Release 5.31

August 2023

New in this release

Device Verification using Certificates

A new Device Certificates risk factor has been added to Resource Rules. When configured, this risk factor requires that the client be able to perform client-authenticated SSL with a certificate issued from a trusted CA to pass.

When configuring Certificate Authorities, the customer can now configure Issuing CAs which is the existing capability of configuring CAs to issue smart credentials and Trusted CAs which is a new capability for configuring CAs that have issued the certificates on the user's devices.

Device certificates are supported for SAML and OIDC applications as well as the IDaaS portals.

Certificate Details for mPKI CA Smart Credentials

A new Certificate action is available for Smart Credentials using a mPKI CA. The Certificate action lists the certificates issued to the selected Smart Credential and allows an administrator to manage those certificates. Previously this action was only available for Smart Credentials using a PKIaaS CA.

Resource Rule Risk-factor Enhancements

The Risk-factors in resource rules have been enhanced to include a Deny Access option. When the Deny Access option is enabled for a risk factor, access to the application is denied if that risk factor fails regardless of the results of the other risk factors.

OIDC Claim Enhancements

Custom OIDC Claims can be defined and associated to any OIDC application. Claims can be defined to always be returned with User Info or with the ID Token. The way attributes are mapped to OIDC claims has been improved.

Microsoft AD Strong Authentication

Microsoft Windows is changing to require that certificates used for smart-card login include the user's security identifier as an extension. IDaaS has been enhanced to include a new user attribute to store the user's security identifier and to encode this value into smart credentials. Additionally, AD and Azure directory sync have been enhanced to retrieve this value from the customer's directory and store it for IDaaS users.

If you have a CA that was created before this release you will need to update the CA configuration to support Security Identifiers.

• For an Entrust PKIaaS CA, there is a new Refresh action available from the IDaaS Issuing Certificate Authority list. This will update the necessary CA configuration.
• For Entrust mPKI or Microsoft CA the certificate profiles managed from the CA will need to be updated.

Identity Provider Enhancements

The following enhancements have been made to identity providers:

• A new identity provider IDVaaS has been added supporting integration with Entrust's Identity Verification as a Service.
• When configuring an identity provider, additional checks can be configured that ensure IDP claim values match existing IDaaS user attributes to successfully complete IDP authentication.

Administration API Long-Lived Token

An administration API can be configured to support long-lived tokens. When creating an administration API or refreshing its shared secret, a long-lived token is available if enabled for the application. When invoking an administration endpoint, instead of passing the authentication token returned from the administration API authentication endpoint, the long-lived token can be passed instead. The long-lived token does not expire, meaning that client applications do not need to refresh the authentication token periodically.

User Provisioning using System for Cross-Domain Identity Management (SCIM).

IDaaS users can now be managed by 3rd-party clients using SCIM.

SAML Enhancements

The following enhancements have been made to SAML applications:

• A SAML application can now define multiple Assertion Consumer Service (ACS) URLs.
• Each SAML application now has a public endpoint that returns the SAML metadata for the application. This endpoint can be used by SAML service providers that automatically fetch the SAML metadata.
• SAML applications can now be configured to specify the audience returned in SAML assertions. The audience can either be specified in IDaaS or requested from the SAML SP as a parameter.

Manage Inactive Users

IDaaS now allows a customer to have users be blocked from authenticating if the user has not authenticated in a period of time.

User Search/Report Enhancements

The following enhancements have been made to user search/export capabilities:

• The user search criteria have been enhanced to allow an administrator to search for users who have not authenticated in a period of time. Previously, only searching for users who had authenticated in a period of time was supported.
• The user export operation has been enhanced to allow an administrator to export customer defined attributes.

Phone/Email Verification APIs

New administration APIs have been added that allow a customer application to verify that a user owns a given phone number or email address.

User Portal Improvements

The following enhancements have been made to the user portal:

• Users synchronized from AD were unable to modify any contact values. Now they are only blocked from modifying contact values synchronized from AD. Other contact values can be modified.

New Passkey/FIDO2 Registration Policies

The following new policies have been added to the Passkey/FIDO2 Authenticator policies to control registration.

• User Verification - controls if the user must be verified or not.
• Resident Key (User ID stored) - controls if the user ID is stored on the token during registration. This is required if the token is to be used for passwordless Passkey authentication where the user does not need to enter their user ID.
• Authenticator Attachment (platform or cross-platform) - controls whether a platform type, cross-platform type or either type of token can be registered.

Additionally, the option to select whether the User ID is stored during registration has been removed from the token registration dialog. The behavior is now controlled by policy.

Rate Limiting

Rate limiting is now enforced for trial accounts. The current limits are:

• Authentication requests: 5 requests per second (50 requests in a 10-second time window)
• Request to retrieve audits: 1 requests per second (10 requests in a 10-second time window)
• Administration requests: 3 requests per second (30 requests in a 10-second time window)

New Integrations

The following integrations have been added.

• A new OIDC application template for ConnectWise
• A new SAML application template for ConnectWise ScreenConnect
• A new SAML application template for Epic Hyperdrive. This template is designed to be used with the Entrust Epic Hyperdrive plugin.
• A new SAML application template for Fivetran
• A new SAML application template for Pingdom
• A new RADIUS application template for Sophos XG Firewall

Additionally, the existing RADIUS integration Fortinet has been renamed to Fortinet-FortiGate.

Fixed or changed in this release

1. Some dates in IDaaS API responses included milliseconds and some did not. Now all date values are consistent and do not include milliseconds. (31481)
2. Refreshing the page after changing the user locale in the User portal prompts the user to change the locale back to the original value. (31955)
3. Changing the locale on the login page is not always correctly applied. (31962, 32025, 32107)
4. The TLS configuration of the IdentityGuard Agent on the Enterprise Service Gateway (ESG) has been updated. It now supports TLSv1.2 and TLSv1.3 and the ciphers TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384. (16301, 31970)
5. When importing Mobile SDK push notification credentials into IDaaS, the credentials were rejected if they contained extra fields not used by IDaaS. Now those fields are ignored and the credentials are imported. (32040)
6. When configuring the Knowledge-Based Authenticators Minimum Challenge Size and Default Challenge Size a value of 1 should be allowed. (32523)
7. The error message displayed when trying to delete a group assigned to an unassigned grid card was incorrect. (31475)
8. The messages displayed in the Service Provider portal for the delete tenant dialog and the reset resource rule dialogs were incorrect. (31950)
9. The smart credential activation dialog was not formatted correctly for some locales. (31590)
10. When creating a CA the UI now prevents the administrator from entering a duplicate name. (32507)
11. When creating a custom role the UI crashes when trying to add a group. (32061)
12. When a locale is selected during authentication it is not used if the user needs to register. (32015)
13. When a service provider unlocks administrators of a tenant it should not make service provider administrators in that tenant active. (32382)
14. The audit generated when removing a RADIUS application should not list all the attributes of the application. (31133)
15. Improve the formatting of the Registration Settings page. (31974)
16. When a user has a FIDO/Passkey token registration for another application, the user portal registration should require that the user register a FIDO/Passkey token for the user portal. (31606)
17. The audit displayed when a user used a temporary access code as a replacement for a token erroneously stated Grid authentication instead of Token authentication. (32018)
18. The UI now trims leading and trailing whitespace for the Password Expiry Notification Days setting. (31983)
19. Improved handling if the user currently logged into the user portal does not match the userid specified in the password expiry link. (31927)
20. Improved how the number of days until your password expires shown in the password expiry notification email is calculated. (31976)
21. The smart credential unblock dialog has been refreshed. (31363)
22. If a duplicate expected location is added to the RBA settings an error is now returned. Previously duplicates were removed without error. (29346)
23. Improvements made to the OIDC application audits to remove some UUID values that were audited. (24876)
24. When change the password in the portal for user's in a group with group specific policy for the password expiry the password expiry date from the global policy was used. (32341)
25. Client Credentials Grant for OAuth2 resources are now sorted. (31520)
26. Change Password dialog displayed wrong password rules for Include Lowercase set to Not Allowed. (32383)
27. The User Portal session expiry warning dialog can display negative values until expiry. (32019)
28. Users with alternative email addresses for OTP may not see the Alternative Authentication option during login. (32647)
29. The default Group Name Attribute for AD directory synchronization has been changed from sAMAccountName to cn. This change only applies when creating new directories and not to existing directories. (31090)
30. Access to the user location history page in the Administration portal required the settings View permission which should not be required. (31545)
31. The Export Audits dialog in the Administration portal does not display the Filters value if it is set to 1 Hour. (31944)
32. AD Connector page may crash in the UI the if administrator does not have the necessary permission to view it. (32633, 32656)
33. Dates included in Emails are in English and do not use the user's locale. (15278, 31769)
34. ActiveSync Device authentication issues have been addressed. Only OAuth authentication is supported now. (32199, 32730)
35. Prepare Identity as a Service for Salesforce link in Technical Integration Guide is broken. (32060)
36. Email template preview triggers browser console error. (31899)
37. Unable to set the attribute mapping for an Azure directory configuration. (32512)
38. For APIs that do not return a result, the API guides in the developer portal now show the response as "Successful" instead of "No Response". (31024)

Changes to Identity as a Service APIs

Authentication API

The following models have been updated in this release:

• authToken has been added to UserAuthenticateQueryParameters. If passed to the authentication query, the query will determine if authentication is allowed with the given auth token.
• authenticationCompleted has been added to UserAuthenticateQueryResponse. It indicates if further authentication is required when the auth token was passed as a parameter.
• deviceCertAuthDesired has been added to UserAuthenticateQueryResponse. This attribute is currently not used by the public authentication API.
• deviceCertAuthDesired has been added to AuthenticatedResponse. This attribute is currently not used by the public authentication API.
• registrationAuthenticatorAttachment, registrationRequireResidentKey and registrationUserVerification have been added to FIDORegisterChallenge. These attributes are arguments that describe how the FIDO token should be registered.

Administration API

The following APIs have been added in this release:

• POST /api/web/v1/contact/verification/challenge (contactVerificationChallengeUsingPOST)

  Given a phone or email contact value this method sends an OTP challenge to the contact using email or SMS.

• POST /api/web/v1/contact/verification/authenticate (contactVerificationAuthenticateUsingPOST)

  Validate the challenge generated by a previous call to contactVerificationChallengeUsingPOST.

The following models have been added in this release:

• OTPVerificationChallengeValue contains the parameters passed to contactVerificationChallengeUsingPOST.
• OTPVerificationChallengeResponse contains the response returned from contactVerificationChallengeUsingPOST.
• OTPVerificationAuthenticateValue contains the parameters passed to contactVerificationAuthenticateUsingPOST.
• OTPVerificationAuthenticateResponse contains the response returned from contactVerificationAuthenticateUsingPOST.
• DeviceCertificateContext defines the device certificate context for a resource rule.

The following models have been updated in this release:

• inactivityGracePeriod has been added to GeneralSettings. This attribute specifies the amount of time an administrator can grant to a user who has been deactivated due to inactivity to authenticate.
• manageInactiveUsers has been added to GeneralSettings. This attribute specifies if inactive users are blocked from authenticating.
• userInactivityThreshold has been added to GeneralSettings. This attribute specifies the amount of time a user has to be inactive before they are blocked from authenticating.
• frozen has been added to User. This attribute specifies if a user has been frozen (blocked from authenticating) due to inactivity.
• frozenGracePeriod has been added to User. If a user blocked from authenticating due to inactivity has been granted a grace period for the administrator this attribute specifies when that grace period expires.
• securityId has been added to User and UserParms. This attribute specifies the users security identifier and is used to encode the value into the certificates of their smart credentials which will become a requirement to support Microsoft Windows smart-card login.
• userCreationTime and lastModifiedhave been added to User. These attributes specify the date the user was created and last modified.
• applyGracePeriod has been added to UserParms. This attribute is used to specify a grace period to users who have been blocked from authenticating due to inactivity.
• allowLongLivedToken has been added to AdminApiApplication and AdminApiApplicationParms. This attribute specifies if a long-lived token can be used to authenticate to this admin API application.
• denyAccess has been added to DateTimeContext, DeviceCertificateContext, IpContext, KbaContext, LocationContext, LocationHistoryContext, MachineContext, TransactionContext and TravelVelocityContext. This attribute specifies if access to the application associated with the resource rule is denied if this context does not pass evaluation.
• deviceCertificateContext has been added to ResourceRule. This attribute returns the device certificate context of a resource rule.
• deviceCertificateContext and removeDeviceCertificateContext have been added to ResourceRuleParms. These attributes allow the device certificate context of a resource rule to be set or deleted.

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.31 and the three previous releases 5.28, 5.29 and 5.30). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.

Microsoft Windows 2012 Deprecation

Microsoft will stop supporting Windows Server 2012 and Windows Server 2012 R2 in October 2023. At that time, Identity as a Service will no longer support clients running on these platforms where they do not support up-to-date TLS ciphers.

Browser Deprecation

Microsoft no longer supports Internet Explorer 11. Identity as a Service ceased support for Internet Explorer 11 after May 2023.