Release 5.26

New in this release

User Contact Notification

IDaaS now supports sending user notification emails when a user’s contact information has been changed.

As part of this feature, the preexisting user contact notification feature that sent a notification when the end user changed their contact and the corresponding email templates have been removed.

Entrust Service Gateway Changes

The command-line interface used to register the gateway has been removed. The browser-based UI is now the only supported interface for managing the gateway.

SAML Username Parameter

IDaaS has added support for passing the IDaaS user ID as part of a SAML authentication request using the SAML Request NameID element value. Set the SAML Username Parameter value to NameID to use this option.

SAML Session Timeout

IDaaS has added support for configuring the session timeout value for a SAML assertion. Set the SAML Session Timeout value to the timeout length in minutes. To exclude the session timeout in the SAML assertion, set the value to 0. The maximum is 720 minutes.

Enhanced Geolocation

IDaaS now provides an option to use enhanced geolocation information with more accurate locations for IP addresses and the detection of anonymous IP addresses. With this capability, tenants can configure resource rules to disallow anonymous IP addresses. Contact Entrust for details on enabling this feature.

User Onboarding

The user onboarding of Identity as a Service has been enhanced to support the mapping of groups or a role from an OIDC Identity Provider.

The following new settings have been added:

When configuring an OIDC Identity Provider note the following:

Consumer Bundle Enhancement

Identity Provider capability is now supported for Consumer tenants.

Token Push Notification Authentication

Entrust Soft Token push notification authentication now supports mutual authentication.

YubiKey PIV Smart Cards

IDaaS now supports encoding smart credentials to YubiKey PIV Smart Cards.

To encode YubiKey smart cards, you must use Entrust Entelligence Security Provider for Windows version 10.0.91 build 30 or newer.

Token Labels

A label can now be set for assigned tokens. The label can be used by an administrator or the end user to give a meaningful label to the token.

Group Bulk Delete

A new group delete bulk operation has been added.

Directory Sync Enhancements

The following enhancements have been made to directory sync.

Documentation Enhancements

The integration documentation have been removed from the administration guide and are now in a separate Technical Integration Guide.

Admin/User Portal Improvements

The following improvements have been made to the portal.

New SAML Applications

A new SAML application template has been added for Zuora

Fixed in this release

The following issues have been fixed in this release:

  1. Characters in userIDs or aliases that differ just by an accent character (for example, o and ö) should be treated as the same character, but they were not. This lead to unexpected errors when creating or synchronizing users. (29200, 28365, 29424)
  2. When configuring Identity Providers, the JWKS URI value should be made mandatory for IDPs that require it. (28958)
  3. The setting "Allow Facial Authentication" in Smart Credential Settings has been renamed to "Allow Biometric Authentication". (27006)
  4. Expired grids should not be considered as a second-factor authenticator for registration. (28324)
  5. Fixed an issue delivering push notification to iOS applications using the custom SDK. (27004)
  6. The logging for the IdentityGuard import bulk operation has been improved. (27944)
  7. The password reset dialog did not display the error returned when the password was not reset because the password was reused. (28729)
  8. When creating a tenant from a Service Provider, the specified user count is now validated before the request is submitted. (28925)
  9. The resource rule for an Entrust Desktop Credential Provider now allows the risk rule to be specified with no second-factor authenticator. (29094)
  10. When viewing an Identity Provider as an Auditor, some fields were read/write even though the changes could not be saved. All fields should be read-only. (28864)
  11. Modifying user location history was not allowed as a Help Desk administrator. The UI was checking for the wrong permission. (29485)
  12. Error fetching second-factor challenge for users that do not have OTP authentication available. (29255, 29300)
  13. Error submitting image for ID Proofing. (29306)
  14. The maximum number of user location history entries has been increased from 10 to 30. (28514)
  15. When specifying custom OAuth authorization scopes, the value did not allow the characters y or z or entrust. (28736)
  16. The directory sync agent could block reading from the directory. This would cause the directory to become unresponsive without failing over to another instance. (29511)
  17. When sending transaction details, the default transaction priority is now 9 instead of 0. (27979)
  18. On the Customization page in the Admin portal, the Reset operation changed the language from EN to ES. (28801)
  19. When getting a CA issued certificate for a SAML application, the CSR response was not accepted. (28264)
  20. Address various issues in the Admin portal where an action was shown even though the administrator did not have permission to perform the action and the action failed when submitted. (28899, 28909, 28724)
  21. Various audit improvements for actions, including IDP create/update and Admin API related actions. (28148, 27924, 28726)
  22. The ability to create/update users when Facebook is used as an Identity Provider is now allowed. (28939)
  23. Fixed an issue preventing the soft token activation lifetime from being modified. (29207)
  24. Fixed an issue where the registration password is not returned when activating a soft token. (28738)
  25. Fixed an issue where multiple SAML applications required authentication even though SSO was enabled. (29253)
  26. Fixed an issue where the user entitlement count became out of sync with the actual number of users. (29161)
  27. Identity Providers have been enhanced. When using an IDP, in addition to requesting scopes, a request can now also include id token claim names and userinfo token claim names. (28904)
  28. Identity Provider authentication now works with SAML IDP initiated authentication. (28420)
  29. Fixed an issue preventing creation of Mobile SDK per group policies. (28901)
  30. Admins can view the user's authenticators without requiring password permissions. (29188)
  31. Temporary Access Code settings now display an error for Alphabet when Replace Similar Characters is checked and duplicate characters are present. (28327)
  32. Maximum Uses for Temporary Access Code is now added to a user's authenticators filter. (28328)
  33. For a Twitter Identity Provider, the user related fields are no longer shown since they are not used. (28917)
  34. For an OIDC Generic Device application, validation of the usercode mask in the UI has been improved. (28900)

Changes to Identity as a Service APIs

The following attributes have been added to models in the authentication API.

The following methods have been added to the administration API.

The method usersPagedUsingPOST has been replaced with a new V4 version. The new version limits the attributes that are returned by default.

The following attributes have been added to models in the administration API.

Enterprise Service Gateway Upgrade Issue

There is a bug in the 5.25 version of ESG that prevents it from upgrading. There are two ways of resolving this issue.

  1. Instead of upgrading your existing ESG instance, you can create a new 5.26 ESG instance and delete your existing instance.

  2. Before you upgrade your 5.25 ESG instance, log in to the ESG instance and run the following commands:

    • sudo sh -c 'rm -rf /usr/lib/python2.7/site-packages/certifi* /usr/lib/python2.7/site-packages/requests* /usr/lib/python2.7/site-packages/pam* /usr/lib/python2.7/site-packages/python_pam*'
    • sudo sh -c 'pip install python-pam==1.8.4 "requests<2.28" "certifi<=2020.4.5.1"'

    These commands can be run at any time prior to upgrading the ESG instance.

This issue only applies to the 5.25 version of ESG. There are no issues if you are upgrading from an earlier version of ESG.

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.26 and the three previous releases 5.23, 5.24 and 5.25). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway O/S.

Browser Deprecation

Microsoft no longer supports Internet Explorer 11. Identity as a Service will cease support for Internet Explorer 11 after May 2023.