Release 5.29

March 2023

New in this release

User Provisioning

IDaaS now supports provisioning of users to 3rd-party services using the System for Cross-domain Identity Management (SCIM) protocol. The first release of this feature has been tested against Salesforce.

Identity Provider Enhancements

The following enhancements have been made to Identity Providers:

• A new user verification policy has been added to require a user to approve a user verification message. When configured, users must approve the message in order to complete verification. Administrators configure the user verification messages on the IDaaS Theme page.

• An Administrator can configure IDaaS to find users using the User Principal Name attribute or an IDaaS custom attribute during Identity Provider authentication. This is in addition to finding users using the Userid/Alias attribute.

Token Reset Bulk Operation

A new bulk operation to perform token reset for a list of tokens has been added.

New Option on SAML/OIDC Applications to Disable Go Back Button

A new option has been added to SAML and OIDC applications that allows an administrator to disable the Go Back button that is present during authentication.

Options to configure the User Portal

The following options have been added to allow an administrator to configure the IDaaS User Portal

• Options to select a default tab and additional tabs that appear on the User Portal. The default tab is the landing page tab when a user logs in.
• A setting to specify the URL of the User Guide User Portal help. If set, the User Guide Help option displays this document instead of the default IDaaS documentation. This allows a customer to provide custom documentation.

Create Grid Action in User Portal

Users can now create their own grids in the User Portal. Previously, only administrators could create grids for users.

Fixed in this release

1. When deleting, enabling, or disabling a smart credential from the User portal, the audit specified the Admin portal. (28966, 29007)
2. When changing the variable values of a smart credential, the audit does not indicate which values were changed. (29009)
3. Sync add user audit specified edit permission instead of add permission. (29673)
4. User registration dialog and registration emails for Mobile smart credential contained outdated links for both Android and iOS apps. (30906, 30908)
5. User portal smart credential activation dialog is missing option to download Android and iOS apps. (30877)
6. Updated the encryption of PDF eGrids to use AES-256. (30949)
7. Unable to delete KBA word maps. (30960)
8. Errors updating KBA word maps. (30793)
9. KBA word maps defined in a per group policy were not correctly applied. (30947)
10. Improve the logs generated for the IdentityGuard (Identity Enterprise) import. (30941)
11. When importing tokens using the IdentityGuard (Identity Enterprise) import, the token set name from IDE is imported into the IDaaS token label. (31038)
12. When importing tokens using the IdentityGuard (Identity Enterprise) import, if the token has push authentication enabled, the push authentication is now enabled in IDaaS during import rather than after the first time the user uses the Entrust Identity application after migration. (30899)
13. Creating a smart credential in the User portal sends multiple activate requests. (30248)
14. When adding a contact in the User portal, the generated audit specifies user add. It should be user edit. (29556)
15. When a resource rule is cloned, the UI displays Edit Resource Rule. It should be Add Resource Rule. (31130)
16. When checking user aliases for uniqueness, white space was ignored. White space is significant. (31059)
17. When a resource rule Date/Time context was set without a time zone, it displayed as an unknown value the next time the resource rule was viewed. (30898)
18. When a resource rule Date/Time context was set, the start time may not be set correctly resulting in situations where it was rejected. (30669, 30900)
19. When a second-factor authenticator is checked in the resource rule it should automatically sort above all unselected authenticators. (31015)
20. Display a proper error message if a cloned resource rule is created with an existing name. (31012)
21. When viewing a resource rule as an administrator that does not have write access the External Risk Engine settings should be read-only in the UI. Note that IDaaS correctly rejects the edit request if submitted. (30792)
22. The performance of LDAP queries performed by the directory sync agent on the Enterprise Service Gateway have been improved. (27563)
23. The RADIUS agent option to perform first-factor AD password authentication directly to AD was broken. (30041)
24. The SIEM agent on the Enterprise Service Gateway could stop sending logs to syslog for some network connectivity issues. (30701)
25. The layout of PDF eGrids has been improved. (30657)
26. The authentication types and actions included in the authenticator change notification email are not localized. (30436)
27. Unable to remove the email value from a schedule report. (30655)
28. In the Admin UI, fix the tab order between fields for the EMail Server OAuth Settings page. (30472)
29. When configuring an EMail server to use OAuth, the defined scope may be removed if the OAuth server returns a null scope. (30471)
30. When configuring an EMail server to use OAuth, require the OAuth server to be reauthorized if the OAuth data changes. (30795)
31. When testing EMail server configuration for a server configured to use OAuth, only try the test a single time if the OAuth refresh token is expired. (30785)
32. Improve the audit for Email server configuration changes to show which attributes changed. (30814)
33. When accessing the Email server settings, the OAuth Authorize action should be disabled if the administrator does not have edit permission. (30557)
34. Improve the error messages displayed in the User portal when using FIDO/Passkey authentication. (30384)
35. Reports can get stuck in the schedule state preventing new reports from being started. These reports are now automatically cancelled. (29761, 31164)
36. Accounts with the standard bundle should have access to use IP lists. (30568)
37. The audit generating when modifying User RBA Settings is missing the admin permission. (29717)
38. Fix how the User Portal Change Password dialog is loaded on a slow network so that is does not display until fully rendered. (22039)
39. When modifying Active Sync settings, the Save button should not be enabled until the Test operation completes. (27969)
40. OAuth scopes during authentication are not soprted in the display. (30850)
41. Add gateway audit included information about DB proxy that is not applicable and is now removed. (29472)
42. Audit for unassigning a grid from a user should include the userId of the user. (29339)
43. When all user entitlements have been consumed, synchronizing an inactive user fails. Inactive users do not consume an entitlement. (29135)
44. Warning message displayed when editing a resource rule that has Identity Providers associated with it should only be displayed for resource rules associated with OIDC and SAML applications. (30823)
45. The default Date Range for audit and authentication searches performed on the Admin portal dashboard has been changed from 24 hours to 1 hour.
46. All new Facebook Identity Providers must use openid scope. (31350)

Changes to Identity as a Service APIs

1. IDaaS API documentation has been refactored and moved to the Developer Portal.
2. Dropped support for .NET Core 3.1 for CSharp clients and added support for .NET Framework 4.8.

Changes in this release

The following changes have been made to address issues or enhance existing functionality.

1. All existing Facebook Identity Providers that do not use openid will require an update to use openid.

Authentication API

The following APIs have been updated in this release:

• POST /api/web/v2/authentication/users (userAuthenticatorQueryUsingPOST)

• POST /api/web/v1/authentication/users (userAuthenticatorQueryUsingPOST)

• POST /api/web/api/v1/authentication/users (userAuthenticatorQueryUsingPOST)

  • returnDefaultChallenge has been added to UserAuthenticateQueryParameters. This attribute is used to indicate whether a challenge should be returned for the default authenticator.
  • The following attributes are also added to UserAuthenticateQueryParameters to support returning the default challenge--see UserChallengeParameters for details: summary, priority, requestDetail, pushMessageIdentifier, tokenPushMutualChallengeEnabled, offlineTVS
  • UserAuthenticateQueryResponse has been updated to include the following attributes with the default challenge information--see AuthenticatedResponse for details: otpDeliveryType, kbaChallenge, gridChallenge, tokenDetails, fidoChallenge, tokenChallenge, tempAccessCodeChallenge, tokenPushMutualChallenge
  • authenticatorLockoutStatus has been added to UserAuthenticateQueryResponse. This attribute contains detailed user authenticator lockout information. This behavior is controlled by the General policy enableEnhancedAuthenticationDetails.

• POST /api/web/v1/authentication/users/authenticate/{authenticator}/complete (userAuthenticateUsingPOST)

• POST /api/web/api/v1/authentication/users/authenticate/{authenticator}/complete (userAuthenticateUsingPOST)

  • Providing a JWT in the Authorization header is now optional. This change allows to authenticate a user with a single API call for authenticators that do not require a challenge.

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.29 and the three previous releases 5.26, 5.27 and 5.28). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway O/S.

Microsoft Windows 2012 Deprecation

Microsoft will stop supporting Windows Server 2012 and Windows Server 2012 R2 in October 2023. At that time, Identity as a Service may no longer support clients running on these platforms where they do not support up-to-date TLS ciphers.

Browser Deprecation

Microsoft no longer supports Internet Explorer 11. Identity as a Service will cease support for Internet Explorer 11 after May 2023.