Release 5.32

November 2023

New in this release

Administrator Role Defined by Group Membership

IDaaS has a new group-based policy category that defines an Administrative role. This allows a customer to assign all members of a group an administrative role.

Registration Settings UI Restructured

The Registration Settings page has been restructured so that each category has its own page.

Magic Link for Registration

IDaaS now provides Magic Links that allow a user to register authenticators without requiring a password to authenticate. Magic Links can be delivered by email from IDaaS to the user or returned to customer applications using the Administration API.

Account Rename

The hostname for an account can now be modified by the Service Provider of that account. To support migration between hostnames, there is an option to keep the old hostname available.

Group Provisioning using SCIM

SCIM can now be used to provision groups and to provision group membership of users in IDaaS.

New Default SCIM Provisioning Role

There is now a new default role "SCIM Provisioning." This role contains the permissions required to perform provisioning to IDaaS using SCIM.

Asynchronous Account Creation

New account creation is now performed asynchronously. To support this, the account creation UI in the Service Provider portal has been extensively changed.

New APIs to support asynchronous account creation have been added to the Administration API. The existing APIs have been deprecated and will be removed in a future release.

Directory Synchronization Improvements

The following improvements have been made to directory synchronization.

• User aliases can now be populated from a list of one or more directory attributes.
• IDaaS attributes can now be defined as a composite of multiple directory attributes (for example, '<givenName> <sn>' to specify the user's full name) or a combination of directory attributes and static values (for example, 'ENTRUST\<samAccountName>' to specify the user's domain qualified userID).

Replace Deleted Applications

When creating an Authentication API application, the administrator can now specify the unique ID of the application. This allows an administrator to recreate an application that was deleted with the same unique ID so that existing clients do not need to be reconfigured.

New Integrations

The following integrations have been added.

• A new SAML application template for 15Five
• A new SAML application template for Forest Admin
• A new SAML application template for Freshservice
• A new SAML application template for HubSpot
• A new SAML application template for Jenkins
• A new SAML application template for Miro
• A new SAML application template for Onfido
• A new SAML application template for ReviewInc
• A new SAML application template for Splunk SOAR

Additionally, an integration guide is now available for the Epic Hyperdrive integration that was added in 5.31.

Fixed or changed in this release

1. Fixed an issue where Java clients using the IDaaS APIs could not deserialize null arrays. (33036)
2. Addressed issues in the Google Workspace integration guide. (32947, 33082)
3. Updated the bulk import user sample to include securityId. (32872)
4. Disabled the refresh operation for PKIaaS CAs for administrators that do not have permission to perform the operation. (32931)
5. Removed the Referrer-Policy header that was added in 5.31. It caused issues with some IDaaS clients. (33110)
6. Renamed the "SCIM Provisioning Management" role permission to "Outbound Provisioning Management". (32862)
7. The audit generated when directory attributes are modified now includes the old and new values. (32859)
8. When updating a SAML application when Override SAML Audience is checked, the Audience value is now required. (33034)
9. Addressed issues in the "Integrate Microsoft Azure AD" Technical Guide. (32738, 33137)
10. Improvements to SCIM User Provisioning documentation. (32933)
11. Fixed broken link in "Integrate Nets E-Ident IDP Broker" section of Technical Guide. (33144)
12. Addressed FIDO token registration issues using Safari on Mac. (32702, 32700)
13. In the Service Provider portal, disable the Tenant report option for administrators that do not have permission. (33233)
14. Users added to IDaaS by directory synchronization did not receive their new grid. (32811)
15. Userid search options were disabled for accounts with more than 1 million users. The limit is now 3 million users. (33484)
16. When creating a new SAML application, the Signature Type now defaults to the expected value. (33187)
17. When creating a new SAML application, if only one SAML signing certificate is defined, it is automatically selected. (33188)
18. IDaaS now allows the Authorization Bearer token passed to authenticated endpoints to contain more than one space. The standard specifies a single space but some clients include multiple spaces. (33107)
19. Fixed language selection issue where a user was asked to confirm a change when the default language selected. (33286)
20. Fixed an issue where changing the default account locale can result in the Admin portal displaying that locale instead of English. (32915)
21. Improved text in Gateway download dialog to make it clear that the OVA can be installed onto more than just VMWare vSphere. (32069)
22. When a FIDO token is registered, its origin is now audited. (31237)
23. Changed the Registration page so that the authenticators are sorted. (30794)
24. Improved validation of input on My Authenticator page. (15217)
25. Fixed the issue on Password Reset policies page that prevented an administrator from unchecking Allow Email OTP Delivery. (33109)
26. Enabling/updating tenant management configuration failed in some cases. (33200)
27. When configuring an IDP, Security ID should not be allowed as an attribute used to identify the user. (33146)
28. Improved the formatting of the Risk Factor Evaluation Results in authentication audits. (32497)
29. The authenticator filter in the user list search criteria should only show authenticators that the administrator has permission to access. (31887)
30. Fixed an issue that prevents the custom email server configuration from being saved when the OAuth is reauthorized. (32536)
31. In the User list, when the Last Authenticated before criteria is used it includes users who have never authenticated. The UI now includes a note to indicate this. (32266)
32. Users are unable to use the OTP authenticator because they do not have contact information were not getting the expected error response when Enable Enhanced Authentication Details was checked. (32628)

Changes to Identity as a Service APIs

Authentication API

The following models have been changed in this release.

• serialNumbers in GridChallenge has been deprecated. Use gridInfo instead.

Administration API

The following APIs to support asynchronous account creation have been added in this release.

• POST /api/web/v4/async/tenants (createTenantAsyncUsingPOST)
• GET /api/web/v4/async/tenants/{id}/createstatus (getCreateTenantAsyncStatusUsingGET)
• GET /api/web/v4/async/tenants/{id}/createresult (getCreateTenantAsyncResultUsingGET)

To create a new tenant from a Service Provider:

• call createTenantAsyncUsingPOST to start the tenant creation.
• call getCreateTenantAsyncStatusUsingGET repeatedly until the returned status indicates that the tenant creation is complete.
• call getCreateTenantAsyncResultUsingGet to get the tenant creation result.

The following APIs to support registration of FIDO tokens using the administration API have been added in this release.

• GET /api/web/v1/fidotokens/challenge/{id} (startCreateFIDOTokenUsingGET)
• POST /api/web/v1/fidotokens/complete/{id} (completeCreateFIDOTokenUsingPOST)

The following APIs to support the management of Magic Links for registration have been added in this release.

• PUT /api/web/v1/users/{userid}/magiclink (createMagicLinkUsingPUT)
• DELETE /api/web/v1/users/{userid}/magiclink (deleteMagicLinkUsingDELETE)

The following APIs have been deprecated in this release.

• POST /api/web/v4/tenants (createTenantUsingPOST). Tenants should be created using the new asynchronous methods described above.
• GET /api/web/v1/serviceipaddresses (getServiceIPAddressesUsingGET). IDaaS accounts now have fixed IP addresses.

The following models have been added in this release.

• CreateTenantSyncStatus contains the information returned from getCreateTenantAsyncStatusUsingGET.
• FIDORegisterChallenge contains the information returned from startCreateFIDOTokenUsingGET.
• FIDORegisterResponse contains the information passed to completeCreateFIDOTokenUsingPOST.
• MagicLinkCreateParms contains the parameters passed to createMagicLinkUsingPUT.
• MagicLinkResponse contains the information returned from createMagicLinkUsingPUT.
• UserAlternateEmails contains information about alternative email addresses available to a user.

The following models have been modified in this release.

• id has been added to AuthApiApplicationParms. When creating an authentication API application, the unique UUID of the application can be specified. If an ID is not specified, a random unique ID is generated for the new application.
• created and lastModified have been added to Group. These values specify the date when the Group was created and last modified.
• lockedAuthenticators in User has been deprecated. Use lockedAuthenticatorTypes instead.
• alternateEmails has been added to User. This value lists all the alternate email addresses defined for the user.
• magicLinkEnabled has been added to User. This flag indicates whether magic links are enabled for the user.
• aliasMappingName has been added to Directory. This value specifies the list of directory attributes whose values will be mapped to user aliases.
• previousHostname has been added to Tenant. If set, this value specifies the previous hostname of an account after it has been renamed.

Changes to Identity as a Service SDKs

1. The order of parameters in the API functions may change. Refer to the clients' documentation for the correct order.
2. The python SDK no longer supports accessing properties using dictionary keys. Access properties using object attributes.
3. IDaaS no longer accepts paths that end in /. For example, previously both /api/web/v4/async/tenants and /api/web/v4/async/tenants/ would have been accepted. Now only /api/web/v4/async/tenants will work.
4. The 5.30 and 5.31 Java SDKs did not support models from newer versions of IDaaS that contain new attributes. This issue has been fixed in the 5.32 SDKs.

Supported TLS Ciphers

IDaaS supports the following TLS Ciphers.

TLSv1.3:

• TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)

TSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)

Support for the following TLS Ciphers were removed in IDaaS 5.32.

TLSv1.2:

• TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048)
• TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048)
• TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)

Clients should stop using the following TLS Ciphers. Support for them will be removed in a future release.

TLSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.32 and the three previous releases 5.29, 5.30 and 5.31). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.

Browser Deprecation

Microsoft no longer supports Internet Explorer 11. Identity as a Service ceased support for Internet Explorer 11 after May 2023.