Entrust

Release 5.19

New in this release

OAuth Resource Server API Protection via OAuth Roles

Identity as a Service now supports OAuth roles, which provide resource servers with role-based access control (RBAC). OAuth roles can be associated with resource server APIs and scopes. Users can then be associated with these OAuth roles.

A resource server API can be configured with RBAC enabled. In this case, the creation of OAuth access tokens is based on a user's OAuth roles and the scopes permitted by those roles.

An OAuth role can also extend another OAuth role to provide inheritance of scopes.

A maximum of 100 OAuth Roles and Resource Server APIs can be configured in the system.

OAuth All Scope Request Support

Identity as a Service now supports the scope value all_scopes to indicate that all the scopes supported by a resource server API are being requested.
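The following sketch models how role inheritance and an all_scopes request could combine when RBAC is enabled. It is an added example, not Entrust code or the IDaaS API: the role names, scope names, and data layout are constructed, and intersecting an all_scopes request with the scopes the user's roles permit is an assumption about the behaviour.

```python
# Illustrative model only: names and data are constructed, not Entrust's API.
ALL_SCOPES = "all_scopes"  # scope value named in the release notes

# role -> (directly permitted scopes, role it extends or None)
ROLES = {
    "reader":  ({"reports:read"}, None),
    "editor":  ({"reports:write"}, "reader"),
    "auditor": ({"audit:read"}, None),
}

# One resource server API: its supported scopes and whether RBAC is enabled.
API = {
    "scopes": {"reports:read", "reports:write", "audit:read", "admin:purge"},
    "rbac_enabled": True,
}


def role_scopes(role, roles=ROLES):
    """Scopes a role permits, following its 'extends' chain; rejects cycles."""
    seen, scopes = set(), set()
    while role is not None:
        if role in seen:
            raise ValueError(f"cyclic role inheritance at {role!r}")
        if role not in roles:
            raise KeyError(f"unknown role {role!r}")
        seen.add(role)
        own, parent = roles[role]
        scopes |= own
        role = parent
    return scopes


def granted_scopes(requested, user_roles, api=API, roles=ROLES):
    """Scopes to place in the access token for this request."""
    supported = api["scopes"]
    if ALL_SCOPES in requested:
        wanted = set(supported)            # expand to every scope the API supports
    else:
        wanted = set(requested) & supported  # drop scopes the API does not define
    if not api["rbac_enabled"]:
        return wanted
    permitted = set()
    for r in user_roles:
        permitted |= role_scopes(r, roles)
    return wanted & permitted              # never exceed what the roles permit
```

When reviewing a role configuration, the case worth checking is a user with a narrow role requesting all_scopes: the result should contain only inherited and directly permitted scopes, never the API's full scope list.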

Identity Provider Authentication

Identity as a Service now allows a customer to define OIDC Identity Providers, which can be used as an alternative way to authenticate to the IDaaS portal, SAML applications and OIDC applications. Additionally, users can be created or updated in IDaaS based on the information returned from the Identity Provider.

Soft Token SDK Customized Push Message

Identity as a Service now supports customized push notification messages for customized soft token apps that use the Entrust SDK. This feature does not apply to the Entrust Identity soft token app.

Push Notification Sound Notifications for iOS Devices

Identity as a Service now supports push notifications with sound for iOS devices.

Email Customization

Previously only accounts with a custom email server defined could fully customize emails. Now, tier one production accounts can also fully customize emails even if they are using the default email server. Trial accounts and child accounts of service providers are still restricted.

Bulk Operations

Two new bulk operations have been added. The Set Users bulk operation supports updating users. It also includes an option to create users that do not exist. The Set Grids bulk operation supports updating the state of assigned grids. Additionally, an option has been added to the Import Users bulk operation to optionally update users that already exist.

AD Connector Improvements

A new version of AD Connector is available for use with IDaaS. IDaaS has been enhanced to display more information about the AD Connector instance, including the state (active/inactive), version, and hostname.

Smart Credential Push Signature

Two new APIs have been added to the IDaaS Admin API to support smart credential push signature. Push signature allows an application to sign data using a private key on the end user’s mobile smart credential using push transactions. Access to these new APIs is controlled by a new permission "SMARTCREDENTIALSSIGNATURE".

New SAML Integration

A new SAML application template has been added for New Relic.

Changes in this release

The following changes have been made to address issues or enhance existing functionality.

  1. In 5.18 the behavior of the locked user search criteria changed. It no longer filters out users who were locked out but whose lockout has expired. However, because those users are not locked, the unlock action was not available. The unlock action is now enabled for those users.
  2. The group list dropdown in the Group Policy Edit page overlaid the title. This has been fixed.
  3. Phone entry fields in both the admin and user portal have been improved to indicate the required phone number format.
  4. The button in the Add Alias and Add Attribute dialogs in the user profile page has been renamed from Ok to Add.
  5. Text entry in the Device Fingerprint dialog did not always register. This has been fixed.
  6. The Group and Role selection when creating or editing a user in the Admin portal has been updated.
  7. When the group membership in the user profile is modified, the Save button wasn't enabled. This has been fixed.
  8. Adding and then removing a group from some group lists (for example, the user group membership) could result in the wrong group being removed.
  9. When modifying the second-factor authenticators for Password Reset Settings, the Save button wasn't enabled. This has been fixed.
  10. Exporting report files has been improved to support very large reports.
  11. The Import User bulk operation has been improved to support importing a large number of users.
  12. Issues with importing an IdentityGuard export file with names containing certain character sequences have been addressed.
  13. Issues with importing an IdentityGuard export file with non-North American phone numbers have been resolved.
  14. The IdentityGuard Import and User Delete bulk operations now generate log files that can be downloaded. A sample bulk file is now provided for the user delete bulk operation.
  15. The error message displayed by the Import User bulk operation when the administrator did not have access to the specified groups was not clear. This has been fixed.
  16. The error message displayed by the Token Assign bulk operation when the user has the maximum number of allowed tokens has been improved.
  17. An extra space included in the assigned grid export when the | separator is selected has been resolved.
  18. Cloning the super admin role resulted in a role that did not have access to administrators. This has been fixed.
  19. The Digital Ids listed for a PKIaaS CA were not sorted. This has been fixed.

Changes to Identity as a Service APIs

The following attributes have been added to models in the authentication API.

The following attributes have been added to models in the administration API.

The following models have been added to the administration API.

The following APIs have been added to the administration API.

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version and the three previous releases). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway O/S.

Browser Deprecation

In August 2021 Microsoft will no longer support Internet Explorer 11 for Office 365 (Microsoft's statement). At that time, Identity as a Service will also cease support for Internet Explorer 11.