Release 5.13
CORS Policy
In order to improve the security of the platform, the default CORS policy for Identity as a Service has been updated so that it is disabled by default. This may impact some customers who are calling the Identity as a Service APIs from their Web applications. If you are affected, enable CORS in the General Settings page of your Identity as a Service account and add your Web application's origin to the list of allowed Origins.
Email Template Customization
Identity as a Service has been enhanced to allow full customization of email templates when the account has been configured to use your own mail server. When your account is using the Identity as a Service mail server, only limited email customization is available.
New SAML Integrations
New SAML application templates have been added for Dell Boomi, Oracle EPM Cloud and Zendesk.
Unlock password without having to reset it
A new option has been added to the Password Settings to allow users to unlock their password without having to change it when it has been locked.
Password unlock is supported for local users and users synced from On-Premise Active Directory. Password unlock for users synced from Azure AD is not supported at this time.
Get Started Wizard
A Get Started Wizard has been added to the Dashboard page to help setup Identity as a Service.
Smart Credential Enhancements
The following enhancements have been made to smart credentials.
-
When configuring a smart credential definition, you can now specify the CA of the PIV Content Signer explicitly or you can have the PIV Content Signer come from the same CA as the digital id configurations which is the existing behavior.
-
A smart credential can be created without digital id configurations.
-
When activating a smart credential using the administration API, enrollment values can be specified. If the values are specified during activation rather than stored with the smart credential, the values are cached instead of stored in the database and are automatically removed after the smart credential is encoded. You may want to use this capability if you are encoding sensitive information onto the smart credential that you do not want stored in the Identity as a Service database.
-
A user image can be provided as an additional attribute when activating a smart credential. If present, the user image is encoded onto the mobile smart credential.
External Authentication Bypass Second-Factor Authentication
A new setting has been added to resource rules to allow users that do not exist in Entrust Identity as a Service to bypass second-factor authentication if the performed first-factor is external authentication.
OATH HOTP Token Support
Entrust Identity as a Service has added support for OATH HOTP (event-based) hardware tokens to be used as a second-factor authenticator. The event window and reset event window settings for OATH HOTP tokens can be configured in the Hardware Token settings.
Bulk Assign Hardware Tokens
A new bulk operation to assign hardware tokens to users has been added. The bulk upload is a CSV file containing "userId" and "serialNumber" columns. The following is a sample CSV for bulk assigning hardware tokens:
userId,serialNumber
user1,1234567
user2,2345678
user3,3456789
Service Provider Usage Reports
The Usage Report CSV file includes two new columns for Consumed and Previously Consumed Entitlements. The consumed column value depends on the entitlementType:
| entitlementType | The consumed column value represents |
|---|---|
| USERS | the number of ACTIVE users |
| SMSVOICE | the number of SMS/Voice credits used |
| IDPROOFING | the number of ID Proofing transactions completed |
| ISSUANCE | the number of credentials successfully printed |
The consumedPrevPeriod column value shows the same values as the consumed column but in the previous month.
The serviceBundle column value for the USERS entitlementType has changed from DEFAULT to PLUS.
Changes to Identity as a Service APIs
The following changes have been made to the Administration APIs:
- A new attribute
corsEnabledhas been added to theGeneralSettings. When enabled, cross-origin requests that match the values specified incorsOriginare allowed. When disabled, cross original requests are not allowed. - A new attribute
corsOriginshas been added to theGeneralSettings. When configuring CORS on the Settings page, it passes a list of allowed CORS origins. - A new attribute
showOnboardingWizardhas been added to theGeneralSettings. When enabled, the Onboarding Wizard will be shown on the Admin Portal Dashboard. - A new attribute
skipSecondFactorIfUserNotExisthas been added toResourceRule. When enabled, a user that does not exist will skip second-factor authentication. - A new attribute
algorithmTypehas been added toToken. This value specified the algorithm used by the token to generate OTPs. - A new attribute
additionalUserInfohas been added toActivateSmartCredentialParms. This attribute can be used to specify additional parameters passed to the smart credential when it is encoded.
API Deprecations
The following API endpoints are deprecated and will be removed in Identity as a Service 5.14:
| Name | Operation | Replacement |
|---|---|---|
| List Unassigned Hardware Tokens | listUnassignedTokensUsingGET | unassignedTokenPageUsingPOST |
| List Assigned Hardware Tokens | listAssignedTokensUsingGET | assignedTokenPageUsingPOST |