Release 5.11
IntelliTrust Rename
As of release 5.11, the name of IntelliTrust has been changed to Identity as a Service. There is no change in functionality of your existing instance of IntelliTrust apart from the features and functionalities mentioned in these release notes.
Transaction Context Risk Support with Resource-based Authentication
Risk-based authentication has been enhanced to verify whether transaction details included in an authentication request match the transaction rules defined in the resource rules. Transactions that do not match the transaction rules add risk to the authentication. Only authentications using the Authentication API support Transactions.
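The matching described above, as an added illustration that is not the Identity as a Service implementation: rules list the values each transaction field may take (plus an amount ceiling), a transaction that matches no rule adds a fixed risk penalty, and the total decides whether step-up is required. The rule shape, field names, risk weights and threshold are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class TransactionRule:
    """Hypothetical rule shape (assumption): 'allowed' maps a transaction field to the
    set of values it accepts; 'max_amount' is an optional ceiling on the amount."""
    name: str
    allowed: dict = field(default_factory=dict)
    max_amount: Optional[float] = None

    def matches(self, details: dict) -> bool:
        # Every listed field must carry one of its allowed values.
        for key, allowed_values in self.allowed.items():
            if details.get(key) not in allowed_values:
                return False
        # The amount, when capped, must be present and within the ceiling.
        if self.max_amount is not None:
            amount = details.get("amount")
            if amount is None or amount > self.max_amount:
                return False
        return True

def transaction_risk(details: dict, rules, mismatch_risk: int = 40):
    """Return (risk_points, matched_rule_name). A matching rule adds no risk;
    a transaction that matches no rule adds the mismatch penalty."""
    for rule in rules:
        if rule.matches(details):
            return 0, rule.name
    return mismatch_risk, None

def authentication_decision(base_risk: int, details: dict, rules, step_up_threshold: int = 50):
    """Combine the authentication's existing risk with the transaction risk."""
    tx_risk, matched = transaction_risk(details, rules)
    total = base_risk + tx_risk
    return {"risk": total, "matched_rule": matched, "step_up": total >= step_up_threshold}

# Constructed sample rules: small domestic transfers and approved wires.
RULES = [
    TransactionRule("domestic-small", {"currency": {"USD"}, "type": {"transfer"}}, 1000.0),
    TransactionRule("wire-approved", {"currency": {"USD", "CAD"}, "type": {"wire"}}, 25000.0),
]

if __name__ == "__main__":
    usual = {"type": "transfer", "currency": "USD", "amount": 250.0}
    unusual = {"type": "transfer", "currency": "EUR", "amount": 250.0}
    print(authentication_decision(10, usual, RULES))    # no added risk, no step-up
    print(authentication_decision(10, unusual, RULES))  # mismatch adds risk, step-up
```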
SAML Signing Certificate Enhancements
SAML Signing Certificates have been enhanced to support certificates issued by a CA and existing self-signed certificates. To replace the default self-signed certificate with a certificate issued by a CA, there is an option to generate a PKCS#10 certificate-signing request (CSR). Your CA uses the CSR to generate a certificate which is returned to Identity as a Service as either a PKCS#7 certificate response or a list of certificates. The existing Download option has been enhanced to support options to export the SAML certificate, the root CA certificate, or the entire PKCS#7 certificate chain.
SAML Integrations
New SAML application templates have been added for Coupa and WhiteSource.
Administration Restrictions based on Group Membership
Administration roles have been enhanced to include restrictions on the groups an administrator can access. A role can be configured to have access to all groups, own groups (the groups the administrator belongs to), or a specific list of groups. An administrator can only access users and user authenticators that belong to a group to which they have access. Additionally, unassigned grids and tokens can be assigned to groups with similar access restrictions. Related to these changes, the ability to filter by group has been added to the assigned and unassigned grid and token list pages.
Disable Single Sign-On for Portal Applications
It is now possible to disable Single Sign-On for portal applications. Previously, this was only available for SAML and OIDC applications. This option is enabled by default for new accounts.
Support user-based lock instead of authentication-based
The General Settings page includes a Lockout Mode setting. This setting controls whether a locked out authenticator locks the user or only locks the authenticator. Previously, only the authenticator was locked out.
Changes to Identity as a Service APIs
The following changes have been made to the Authentication APIs:
- A new attribute transactionDetails has been added to the UserAuthenticateQueryParameters object. This attribute passes in transaction details for resource-based authentication based on transaction rules.
The following changes have been made to the Administration APIs:
- The validateUserPassword API response attribute adComplexity now returns true or false based on the contents of the password. Previously, if the AD Complexity password setting was disabled, the result would always return true.
- New objects TransactionContext and TransactionRuleRisk have been added as part of resource-based authentication support for transaction rules.
- A new attribute transactionContexts has been added to the ResourceRuleParms object. It defines the transaction rules used with resource-based authentication.
- A new attribute transactionContexts has been added to the ResourceRule object. It associates transaction rules with resource-based authentication.
- A new API endpoint GET /api/web/v1/transactionrules (getTransactionRulesUsingGET) has been added that returns a list of configured transaction rules. A transaction rule is defined by a new object TransactionRuleDescription. Transaction rules are used with resource-based authentication.
- A new API endpoint POST /api/web/v1/tokenspaged/unassigned (unassignedTokenPageUsingPOST) has been added. This endpoint provides the ability to list unassigned hardware tokens with server-side searching and paging.
- A new API endpoint PUT /api/web/v1/tokens/{tokenid} (modifyTokenUsingPUT) and a new object TokenParms have been added. This endpoint provides the ability to modify the group membership of an unassigned hardware token.
- A new API endpoint PUT /api/web/v2/grids/{gridid} (modifyUnassignedGridUsingPUT) and a new object GridParms have been added. This endpoint provides the ability to modify the group membership of an unassigned grid.
- A new search criterion groupId is now supported in SearchParms when listing assigned or unassigned grids or tokens. This attribute allows you to list grids or tokens in a specified group.
- A new attribute groups has been added to Token. When fetching unassigned hardware tokens, the groups attribute returns the hardware token group membership.
- A new attribute groups has been added to Grid. When fetching unassigned grids, the groups attribute returns the grid group memberships.
- A new attribute groups has been added to GridCreateParms. When creating unassigned grids, the groups attribute can be used to optionally specify the group membership of the new grids.
- New attributes groupManagement and groupIds have been added to Role. When fetching a role, these attributes specify the groups that the role can manage.
- A new attribute lockoutMode has been added to GeneralSettings. The attribute is returned when fetching general settings and can be set when modifying the general settings.
API Deprecations
The following API endpoints are deprecated and will be removed in Identity as a Service 5.14:
Name | Operation | Replacement |
---|---|---|
List Unassigned Hardware Tokens | listUnassignedTokensUsingGET | unassignedTokenPageUsingPOST |
List Assigned Hardware Tokens | listAssignedTokensUsingGET | assignedTokenPageUsingPOST |