Release 5.11

September 2020

IntelliTrust Rename

As of release 5.11, the name of IntelliTrust has been changed to Identity as a Service. There is no change in functionality of your existing instance of IntelliTrust apart from the features and functionalities mentioned in these release notes.

Transaction Context Risk Support with Resource-based Authentication

Risk-based authentication has been enhanced to verify whether transaction details included in an authentication request match the transaction rules defined in the resource rules. Transactions that do not match the transaction rules add risk to the authentication. Only authentications using the Authentication API support Transactions.

SAML Signing Certificate Enhancements

SAML Signing Certificates have been enhanced to support certificates issued by a CA and existing self-signed certificates. To replace the default self-signed certificate with a certificate issued by a CA, there is an option to generate a PKCS#10 certificate-signing request (CSR). Your CA uses the CSR to generate a certificate which is returned to Identity as a Service as either a PKCS#7 certificate response or a list of certificates. The existing Download option has been enhanced to support options to export the SAML certificate, the root CA certificate, or the entire PKCS#7 certificate chain.

SAML Integrations

New SAML application templates have been added for Coupa and WhiteSource.

Administration Restrictions based on Group Membership

Administration roles have been enhanced to include restrictions on the groups an administrator can access. A role can be configured to have access to all groups, own groups (the groups the administrator belongs to), or a specific list of groups. An administrator can only access users and user authenticators that belong to a group to which they have access. Additionally, unassigned grids and tokens can be assigned to groups with similar access restrictions. Related to these changes, the ability to filter by group has been added to the assigned and unassigned grid and token list pages.

Disable Single Sign-On for Portal Applications

It is now possible to disable Single Sign-On for portal applications. Previously, this was only available for SAML and OIDC applications. This option is enabled by default for new accounts.

Support user-based lock instead of authentication-based

The General Settings page includes a Lockout Mode setting. This settings controls whether a locked out authenticator locks the user or only locks the authenticator. Previously only the authenticator was locked out.

Changes to Identity as a Service APIs

The following changes have been made to the Authentication APIs:

• A new attribute transactionDetails has been added to the UserAuthenticateQueryParameters object.This attributes passes in transaction details for resource-based authentication based on transaction rules.

The following changes have been made to the Administration APIs:

• The validateUserPassword API response attribute adComplexity now returns true or false based on the contents of the password. Previously, if the AD Complexity password setting was disabled, the result would always return true.
• New objects TransactionContext and TransactionRuleRisk have been added as part of resource-based authentication support for transaction rules.
• A new attribute transactionContexts has been added to the ResourceRuleParms object. It defines the transaction rules with resource-based authentication.
• A new attribute transactionContexts has been added to the ResourceRule object. It associates transaction rules with resource-based authentication.
• A new API endpoint GET /api/web/v1/transactionrules (getTransactionRulesUsingGET) has been added that returns a list of configured transaction rules. A transaction rule is defined by a new object TransactionRuleDescription. Transaction rules are used with Resource-based authentication.
• A new API endpoint POST /api/web/v1/tokenspaged/unassigned (unassignedTokenPageUsingPOST) has been added. This endpoint provides the ability to list unassigned hardware tokens with server side searching and paging.
• A new API endpoint PUT /api/web/v1/tokens/{tokenid} (modifyTokenUsingPUT) and new object TokenParms has been added. This endpoint provides the ability to modify the group membership of an unassigned hardware token.
• A new API endpoint PUT /api/web/v2/grids/{gridid} (modifyUnassignedGridUsingPUT) and new object GridParms has been added. This endpoint provides the ability to modify the group membership of an unassigned grid.
• A new search criteria groupId is now supported in SearchParms when listing assigned or unassigned grids or tokens. This attribute allows you to list grids or tokens in a specified group.
• A new attribute groups has been added to Token. When fetching unassigned hardware tokens, the groups attribute returns the hardware token group membership.
• A new attribute groups has been added to Grid. When fetching unassigned grids, the groups attribute returns the grid group memberships.
• A new attribute groups has been added to GridCreateParms. When creating unassigned grids, the groups attribute can be used to optionally specify the group membership of the new grids.
• New attributes groupManagement and groupIds have been added to Role. When fetching a role these attributes specify the groups that the role can manage.
• A new attribute lockoutMode has been added to GeneralSettings. The attribute is returned when fetching general settings and can be set when modifying the general settings.

API Deprecations

The following API endpoints are deprecated and will be removed in Identity as a Service 5.14:

Name	Operation	Replacement
List Unassigned Hardware Tokens	listUnassignedTokensUsingGET	unassignedTokenPageUsingPOST
List Assigned Hardware Tokens	listAssignedTokensUsingGET	assignedTokenPageUsingPOST