Entrust

Release 5.22

New in this release

Offline QR Code Transaction Verification

IDaaS now supports offline transaction verification using Authentication API applications with the Entrust Identity soft token app when a client application submits transaction details.

Identity Provider Integrations

The following Identity Provider integrations are available.

Identity Provider Enhancements

The following Identity Provider enhancements are available:

  1. When configuring an Identity Provider, the userinfo endpoint is now optional. The claims used for authentication are based strictly on an ID token.
  2. When configuring an Identity Provider, the configured groups are only associated with a user if a user is created at the time of the authentication. If a user already exists, the user's current group associations are not reset.
  3. When configuring an Identity Provider, a new OIDC max age setting has been added.
  4. When configuring an Identity Provider, a new OIDC authentication method request values setting has been added.
  5. During an Identity Provider login from an OIDC client application, a Go Back button is now available on the login page. This allows a user to return to the OIDC client application without logging in.
  6. During an Identity Provider login, the name of the Identity Provider is now included in the create user and modify user audits.
  7. During an Identity Provider login, any errors during this processing now allow the user to continue and select a different type of authentication if they choose.
  8. During an Identity Provider login, if a mapped IDaaS attribute has no value in the incoming claim but the IDaaS attribute already has a value, the existing value is kept as is.

OIDC/SAML Authentication Improvements

When a user is authenticating in IDaaS for OIDC or SAML, there is now a Go Back button on the login page. Pressing this button will return the user to the originating client.

When a user is reauthenticating and the existing login session has expired, the userId field will be prepopulated with the userId of the expired session.

Include Grid Expiry Date in Challenge

Select Include Grid Expiry in Challenge to display the grid expiry message. When authenticating with a grid card, a message appears on the authentication challenge page indicating the expiry date of the grid card.

Password Reset OTP Restrictions

Select Allow Email OTP delivery to send an OTP to a user's email address.

Note: This setting appears only if you select One Time Password as a second-factor allowed for password reset.

OTP Delivery Now Asynchronous

Previously, authentication challenge requests were blocked while delivering an OTP using SMS or Email. Now the challenge returns without waiting for the OTP to be delivered. This provides faster response time to the client. If delivery fails, an audit is generated.

Fixed in this release

The following issues have been fixed in this release.

  1. Previously, if you configured and tested the connection for the Enterprise Gateway Proxy without authentication values for username and password and then attempted to retest the connection, it threw an "Unable to connect to proxy server" error. (27172)

  2. Clicking Back on the alternative authentication page no longer unexpectedly returns you to the username screen when only one type of OTP delivery is configured. (26419)

  3. When a Group Policy included Machine Authenticator settings that required a device fingerprint, users failed to authenticate or view authenticators in the User Portal.

  4. After restarting the Safari browser, the list of available Identity Providers displays correctly. Previously, if an IDaaS session existed before the Safari restart, the list of available Identity Providers did not display. (27169)

  5. Some overridden machine authenticator settings in a group policy were ignored and the default settings were used instead. This has been fixed. (27320)

  6. Group policy setting categories now display in sorted order. (27230)

  7. Contact names shown on the OTP Settings page now display in sorted order. (25942)

  8. Some smart credential options were still present in the admin portal for accounts with a Standard or PLUS bundle that do not support smart credentials. These options have been removed. (27146)

  9. Permissions for actions that are not supported in accounts with a Standard or PLUS bundle no longer appear in the Role dialog. (26388)

  10. Email templates for a Trial account with a customer email server can now be customized. (26859)

  11. The list of applications shown in the Identity Provider dialog no longer includes OIDC Generic Server applications. They do not support user authentication. (26140)

  12. The Delete Attribute dialogs for the My Profile page have been improved so that the name of the attribute being deleted always displays. (25923)

  13. The Expire Time search criterion for Audit Archives has been changed so that it offers date options in the future. (27048)

  14. None has been removed as an option for the Date search criterion in the Audit list. (27025)

  15. The Password Expiry search criterion in the User list did not show the correct value in the chip for some custom values. (26796)

  16. The SIEM agent on the Enterprise Service Gateway has been modified to better handle a large backlog of audit records. (27189)

Changes to Identity as a Service APIs

The following models have been added to the Authentication API:

The following changes have been made to existing models in the Authentication API.

The following methods have been added to the Administration API:

The following models have been added to the Administration API:

Microsoft Internet Explorer 11 Deprecation Reversed

In previous releases, Entrust announced that IDaaS would no longer support Microsoft IE 11 starting in August 2021. This decision has been reversed and IDaaS will continue supporting IE11 until further notice. Entrust recommends that customers switch to other browsers.

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.22 and the three previous releases 5.19, 5.20 and 5.21). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway O/S.