Release 5.26

October 2022

New in this release

User Contact Notification

IDaaS now supports sending user notification emails when a user’s contact information has been changed.

As part of this feature, the preexisting user contact notification feature that sent a notification when the end user changed their contact and the corresponding email templates have been removed.

Entrust Service Gateway Changes

The command-line interface used to register the gateway has been removed. The browser-based UI is now the only supported interface for managing the gateway.

SAML Username Parameter

IDaaS has added support for passing the IDaaS user ID as part of a SAML authentication request using the SAML Request NameID element value. Set the SAML Username Parameter value to NameID to use this option.

SAML Session Timeout

IDaaS has added support for configuring the session timeout value for a SAML assertion. Set the SAML Session Timeout value to the timeout length in minutes. To exclude the session timeout in the SAML assertion, set the value to 0. The maximum is 720 minutes.

Enhanced Geolocation

IDaaS now provides an option to use enhanced geolocation information with more accurate locations for IP addresses and the detection of anonymous IP addresses. With this capability, tenants can configure resource rules to disallow anonymous IP addresses. Contact Entrust for details on enabling this feature.

User Onboarding

The user onboarding of Identity as a Service has been enhanced to support the mapping of groups or a role from an OIDC Identity Provider.

The following new settings have been added:

• New settings to request claims in an ID token or user information response. These settings can be used in addition to requesting claims using scopes.
• New settings for mapping groups or a role from an OIDC Identity Provider.

When configuring an OIDC Identity Provider note the following:

• Create user allows anyone with access to your chosen Identity Provider to create a user in your IDaaS account. Depending on your IDaaS configuration, new users created by your IDP could be able to access all the resources controlled by your IDaaS account. This may be a concern if your Identity Provider has no limits on who can create an account or if it has a large user base. Analyze the risks before enabling this option.
• Update user allows anyone with access to your chosen Identity Provider to update a user in your IDaaS account. Depending on your IDaaS configuration, updated users could be able to access all the resources controlled by your IDaaS account. This may be a concern if your Identity Provider has no limits on who can create an account or if it has a large user base. Analyze the risks before enabling this option.
• Group Mapping allows anyone with access to your chosen Identity Provider to have their IDaaS groups include the groups defined by the Identity Provider. Groups set the policies applied to users. Enabling this setting could result in users having access to unexpected policies, especially if your Identity Provider has different user access policies than IDaaS. Analyze the risks before configuring this option.
• Role Mapping allows anyone with access to your chosen Identity Provider to have their IDaaS account role defined by the Identity Provider, including the super administrator role that has access to all the resources controlled by your IDaaS account. Enabling this setting could result in unexpected access, especially if your Identity Provider has different user access policies than IDaaS. Analyze the risks before configuring this option.

Consumer Bundle Enhancement

Identity Provider capability is now supported for Consumer tenants.

Token Push Notification Authentication

Entrust Soft Token push notification authentication now supports mutual authentication.

YubiKey PIV Smart Cards

IDaaS now supports encoding smart credentials to YubiKey PIV Smart Cards.

To encode YubiKey smart cards, you must use Entrust Entelligence Security Provider for Windows version 10.0.91 build 30 or newer.

Token Labels

A label can now be set for assigned tokens. The label can be used by an administrator or the end user to give a meaningful label to the token.

Group Bulk Delete

A new group delete bulk operation has been added.

Directory Sync Enhancements

The following enhancements have been made to directory sync.

• When specifying group filters, a value with a value followed by a * (for example, Gr*) will match all groups that start with the specified value.
• When configuring directory sync an optional user unique attribute can be specified. If defined, the value specifies the name of the directory attribute that contains the directory entry unique id.

Documentation Enhancements

The integration documentation have been removed from the administration guide and are now in a separate Technical Integration Guide.

Admin/User Portal Improvements

The following improvements have been made to the portal.

• A link from user audits to the user profile has been added.
• The Smart Credential Details dialog has been refactored.
• A customized logo is now centered.
• All applications now appear on the User My Applications page.
• Validation on the Identity Provider configuration page has been improved.

New SAML Applications

A new SAML application template has been added for Zuora

Fixed in this release

The following issues have been fixed in this release:

1. Characters in userIDs or aliases that differ just by an accent character (for example, o and ö) should be treated as the same character, but they were not. This lead to unexpected errors when creating or synchronizing users. (29200, 28365, 29424)
2. When configuring Identity Providers, the JWKS URI value should be made mandatory for IDPs that require it. (28958)
3. The setting "Allow Facial Authentication" in Smart Credential Settings has been renamed to "Allow Biometric Authentication". (27006)
4. Expired grids should not be considered as a second-factor authenticator for registration. (28324)
5. Fixed an issue delivering push notification to iOS applications using the custom SDK. (27004)
6. The logging for the IdentityGuard import bulk operation has been improved. (27944)
7. The password reset dialog did not display the error returned when the password was not reset because the password was reused. (28729)
8. When creating a tenant from a Service Provider, the specified user count is now validated before the request is submitted. (28925)
9. The resource rule for an Entrust Desktop Credential Provider now allows the risk rule to be specified with no second-factor authenticator. (29094)
10. When viewing an Identity Provider as an Auditor, some fields were read/write even though the changes could not be saved. All fields should be read-only. (28864)
11. Modifying user location history was not allowed as a Help Desk administrator. The UI was checking for the wrong permission. (29485)
12. Error fetching second-factor challenge for users that do not have OTP authentication available. (29255, 29300)
13. Error submitting image for ID Proofing. (29306)
14. The maximum number of user location history entries has been increased from 10 to 30. (28514)
15. When specifying custom OAuth authorization scopes, the value did not allow the characters y or z or entrust. (28736)
16. The directory sync agent could block reading from the directory. This would cause the directory to become unresponsive without failing over to another instance. (29511)
17. When sending transaction details, the default transaction priority is now 9 instead of 0. (27979)
18. On the Customization page in the Admin portal, the Reset operation changed the language from EN to ES. (28801)
19. When getting a CA issued certificate for a SAML application, the CSR response was not accepted. (28264)
20. Address various issues in the Admin portal where an action was shown even though the administrator did not have permission to perform the action and the action failed when submitted. (28899, 28909, 28724)
21. Various audit improvements for actions, including IDP create/update and Admin API related actions. (28148, 27924, 28726)
22. The ability to create/update users when Facebook is used as an Identity Provider is now allowed. (28939)
23. Fixed an issue preventing the soft token activation lifetime from being modified. (29207)
24. Fixed an issue where the registration password is not returned when activating a soft token. (28738)
25. Fixed an issue where multiple SAML applications required authentication even though SSO was enabled. (29253)
26. Fixed an issue where the user entitlement count became out of sync with the actual number of users. (29161)
27. Identity Providers have been enhanced. When using an IDP, in addition to requesting scopes, a request can now also include id token claim names and userinfo token claim names. (28904)
28. Identity Provider authentication now works with SAML IDP initiated authentication. (28420)
29. Fixed an issue preventing creation of Mobile SDK per group policies. (28901)
30. Admins can view the user's authenticators without requiring password permissions. (29188)
31. Temporary Access Code settings now display an error for Alphabet when Replace Similar Characters is checked and duplicate characters are present. (28327)
32. Maximum Uses for Temporary Access Code is now added to a user's authenticators filter. (28328)
33. For a Twitter Identity Provider, the user related fields are no longer shown since they are not used. (28917)
34. For an OIDC Generic Device application, validation of the usercode mask in the UI has been improved. (28900)

Changes to Identity as a Service APIs

The following attributes have been added to models in the authentication API.

• tokenPushMutualChallengeEnabled has been added to UserChallengeParameters. This attribute is used to indicate whether the token push notification authentication has mutual challenge enabled.
• tokenPushMutualChallenge has been added to AuthenticatedResponse. This attribute is the value of the token push notification authentication mutual challenge.
• applicationInfo has been added to UserAuthenticateParameters. This attribute specifies a value that is included in the authentication audit.

The following methods have been added to the administration API.

• getSubscriberAccountActiveEntitlementsUsingGET. This method returns AccountEntitlement specifying information about the entitlements defined for the account.
• getPasswordResetSettingsUsingGET. This method returns PasswordResetSettings specifying password reset settings.
• updatePasswordResetSettingsUsingPUT. This method takes PasswordResetSettings as an argument and updates the existing password reset settings.
• modifyAssignedTokenUsingPUT. This method takes AssignedTokenParms as an argument and updates attributes of an assigned token.

The method usersPagedUsingPOST has been replaced with a new V4 version. The new version limits the attributes that are returned by default.

The following attributes have been added to models in the administration API.

• verificationRequired has been added to AuthApiApplication. This attribute indicates if verification is required for the specified user.
• verificationRequired has been added to AuthApiApplictionParms. This attribute indicates whether verification should be required for the specified user.
• mutualChallengeAlphabet has been added to EntrustSTAuthenticatorSettings. This attribute is the characters used for the mutual challenge in the token push notification authentication.
• mutualChallengeLength has been added to EntrustSTAuthenticatorSettings. This attribute is the length of the mutual challenge in the token push notification authentication.
• mutualChallengeEnabled has been added to EntrustSTAuthenticatorSettings. This attribute is used to indicate whether the token push notification authentication has mutual challenge enabled.
• mutualChallengeForPercentOfRequests has been added to EntrustSTAuthenticatorSettings. This attribute is the percentage of requests that will have mutual challenge enabled.
• mutualChallengeSize has been added to EntrustSTAuthenticatorSettings. This attribute is the size of the mutual challenge in the token push notification authentication.
• mobile has been added to ActivateSmartCredentialParms. This attribute allows the client to specify whether a mobile or physical smart credential is being activated so that the activation email can be set accordingly.
• userUniqueIDAttribute has been added to DirectorySync. This attribute specifies an optional LDAP attribute that will contain the UUID of the user in the directory.
• additionalFeatures has been added to Entitlement. This attribute specifies additional features enabled for the account.
• anonymousAllowed has been added to LocationContext. This attribute specifies whether anonymous IP addresses are allowed by a resource rule.
• label has been added to Token. This attribute specifies an optional label that can be defined for an assigned token.
• acasEndpoint, ozoneEndpoint, and usPassliveEndpoint have been added to IdProofingInitResult. These attributes are additional attributes returned to an ID Proofing client.

Enterprise Service Gateway Upgrade Issue

There is a bug in the 5.25 version of ESG that prevents it from upgrading. There are two ways of resolving this issue.

1. Instead of upgrading your existing ESG instance, you can create a new 5.26 ESG instance and delete your existing instance.

2. Before you upgrade your 5.25 ESG instance, log in to the ESG instance and run the following commands:

   • sudo sh -c 'rm -rf /usr/lib/python2.7/site-packages/certifi* /usr/lib/python2.7/site-packages/requests* /usr/lib/python2.7/site-packages/pam* /usr/lib/python2.7/site-packages/python_pam*'
   • sudo sh -c 'pip install python-pam==1.8.4 "requests<2.28" "certifi<=2020.4.5.1"'

   These commands can be run at any time prior to upgrading the ESG instance.

This issue only applies to the 5.25 version of ESG. There are no issues if you are upgrading from an earlier version of ESG.

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.26 and the three previous releases 5.23, 5.24 and 5.25). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway O/S.

Browser Deprecation

Microsoft no longer supports Internet Explorer 11. Identity as a Service will cease support for Internet Explorer 11 after May 2023.