Release 5.23

February 2022

New in this release

Domain Controller Certificate Management

Identity as a Service now allows a customer to issue and domain controller certificates when using a PKIaaS CA.

Reset Mail Server

A new "Reset Mail Server" action has been added to the tenant list of service providers. This action allows a service provider to reset the Mail Server configuration of a tenant back to the default IDaaS mail server.

Temporary Access Code Admin. Contact Message

A message telling the end user to contact their administrator to receive their temporary access code can now be enabled in the Temporary Access Code policy. When enabled, a message displays on the Temporary Access Code login page during authentication.

SAML Application Improvements

The following improvements have been made to SAML applications:

• A new action "IDP initiated URLs" has been added to the SAML application list. This action lists the URLs for the SAML application and all of the defined relays states. It also provides an option for the administrator export them.
• On the application setup page there is now an Enable/Disable option for each relay state. Disabled relay states do not appear on the user's available application page.
• When exporting SAML metadata, there is now an option to specify the lifetime of the metadata.
• When defining attribute values for SAML applications, regular expressions can now be defined to filter values or to parse out a portion of the value. IDaaS Support user attribute manipulation before sending back the value for SAML applications.

Enterprise Service Gateway CA Gateway and Microsoft Certificate Authority Proxy Upgrades

The Enterprise Service Gateway CA Gateway Service and the Microsoft Certificate Authority (CA) Proxy have both been upgraded to versions 2.5.2. If you are using a Microsoft CA with Smart Credentials, you should upgrade the Microsoft Proxy to 2.5.2 and the Enterprise Service Gateway to 5.23.

See the Administration Guide for complete details on how to upgrade your Microsoft CA Proxy.

• Admin Guide

OIDC/OAuth Device Code Application Support

Identity as a Service now supports OIDC/OAuth device code flow applications.

The following OIDC/OAuth endpoint has been added for a client application to initiate the device code flow:

• /api/oidc/devicecode

New SAML Integrations

A new SAML application template has been added for ADP.

Fixed in this release

The following issues have been fixed in this release.

1. The SIEM agent on the gateway has been enhanced to better handle a large backlog of audits. (27189)
2. The SIEM agent on the gateway now includes modified attributes in the information logged to the SIEM. (27812)
3. A new password specified in the authentication API was ignored unless the current password was expired or set by an administrator for forced update. Now the password can be changed at any time as long as the minimum lifetime of the existing password has passed. (27333)
4. Group filtering in the Directory sync agent on the gateway did not work in some situations due to a case mismatch between the group names defined in the filter and the group names defined in the directory. (27400)
5. The Update KBA Questions dialog in the Admin portal has been refreshed. The old table layout has been replaced with new UI components. (27180)
6. The full name appears in the email notification when a user updates their contact information. (26901)
7. Country flags have been added next to the user's delivery contact information. (27078)
8. Help Desk Administrators are now able to unlock individual accounts. (27560)
9. Users are no longer redirected to My Profile page when refreshing on the following pages: Authorization, Identity Providers, and IP Lists. (27488)

Changes to Identity as a Service APIs

The following models have been added to the Authentication API:

• TempAccessCodeChallenge includes information about a temporary access code, including a flag indicating if the admin. contact message should be displayed.

The following changes have been made to existing models in the Authentication API.

• tempAccessCodeChallenge has been added to AuthenticatedResponse. This value is an instance of TempAccessCodeChallenge and is populated for the response to a temporary access code challenge.

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.23 and the three previous releases 5.20, 5.21 and 5.22). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway O/S.