RSA® Release Notes - Cloud Authentication Service and Authenticators

These release notes include product updates and bug fixes.

For additional information, see:

  • SecurID Product Release Notes, a portal to all release notes for the Cloud Authentication Service, Authentication Manager, authentication agents, and authenticators.

  • RSA Link, to access all SecurID product documentation.

November 2023 - Cloud Authentication Service

Cloud Authentication Service Updates

The following sections provide information on the new and enhanced features of the Cloud Authentication Service (CAS).

Manage User Consent to OpenID Connect (OIDC) Applications

In the Cloud Administration Console, administrators can configure whether users will be prompted to consent to share data with an OIDC-based application. Administrators can now enable or disable the option for users to provide consent for private information disclosure. Users can now grant consent once for an OIDC application and revoke consent on My Page.

Enable Verbose Logging for User Event Monitor

In the Cloud Administration Console, administrators can now include verbose logging to view all user events required for analysis. To view verbose logs for user events, open the Cloud Administration Console, click Users > User Event Monitor, and then select Include Verbose Logs.

Support for Windows Server 2019 and 2022 in Integrated Windows Authentication (IWA) Connector

The SecurID Integrated Windows Authentication (IWA) Connector is now supported for use with .NET Framework 4.7 and 4.8 on Windows Server 2019 and 2022, respectively.

Change the Default Icon for a Cloud Identity Provider (IdP)

The Cloud Administration Console allows administrators to change the default icon of any Cloud identity provider. To change the default icon, open the Cloud Administration Console, and on the required Cloud identity provider page, click Change Icon to upload a new one.

Audit Logging Improvements

The following improvements have been made to the User Event Log API and the Authentication Audit Logs API:

  • deviceId field in the User Event Log API will now correctly log a unique identifier for each device.

  • policyId field in the User Event Log API will return null and will eventually be removed from the API.

  • policyName in the User Event Log API will correctly log the name of the policy when a policy is evaluated.

  • deviceName in the User Event Log API and the Authentication Audit Logs API will log the devices' names when known.

  • customerName in the User Event Log API and the Authentication Audit Logs API will log the organization subdomain.

  • sourceIPAddress in the User Event Log API and the Authentication Audit Logs API will continue to log null.

  • application in the Authentication Audit Logs API will log the target application name more consistently.

  • applicationName in the User Event Log API will log the target application name more consistently.

For more information, see User Event Log API and Retrieve Authentication Audit Logs API.
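One way to consume the fields described above when forwarding these records to a SIEM. This is an added example, not RSA code: the records are constructed, the "user" key and the flat record layout are assumptions, and only the other field names come from the list above.

```python
"""Added example: normalize Cloud Authentication Service log records.

All sample records are constructed. The "user" key is a hypothetical
field name; the other keys are the field names listed in the release note.
"""
from collections import defaultdict

USER_EVENT_API = "user_event"  # User Event Log API
AUTH_AUDIT_API = "auth_audit"  # Authentication Audit Logs API


def normalize(record, api):
    """Map a record from either API onto one schema for the SIEM."""
    # The application name is 'applicationName' in the User Event Log API
    # and 'application' in the Authentication Audit Logs API.
    app_key = "applicationName" if api == USER_EVENT_API else "application"
    return {
        "api": api,
        "user": record.get("user"),               # hypothetical field
        "tenant": record.get("customerName"),     # organization subdomain
        "device_id": record.get("deviceId"),
        "device_name": record.get("deviceName"),  # logged only when known
        "policy": record.get("policyName"),       # policyId is not used
        "application": record.get(app_key),
        "source_ip": record.get("sourceIPAddress"),
    }


def schema_drift(record):
    """Report fields that no longer behave as the release note describes."""
    notes = []
    if record.get("policyId") is not None:
        notes.append("policyId is populated; the note says it returns null")
    if record.get("sourceIPAddress") is not None:
        notes.append("sourceIPAddress is populated; the note says it logs null")
    return notes


def new_device_events(events):
    """Return events where a user shows up with a deviceId not seen before.

    The first device seen for a user is treated as the baseline and is not
    reported. Records without a user or deviceId are skipped.
    """
    seen = defaultdict(set)
    hits = []
    for ev in events:
        user, dev = ev["user"], ev["device_id"]
        if user is None or dev is None:
            continue
        if dev not in seen[user]:
            if seen[user]:
                hits.append(ev)
            seen[user].add(dev)
    return hits


# Constructed sample records.
SAMPLE_USER_EVENTS = [
    {"user": "alice", "customerName": "example-tenant", "deviceId": "dev-001",
     "deviceName": "Alice iPhone", "policyId": None,
     "policyName": "High Assurance", "applicationName": "Payroll",
     "sourceIPAddress": None},
    {"user": "alice", "customerName": "example-tenant", "deviceId": "dev-001",
     "deviceName": "Alice iPhone", "policyId": None,
     "policyName": "High Assurance", "applicationName": "Payroll",
     "sourceIPAddress": None},
    {"user": "alice", "customerName": "example-tenant", "deviceId": "dev-002",
     "deviceName": None, "policyId": None,
     "policyName": "High Assurance", "applicationName": "Payroll",
     "sourceIPAddress": None},
]
SAMPLE_AUDIT_RECORD = {
    "user": "alice", "customerName": "example-tenant",
    "deviceName": "Alice iPhone", "application": "Payroll",
    "sourceIPAddress": None,
}


def run_sample():
    events = [normalize(r, USER_EVENT_API) for r in SAMPLE_USER_EVENTS]
    return {
        "new_devices": new_device_events(events),
        "drift": [n for r in SAMPLE_USER_EVENTS for n in schema_drift(r)],
        "audit": normalize(SAMPLE_AUDIT_RECORD, AUTH_AUDIT_API),
    }


if __name__ == "__main__":
    print(run_sample())
```

Because sourceIPAddress continues to log null, IP-based detections cannot be built on these records; the drift check reports if that, or the null policyId, ever changes.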

MFA Agent Citrix StoreFront V3.0 - Coming Soon!

MFA Agent Citrix StoreFront V3.0 will include the following features:

  • Enhanced Agent settings interface to allow easy configurations relevant to the Cloud Authentication Service and Authentication Manager using the Server and Advanced tabs.

  • Support for Emergency Access Code as a new method and enhanced Approve and Biometrics methods to support Confirmation Code.

  • Ability to enable WPI either during installation or by using configuration settings after installation.

  • Support for silent mode installation and upgrade.

  • Deprecated UDP connection to Authentication Manager and risk-based authentication (RBA) support. For more information, see Deprecated Features for RSA MFA Agents.

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:

Product | Version | EOPS Date | Extended Support Level 1 / Level 2
Authenticator for macOS | 5.0 | Mar 2024 | No
Authentication Agent for Citrix StoreFront | 2.0.x | Mar 2024 | No
Authenticate App for iOS and Android | 3.9.x | Mar 2024 | No
Authenticator for iOS | 4.1.5, 4.1.0 | Jan 2024 | No
Authenticator for Android | 4.1.6, 4.1.0 | Jan 2024 | No

Third-Party Integrations from RSA Ready

The following integrations are recently completed or certified by RSA through the RSA Ready Technology Partner Program. Implementation Guides will be coming soon. For the complete catalog of Implementation Guides, see SecurID Integrations on the RSA Community.

  • HashiCorp Vault (new) – added support for the Authentication Manager and the Cloud Authentication Service using RADIUS.

  • Microsoft Azure AD as an IDP (new) – added support for using Microsoft Azure Active Directory (AAD) as an IDP for the Cloud Authentication Service Administration Console and RSA My Page using SAML.

  • Salesforce (new) – added support for the Cloud Authentication Service using OIDC.

  • Smartsheet (new) – added support for the Cloud Authentication Service using SAML.

Fixed Issue

The following table lists the issue that is fixed for this release:

Fixed Issue | Description
NGX-129947 | A customer was unable to access the Identity Sources page in the Cloud Administration Console. The directory servers linked to some of their AD/LDAP identity sources were deleted. Now, customers can access the Identity Sources page and view all of them, including the problematic ones.

In a future release, administrators will be able to edit, synchronize, or delete any problematic identity sources.

October 2023 - Cloud Authentication Service

Cloud Authentication Service Updates

The following subsections provide the highlights of the new and enhanced features of the Cloud Authentication Service (CAS).

Enable My Page Passwordless Authentication with Access Policy 2.0

RSA introduces Access Policy 2.0 to offer users a secure passwordless authentication experience for My Page. With the 2.0 Access Policy, in the Cloud Administration Console, you can now define the default primary authentication method and the alternate methods (additional or step-up authentication methods) for a set of users that use the same policy at one time. Access Policy 2.0 saves you time and gives you the flexibility to configure multiple passwordless methods. For example, QR Code can now be used as a primary authentication method with 2.0 Policies.

For more information, see Access Policy 2.0 : Easily Rollout Passwordless to the Masses.

Enhancements to User Import CSV File

The user import CSV file has been enhanced with two new columns: "Password Delivery Method" and "Initial Password Delivery Location" to share passwords with new users using their specified email addresses.

Disabled Options and Settings If No Identity Router Deployed

In the Cloud Administration Console, when there is no deployed identity router (IDR), all the options and settings related to identity routers will be disabled by default to avoid confusion. For example, if there is no deployed identity router, you cannot add an application through IDR SSO Service Identity Providers. Once you deploy an identity router (IDR), all the IDR-related options and settings will be enabled by default.

Secure User Enrollment with ID Proofing

Identity proofing is now part of the secure enrollment process through RSA My Page. Identity proofing is the process of establishing elevated trust through verifying a user’s identity using independent high-assurance verification methods. If this feature is enabled, when users sign into My Page to register their first RSA credential, a new ID verification screen will appear after users enter their username and password. Upon successful completion of verification, a user is given access to My Page to proceed with credential registration. In the Cloud Administration Console, an administrator can add user verification identity providers and configure attributes mapping and scopes.

This feature is currently available in limited release. If you are interested in securely enrolling users to their RSA authenticators with an ID Proofing method, please contact your RSA Sales Representative.

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:

Product | Version | EOPS Date | Extended Support Level 1 / Level 2
Authenticator for macOS | 5.0 | Mar 2024 | No
Authentication Agent for Citrix StoreFront | 2.0.x | Mar 2024 | No
Authenticate App for iOS and Android | 3.9.x | Mar 2024 | No
Authenticator for iOS | 4.1.5, 4.1.0 | Jan 2024 | No
Authenticator for Android | 4.1.6, 4.1.0 | Jan 2024 | No

Fixed Issues

The following table lists the issues that are fixed for this release:

Fixed Issue | Description
NGX-120479 | In the Cloud Administration Console, an administrator could use the Password Reset and Enrollment features and select the Send the Reset Code to this Email or Send Enrollment Code to this Email options on the User Management page even though the Code for Reset Password or Enrollment Code options on the My Account > Company Settings > Email Notifications page were not enabled.
NGX-122515 | The security level of the Identity Router connection cipher, ECDHE-RSA-AES256-SHA384, has been changed from HIGH to MEDIUM for both INCOMING and OUTGOING connections due to a customer-reported issue. For more information on this change, see Security-Level Update for IDR Cipher.

September 2023 - Cloud Authentication Service

Cloud Authentication Service (CAS) Updates

The following subsections provide the highlights of the new and enhanced features of the Cloud Authentication Service (CAS):

Disable FIDO Synced Passkeys

In the past, FIDO only allowed a single copy of each FIDO credential. FIDO Synced Passkeys are a new type of FIDO credential that is automatically synced to multiple computing devices (e.g., computer, mobile, and tablet) owned by a user.

The Cloud Authentication Service now provides a setting to disable FIDO Synced Passkeys for both registration and authentication, on the Access > FIDO Authentication page of the Cloud Administration Console. Once synced passkeys are disabled, you can set a grace period during which authentication still works for users who have previously registered FIDO synced passkeys, so that they can log into My Page > My Authenticators and register a new credential that is not a FIDO Synced Passkey.

RSA recommends that customers with high security use cases carefully consider the security reduction and potential regulatory implications of using FIDO Synced Passkeys in their deployments. FIDO Synced Passkeys offer convenience, but the security implications need to be fully understood before using them.

Note: In a future release, this setting will be disabled by default with a grace period set to allow time for existing users to register new authentication methods.

View Admin Event Monitor from the Cloud Administration Console

You can now view the audit log messages that describe Super Admin activities and their details from the Cloud Administration Console. You no longer need to use the Event Log API to retrieve audit log events. You can track and search for admin events for the past 90 days from Platform > Admin Event Monitor.

Configure Enrollment Settings for My Page

In the Cloud Administration Console, you can now configure the Enrollment settings for My Page. You can generate a one-time code and provide an enrollment URL to users to enroll their first authenticator device in the Self-Service Console.

Set Up your RSA Mobile Lock Console Account

You can use the Cloud Administration Console to create an account to access the RSA Mobile Lock Console. After you verify your email address or corporate email ID, you will receive an email from Zimperium, the RSA partner that delivers the RSA Mobile Lock capability, to activate your account and set your password.

Note: This feature will be available if you have the Mobile Lock add-on included in your plan.

Updated Titles in the Cloud Administration Console

In the Cloud Administration Console, a couple of titles have been changed for clarity and consistency. Under Platform, the Audit Logging page has been renamed to IDR Audit Logging. On the Users > Identity Providers page, the SSO Service Identity Providers title has been renamed to IDR SSO Service Identity Providers.

Rate Limiting the Cloud Administration APIs

API throttling controls the amount of traffic that Cloud Administration APIs can handle and limits how many calls can be made per second. When a request exceeds a rate limit, the request is throttled, and an HTTP 429 (too many requests) status code is returned.

RSA Authenticator 4.3 for iOS and Android - Coming Soon!

RSA Authenticator app V4.3 for iOS and Android will be released shortly. The new release is rebranded with the RSA logo and color schemes, and it supports the code matching feature for Approve push notifications.

RSA Announces Availability of RSA Authentication Manager 8.7 SP1 Language Packs

The following table provides details about the available language packs in RSA Authentication Manager 8.7 SP1:

Summary

RSA Authentication Manager 8.7 SP1 language packs are now available. Language packs provide translated versions of the Authentication Manager 8.7 SP1 user interfaces, online help, and selected documentation.

The following languages are now supported:

  • Simplified Chinese

  • French

  • German

  • Japanese

  • Brazilian Portuguese

  • Spanish

Affected Products: RSA Authentication Manager 8.7 SP1

Details: For additional documentation, downloads and more, visit the RSA Community page on RSA Link.

End of Primary Support (EOPS) Policy: RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:

Product | Version | EOPS Date | Extended Support Level 1 / Level 2
Authenticator for macOS | 5.0 | Mar 2024 | No
Authentication Agent for Citrix StoreFront | 2.0.x | Mar 2024 | No
Authenticate App for iOS and Android | 3.9.x | Mar 2024 | No
Authenticator for iOS | 4.1.5, 4.1.0 | Jan 2024 | No
Authenticator for Android | 4.1.6, 4.1.0 | Jan 2024 | No

Third-Party Integrations from RSA Ready

The following integrations are recently completed or certified by RSA through the RSA Ready Technology Partner Program. Implementation Guides will be coming soon. For the complete catalog of Implementation Guides, see SecurID Integrations on the RSA Community.

  • DocuSign (update) – updated support for the Cloud Authentication Service using SAML.

  • Okta as an IDP (new) – added support for using Okta as an IDP for the Cloud Authentication Service Administration Console and RSA My Page.

  • Ping as an IDP (new) – added support for using Ping as an IDP for the Cloud Authentication Service Administration Console and RSA My Page.

  • Sekoia XDR (new) – SIEM provider can now ingest the Authentication Manager logs via API.

  • Zendesk (update) – updated support for the Cloud Authentication Service using SAML.

Fixed Issues

The following table lists the issues that are fixed for this release:

Fixed Issue | Description
NGX-125456 | A Help Desk administrator was unable to generate a password reset code. The following error message was displayed: "Password Reset Card is disabled".
NGX-124222 | A customer reported that the “ValidUntil” expiry data was not reset when the “Data Input Method” was changed from “Import Metadata” to “Enter Manually” or if a metadata file without a “ValidUntil” parameter was uploaded.

August 2023 - Cloud Authentication Service

Cloud Authentication Service Updates

Rebranding of My Page and the Cloud Administration Console

My Page and the Cloud Administration Console have been rebranded from "SecurID" to "RSA". Both have been updated with the new RSA logo and colors. The following example screen shows the rebranded dashboard of the Cloud Administration Console.

[Screenshot: rebranded Cloud Administration Console dashboard]

RSA My Page Single Sign-On (SSO) Is Now OpenID Connect Certified!

You can now protect access to your OpenID Connect (OIDC) based applications with the OpenID Connect certified connector of RSA My Page. For more information about OpenID Connect Certification, see the following links:


Rebranded Risk AI Dashboard and Adjustable Identity Confidence Threshold

In the Cloud Administration Console, the Identity Confidence Dashboard has been rebranded as the Risk AI Dashboard. You can now modify the Identity Confidence Threshold value calculated by the Risk Engine. The effective threshold will be the sum of the dynamic threshold and the adjusted threshold values. In the Risk AI Dashboard, the “User Behavior Over Time" line graph reflects the Effective Threshold in addition to the Identity Confidence Score and the Dynamic Calculated Threshold, indicating the contributing factors.

New Region-Based Domain Names for Identity Routers

New region-specific domain names have been added for primary and alternate regions as a part of a future plan to reduce the overall failover time. Therefore, you need to whitelist these new domain names if you are using name-based firewall rules so that in the future your identity routers can connect to the Cloud using these new region-specific domain names.

Note: The domain names used in other URLs (e.g., Cloud Administration Console, REST API URLs, or a URL that AM connects to) remain the same.

The identity routers have been enhanced to perform periodic connectivity checks to the Cloud using these new region-specific domain names, and the results are shown in the Cloud Administration Console. To check the connectivity statuses of the Software Update Service, the Adapter Update Service, and the Cloud Authentication Service Connection to the primary and alternate regions using these new domain names, navigate to Platform > Identity Routers in the Cloud Administration Console.

Logout URL Support for All Primary Authentication Methods

The Logout URL field on the Cloud Administration Console > Access > My Page can now be configured irrespective of the selection made in the Primary Authentication Method. This was previously allowed only for the "Performed by Cloud Identity Provider" authentication method.

RSA Authenticator App 4.3 for iOS and Android – Coming Soon!

RSA Authenticator app V4.3 for iOS and Android has a new design and additional features to improve the experience of users. For more information, see RSA Authenticator 4.3 for iOS and Android – Coming in August 2023 with New Look and More.

RSA SDK 4.0 for iOS and Android - Coming Soon!

RSA SDK 4.0 for iOS and Android will be released by the end of August. This release provides full database encryption. It supports data migration from SDK versions 3.0 and 3.1. In this release, the QR code authentication method is supported. This release also includes bug fixes.

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:

Product | Version | EOPS Date | Extended Support Level 1 / Level 2
Authenticator for iOS | 4.1.5, 4.1.0 | Jan 2024 | No
Authenticator for Android | 4.1.6, 4.1.0 | Jan 2024 | No

Identity Router Update Schedule and Versions

This release includes miscellaneous identity router improvements. Identity routers will be updated according to the following schedule.

Date | Description
AU: 08/28/2023; EU / IN: 08/30/2023; NA: 08/31/2023; Gov: 08/31/2023 | Updated identity router software is available to all customers.
10/14/2023 | Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually.
11/11/2023 | If you postponed the default date, this is the last day when updates can be performed.

Fixed Issues

The following table lists the issues that are fixed for this release:

Fixed Issue | Description
NGX-121526 | A customer was unable to sign into My Page, and the page kept loading when there was no available authentication method for the customer to complete.
NGX-121011 | When users signed into My Page configured with a third-party identity provider (IdP), there was an error generating signed authentication requests for the IdP. This could cause the third-party IdP to reject the signature of the request and result in a failed authentication.
NGX-119590 | A customer encountered an error when updating the My Page single sign-on portal and could not access the Company Settings page.

July 2023 - Cloud Authentication Service

SAML Application Supports Multiple Assertion Consumer Service (ACS) URLs

SAML Application configuration now supports defining multiple Assertion Consumer Service (ACS) URLs. Each URL is assigned an index number. The URL with index 0 is considered the default URL. The URLs can be reordered and deleted.

Enhancements to Risk AI

Enhancements have been made to enable the risk engine to adapt more quickly to changes in user behavior. Recent authentication activity is now weighted more when calculating the Identity Confidence Threshold.

Configure Methods of Code Confirmation

You can now set up how users respond to sign-in request notifications on their devices when they receive a confirmation code. In the Cloud Administration Console, you can select one of the following methods for code confirmation:

  • Input: A user can manually input the confirmation code.

  • Selection: A user can select the received confirmation code from a list of codes.

  • Visual Confirmation: A user can visually verify the displayed confirmation code and then can Approve or Reject the code on their device.

  • None: A user can only perform the Approve or Reject actions.

Note: The new "Input" and "Selection" confirmation methods are only supported in RSA Mobile Authenticator V4.3 for iOS and Android, scheduled for release in August 2023.

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:

Product | Version | EOPS Date | Extended Support Level 1 / Level 2
Authenticator for iOS | 4.1.5, 4.1.0 | Jan 2024 | No
Authenticator for Android | 4.1.6, 4.1.0 | Jan 2024 | No

Third-Party Integrations from RSA Ready

The following integrations are recently completed or certified by RSA through the RSA Ready Technology Partner Program. Implementation Guides will be coming soon. For the complete catalog of Implementation Guides, see SecurID Integrations on the RSA Community.

  • Citrix Sharefile (update) – updated support for the Cloud Authentication Service using SAML.

  • Crestron Electronics (new) – support for the RSA Authentication Manager using RADIUS.

  • M-Files (update) – updated support for the Cloud Authentication Service using SAML.

  • ServiceNow ITSM (update) – updated support for the Cloud Authentication Service using SAML.

  • Vena (new) – support for the Cloud Authentication Service using SAML.

Fixed Issue

The following table lists the issue that is fixed for this release:

Fixed Issue | Description
NGX-121010 | Authentication failed when a customer signed into My Page using a third-party identity provider (IdP) as their primary login method. The following error message was displayed: Unsuccessful Authentication. This issue has been fixed, and customers can select the Sign Request option when configuring an IdP.

June 2023 - Cloud Authentication Service

Publish Changes to the Cloud Authentication Service Without a Deployed Identity Router

Deploying on-premise identity routers (IDRs) is now optional. In the Cloud Administration Console, you can now publish your changes, and the settings will be synchronized with the Cloud Authentication Service without a registered IDR.

Reset Your Users’ Passwords

If users do not remember their current password, they can contact their IT administrator for a password reset. In the Cloud Administration Console, you can now generate a reset code and share it with users to enter a one-time password (OTP) and reset their passwords. You can reset a user's password by sending a password reset email to the user's email address. The password reset feature is available for ID Plus E2 and E3 subscriptions.

View Pending Changes Before Publishing

Before publishing your changes, you now have visibility into pending changes made by you and other administrators. In the Cloud Administration Console, you can now view a list of pending changes and their details. You can get an overview of who changed what and when for the last 90 days.

Manage the Entire User Life Cycle Using SCIM APIs

You can now use the SCIM operations to search, create, modify, or delete users in the Unified Directory. The SCIM API allows you to search for users, and you can use the search endpoints to filter the rows in the result.

Set Up Initial Passwords for Users in the Unified Directory

You can now control the settings of the initial user passwords for identity sources in the Unified Directory. When creating a user in the Cloud Administration Console, you can provide an initial password or generate it using the Cloud Authentication Service. You can add users' email addresses, and the Cloud Authentication Service will email initial passwords to them.

RSA My Page Supports Single Sign-On to OpenID Connect (OIDC) Applications

RSA My Page now supports single sign-on (SSO) to OpenID Connect (OIDC) applications. Users can sign into My Page and access all OIDC applications, with the same authentication and assurance levels, without the need to re-login. Administrators can define the scopes and claims for applications in the Cloud Administration Console. Users can then consent to the permissions requested by an application. The consent form has been enhanced for better usability and user experience.

Changes to OpenID Connect (OIDC) Relying Party Claims

Please note the following changes to claims that can be used when adding an OpenID Connect (OIDC) relying party:

  • Claim names do not allow the following forbidden characters: " (double-quote), \ (backslash), ' (single-quote), and whitespace. Those characters will be removed automatically during the upgrade to the June release.

  • All claims marked as Essential are linked to the scope “openid” and the Essential flag is removed. The scope “openid” provides the same functionality as the Essential flag and is linked to all OIDC relying parties that have at least one Essential claim.

  • Claims with the same name across all OIDC relying parties are synchronized to the one that is edited last. This is required to move the claims into their centralized definitions that the June release is going to introduce. For example, if the claim “a” exists in the OIDC relying party “RP1” and in the OIDC relying party “RP2”, the copy that was edited last is used to synchronize the definition into both relying parties.

  • Claim names have become case-sensitive to match the official OIDC specifications.
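A pre-upgrade check for the claim changes listed above, written as an added example rather than RSA code. The inventory format (rp, name, source, edited) is hypothetical and the sample entries are constructed; the check also assumes that same-name synchronization is evaluated after the forbidden characters are removed, which the note does not state.

```python
"""Added example: audit an OIDC claim inventory before the June upgrade."""
from collections import defaultdict

# Forbidden characters named in the release note; whitespace is handled
# separately with str.isspace().
FORBIDDEN = {'"', "\\", "'"}


def sanitize(name):
    """Return the claim name with the forbidden characters removed."""
    return "".join(ch for ch in name
                   if ch not in FORBIDDEN and not ch.isspace())


def audit_claims(claims):
    """Report claims affected by the three changes.

    claims: list of dicts with hypothetical keys
      rp     - relying party name
      name   - claim name as configured today
      source - what the claim is mapped to
      edited - last edit date as an ISO 8601 string
    """
    # 1. Names that change because characters are stripped.
    renamed = [(c["rp"], c["name"], sanitize(c["name"]))
               for c in claims if sanitize(c["name"]) != c["name"]]

    # 2. Same-named claims with different definitions: the copy edited
    #    last replaces the others (assumption: compared after stripping).
    by_name = defaultdict(list)
    for c in claims:
        by_name[sanitize(c["name"])].append(c)
    overwritten = []
    for name, group in by_name.items():
        winner = max(group, key=lambda c: c["edited"])
        for c in group:
            if c is not winner and c["source"] != winner["source"]:
                overwritten.append(
                    (c["rp"], name, c["source"], winner["source"]))

    # 3. Names that differ only by case are distinct claims once names
    #    are case-sensitive; a relying party asking for the other
    #    spelling gets nothing.
    folded = defaultdict(set)
    for name in by_name:
        folded[name.lower()].add(name)
    case_variants = sorted(sorted(v) for v in folded.values() if len(v) > 1)

    return {"renamed": renamed,
            "overwritten": overwritten,
            "case_variants": case_variants}


# Constructed inventory; "a" in RP1 and RP2 mirrors the note's own example.
SAMPLE_CLAIMS = [
    {"rp": "RP1", "name": "a", "source": "mail",
     "edited": "2023-05-02"},
    {"rp": "RP2", "name": "a", "source": "userPrincipalName",
     "edited": "2023-05-20"},
    {"rp": "RP1", "name": "dept name", "source": "department",
     "edited": "2023-04-11"},
    {"rp": "RP2", "name": "Groups", "source": "memberOf",
     "edited": "2023-03-01"},
    {"rp": "RP3", "name": "groups", "source": "memberOf",
     "edited": "2023-03-05"},
]

if __name__ == "__main__":
    for section, rows in audit_claims(SAMPLE_CLAIMS).items():
        print(section, rows)
```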

Removal of Error URL from Single Sign-On Settings When Using a Cloud Identity Provider

When users encounter an error during authentication, they will no longer be navigated to the error URL configured in the My Page settings. Users remain on the RSA authentication pages. In a future release, the optional Error URL field will be removed from the SSO Portal Settings in the Cloud Administration Console.

Removal of a Primary Authentication Option When Configuring a SAML Service Provider

When adding or editing the authentication details of a SAML relying party, the Determined by Service Provider at Run Time option has been removed from the Primary Authentication Method list. This option is no longer available for primary authentication when configuring a service provider.

Authentication Manager 8.7 SP1 Supports VMware ESXi 8.0

Authentication Manager 8.7 SP1 can now be deployed on VMware ESXi 8.0 (VMware vSphere Hypervisor 8.0). For more information on deployment, see RSA Authentication Manager 8.7 SP1 Setup and Configuration Guide.

Upcoming End of Primary Support (EOPS) Details

The following table provides a summary view of the RSA products reaching the end of support within the next six months:

Product | Version | EOPS Date | Extended Support Level 1 / Level 2
Authentication Manager (AM) | 8.5 | Jul 2022 | Jul 2023 / No
Authentication Manager (AM) | 8.4 | Dec 2021 | Dec 2022 / Jul 2023
MFA Agent for Microsoft Windows | 2.0.x | Jul 2023 | No
MFA Agent for macOS | 1.3.x | Jul 2023 | No
Authenticator for iOS | 4.1.5, 4.1.0 | Jan 2024 | No
Authenticator for Android | 4.1.6, 4.1.0 | Jan 2024 | No

New and Updated Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For Implementation Guides, see SecurID Integrations on the RSA Community.

  • RSA EMC Unisphere for PowerMax (new) – support for Authentication Manager using RSA MFA API (REST).

  • Federated Directory (new) – support for the Cloud Authentication Service using SAML.

  • IBM Hardware Management Console (new) – support for Authentication Manager using RADIUS.

  • Salesforce (update) – updated support for the Cloud Authentication Service using SAML.

Fixed Issue

The following table lists the issue that is fixed for this release:

Fixed Issue | Description
NGX-111079 | A customer reported an information-level vulnerability in a third-party library. This issue has been fixed.

Known Issues

The following table lists the issues that users may encounter, as well as possible workarounds for these issues:

Known Issue | Description
NGX-117920 | Problem: The password reset sometimes fails with an unknown error. Workaround: Users can try to reset their passwords again, and the password will be changed successfully. The fix for this issue will be included in the next identity router (IDR) release.
NGX-118991 | Problem: Users are redirected to an error page when trying to access the reset password link. Workaround: To redirect users to the reset password page, if My Page is already enabled, in the Cloud Administration Console, click Access > My Page, and click Save without making any changes. In case My Page is not enabled, in the Cloud Administration Console, enable My Page from Access > My Page, select Enable under Self Service, and click Save. Then, publish changes. If the issue still persists, please contact RSA Customer Support.

May 2023 - Cloud Authentication Service

Customize My Page and Authentication Pages

My Page customizations can now be applied to all authentication prompts and sign-in pages. The customization option is available only for ID Plus E2 and E3 subscriptions.

Download User Import Error Report

When importing users from a CSV file, you might encounter some errors. You can now download and view a detailed error report to fix the errors and try to import your users CSV file again. The "Errors" column describes the errors and how to fix them.

Update and Delete Users with the SCIM API

You can use the SCIM API to manage users for identity sources in the Unified Directory. The SCIM API allows you not only to create users but also to update and delete them.

Add SCIM Managed and Azure Active Directory (SCIM) Identity Sources

Using the Cloud Administration Console, you can now add SCIM managed and Azure Active Directory (SCIM) identity sources. You can use the SCIM API for provisioning and managing users in these identity sources from SCIM clients.

Upcoming End of Primary Support (EOPS) Details

The following table provides a summary view of the RSA products reaching the end of support within the next six months:

Product | Version | EOPS Date | Extended Support Level 1 / Level 2
SecurID Authentication Manager (AM) | 8.5 | Jul 2022 | Jul 2023 / No
SecurID Authentication Manager (AM) | 8.4 | Dec 2021 | Dec 2022 / Jul 2023
SecurID MFA Agent for Microsoft Windows | 2.0.x | Jul 2023 | No
SecurID MFA Agent for macOS | 1.3.x | Jul 2023 | No
SecurID MFA Agent for macOS | 1.2 | Jun 2023 | No
SecurID Authenticator for iOS / Android | 4.0 | Jun 2023 | No

Fixed Issues

The following table lists the issues that are fixed for this release:

| Fixed Issue | Description |
|---|---|
| NGX-115133 | After successfully logging into My Page, users could not view their assigned authenticators when the access policy was configured with a trusted location condition. The access policy failed due to insufficient location data. |
| NGX-112810 | A customer encountered an issue with publishing after renaming an identity source to the name of a deleted one. |

April 2023 - Cloud Authentication Service

Manage Local Identity Sources

In the Cloud Administration Console, administrators can now add, edit, or delete local identity sources. Administrators can add users to local identity sources through the "Add User" option in the Cloud Administration Console (From Users > Management), CSV file upload, or via the SCIM API.

Import Users via CSV Upload

The Cloud Authentication Service supports importing new local users using CSV file upload. In the Cloud Administration Console, administrators can now upload a CSV file to import new users. This option is only available for local identity sources within the Unified Directory.

Secure Amazon Workspace with My Page Single Sign-On (SSO)

Using My Page single sign-on (SSO), administrators can now secure AWS workspace with identity provider (IdP)-initiated SAML SSO support. In the Cloud Administration Console, you can set the optional “Default Relay State.” If a SAML request message contains dynamic Relay State data, the SAML responder returns its SAML protocol response using a binding that also supports a dynamic Relay State mechanism. If there is no Relay State in an IdP-initiated request, the default Relay State is returned in the SAML response.

Cloud Config API Added for the Epic Hyperdrive

To secure login to the Epic Hyperdrive, a new "cloudconfigs" API has been added to return additional cloud configurations related to the Epic Hyperdrive to support it during multi-factor authentication (MFA) proxy requests from Epic Hyperdrive agents.

Modified Validation Rules for the RADIUS Name and Description

The validation rules of the RADIUS Name and Description fields have been modified to match the configurations used for Authentication Manager. When you add a RADIUS client, the Name field can now contain spaces and dots, and the length of the Description field has been increased to 255 characters.

Enhanced Event Logs and Authentication Tracking

The Cloud Authentication Service now tracks which authentication method(s) a user has used instead of which assurance levels were met to access a protected resource. The Event Monitor logs will now help you to monitor the log events when users are automatically allowed access to an app based on the used authentication methods.

Removal of Ciphers in June 2023

The following table lists the ciphers for incoming and outgoing connections that will be removed or renamed in the Cloud Authentication Service June 2023 release. These ciphers did not work in previous releases, which is why they are being removed or renamed. If you find these ciphers configured, update them (remove or rename) based on the following table. The cipher update will not affect the environment because other working ciphers were configured.

| Cipher | Connection | Action |
|---|---|---|
| ECDHE-ECDSA-AES256-SHA | Incoming | Removed |
| ECDHE-ECDSA-AES128-SHA256 | Incoming | Removed |
| ECDHE-ECDSA-AES128-SHA | Incoming | Removed |
| ECDHE-ECDSA-AES128-GCM-SHA256 | Incoming | Removed |
| RSA-AES128-GCM-SHA | Outgoing | Removed |
| ECDH-RSA-AES128-GCM-SHA | Outgoing | Removed |
| ECDH-ECDSA-AES128-GCM-SHA | Outgoing | Removed |
| ECDHE-RSA-AES128-GCM-SHA | Outgoing | Removed |
| ECDHE-ECDSA-AES128-GCM-SHA | Outgoing | Removed |
| RSA-AES128-SHA256 | Outgoing | Renamed to AES128-SHA256 |
| RSA-AES128-SHA | Outgoing | Renamed to AES128-SHA |
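
The following is an added example, not RSA code: a small helper that applies the removals and renames from the table above to a configured cipher list, per connection direction, and refuses to return an empty list. The colon-separated list format, the function name `migrate_ciphers`, and the sample list are assumptions made for illustration.

```python
# Cipher actions copied from the release-note table, keyed by connection direction.
REMOVED = {
    "incoming": {
        "ECDHE-ECDSA-AES256-SHA",
        "ECDHE-ECDSA-AES128-SHA256",
        "ECDHE-ECDSA-AES128-SHA",
        "ECDHE-ECDSA-AES128-GCM-SHA256",
    },
    "outgoing": {
        "RSA-AES128-GCM-SHA",
        "ECDH-RSA-AES128-GCM-SHA",
        "ECDH-ECDSA-AES128-GCM-SHA",
        "ECDHE-RSA-AES128-GCM-SHA",
        "ECDHE-ECDSA-AES128-GCM-SHA",
    },
}
RENAMED = {
    "incoming": {},
    "outgoing": {
        "RSA-AES128-SHA256": "AES128-SHA256",
        "RSA-AES128-SHA": "AES128-SHA",
    },
}


def migrate_ciphers(cipher_list, direction):
    """Return (new_list, changes) for a colon-separated cipher list."""
    # Assumption: OpenSSL-style "A:B:C" list; the page does not state the format.
    if direction not in REMOVED:
        raise ValueError(f"unknown direction: {direction!r}")
    kept, changes = [], []
    for name in (c.strip() for c in cipher_list.split(":")):
        if not name:
            continue
        if name in REMOVED[direction]:
            changes.append(f"remove {name}")
            continue
        new_name = RENAMED[direction].get(name, name)
        if new_name != name:
            changes.append(f"rename {name} -> {new_name}")
        if new_name in kept:
            # A rename can collide with an entry already present; keep one copy.
            changes.append(f"drop duplicate {new_name}")
            continue
        kept.append(new_name)
    if not kept:
        # The notes assume other working ciphers remain; fail loudly if none do.
        raise ValueError(f"no {direction} ciphers left after update")
    return ":".join(kept), changes


if __name__ == "__main__":
    # Constructed sample list, not taken from a real deployment.
    sample = "ECDHE-RSA-AES256-GCM-SHA384:RSA-AES128-SHA:ECDHE-RSA-AES128-GCM-SHA:AES128-SHA"
    print(migrate_ciphers(sample, "outgoing"))
```
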

RSA Authentication Agent 7.4.6 for Windows Agent

RSA Authentication Agent 7.4.6 includes display message corrections in language packs.

Identity Router Update Schedule and Versions

This release includes miscellaneous identity router improvements. Identity routers will be updated according to the following schedule.

| Date | Description |
|---|---|
| AU: 5/2/2023; EU / IN: 5/4/2023; NA: 5/4/2023; Gov: 5/5/2023 | Updated identity router software is available to all customers. |
| 05/27/2023 | Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually. |
| 06/25/2023 | If you postponed the default date, this is the last day when updates can be performed. |

Note: Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.

The new identity router software versions are:

| Identity Router Deployment Type | Version |
|---|---|
| On-premises | 12.18.1.0 |
| Amazon Cloud | RSA_Identity_Router 12.18.1.0 |

New and Updated Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For Implementation Guides, see SecurID Integrations on the RSA Community.

  • CSP Authenticator (update) – updated support for Authentication Manager using RSA MFA API (REST).

  • RSA iDRAC (new) – added support for Authentication Manager using RSA MFA API (REST).

  • Endace (new) – added support for Authentication Manager using RSA MFA API (REST).

  • ForgeRock Access Management (new) – added support for Authentication Manager using RSA MFA API (REST). Support for the Cloud Authentication Service is coming soon.

  • HelpSystems FoxT Server Control (update) – updated support for Authentication Manager using RSA MFA API (REST).

  • IBM DS8000 (new) – added support for Authentication Manager using RSA MFA API (REST).

  • IBM Guardium Data Security (new) – added support for Authentication Manager using RSA MFA API (REST).

Fixed Issues

The following table lists the issues that are fixed for this release:

| Fixed Issue | Description |
|---|---|
| NGX-114626 | The SAML assertion failed for cloud local users when the NameID was mapped to the "mail" attribute in the relying party configuration. This issue has been fixed. |
| NGX-96146 | A customer had reported that the relationship status of their cross-site cluster went offline and did not recover. Sometimes due to this issue, their newly created users could not authenticate to the WebPortal. This issue has been fixed. |
| NGX-111285 | Accessing RSA Application Portal via thick client displayed a script error. |
| NGX-110954 | After authentication, a customer could not access an application in an iframe. An error occurred while redirecting the customer to the application URL. |
| NGX-110945 | Identity router (IDR) RADIUS service was down for the customers with a self-signed certificate after upgrading the IDR. |
| NGX-108771, NGX-101093 | A couple of security vulnerabilities have been fixed. |

March 2023 - Cloud Authentication Service

Enable or Disable Mobile Lock

RSA Mobile Lock is an optional add-on to the ID Plus service. It can detect certain critical threats to a mobile device where the RSA Authenticator for iOS and Android app is installed and registered to the Cloud Authentication Service. It restricts the user’s ability to authenticate until the threat issue is resolved. Administrators can now enable or disable Mobile Lock in the Cloud Administration Console for customers who requested this enhanced mobile protection. This setting is disabled by default.

Allow Users to Change Passwords

An option to allow users to change their passwords is now available in the Cloud Administration Console. Additionally, administrators can define the password policy requirements they want when users change their passwords. Users can view these password policy details and change their password in the Change Password section on My Page.

UI-Based Creation of Local Users in RSA Unified Directory

In addition to the capability of creating local users through the SCIM API, the Cloud Authentication Service now supports creating users through the user interface (From Users > Management). Users can change the administrator-assigned password on My Page. This feature is currently available in limited release. If you are interested in RSA Unified Directory, contact your RSA Sales Representative.

Optimized “Remember This Browser” Prompt

When users are authenticated to access a protected resource, they are prompted to "Remember This Browser" only once during a browser session, irrespective of the selection of the Remember This Browser option.

RSA MFA Agent 2.0 for Epic Hyperdrive - Coming Soon!

RSA® MFA Agent 2.0 for Epic Hyperdrive will support the Cloud Authentication Service. RSA® MFA Agent 2.0 for Epic Hyperdrive will come with a new and intuitive user interface to ensure a streamlined authentication workflow with better accessibility.

New and Updated Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program:

  • Check Point Gateway (update) – updated certification for Radius (Authentication Manager and Cloud Authentication Service) and added certification for SAML (Cloud Authentication Service).

  • Cisco ISE (update) – updated certification for Radius (Authentication Manager and Cloud Authentication Service) and SAML (Cloud Authentication Service).

  • Cisco Nexus (update) – updated certification for Radius (Authentication Manager) and added certification for Radius (Cloud Authentication Service).

  • Fortinet FortiGate (update) – updated certification for Radius (Authentication Manager and Cloud Authentication Service) and new certification for SAML (Cloud Authentication Service).

  • Fortinet FortiManager (new) – new certification for Radius (Authentication Manager and Cloud Authentication Service) and for SAML (Cloud Authentication Service).

  • Palo Alto PANOS10 (update) – updated certification for Radius (Authentication Manager and Cloud Authentication Service), REST (Cloud), and SAML (Cloud Authentication Service).

Fixed Issues

The following table lists the issues that are fixed for this release:

| Fixed Issue | Description |
|---|---|
| NGX-110152 | A customer encountered an error in Active Directory Federation Services (ADFS) due to failed authentication with the SAML identity provider (IdP). |
| NGX-109470 | An administrator could not unlock the Approve method for a user's re-enrolled mobile device when the Approve method was already locked out. |

February 2023 - Cloud Authentication Service

Add Epic Hyperdrive as a Relying Party

The Cloud Authentication Service can act as the authorization server for the Epic Hyperdrive relying party. In the Cloud Administration Console, from the Authentication Clients > Relying Parties page, administrators can now add the basic information of the Epic Hyperdrive relying party and configure its connection profile.

Fixed Issues

The following table lists the issues that have been fixed in this release:

| Fixed Issue | Description |
|---|---|
| NGX-106516 | A customer was unable to edit or delete a WS Federation application. |
| NGX-105458 | A customer was unable to update a SAML certificate for an application. The following error message was displayed: There was an error with your application setup. Correct the items in red. |

January 2023 - Cloud Authentication Service

Allow Authentication for Embedded Iframe Pages

Multi-factor authentication is now available for web pages or apps embedded in an iframe. To allow authentication for embedded iframe pages, administrators can add sites to the allowed domains list on the Company Settings page, under the Sessions & Authentication tab, in the Content Security section. To make the embedded iframe pages more secure, administrators need to provide HTTPS-based URLs.

Track Usage Information in the Cloud Authentication Service

The Cloud Authentication Service dashboard has been updated with the count of active end users who either have a registered authenticator or who authenticated successfully in the last six months to gain a deeper insight about the actual number of users authorized to use the Cloud Authentication Service. In addition, the “All Users” report has been enhanced with Active User License Used, Registered Credential, Active Users in last 6 months, and Local User columns to better track the actual number of users using the Cloud Authentication Service.

Cloud Authentication Service as Authorization Server for Generic OIDC Relying Party

Cloud Authentication Service can act as the authorization server for a generic OpenID Connect (OIDC) relying party application. Administrators can configure this in the Cloud Administration Console under Authentication Client > Relying Parties.

Step-Up Authentication with QR Code is Available!

The Cloud Authentication Service now supports a new step-up authentication method: QR code. To use this new authentication method, open the Cloud Administration Console, select the Access > Assurance Levels page, and click Add in the required level. Using this authentication method requires downloading the SecurID Authenticator app V4.2 for iOS and Android, scheduled for release by the end of January 2023. The multi-factor authentication (MFA) API also supports the QR code authentication method. However, the QR code authentication method does not support RADIUS or any MFA agents. Support for QR code as a primary authentication method will be added in a future release.

Lockout Push Notifications for Authentication Methods

In the Cloud Administration Console, the existing settings controlling authentication method lockout have been extended to cover the Approve and Device Biometrics authentication methods. In accordance with these settings, the Cloud Authentication Service now automatically stops sending push notifications to users who deny a login request a specified number of times. This is to avoid multi-factor authentication (MFA) fatigue attacks.

Local User Support via RSA Unified Directory

Unified Directory is a new user identity store for the RSA Cloud Authentication Service that will enable full Cloud-only deployments in the future. RSA Unified Directory has the ability to create and store local users and their passwords using the open standard System for Cross-domain Identity Management (SCIM) API. Administrators can manage local users from the Cloud Administration Console. Users can manage themselves using the My Page self-service portal. Local user passwords are validated completely within the Cloud Authentication Service. This feature is currently available in limited release. If you are interested in RSA Unified Directory, contact your RSA Sales Representative.

RSA Authenticator 4.2.0 for iOS and Android - Coming Soon!

  • RSA Authenticator v4.2.0 for iOS and Android app enables users to migrate their credentials from the RSA Authenticate app to the RSA Authenticator app. When users first open the RSA Authenticator 4.2 app or register their credentials, they will be prompted to migrate their existing credentials from RSA Authenticate app to RSA Authenticator app.

  • QR code can be used as a step-up authentication method. If this method was enabled by their organizations, users will be able to authenticate to My Page by simply scanning the QR code with their registered Authenticator app.

SecurID Authenticator 5.1 for macOS - Coming Soon!

  • SecurID Authenticator 5.1 for macOS app will be enhanced with standardized terminologies to align and streamline with the other RSA products and the authentication industry.

  • Users will be able to migrate all their software tokens from the existing SecurID Software Token 4.2.3 app to the new SecurID Authenticator 5.1 for macOS. With this migration, users will be able to manage all their credentials within the new macOS Authenticator.

  • Users will be able to set their own device passwords in the SecurID Authenticator 5.1 for macOS to secure the operations performed on AM managed OTP, such as entering a PIN, renaming a software token, or deleting it.

  • SecurID Authenticator 5.1 for macOS app will support macOS Ventura, which was released on October 24, 2022.

Fixed Issues

The following table lists the issues that are fixed for this release:

| Fixed Issue | Description |
|---|---|
| NGX-102750 | During the configuration of a SAML relying party, an attribute extension of “Constant” type was not saved correctly. This issue has been fixed. |
| NGX-105192 | In the IDP-initiated flows, the value of "subjectNameIdFormat" field was incorrect in the SSO context. This issue has been fixed. |
| NGX-104053 | A customer was prompted to re-authenticate to access a SAML application although My Page session had not expired. This issue has been fixed. |

For release notes prior to January 2023, see Release Notes Archive - Cloud Authentication Service and Authenticators.