Release 5.17
Feature Bundles
Identity as a Service tenants are now assigned a feature bundle. The bundle determines the Identity as a Service features available to the Tenant account. See About Service Provider bundles in the Service Provider guide for more information.
Mobile Device Fingerprint
Identity as a Service now supports validation of machine authentication with Android and iOS device fingerprints.
Enhanced OTP-based authentication with the ability to choose delivery contact
Administrators can now create custom attributes to allow users to use alternate email, voice, or SMS delivery options for OTP authentication. When configured, an alternative OTP delivery attribute can be set as the default delivery method. If a user has both a default delivery contact and an alternate delivery contact, the user can click Alternative Authentication on the second-factor login screen and choose another OTP delivery contact.
The OTP delivery options appear on the user login screen with masked values. For email addresses, the first three characters and the domain name are not masked. For example, "support@entrust.com" is shown as "sup***@entrust.com". For phone numbers, the last 4 digits are not masked. For example, "+12345678910" is shown as "******8910". Note that for short email addresses, the actual address may be visible.
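The masking rule above, and the short-address case it warns about, can be reproduced to audit which OTP contact values would appear unmasked on the login screen. This is an added example, not Entrust code: the function names and the fixed-width masks ("***" and "******") are assumptions chosen to match the two examples in this note.

```python
import re

EMAIL_PREFIX = 3  # release note: first three characters of an email stay visible
PHONE_SUFFIX = 4  # release note: last 4 digits of a phone number stay visible


def mask_email(address: str) -> str:
    """Mask the local part after its first three characters; keep the domain."""
    local, sep, domain = address.rpartition("@")
    if not (sep and local and domain):
        raise ValueError(f"not an email address: {address!r}")
    # Assumption: a fixed "***" mask, as in the release note's example.
    return f"{local[:EMAIL_PREFIX]}***@{domain}"


def mask_phone(number: str) -> str:
    """Mask everything except the last four digits."""
    digits = re.sub(r"\D", "", number)
    if not digits:
        raise ValueError(f"no digits in phone number: {number!r}")
    # Assumption: a fixed "******" mask, as in the release note's example.
    return "******" + digits[-PHONE_SUFFIX:]


def fully_exposed(contact: str) -> bool:
    """True when the masked form still shows every character of the
    local part (email) or every digit (phone)."""
    if "@" in contact:
        return len(contact.rpartition("@")[0]) <= EMAIL_PREFIX
    return len(re.sub(r"\D", "", contact)) <= PHONE_SUFFIX


def audit(contacts):
    """Return (contact, masked form, exposed?) for each OTP contact value."""
    rows = []
    for c in contacts:
        masked = mask_email(c) if "@" in c else mask_phone(c)
        rows.append((c, masked, fully_exposed(c)))
    return rows


# Constructed sample contacts; the first two are the release note's examples.
SAMPLE = ["support@entrust.com", "+12345678910", "jo@example.com", "it@example.org"]

if __name__ == "__main__":
    for contact, masked, exposed in audit(SAMPLE):
        print(f"{masked:<22} {'EXPOSED' if exposed else 'ok'}")
```

Contacts flagged as exposed are candidates for leaving out of the alternate delivery attributes, since the login screen would display them in full.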
SIEM Syslog Application
SIEM integration with Identity as a Service allows audit logs to be sent to syslog through an Enterprise Service Gateway. The Syslog SIEM application downloads audit logs from Identity as a Service into your Enterprise Service Gateway and publishes them to your on-premise SIEM syslog server.
There are two known limitations with this feature:
- The date for an audit logged with SIEM is the time that the audit was written to SIEM rather than the time the audit was generated in Identity as a Service.
- Communication from the SIEM agent on the Enterprise Service Gateway to the SIEM system does not use the network proxy, even if one is configured for the gateway.
Unlock Rate Limitation
To keep accounts safe, Identity as a Service now allows only one password unlock request within a set period of time. Users must now wait 15 minutes between password unlock requests. A warning appears if a request is issued before the waiting period elapses.
When enabled, users receive an email notification for any password lock, unlock, or unlock attempt action on their account.
New Service Provider Roles
This release includes two new Service Provider roles:
- Users with the Customer Support Agent role can reset resource rules, unlock administrators, view usage reports, and view account entitlements.
- The API Account On-boarding role can add tenants using the administration API calls.
Changes to Administration Portal
The following enhancements have been made to the administration portal:
- The risk-based authentication (RBA) expected locations table now includes a filter option to search by country and a delete option for each row.
New SAML Integrations
New SAML application templates have been added for Asana Enterprise, Expensify, monday.com, Sumo Logic and Workfront.
Changes to Identity as a Service APIs
The following changes have been made to the authentication API:
The following attributes have been added to models in the authentication API:
- otpContactValues has been added to OTPDetails. This attribute lists the contact values that are available for delivering an OTP returned from userAuthenticateQuery.
- otpDeliveryAttribute has been added to OTPDetails. This attribute specifies the default OTP delivery attribute and is returned from userAuthenticateQuery.
- supportChoosingOtpDelivery has been added to UserAuthenticateQueryParameters. If a client supports selecting which contact value to use for delivering the OTP, this attribute should be set to true.
- otpDeliveryAttribute has been added to UserChallengeParameters. It specifies the name of the OTP contact value to use to deliver the OTP if selected by the client.
The following changes have been made to the administration API:
The versions of the following administration APIs have been changed to v4. The create tenant and set entitlement APIs now require the bundle type attribute to be set; it was previously ignored. The other APIs have not been changed, and their versions have changed only for consistency.
- createTenantsUsingPOST
- removeTenantUsingDELETE
- getTenantUsingGET
- getTenantsPageUsingPOST
- lockTenantUsingPUT
- unlockTenantUsingPUT
- getTenantEntitlementsUsingGET
- getTenantEntitlementUsingGET
- setTenantEntitlementUsingPUT
- getEntitlementUsageInfoUsingPOST
A new value NONE was added to the enumerated type OTPDeliveryType in OTPAuthenticatorSettings. A new version v3 was created for the APIs getOTPAuthenticatorSettingsUsingGET and updateOTPAuthenticatorSettingsUsingPUT to support the enumerated type change.
The following attributes have been added to models in the administration API to support OTP contact value changes:
- otpDefaultDeliveryAttribute has been added to OTPAuthenticatorSettings. This setting specifies the user attribute to be used to deliver the OTP when no attribute is specified.
- showOtpDeliveryContact has been added to OTPAuthenticatorSettings. This setting specifies if the value of the OTP contact value should be shown by the client.
- userExtraAttributes has been added to User and UserParms. These attributes are used to manage the extra OTP contact values for a user.
- type has been added to UserAttribute and UserAttributeParms. This attribute specifies the type of a user attribute, indicating if it is a phone number or an email address when used as an OTP contact value.
Enterprise Service Gateway Deprecation
Entrust will only support the last four releases of the Enterprise Service Gateway (the current version and the three previous releases). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway O/S.
Browser Deprecation
In August 2021 Microsoft will no longer support Internet Explorer 11 for Office 365 (Microsoft's statement). At that time, Identity as a Service will also cease support for Internet Explorer 11.