Entrust

Release 5.30

New in this release

SAML Signing Certificate Enhancements

SAML Signing Certificates have been enhanced to support a signing key and certificate issued by a CA (for example, using a P12 file). Additionally, the option to generate a PKCS#10 certificate-signing request (CSR) has been enhanced to offer stronger key size options, signing algorithm options, and an optional challenge password.

SAML Metadata Enhancements

Exported SAML Metadata now also contains the set of configured SAML Attributes.

Authentication Locale Enhancements

When a user chooses a different locale while authenticating to the IDaaS User Portal, the user is given the option to store the new locale as their default. The locale is used to localize any messages (such as an OTP email or SMS) sent during authentication.

Password Expiry Notification

IDaaS now includes the ability to deliver password expiry notifications to users when their password approaches or reaches expiry. The expiry notification can be sent using email or SMS. Email notifications can include a link to take the user to the password change dialog in the IDaaS User Portal.

FIDO2/Passkey Authentication API Support

The IDaaS authentication API now includes FIDO2 and Passkey authentication options. APIs for a user to register FIDO2 tokens are also available.

IDaaS Portal Improvements

The password entry fields on the login and password change pages now include an option to view the password.

The change user password dialog has been refactored. Additionally, the URL https:///#/?redirect=password&userid= (for example, https://myaccount.us.trustedauth.com/#/?redirect=password&userid=myuserid) takes the user directly to the password change dialog in the User Portal after authentication.

Enterprise Service Gateway Updates

The version of MS CA Proxy used with IDaaS has been updated. Customers that are using IDaaS with Microsoft CAs should update the version of MS CA Proxy they have installed when they upgrade their ESG.

The ESG install documentation now includes a procedure that describes how to configure the ESG UI to use a public CA issued SSL certificate.

New OIDC Integrations

A new OIDC/OAuth application template has been added for OAuth2 Native Apps (RFC 6749 section 4.3, the Resource Owner Password Credentials grant). Note that the OAuth 2.0 Security Best Current Practice recommends against the Resource Owner Password Credentials grant because it exposes the user's password to the client; where the native app supports it, prefer the authorization code grant with PKCE (RFC 7636) as described for native apps in RFC 8252.

New RADIUS Integrations

A new RADIUS application template has been added for Fortinet.

Fixed or changed in this release

  1. In past releases some customers encountered issues with their ESG when the underlying VM was modified. This required that the ESG be re-initialized to recover. This issue has been addressed. (30855)
  2. User Provisioning has been optimized to not perform provisioning for some user changes that do not require reprovisioning. (31311, 31323)
  3. Address issues in User Provisioning where users were not provisioned or deprovisioned for some group changes. (31317, 31434)
  4. User Provisioning related audits have been improved. (31312, 31294)
  5. User Provisioning should not be enabled for Service Providers that are not Premium accounts. (31396)
  6. Improvements to User Provisioning where attributes, including locale and some custom attributes, were not provisioned as expected. (31278, 31314, 31341)
  7. Improvements to User Provisioning configuration to prevent invalid values from being configured and other UI improvements. (31326, 31461, 31492, 31496)
  8. The notification sent to users when an authenticator is locked specified the wrong action. (31376)
  9. Improved the label for the Smart Credential > Activation Lifetime setting in the UI. (31411)
  10. Audits for FIDO2 authentication now distinguish between the case where the userId is entered by the user and the case where it comes from the FIDO2 token. (30284)
  11. Improvements to Identity Provider configuration for Microsoft Identity Providers. (29118)
  12. Improve audit details when the attribute filters for a SAML application are updated. (29222)
  13. Fix a problem with Entrust soft token activation when the maximum time steps policy was set to 1. (31397)
  14. Improved error message returned when invalid values were provided for Google Max. Time Steps and Max. Reset Time Steps settings. (29721)
  15. Some links to documentation in IDaaS admin portal were broken. (30976)
  16. RADIUS applications with External first-factor can now be configured to skip second-factor authentication. (31052)
  17. Password blocklist did not allow the last value to be deleted. (31402)
  18. Admin API authentication now ignores leading or trailing whitespace in the applicationId. (29297)
  19. Improve errors logged when attempting to delete external users using the bulk delete user operation. (29530)
  20. Fixed issues with date filters for authentication counts in the Admin Portal dashboard. (31519, 31522)
  21. The UI in the Admin Portal for adding custom OIDC attributes has been updated. (31674)
  22. Improve the audit for modifying OIDC applications to not include attributes that have not been changed. (31399)
  23. The audit for delete grid card showed the action in lowercase. (31423)
  24. The Admin Portal did not allow email addresses with leading or trailing whitespace. The whitespace is now automatically trimmed. (28895)
  25. When creating a new site role, the option to delete groups was missing. (31189)
  26. Log file for IdentityGuard bulk import operation now includes more information about errors. (30645)
  27. The Azure AD reauthenticate audit used a non-standard date format for the authorizationDate value. (31443)
  28. Generic Device OIDC applications should not be clickable in the User Portal. (30456)
  29. When configuring a Microsoft CA in the Admin Portal, fix some formatting issues when the configuration is displayed. (31254)
  30. When configuring Authorization, OIDC applications created to support Service Provider administration should not be allowed for Client Credentials Grants. (31419)
  31. The list of OIDC applications listed for Add Client Credentials Grant for Authorization should be sorted. (31418)
  32. OIDC applications without an Initial Login URI configured should not be clickable in the User Portal. (30458)
  33. The IDaaS portal has been improved to support authentication in browsers that do not support local storage, which is common for browsers running in protected mode or on mobile devices. (31641, 29604, 27564, 30924, 30224)

Changes to Identity as a Service APIs

Authentication API

The following APIs have been added in this release:

The following models have been updated in this release:

Administration API

The following APIs have been added in this release:

The following models have been updated in this release:

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.30 and the three previous releases 5.27, 5.28 and 5.29). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.

Microsoft Windows 2012 Deprecation

Microsoft will stop supporting Windows Server 2012 and Windows Server 2012 R2 in October 2023. At that time, Identity as a Service will no longer support clients running on these platforms where they do not support up-to-date TLS ciphers.

Browser Deprecation

Microsoft no longer supports Internet Explorer 11. Identity as a Service will cease support for Internet Explorer 11 after May 2023.