Release 5.17

May 2021

Feature Bundles

Identity as a Service tenants are now assigned a feature bundle. The bundle determines the Identity as a Service features available to the Tenant account. See About Service Provider bundles in the Service Provider guide for more information.

Mobile Device Fingerprint

Identity as a Service now supports validation of machine authentication with Android and iOS device fingerprints.

Enhanced OTP-based authentication with the ability to choose delivery contact

Administrators can now create custom attributes to allow users to use alternate email, voice, or SMS delivery options for OTP authentication. When configured, an alternative OTP delivery attribute can be set as the default delivery method. If a user has both a default delivery contact and an alternate delivery contact, the user can click Alternative Authentication on the second-factor log in screen and choose another OTP delivery contact.

The OTP delivery options appear on the user login screen with masked values. For email addresses, the first three characters and the domain name are not masked. For example "support@entrust.com" is shown as "sup***@entrust.com". For phone numbers, the last 4 digits are not masked. For example "+12345678910" is shown as "******8910". Note that for short email addresses the actual address may be visible.

SIEM Syslog Application

SIEM integration with Identity as a Service allows audit logs to be sent to syslog through an Enterprise Service
Gateway. The Syslog SIEM application downloads audit logs from Identity as a Service into your Enterprise Service Gateway and publishes them to your on-premise SIEM syslog server.

There are two known limitations with this feature:

• the date for the audit logged with SIEM is the time that the audit was written to SIEM rather than the time the audit was generated in Identity as a Service.
• communication from the SIEM agent on the Enterprise Service Gateway to the SIEM system does not use the network proxy if it is configured for the gateway.

Unlock Rate Limitation

To keep accounts safe, Identity as a Service now only allows unlock password once within a certain period of time. Users must now wait 15 minutes between each password unlock request. A warning appears if the request is issued before the waiting period elapses.
When enabled, users receive an email notification for any password lock, unlock, or unlock attempt action on their account.

New Service Provider Roles

This release includes two new Service Provider roles:

• Users with the Customer Support Agent role can reset resource rules, unlock administrators, view usage reports, and view account entitlements.

• The API Account On-boarding role can add tenants using the administration API calls.

Changes to Administration Portal

The following enhancements have been made to the administration portal:

• The risk-based authentication (RBA) expected locations table now includes a filter option to search by country and a delete option for each row.

New SAML Integrations

New SAML application templates have been added for Asana Enterprise, Expensify, monday.com, Sumo Logic and Workfront.

Changes to Identity as a Service APIs

The following changes have been made to the authentication API:

The following attributes have been added to models in the authentication API.

• otpContactValues has been added to OTPDetails. This attribute lists the contact values that are available for delivering an OTP returned from userAuthenticateQuery.
• otpDeliveryAttribute has been added to OTPDetails. This attribute specifies the default OTP delivery attribute and is returned from userAuthenticateQuery.
• supportChoosingOtpDelivery has been added to UserAuthenticateQueryParameters. If a client supports selecting which contact value to use for delivering the OTP, this attribute should be set to true.
• otpDeliveryAttribute has been added to UserChallengeParameters. It specifies the name of the OTP contact value to use to delivery the OTP if selected by the client.

The following changes have been made to the administration API:

The version of the following administration APIs have been changed to v4. The create tenant and set entitlement APIs now require the bundle type attribute to be set which was previously ignored. The other APIs have not been changed and the versions have only changed to be consistent.

• createTenantsUsingPOST
• removeTenantUsingDELETE
• getTenantUsingGET
• getTenantsPageUsingPOST
• lockTenantUsingPUT
• unlockTenantUsingPUT
• getTenantEntitlementsUsingGET
• getTenantEntitlementUsingGET
• setTenantEntitlementUsingPUT
• getEntitlementUsageInfoUsingPOST

A new value NONE was added to the enumerated type OTPDeliveryType in OTPAuthenticatorSettings. A new version v3 was created for the APIs getOTPAuthenticatorSettingsUsingGET and updateOTPAuthenticatorSettingsUsingPUT to support the enumerated type change.

The following attributes have been added to models in the administration API to support OTP contact value changes.

• otpDefaultDeliveryAttribute has been added to OTPAuthenticatorSettings. This setting specifies the user attribute to be used to deliver the OTP when no attribute is specified.
• showOtpDeliveryContact has been added to OTPAuthenticatorSettings. This setting specifies if the value of the OTP contact value should be shown by the client.
• userExtraAttributes has been added to User and UserParms. These attributes are used to manage the extra OTP contact values for a user.
• type has been added to UserAttribute and UserAttributeParms. This attribute specifies the type of a user attribute indicating if it is phone number or email address when used as an OTP contact value.

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version and the three previous releases). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway O/S.

Browser Deprecation

In August 2021 Microsoft will no longer support Internet Explorer 11 for Office 365 (Microsoft's statement). At that time, Identity as a Service will also cease support for Internet Explorer 11.