Entrust

Release 5.20

New in this release

Custom Mail Server with OAuth

Identity as a Service now supports configuring Custom Mail Server settings using OAuth to authenticate an SMTP connection.

Set User Registration in Bulk

This feature is enhanced to allow administrators to perform two additional actions:

The header row in the CSV file contains only one column with Name as the value. Each row in the file must be an existing IDaaS group name. To Set User Registration for all users, use the system "All Users" group name with this new option.

Group Policy Registration Settings

The "Re-Register" action, which was used to force all users to re-register after changing your registration configuration, is now removed from the Registration Settings page. The same functionality can be achieved by using the new group-based Set User Registration (see above under new features).

RADIUS Application User ID Domain Processing Option

RADIUS applications include a new setting to remove the domain value from the user ID during authentication when the user ID provided by the RADIUS client is in the format "domain\username" and the IDaaS user ID is in the format "username". The latest version of the Enterprise Service Gateway is required for this feature.

OIDC Logout Redirect Capability

Identity as a Service now allows a customer to specify a redirect URI from client applications issuing an OIDC logout.

Location History UI Improvements

The user location history page has been updated. It now includes the location history expiry date and highlights the value for expired locations.

OTP Audit Improvements

The audits generated when an OTP authentication is performed have been enhanced to include the address to which the OTP was sent.

SMS OTP Enhancement

A new option has been added to the OTP settings that allows the customer to optionally include the expiry date of the OTP in the SMS message sent to the end user.

Search Users by Password Expiry

A new search option "Password Expiry" has been added to the user list search filter. This option allows an administrator to search for users whose passwords will expire in a specified time range. To search on the expiry date of AD passwords, the latest version of the Entrust Service Gateway is required. This feature is only available for Microsoft Active Directory.

Email Customization

Previously, only Tier 1 production accounts were allowed to fully customize emails when using the IDaaS EMail server. Now all production accounts are allowed to fully customize emails when using the IDaaS EMail server.

Fixed in this release

The following items have been fixed in this release.

  1. Add/Edit RBAC always has one API/URL selected.
  2. The performance of user report downloads has been improved, especially for very large reports.
  3. Attempt to clear password history for an expired password results in an error.
  4. Client Credentials Grant action goes back to user portal.
  5. Duplicate audit when assigning or unassigning a token to a user.
  6. Entrust Legacy Token assign/unassign audit missing.
  7. Generate unassigned grid cards for the first time does not refresh the list page.
  8. Error when deleting one of multiple resource rules for IntelliTrust AD FS.
  9. Pressing "Enter" should log the user in on the KBA screen.
  10. The login page displays “null” if “Show OTP Delivery Contact” is checked for the password reset auth flow.
  11. A newly added custom user attribute does not appear in the user portal.
  12. Refactoring OTP Delivery Preferences UI.
  13. Accounts with the standard feature bundle should not have the OIDC/OAuth token option for users.
  14. Unexpected horizontal scroll bar in Add/Edit custom user attribute dialog.
  15. RADIUS authentication fails when the RADIUS application is configured for external first-factor authentication and to challenge the user to select the second-factor authenticator. Upgrade to the latest version of the Enterprise Service Gateway for this fix.
  16. RADIUS authentication fails when the RADIUS application is configured for fallback from token push or smart credential push authentication. Upgrade to the latest version of the Enterprise Service Gateway for this fix.
  17. When configuring a resource rule with first factor password authentication and a second factor authenticator, IP location history for a user is not updated when using RADIUS authentication with a Citrix Netscaler client. Upgrade to the latest version of the Enterprise Service Gateway for this fix.

Changes to Identity as a Service APIs

The following attributes have been added to models in the administration API.

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version and the three previous releases). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway O/S.

Browser Deprecation

Identity as a Service no longer supports Internet Explorer 11.