Release 5.28

February 2023

New in this release

External Risk Engine Support

IDaaS has extended risk-based authentication to include risk factors from external providers. These external providers can track additional information about a user session to determine whether this is likely the user. Only authentications using the Authentication API support External Risk Engines.

PDF eGrid Automatic Delivery

Grid delivery can be configured so that a PDF eGrid is automatically delivered to the user when a new grid is created. Additionally, a new option has been added to registration so that a grid is automatically created when a user is created.

Resource Rule Improvements

The following enhancements have been made to resource rules:

• For customers that are not using resource rule contexts to choose between different risk levels, a new simplified resource rule is shown that hides all of the unused configurations.
• When creating an additional resource rule for an application, the existing resource rule can be cloned.
• The information included in an authentication audit has been enhanced to show how the authentication decision was reached.

Fixed in this release

The following issues have been fixed in this release.

1. A bash script has been added to the Enterprise Gateway to allow administrators to easily configure the static IP address
   of the Enterprise Gateway. The script can be found at /home/entrust/tools/setup_static_ip.sh and requires sudo privileges
   to run. The script prompts for the interface name, IP address, netmask, network gateway, and DNS server. After the script
   runs, users must then use the cockpit to register the Enterprise Gateway with Identity as a Service. (30106)
2. IDaaS features that use OAuth to authenticate to 3rd-party services have been refactored to use common OAuth functionality. These services include External Email, secure device provisioning, and Azure AD directories. Improvements include better handling of expired auth tokens. (30467)
3. A customer can now create multiple bulk operations of the same type. The bulk operations will be queued and run one at a time. Previously a second bulk operation could not be created until the first operation had completed. (29735)
4. FIDO2/Passkey token registration error handling in the User portal has been improved to better handle the error caused when the user has registered the maximum allowed number of FIDO2/Passkey tokens. (30403)
5. The password state icon shown in the User portal authenticator list could be truncated. (30451)
6. The subject of Emails sent to deliver eGrids to users were not translated for non-English locales. (30431)
7. Improved the bulk operation create dialog display when a long description is entered. (30506)
8. Audits generated when a user was updated as part of a directory sync operation indicated the audit was for the Gateway Agent instead of the user. Also, all user attributes were listed instead of just the attributes that changed. (28154)
9. Enhanced the user list password expiry filter to differentiate between a password that has expired and a password that never expires. (28311)
10. The AD Connector Delete Group operation has been renamed from "Delete Group" to "Delete AD Connector Group" so that it does not get confused with deleting IDaaS groups. (29769)
11. Importing a grid export file generated by Identity Enterprise was broken. (30493)
12. Password could not be reused even after password history was cleared. (30083)
13. An OIDC Generic Server Application should not show the "Authentication Flow" option because this type of OIDC application does not support the standard authentication flows. (30376)
14. Disable input fields when displaying a resource rule for administrators that do not have write access. The Save button was correctly disabled. (30569)

Changes to Identity as a Service APIs

The swagger files provided for the IDaaS APIs have been updated from Swagger (OpenAPI 2.0) to OpenAPI 3.0.

Authentication API

The concept of self-management APIs has been introduced and are included in the IDaaS authentication APIs. To use a self-management API, the customer application must do the following:

• Use the authentication API to authenticate the end user which generates an authToken.
• Call a self-management API providing the authToken as an authentication token. The self-management API will act on the user associated with the authToken.

The following self-management APIs have been added in this release:

• POST /api/web/v1/self/values (selfSetUserClientValuesUsingPOST) - store the specified list of name/value pairs for the user.
• GET /api/web/v1/self/values (selfGetUserClientValuesUsingGET) - return the stored name/value pairs from the user.
• PUT /opt/web/v1/self/values (selfDeleteUserClientValuesUsingPUT) - delete the named name/value pairs from the user.

The following models have been added in this release:

• UserClientValue defines a name/value pair that is passed to selfSetUserClientValuesUsingPOST and returned from selfGetUserClientValuesUsingGET.

User client values can be used by any application using an IDaaS authentication API application to manage user client values used by client applications.

Administration API

The following attributes have been added to existing models:

• userValuesEnabled has been added to AuthApiApplication and AuthApiApplicationParms. This boolean value indicates whether user client values can be managed for this application.
• defaultGrid has been added to GeneralSettings. This boolean value indicates if a grid should be automatically created for a new user.
• riskEngineContext has been added to ResourceRule and ResourceRuleParms. This attribute is a list of TransactonContext and specifies external risk engines to apply to the risk authentication.

In previous versions of the Administration API swagger file, the method unblockSmartCredentialUsingPUT was incorrectly defined to return the type SmartCredentialUnblockParms. It should have been SmartCredentialUnblockResponse.

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.28 and the three previous releases 5.25, 5.26 and 5.27). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway O/S.

Microsoft Windows 2012 Deprecation

Microsoft will stop supporting Windows Server 2012 and Windows Server 2012 R2 in October 2023. At that time, Identity as a Service may no longer support clients running on these platforms where they do not support up-to-date TLS ciphers.

Browser Deprecation

Microsoft no longer supports Internet Explorer 11. Identity as a Service will cease support for Internet Explorer 11 after May 2023.