Release 5.25

June 2022

New in this release

Identity Provider Improvements

The following improvement has been made to Identity Providers:

• A new option has been added to require signature verification for responses to requests for user information.

SAML Username Parameter

IDaaS now supports optionally passing the IDaaS user ID as part of a SAML authentication request. The value can be passed as a configured parameter, for example "Username=jdoe".

IDP Social Login

Identity Providers in IDaaS now allows you to configure an Identity Provider with a type which prefills the well-known values. IDaaS also supports Facebook and Twitter as identity providers for you to authenticate now.

User Verification

Identity as a Service has been enhanced to support user verification before the user is allowed to access the IDaaS portal and other applications or register for authenticators. User verification is done by invoking an OIDC Identity Provider.

New settings for user verification have been added to the Registration Settings and Group Policy Settings pages.

A new Set Verification bulk operations for setting user verification for a user has been added to allow administrators to perform two additional actions:

• Upload a group file and require user verification in bulk
• Upload a group file and set user verification to not required in bulk

The header row in the CSV file contains only one column with Name as the value. Each row in the file must be an existing IDaaS group name. To Set User Verification for all users, use the system "All Users" group name with this new option.

Fixed in this release

The following issues have been fixed in this release.

1. Phone numbers from some countries were erroneously being rejected as invalid. (28841)
2. Issues with the regular expressions used to match attributes to be returned in SAML assertions have been fixed (28404)
3. The OTP expiry date is included in the information returned by the admin API createOTP and getOTP methods. (28332, 28289)
4. When synchronizing users from Azure AD, group names are now checked case insensitively. (28268)
5. Password authenticators for users synchronized from Azure AD were not being displayed with a proper state. (28296, 28251, 28248)
6. The authenticator filter on the user list page was showing some Token type values that were not applicable. These have been removed. (28255)
7. When the unassigned token list is refreshed, the group filter was not correctly applied. (28211)
8. Filters for the authenticator list in the user portal are now sorted by localized language. (28316)
9. The Loading... text for the authenticator list in the user portal is now localized. (28208)
10. The delete action in the assigned token list is now correctly labelled as Delete instead of delete. (28302)
11. For the assigned token list, when sorting or filtering on last used date, tokens that have a last used date of Never are now handled correctly. (28177)
12. When the message of the day is saved, unsupported HTML tags like script are automatically removed. Now, the version displayed on the customization page in the admin portal is now updated with the saved value. (27848)
13. Some of the wording on the Enroll Domain Controller Certificate dialog has been improved. (28199)
14. The audit for the Enroll Domain Controller Certificate action now includes the serial number of the certificate. (28184)
15. The option to use TCP for logging audits using the SIEM Agent in the gateway was being ignored. (28112)
16. An option to delete questions/answers from the user's knowledge-based authenticator has been added to the user portal. (28058)
17. A better error message is displayed for OAuth Device Verification if the session has expired. (27671)
18. Improved handling on the Identity Provider Add/Edit pages in the admin portal if the administrator does not have permission to list applications. (28326)

Changes to Identity as a Service APIs

The following changes have been made to the authentication API:

The following attributes have been added to models in the authentication API.

• the attribute verificationRequired has been added to UserAuthenticateQueryResponse. This attribute indicates if verification is required for the specified user.
• the attribute userVerificationRequired has been added to AuthenticatedResponse. This attribute indicates if verification is required for the specified user.

The following changes have been made to the administration API:

The following attributes have been added to models in the administration API.

• the attribute verificationEnabled has been added to User. This attribute indicates if verification is enabled for the specified user.
• the attribute verificationRequired has been added to User. This attribute indicates if verification is required for the specified user.
• the attribute emailVerification has been added to UserParms. This attribute indicates that an email should be sent to the user if the specified user is being updated to be verified and requires verification.
• the attribute verificationRequired has been added to UserParms. This attribute indicates if the specified user should be updated to be verified.
• the attribute otpExpiryDate has been added to OTP. This attribute specifies the expiry date of the OTP.

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.25 and the three previous releases 5.22, 5.23 and 5.24). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway O/S.