Release 5.27

December 2022

New in this release

Service Provider Tenant Management Enhancements

When configuring a tenant, authentication to Tenants using Identity Provider authentication can be enabled for Service Provider users.

Passkey/FIDO2 Enhancements

IDaaS has been enhanced to more fully support Passkey/FIDO2 authentication. Enhancements include optionally storing a user’s user ID when registering a Passkey/FIDO2 token and an authentication flow that uses Passkey/FIDO2 to allow a user to authenticate without providing their user ID.

User Authenticator Notification

IDaaS now supports sending user notification emails when a user’s authenticators have been changed. The actions include but are not limited to creating, assigning, deleting, and state changes.

PDF eGrids

User grids can now be exported as a PDF file or delivered to the user by email. eGrids can optionally be encrypted.

Developer Portal

The Developer portal has been redesigned to be more user-friendly and to provide a better experience for developers. The new Developer portal includes installation instructions and hands-on tutorials to help developers get started with the IDaaS API client library. The Python API client library is also available on the Developer portal.

Resource Rules Improvements

• A new clone action has been added to resource rules allowing administrators to clone an existing a resource rule in the same category.
• IP lists can now be associated with source IP addresses in resource rule risk factors. Administrators must configure IP Lists first before using this feature.
• Various resource rules risk factors have been redesigned and refreshed to be more user-friendly.

Group Management Enhancements

The group list page now supports paging when an account has a large number of groups and the option to export a list of groups.

Fixed in this release

The following issues have been fixed in this release.

1. When updating the SAML Web application logo with no additional changes, the audit logs show only the modified logo. (29395)
2. Fixed generating grid cards for selected groups. (25018)
3. When bulk importing users and the CSV file column does not specify user attributes or extra attributes, the original custom user attributes and additional custom user attributes are not deleted or modified. (29323, 29332)
4. The 'overage allowed' attribute no longer appears in the user entitlement information. (29237)
5. Fixed when updating password reset settings, duplicate authenticators throws an error. (29315)
6. Fixed when an optional user attribute column is not included in the bulk operation import file, users can no longer remove those attributes from their user profile. (29304, 29331)
7. Fixed an issue with the Desktop Credential Provider (DCP) offline token support where offline OTPs could not be downloaded after DCP was upgraded. (25145)
8. Changed the Entrust Service Gateway log configuration to automatically rotate the audit log. Previously the Gateway would shut down when this log filled. (29109)
9. When a RADIUS application is configured to perform first-factor token only authentication, the IP address was not being logged in IDaaS audits. (30335)
10. Token synchronization with an empty response did not work for Entrust Soft Tokens. (29877)
11. Importing Entrust Soft Tokens from Identity Enterprise (IdentityGuard) did not work if the tokens were being used for offline token authentication with Desktop Credential Provider. (30058)
12. User list operation filtering by smart credential push authenticator included users with smart credentials that do not support push authentication. (29635)
13. The Admin portal now displays an error if an administrator tries to remove the value for a required attribute. (29324)
14. The pre-5.4 option for registering a Gateway has been removed from the IDaaS Gateway Registration page. (29789)
15. The Submit button on the Service Provider Unlock Administrators dialog has been renamed from OK to UNLOCK. (29798)
16. Fixed IP Address entry fields in the Admin portal to accept IP addresses that end with .0 or .255. (29671)
17. Fixed errors in the API documentation for the Administration API StartSmartCredentialSignParms model. (30243)
18. Fixed errors in the API documentation for the token list operations. The label search criteria was not documented. (29727)
19. When using an offline soft token authentication transaction, a follow-up soft token push authentication transaction would fail (no push notification would be triggered and the transaction would not be initiated). (30298)
20. Fixed a problem on the User portal Activity page where it did not display correctly while loading with a slow network connection. (29638)
21. The Smart Credential Activation page in the User portal is not properly translated for some locales. (29732)
22. In the Admin portal, the Directory Sync page did not correctly sort by Sync Status. (29313)
23. In the Admin portal, when changing the Supported Scopes of an OIDC application, the OIDC signature algorithm could be reset to NONE. (28929)
24. On the OIDC consent page, disable the Cancel and Accept buttons after Accept is clicked. (28862)

Changes to Identity as a Service APIs

Authentication API

The following attributes have been added to models in the authentication API.

• userHandle has been added to FIDOResponse. This value includes the user information stored on the FIDO2 token when it was registered.

The following enhancements have been made to the Authentication API to return more detailed information when authentication fails. This behavior is controlled by the new General policy enableEnhancedAuthenticationDetails.

• When an authentication fails due to an invalid response, the exception returned from IDaaS can include additional information, including the number of authentication attempts remaining.
• When a user is locked out, return the error access_denied_locked instead of access_denied.
• When a user is denied authentication because they have no authenticators, return the error access_denied_no_authenticators instead of access_denied.

Administration API

The following APIs have been added to the administration API.

• getSpIdentityProviderUsingGET returns Service Provider information.
• setSpIdentityProviderUsingPUT updates Service Provider information.
• groupsPagedUsingPOST supports paging through a list of groups.
• deliverAssignedGridByEmailUsingPOST delivers a PDF eGrid by Email.
• getSingleGridExportUsingGET returns a PDF eGrid allowing the client to export it.

The following attributes have been added to models in the Administration API.

• spIdp has been added to Tenant. This setting specifies whether a Service Provider authentication to Tenants using Identity Provider authentication has been enabled.
• userIdStored has been added to FIDOToken. This value indicates if the user's user ID was stored on the FIDO2 token when it was registered.
• newPassword has been added to UserPassword. This value contains the user's new password generated by IDaaS if the client requested it be returned.
• returnPassword has been added to UserPasswordParms. This value allows a client to request the new password generated by IDaaS be returned.
• allowedIpList, deniedIpList and type have been added to IpContext. These values show where IPLists are defined in a Resource Rule context.
• enableEnhancedAuthenticationDetails has been added to GeneralSettings. This setting indicates if additional information about the user's lockout state are returned from authentication requests.

The following models have been added to the Administration API.

• SpIdentityProvider contains information returned from getSpIdentityProviderUsingGET.
• SpIdentityProviderParms contains information passed to setSpIdentityProviderUsingPUT.
• GroupsPage contains information returned from groupsPagedUsingPOST.
• GridExport contains information returned from getSingleGridExportUsingGET.

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.27 and the three previous releases 5.24, 5.25 and 5.26). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway O/S.

Microsoft Windows 2012 Deprecation

Microsoft will stop supporting Windows Server 2012 and Windows Server 2012 R2 in October 2023. At that time, Identity as a Service may no longer support clients running on these platforms where they don't support up-to-date TLS ciphers.