Release 5.16

April 2021

Support PKI as a Service (PKIaaS)

Entrust now provides a new PKI as a Service (PKIaaS) capability as described here. For Identity as a Service customers who have purchased the Smart Login capability, they now have the option to use PKI as a Service as the CA used to issue certificates to their smart credentials. A PKI as a Service CA can be provisioned and managed from Identity as a Service without additional setup as is required for the other CAs supported by Identity as a Service.

OAuth Resource Server API Protection

Identity as a Service now supports OAuth (OAuth 2.0 and 2.1) Resource Server API protection. Resource Server APIs and associated scopes can be defined and used with various OAuth use cases, including Authorization Code and Client Credentials grants to issue OAuth access tokens. The existing OpenID Connect (OIDC) applications are now classified as either Web, Single-Page App (SPA), or Server applications. These applications can now also be used with OAuth. Additionally, refresh tokens can now be issued with both OIDC and OAuth access tokens. Refresh tokens can also be revoked.

The following OIDC/OAuth endpoints are deprecated. They will be removed in a future Identity as a Service release. They are replaced with the corresponding endpoints.

• /api/oidc/OIDC/authorize -> /api/oidc/authorize
• /api/oidc/OIDC/token -> /api/oidc/token
• /api/oidc/OIDC/userinfo -> /api/oidc/userinfo
• /api/oidc/OIDC/error -> /api/oidc/errors
• /api/oidc/OIDC/logout -> /api/oidc/endsession

OIDC Grant Type Deprecation

The Implicit grant type has security implications. It will not be supported with OAuth application flows. It is currently supported with OpenID Connect (OIDC) but is deprecated. It will be removed in a future Identity as a Service release. Applications using the Implicit grant type should use the Authorization Code grant type with Proof Key for Code Exchange (PKCE) instead.

Support for Entrust Mobile Soft Token Transaction Queueing

Entrust Identity as a Service can now be configured to allow Mobile Soft Token transactions to be queued. Previously, if a transaction was not confirmed before another one was received, the first transaction would be overwritten. Additionally, transactions may now be prioritized as well.

New SAML Integrations and Rebranding

New SAML application templates have been added for Awardco, Citrix Workspace, Datadog, KnowBe4, Smartsheet and Zoho One. CitrixOnline has been rebranded as LogMeIn GoTo Apps and G Suite has been rebranded as Google Workspace.

SMS OTP Message Changed

The format of the SMS OTP Message has changed from

12345678 is your Entrust Identity as a Service OTP.

to

Your Entrust Identity as a Service OTP is 12345678.

The service name (Entrust Identity as a Service) can be customized.

Changes to Administration Portal

The following enhancements have been made to the administration portal:

• for service providers, the last super admin user in the account can no longer be deleted
• when an administrator creates a password for a user, "Change is required on first use" is now checked by default.
• the Unassign action is now available for hardware tokens listed in a user's authenticators list. Previously, Unassign was only available from the Assigned Tokens list.

Changes to IdentityGuard Agent

The IdentityGuard Agent in the 5.16 gateway has been changed as follows:

• Improved interoperability with IdentityGuard clients performing token push authentication when fallback to token authentication is required.
• Support for TLS versions 1.0 and 1.1 has been removed.
• Support for the TLS ciphers TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, and SSL_RSA_WITH_3DES_EDE_CBC_SHA that don't support perfect forward secrecy have been removed.

Service Provider Expired Trial Account Removal

Expired Trial accounts are automatically locked and they can no longer be accessed by tenants. Identity as a Service has a new daily process that scans these accounts and performs the following actions:

• Removes Trial accounts that are locked and that have been expired for 180 days. No recovery is possible when this happens.
• Sends an email with the list of accounts that have been removed or that will be removed shortly. Notifications are sent 14 and 7 days before removal. Note that this requires that the service provider account has notifications enabled (see Settings > Notifications).

Changes to Identity as a Service APIs

The following changes have been made to the authentication API:

• a new attribute priority has been added to the UserChallengeParameters. This attribute can be used to specify the priority of a push transaction.

The following APIs have been added to the administration API. These APIs are currently only supported for certificates associated with smart credentials issued from a PKIaaS CA.

• exportCertificateUsingGET. This API exports a certificate associated with a smart credential.
• holdCertificateUsingPUT. Put a certificate associated with a smart credential on hold.
• revokeCertificateUsingPUT. Revoke a certificate associated with a smart credential.
• unholdCertificateUsingPUT. Remove a certificate associated with a smart credential from hold.

The following APIs have been modified in the administration API.

• a new boolean attribute revocationInfo has been added to the API getSmartCredentialUsingGET. If specified as true, the current revocation status of all the certificates associated with the smart credential being fetched is retrieved from the CA. If the attribute is not specified, it defaults to false. This attribute is only supported for smart credentials issued from a PKIaaS CA.

The following attributes have been added to models in the administration API.

• digitalIdType has been added to DigitalIdCert. This value specifies whether the certificate is associated with the PIV Card Holder or PIV Card Digital ID of the smart credential.
• pivContainer has been added to DigitalIdCert. This value specifies the name of the PIV Container on the Smart Credential in which this certificate (and its private key) is stored.
• status has been added to DigitalIdCert. This value specifies the revocation status of the certificate if retrieved from the CA. Currently this value is only supported for certificates issued from a PKIaaS CA.
• maxNumberOfPushTransactionsQueued has been added to GeneralSettings. This value specifies the maximum number of push transactions that can be queued.
• pushTransactionLifetime has been added to GeneralSettings. This value specifies the lifetime of a push transaction.

Browser Deprecation

In August 2021 Microsoft will no longer support Internet Explorer 11 for Office 365 (Microsoft's statement). At that time, Identity as a Service will also cease support for Internet Explorer 11.