cloud recently.

Distinguished Name Column in All Synchronized Users Report

The All Synchronized Users report has been enhanced with a column for Distinguished Name to enable organizations with a large and distributed userbase to identify their users.

SecurID Authenticator 6.1 for Windows - Coming Soon!

SecurID Authenticator for Windows is a single authentication app on Windows that supports both the SecurID Authentication Manager (AM) One Time Password (OTP) credentials and ID Plus cloud-based OTP credentials and push authentication to manage all your authentication needs. SecurID Authenticator 6.1 for Windows will be released soon with RSA DS100 Hardware Authenticator management, including OTP credential registration and firmware upgrade. It can perform FIDO management on the DS100 and third-party FIDO Security Keys.

Third-Party Integrations from RSA Ready

If you are using an integration that is not listed on SecurID Community, contact the RSA Ready Program Manager, Michael.wolff@rsa.com.

Fixed Issues

The following table lists the issues that have been fixed in this release.

Fixed Issue Description
NGX-89553 The following error banner was displayed on the Connection Profile page of the IDR SAML application. "There was an error with your application setup. Correct the items in red". However, none of the fields were highlighted in red. This issue occurred when an expired certificate was used in the Encrypt Assertion section and the Encrypt Assertion check box was disabled.
NGX-90985 When users accessed relying party and performed mobile authentication on the same device, authentication failed intermittently.
NGX-93473 Organization ID was not showing any value during the device registration on My Page until Company Settings page was edited.

June 2022 - Cloud Authentication Service

New Cloud-Based My Page Portal with Single Sign-On Experience is Available

A fully redesigned cloud-based My Page portal with a reliable and highly available single sign-on experience is now available. This allows users to manage the self-service of their authenticators in the My Authenticators tab and single sign-on (SSO) access to their protected applications in the My Applications tab. It provides a unified on-site and off-site user-friendly experience that is rebrandable, customizable , and accessible.

  • Existing customers with the HTTP Federation Proxy, Trusted Headers, NTLM, and Bookmark applications deployed on Identity Router based portal can easily migrate to the cloud-based portal.

    • SAML applications need to be created again in the cloud-based portal if you migrate from Identity Router based portal.

    • WS Federation applications are not supported in the cloud-based portal.

    • Identity Router based portal cannot be enabled going forward. This does not impact the customers who are already using the Identity Router based portal.

  • Administrators can now customize and configure domain name (CNAME). This is supported for HTTP Federation Proxy, Trusted Headers, NTLM, SAML, and Bookmark applications.

  • The user interface text and labels have been standardized to align with other SecurID products.

  • Users can sign in to the portal once and access multiple authorized applications, including cloud and on-premise applications, SAML-enabled and non-SAML enabled applications.

  • The My Page portal now supports the Italian language.

Enable or Disable Agent Inventory Report

To allow customers to control the information that is tracked in the Cloud Authentication Service, the agent data collection can now be enabled or disabled. The default for this setting is 'disabled'.

Cleaning Up of Unused User Records

To increase the efficiency of the Cloud Authentication Service, a clean-up process has been implemented to remove the data for users who have never used the Cloud Authentication Service. This includes identifying the users who have not used Cloud Authentication Service for at least 30 days after their user records were initially created in the Cloud Authentication Service, disabling and marking them for deletion, and deleting their data. The Cloud Authentication Service automatically deletes all users who have been Pending Deletion for seven days. The deleted user records can be added back if the users want to use the Cloud Authentication Service.

SecurID Authenticator 6.0 for Windows - Coming Soon!

A single authentication app on Windows that supports both SecurID Software Token and cloud-based multifactor authentication to manage all your authentication needs. Be it on-premises, cloud, or hybrid infrastructure, you will have one single application to manage authentications effectively. By adding support for cloud MFA for Windows users, the new authenticator helps move your authentication to the cloud with continued support for software tokens. Existing software token users can easily migrate to the SecurID Authenticator 6.0 by simply re-importing their tokens.

Authentication Agent 1.0 for Epic Hyperdrive - Coming Soon!

Epic is moving its current primary end user application, 'Hyperspace', to a web-based framework, 'Hyperdrive'. RSA will release a new authentication agent to secure the new Epic Hyperdrive login and workflows.

New and Updated Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by SecurID through the RSA Ready Technology Partner Program. For Implementation Guides, see SecurID Integrations on the SecurID Community.

  • Microsoft OWA 2013 (update, Cloud Authentication Service) – updated support for the HTTP Federation method type.

  • Prove (update, AuthMgr) – updated support for OTP via SMS.

  • Radiant Logic RadiantOne (update, AuthMgr) – updated support for REST method.

Contact SecurID Partner Engineering for questions and integration support, rsapesupport@securid.com.

Fixed Issues

The following table lists the issues that have been fixed in this release.

Fixed Issue Description
NGX-90059 Customer was unable to edit access policies when the MFA license flag was turned off.
NGX-90040 Errors occurred during post tenant moveall ALA monitoring.
NGX-88921 Customer could not save identity source attributes.

May 2022 - Cloud Authentication Service

Authenticator 4.1 App for iOS and Android - Coming Soon!

SecurID app for iOS and Android has been renamed as Authenticator and its 4.1 version will be released soon with enhanced usability and accessibility. The user interface text and labels are standardized to align with other SecurID products.

Agent Inventory Report

A new report for exporting the list of cloud-connected Authentication Agents for compliance and reporting purposes is available now. From the June release, customers will be able to control the availability of the report. By default, the report will be disabled.

Identity Router Update Schedule and Versions

This release includes miscellaneous identity router improvements. Identity routers will be updated according to the following schedule.

Date Description

AU: 06/07/2022

EU: 06/09/2022

NA and Gov: 06/14/2022

Updated identity router software is available to all customers.
07/16/2022 Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually.
08/06/2022 If you postponed the default date, this is the last day when updates can be performed.

Note: Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.

The new identity router software versions are:

Identity Router
Deployment Type

Version
On-premises 12.15.0.0
Amazon Cloud RSA_Identity_Router 12.15.0.0

New and Updated Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by SecurID through the RSA Ready Technology Partner Program. For Implementation Guides, see SecurID Integrations on the SecurID Community.

  • VMware Horizon (update, AuthMgr & Cloud Authentication Service) – updated support for SecurID Authentication (REST) API and Radius method types.

  • VMware UAG (update, AuthMgr & Cloud Authentication Service) – updated support for SecurID Authentication (REST) API and Radius method types.

End Of Support – Reminder

We would like to remind all Technology Partners with an integration that used SecurID Authentication API for C and Java (v8.7 or earlier to build UDP/TCP clients) to move to SecurID Authentication (REST) API v1.x to connect to Authentication Manager. The Documentation and a YAML file (logon required) are available on SecurID Community. The integrations that were built using SecurID Authentication API for C and Java (8.7 or earlier) will be reaching their end of support soon. We request all the technology partners to start supporting integrations with REST API to avoid disruption of services.

Contact SecurID Partner Engineering for questions and integration support, rsapesupport@securid.com.

Fixed Issues

The following table lists the issues that have been fixed in this release.

Fixed Issue Description
NGX-89939 A customer had reported that all the users in the tenant were receiving delayed MFA push notification.
NGX-86858 Error occurred while assigning a FIDO token to a user.
NGX-86779 Customer had reported flooding of MFA notifications.
NGX-85970 SecurID app could not scan QR codes on older iPhone with smaller screen.
NGX-83462 The 'Identity router memory usage exceeds the threshold limit' error was reported by a customer.
NGX-83269 Inconsistent messages were displayed when access to the application was denied for a user on Application portal.
NGX-82341 A customer was unable to publish the changes after editing NGX Auth ID.

Known Issues

The following table lists the known issues in this release.

Known Issue Description
NGX-82988

This release contains changes that will prevent Identity Router SSO Agent intra-cluster session replication from working until all Identity Routers in the cluster are running on this release.

This affects customers who have:

  • An Identity Router cluster running a mix of older and newer 12.15.0.0 release Identity Routers.

  • Both SSO Agent and Intra-cluster session replication turned on for the Identity Router cluster.

When an Identity Router becomes unavailable, the session will end for the users who logged into that Identity Router, and they will be asked to re-authenticate.

Workaround

Once all Identity Routers in the cluster are upgraded to the May release, this will work again as expected. This will not cause auth failures or prevent other Identity Router functionality from working correctly.

NGX-90704 Customers may notice a new report titled ALL_TRACKED_MFA_CLIENTS for a short duration. This report is not ready for use until they are upgraded to the May 2022 release. Attempting to run this report before the upgrade completes will display an error message.

April 2022 - Cloud Authentication Service

SecurID 700 Hardware Tokens Available for All Customers

After a successful pilot with a limited set of customers, management of SecurID 700 Tokens in the Cloud Authentication Services is now available by default for all customers.

Cloud Migration for SecurID 700 Hardware Tokens – Coming Soon!

Using RSA Authentication Manager 8.7, SecurID 700 Hardware Tokens managed in Authentication Manager can be easily migrated to the Cloud Authentication Service. Administrators can decide which tokens to migrate and which tokens to retain within Authentication Manager, based on multiple factors.

For the migrated tokens:

  • Administrators can then manage them using the Cloud Administration Console without impacting their on-premises infrastructure.

  • Authentication Manager 8.7 will still be able to manage authentication if the cloud authentication service is unreachable.

New and Updated Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by SecurID through the RSA Ready Technology Partner Program. For Implementation Guides, see SecurID Integrations on the SecurID Community.

  • Archer (update, Cloud Authentication Service) – ESG and Integrated Risk Management, updated support for authentication method types SAML via Cloud SSO and Relying Party.

  • SecurID G&L (update, Cloud Authentication Service) – Identity Governance and Administration, updated support for authentication method types SAML via Cloud SSO and Relying Party.

  • IBM MFA for z/OS (update, Authentication Manager) – alternate authentication mechanisms for z/OS networks, added support for REST API.

End Of Support – Reminder

We would like to remind all Technology Partners with an integration that used SecurID Authentication API for C and Java (v8.7 or earlier to build UDP/TCP clients) to move to SecurID Authentication (REST) API v1.x to connect to Authentication Manager. The Documentation and a YAML file (logon required) are available on SecurID Community. The integrations that were built using SecurID Authentication API for C and Java (8.7 or earlier) will be reaching their end of support soon. We request all the technology partners to start supporting integrations with REST API to avoid disruption of services.

Contact SecurID Partner Engineering for questions and integration support, rsapesupport@securid.com.

Fixed Issues

Fixed Issue Description
NGX-85886 A customer was unable to change the SAML NameID value. The issue was that change in the NameID identifier type was not getting retained even after saving and publishing the updates. This issue has been fixed now.
NGX-86023 Customers reported an authentication outage after tenants were moved to the March Cloud release. The issue is fixed now.

For release notes prior to April 2022, see Release Notes Archive - Cloud Authentication Service and Authenticators.